From bd2d2ae1edbbed4fa5906ae37acdc9547232b791 Mon Sep 17 00:00:00 2001
From: tccontre <26181693+tccontre@users.noreply.github.com>
Date: Thu, 16 Feb 2023 11:09:44 +0100
Subject: [PATCH 1/4] Update T1562.001.yaml
---
 atomics/T1562.001/T1562.001.yaml | 65 ++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 9d1bd5b7..7a49722f 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -793,3 +793,68 @@ atomic_tests:
 schtasks /create /xml "%temp%\Windows_Defender_Cache_Maintenance.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
 name: command_prompt
 elevation_required: true
+- name: Clear History
+ auto_generated_guid: 23b88394-091b-4968-a42d-fb8076992443
+ description: |
+ Clear Shell History
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ history -c
+ name: sh
+ elevation_required: true
+- name: Suspend History
+ auto_generated_guid: 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4
+ description: |
+ suspend Shell History seen in Awfulshred wiper- https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ set +o history
+ cleanup_command: |
+ set -o history
+ name: sh
+ elevation_required: true
+- name: Reboot Linux Host via Kernel System Request
+ auto_generated_guid: 6d6d3154-1a52-4d1a-9d51-92ab8148b32e
+ description: |
+ reboot system via system request seen in Awfulshred wiper.
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ echo 1> /proc/sys/kernel/sysrq
+ echo b> /proc/sysrq-trigger
+ name: sh
+ elevation_required: true
+- name: Clear Pagging Cache
+ auto_generated_guid: f790927b-ea85-4a16-b7b2-7eb44176a510
+ description: |
+ clear pagging cache via system request. seen in Awfulshred wiper.
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ echo 3> /proc/sys/vm/drop_caches
+ name: sh
+ elevation_required: true
+- name: Disable Swapping of Paging Device
+ auto_generated_guid: e74e4c63-6fde-4ad2-9ee8-21c3a1733114
+ description: |
+ disable swaaping of device paging. seen in Awfulshred wiper.
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ swapon -a
+ sleep 2
+ swapoff -a
+ sync
+ cleanup_command: |
+ swapon -a
+ sleep 2
+ sync
+ name: sh
+ elevation_required: true
From fea0d547dee7d035c99f14956d878f792e77e513 Mon Sep 17 00:00:00 2001
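Review bot: In the `Reboot Linux Host via Kernel System Request` and `Clear Pagging Cache` command blocks, `echo 1> /proc/sys/kernel/sysrq` and `echo 3> /proc/sys/vm/drop_caches` are parsed by sh as file-descriptor redirections (`1>` and `3>`), so the digit is never written to the file and echo only emits an empty line; each needs the space, `echo 1 > /proc/sys/kernel/sysrq` and `echo 3 > /proc/sys/vm/drop_caches`. The reboot test has no cleanup_command and its `description` does not state that the host reboots immediately and the executor never returns, which a runner chaining several atomics needs to know; a sentence such as `WARNING: this reboots the host without syncing; run only on a disposable test machine.` belongs in the description. `history -c`, `set +o history` and `set -o history` are bash built-ins but run under the `sh` executor, so on hosts where sh is dash they presumably error out instead of clearing or suspending history — the descriptions should say the tests assume bash, or the executor should be `bash`. The unspaced `3>` line survives next to the corrected `free && echo 3 > ... && free` line in PATCH 3/4.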
From: tccontre <26181693+tccontre@users.noreply.github.com>
Date: Wed, 22 Feb 2023 09:30:20 +0100
Subject: [PATCH 2/4] Update T1562.001.yaml
---
 atomics/T1562.001/T1562.001.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 7a49722f..0d144ae2 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -796,7 +796,7 @@ atomic_tests:
 - name: Clear History
 auto_generated_guid: 23b88394-091b-4968-a42d-fb8076992443
 description: |
- Clear Shell History
+ Clear Shell History. This technique only affect the bash shell application.
 supported_platforms:
 - linux
 executor:
From 7663ee597af383f7795979577f9c6117b0baad1a Mon Sep 17 00:00:00 2001
From: tccontre <26181693+tccontre@users.noreply.github.com>
Date: Wed, 22 Feb 2023 09:47:10 +0100
Subject: [PATCH 3/4] Update T1562.001.yaml
---
 atomics/T1562.001/T1562.001.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 0d144ae2..7ce1ced2 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -832,18 +832,21 @@ atomic_tests:
 - name: Clear Pagging Cache
 auto_generated_guid: f790927b-ea85-4a16-b7b2-7eb44176a510
 description: |
- clear pagging cache via system request. seen in Awfulshred wiper.
+ clear pagging cache via system request. This is a temporary change in the system to clear paging cache. This technique seen in Awfulshred wiper as part
+ of its malicious payload on the compromised host. added reference link for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
 supported_platforms:
 - linux
 executor:
 command: |
+ free && echo 3 > /proc/sys/vm/drop_caches && free
 echo 3> /proc/sys/vm/drop_caches
 name: sh
 elevation_required: true
-- name: Disable Swapping of Paging Device
+- name: Disable Memory Swap
 auto_generated_guid: e74e4c63-6fde-4ad2-9ee8-21c3a1733114
 description: |
- disable swaaping of device paging. seen in Awfulshred wiper.
+ disable swapping of device paging that impaire the compromised host to swap data if the RAM. Awfulshred wiper used this technique as an additional
+ payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of linux.
 supported_platforms:
 - linux
 executor:
From d80db05f43263b70b3074e444a5301501cdff455 Mon Sep 17 00:00:00 2001
From: tccontre <26181693+tccontre@users.noreply.github.com>
Date: Wed, 22 Feb 2023 17:10:05 +0100
Subject: [PATCH 4/4] Update T1562.001.yaml
---
 atomics/T1562.001/T1562.001.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 7ce1ced2..c8b9d72e 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
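Review bot: The new `free && echo 3 > /proc/sys/vm/drop_caches && free` line is inserted above the original `echo 3> /proc/sys/vm/drop_caches` instead of replacing it, so the `Clear Pagging Cache` command block now carries two drop_caches lines, the second being the unspaced form already flagged on PATCH 1/4; delete the old line so the test performs exactly the one action its description documents. The rewritten `description` blocks read as a changelog rather than test documentation — `added reference link for this technique:` belongs in the commit message, and `pagging`, `impaire` and the truncated `if the RAM` (only completed in PATCH 4/4) should be fixed in this patch. A shorter form such as `Clears the page cache by writing 3 to /proc/sys/vm/drop_caches; the change is temporary. Seen in the Awfulshred wiper. Reference: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/` keeps the reference without the note-to-self. Since `name` is what a runner prints, the sibling test's name should become `Clear Paging Cache` in the same rename pass that produced `Disable Memory Swap`.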
@@ -845,7 +845,7 @@ atomic_tests:
 - name: Disable Memory Swap
 auto_generated_guid: e74e4c63-6fde-4ad2-9ee8-21c3a1733114
 description: |
- disable swapping of device paging that impaire the compromised host to swap data if the RAM. Awfulshred wiper used this technique as an additional
+ disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional
 payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of linux.
 supported_platforms:
 - linux