From b3cf3df9d0d878040ba9100f08ae4a2feb974fc4 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 21 May 2021 19:45:48 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 2 +-
 atomics/Indexes/Indexes-CSV/linux-index.csv | 2 +-
 atomics/Indexes/Indexes-Markdown/index.md | 2 +-
 .../Indexes/Indexes-Markdown/linux-index.md | 2 +-
 atomics/Indexes/index.yaml | 71 +++++++++++++------
 atomics/T1562.001/T1562.001.md | 35 ++++++---
 atomics/T1562.004/T1562.004.md | 29 ++++----
 7 files changed, 94 insertions(+), 49 deletions(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index d296f349..1cf5554e 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -348,7 +348,7 @@ defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HT
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 906a2291..ababea45 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -69,7 +69,7 @@ defense-evasion,T1070.003,Clear Command History,9,Disable Bash History Logging w
 defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
 defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
 defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
-defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 815d45b6..c6241700 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -664,7 +664,7 @@
 - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- - Atomic Test #1: Disable iptables firewall [linux]
+ - Atomic Test #1: Disable firewall [linux]
 - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
 - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
 - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 18f9130e..718a5e3a 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -230,7 +230,7 @@
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- - Atomic Test #1: Disable iptables firewall [linux]
+ - Atomic Test #1: Disable firewall [linux]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
 - Atomic Test #1: Disable syslog [linux]
 - Atomic Test #2: Disable Cb Response [linux]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 107864b9..639466f6 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -29670,26 +29670,29 @@ defense-evasion: - Windows identifier: T1562.004 atomic_tests: - - name: Disable iptables firewall + - name: Disable firewall auto_generated_guid: 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 - description: 'Disables the iptables firewall + description: 'Disables the firewall ' supported_platforms: - linux + input_arguments: + flavor_command: + description: Command to disable firewall. Default firewalld. ufw (Ubuntu) + command = ufw disable + type: String + default: systemctl stop firewalld ; systemctl disable firewalld + cleanup_command: + description: Command to enable firewall. Default firewalld. ufw (Ubuntu) + command = ufw enable + type: String + default: systemctl enable firewalld ; systemctl start firewalld executor: - command: | - if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; - then - service iptables stop - chkconfig off iptables - service ip6tables stop - chkconfig off ip6tables - else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; - systemctl stop firewalld - systemctl disable firewalld - fi + command: "#{flavor_command}\n" + cleanup_command: "#{cleanup_command}\n" name: sh + elevation_required: true - name: Disable Microsoft Defender Firewall auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f description: | 
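Review bot: The new `Disable firewall` test has no `dependencies` block, so the default `systemctl stop firewalld ; systemctl disable firewalld` runs without any check that firewalld exists or is active; on a host that does not use it the test changes no state, and the cleanup default `systemctl enable firewalld ; systemctl start firewalld` then brings up a service that was not running before. The rsyslog test in the next hunk gained a prereq check in this same commit, so this test should mirror it, with the check exposed as an input so ufw hosts can override it the same way they override `flavor_command`. Since index.yaml is generated (per the commit subject), the change presumably belongs in the source atomic YAML for T1562.004 that this index is built from. Proposed addition below, placed after the existing `input_arguments` entries; `get_prereq_command` reuses `cleanup_command` so the ufw override applies to it too.
```yaml
      input_arguments:
        # … unchanged: flavor_command, cleanup_command …
        prereq_check:
          description: Command that exits 0 when the firewall this test disables is active. Default firewalld.
          type: String
          default: systemctl is-active firewalld
      dependency_executor_name: sh
      dependencies:
      - description: 'Firewall service must be active, otherwise the test changes no state and cleanup would start a service that was not running'
        prereq_command: if #{prereq_check} > /dev/null; then exit 0; else exit 1; fi
        get_prereq_command: "#{cleanup_command}\n"
      # … unchanged: executor …
```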
@@ -29831,17 +29834,41 @@ defense-evasion: ' supported_platforms: - linux + input_arguments: + package_checker: + description: Package checking command for linux. Default rpm + type: string + default: rpm -q rsyslog + package_installer: + description: Package installer command for linux. Default yum + type: string + default: yum install -y rsyslog + flavor_command: + description: Command to disable syslog collection. Default newer rsyslog + commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog + type: String + default: systemctl stop rsyslog ; systemctl disable rsyslog + cleanup_command: + description: Command to enable syslog collection. Default newer rsyslog + commands. i.e older command = service rsyslog start ; chkconfig rsyslog + on + type: String + default: systemctl start rsyslog ; systemctl enable rsyslog + dependency_executor_name: sh + dependencies: + - description: 'Package with rsyslog must be on system + +' + prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit + 1; fi + +' + get_prereq_command: "sudo #{package_installer} \n" executor: - command: | - if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; - then - service rsyslog stop - chkconfig off rsyslog - else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; - systemctl stop rsyslog - systemctl disable rsyslog - fi + command: "#{flavor_command}\n" + cleanup_command: "#{cleanup_command}\n" name: sh + elevation_required: true - name: Disable Cb Response auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 description: 'Disable the Cb Response service diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index e43f993f..c3e7e8bc 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md 
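Review bot: `type` is spelled `string` for `package_checker` and `package_installer` but `String` for `flavor_command` and `cleanup_command` within the same `input_arguments` block; the firewall test in the previous hunk uses `String`, so the two new lines should read `type: String` for the generated Inputs table and any schema check to stay consistent. The `get_prereq_command` also hardcodes `sudo` while the test now sets `elevation_required: true` and the attack command relies on that flag alone; if the framework already runs prereqs elevated the `sudo` is redundant, and if it does not then the default `systemctl stop rsyslog` will fail for a non-root runner, so it is worth confirming which applies and aligning the two. In the two `description` texts `i.e older command =` introduces an example rather than a restatement and reads better as `e.g.`. As this index is generated, the edits presumably belong in the source atomic YAML for T1562.001.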
@@ -63,23 +63,40 @@ Disables syslog collection +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| package_checker | Package checking command for linux. Default rpm | string | rpm -q rsyslog| +| package_installer | Package installer command for linux. Default yum | string | yum install -y rsyslog| +| flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | String | systemctl stop rsyslog ; systemctl disable rsyslog| +| cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | String | systemctl start rsyslog ; systemctl enable rsyslog| -#### Attack Commands: Run with `sh`! + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; -then - service rsyslog stop - chkconfig off rsyslog -else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; - systemctl stop rsyslog - systemctl disable rsyslog -fi +#{flavor_command} +``` + +#### Cleanup Commands: +```sh +#{cleanup_command} ``` +#### Dependencies: Run with `sh`! +##### Description: Package with rsyslog must be on system +##### Check Prereq Commands: +```sh +if #{package_checker} > /dev/null; then exit 0; else exit 1; fi +``` +##### Get Prereq Commands: +```sh +sudo #{package_installer} +``` + diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index 2fd352e4..ea17f6a6 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md 
@@ -6,7 +6,7 @@ Modifying or disabling a system firewall may enable adversary C2 communications, ## Atomic Tests -- [Atomic Test #1 - Disable iptables firewall](#atomic-test-1---disable-iptables-firewall) +- [Atomic Test #1 - Disable firewall](#atomic-test-1---disable-firewall) - [Atomic Test #2 - Disable Microsoft Defender Firewall](#atomic-test-2---disable-microsoft-defender-firewall) @@ -21,31 +21,32 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
-## Atomic Test #1 - Disable iptables firewall -Disables the iptables firewall +## Atomic Test #1 - Disable firewall +Disables the firewall **Supported Platforms:** Linux +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| flavor_command | Command to disable firewall. Default firewalld. ufw (Ubuntu) command = ufw disable | String | systemctl stop firewalld ; systemctl disable firewalld| +| cleanup_command | Command to enable firewall. Default firewalld. ufw (Ubuntu) command = ufw enable | String | systemctl enable firewalld ; systemctl start firewalld| -#### Attack Commands: Run with `sh`! + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; -then - service iptables stop - chkconfig off iptables - service ip6tables stop - chkconfig off ip6tables -else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; - systemctl stop firewalld - systemctl disable firewalld -fi +#{flavor_command} ``` +#### Cleanup Commands: +```sh +#{cleanup_command} +```