Merge branch 'master' into 1562.004_test1_cleanup

2021-05-21 13:47:10 -06:00
parent 0390ec12f4 b3cf3df9d0
commit 4708db0ffa
7 changed files with 94 additions and 49 deletions
@@ -348,7 +348,7 @@ defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HT
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
@@ -69,7 +69,7 @@ defense-evasion,T1070.003,Clear Command History,9,Disable Bash History Logging w
 defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
 defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
 defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
-defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -664,7 +664,7 @@
  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
-  - Atomic Test #1: Disable iptables firewall [linux]
+  - Atomic Test #1: Disable firewall [linux]
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
@@ -230,7 +230,7 @@
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
-  - Atomic Test #1: Disable iptables firewall [linux]
+  - Atomic Test #1: Disable firewall [linux]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #1: Disable syslog [linux]
  - Atomic Test #2: Disable Cb Response [linux]
@@ -29670,26 +29670,29 @@ defense-evasion:
      - Windows
      identifier: T1562.004
    atomic_tests:
-    - name: Disable iptables firewall
+    - name: Disable firewall
      auto_generated_guid: 80f5e701-f7a4-4d06-b140-26c8efd1b6b4
-      description: 'Disables the iptables firewall
+      description: 'Disables the firewall

 '
      supported_platforms:
      - linux
+      input_arguments:
+        flavor_command:
+          description: Command to disable firewall. Default firewalld. ufw (Ubuntu)
+            command = ufw disable
+          type: String
+          default: systemctl stop firewalld ; systemctl disable firewalld
+        cleanup_command:
+          description: Command to enable firewall. Default firewalld. ufw (Ubuntu)
+            command = ufw enable
+          type: String
+          default: systemctl enable firewalld ; systemctl start firewalld
      executor:
-        command: |
-          if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
-          then
-            service iptables stop
-            chkconfig off iptables
-            service ip6tables stop
-            chkconfig off ip6tables
-          else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
-            systemctl stop firewalld
-            systemctl disable firewalld
-          fi
+        command: "#{flavor_command}\n"
+        cleanup_command: "#{cleanup_command}\n"
        name: sh
+        elevation_required: true
    - name: Disable Microsoft Defender Firewall
      auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
      description: |
@@ -29831,17 +29834,41 @@ defense-evasion:
 '
      supported_platforms:
      - linux
+      input_arguments:
+        package_checker:
+          description: Package checking command for linux. Default rpm
+          type: string
+          default: rpm -q rsyslog
+        package_installer:
+          description: Package installer command for linux. Default yum
+          type: string
+          default: yum install -y rsyslog
+        flavor_command:
+          description: Command to disable syslog collection. Default newer rsyslog
+            commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog
+          type: String
+          default: systemctl stop rsyslog ; systemctl disable rsyslog
+        cleanup_command:
+          description: Command to enable syslog collection. Default newer rsyslog
+            commands. i.e older command = service rsyslog start ; chkconfig rsyslog
+            on
+          type: String
+          default: systemctl start rsyslog ; systemctl enable rsyslog
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Package with rsyslog must be on system
+
+'
+        prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit
+          1; fi
+
+'
+        get_prereq_command: "sudo #{package_installer} \n"
      executor:
-        command: |
-          if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
-          then
-            service rsyslog stop
-            chkconfig off rsyslog
-          else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
-            systemctl stop rsyslog
-            systemctl disable rsyslog
-          fi
+        command: "#{flavor_command}\n"
+        cleanup_command: "#{cleanup_command}\n"
        name: sh
+        elevation_required: true
    - name: Disable Cb Response
      auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
      description: 'Disable the Cb Response service
@@ -63,23 +63,40 @@ Disables syslog collection



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| package_checker | Package checking command for linux. Default rpm | string | rpm -q rsyslog|
+| package_installer | Package installer command for linux. Default yum | string | yum install -y rsyslog|
+| flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | String | systemctl stop rsyslog ; systemctl disable rsyslog|
+| cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | String | systemctl start rsyslog ; systemctl enable rsyslog|

-#### Attack Commands: Run with `sh`! 
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


 ```sh
-if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
-then
-  service rsyslog stop
-  chkconfig off rsyslog
-else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
-  systemctl stop rsyslog
-  systemctl disable rsyslog
-fi
+#{flavor_command}
+```
+
+#### Cleanup Commands:
+```sh
+#{cleanup_command}
 ```



+#### Dependencies:  Run with `sh`!
+##### Description: Package with rsyslog must be on system
+##### Check Prereq Commands:
+```sh
+if #{package_checker} > /dev/null; then exit 0; else exit 1; fi 
+```
+##### Get Prereq Commands:
+```sh
+sudo #{package_installer}
+```
+



@@ -6,7 +6,7 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 ## Atomic Tests

- [Atomic Test #1 - Disable iptables firewall](#atomic-test-1---disable-iptables-firewall)
+- [Atomic Test #1 - Disable firewall](#atomic-test-1---disable-firewall)

 - [Atomic Test #2 - Disable Microsoft Defender Firewall](#atomic-test-2---disable-microsoft-defender-firewall)

@@ -21,31 +21,32 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 <br/>

-## Atomic Test #1 - Disable iptables firewall
-Disables the iptables firewall
+## Atomic Test #1 - Disable firewall
+Disables the firewall

 **Supported Platforms:** Linux




+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| flavor_command | Command to disable firewall. Default firewalld. ufw (Ubuntu) command = ufw disable | String | systemctl stop firewalld ; systemctl disable firewalld|
+| cleanup_command | Command to enable firewall. Default firewalld. ufw (Ubuntu) command = ufw enable | String | systemctl enable firewalld ; systemctl start firewalld|

-#### Attack Commands: Run with `sh`! 
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


 ```sh
-if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
-then
-  service iptables stop
-  chkconfig off iptables
-  service ip6tables stop
-  chkconfig off ip6tables
-else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
-  systemctl stop firewalld
-  systemctl disable firewalld
-fi
+#{flavor_command}
 ```

+#### Cleanup Commands:
+```sh
+#{cleanup_command}
+```