Merge branch 'master' into master

atomics/Indexes/Indexes-CSV/index.csv

@@ -404,6 +404,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Disable Me
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,45,AWS - GuardDuty Suspension or Deletion,11e65d8d-e7e4-470e-a3ff-82bc56ad938e,bash
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,46,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -89,6 +89,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Suspend Hi
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,46,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -63,6 +63,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable Lit
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,46,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash

atomics/Indexes/Indexes-Markdown/index.md

@@ -551,6 +551,7 @@
   - Atomic Test #43: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
   - Atomic Test #44: AMSI Bypass - Override AMSI via COM [windows]
   - Atomic Test #45: AWS - GuardDuty Suspension or Deletion [iaas:aws]
+  - Atomic Test #46: Tamper with Defender ATP on Linux/MacOS [linux, macos]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -146,6 +146,7 @@
   - Atomic Test #40: Reboot Linux Host via Kernel System Request [linux]
   - Atomic Test #41: Clear Pagging Cache [linux]
   - Atomic Test #42: Disable Memory Swap [linux]
+  - Atomic Test #46: Tamper with Defender ATP on Linux/MacOS [linux, macos]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -129,6 +129,7 @@
   - Atomic Test #7: Disable OpenDNS Umbrella [macos]
   - Atomic Test #8: Disable macOS Gatekeeper [macos]
   - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
+  - Atomic Test #46: Tamper with Defender ATP on Linux/MacOS [linux, macos]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -20998,6 +20998,30 @@ defense-evasion:
           '
         name: bash
         elevation_required: false
+    - name: Tamper with Defender ATP on Linux/MacOS
+      auto_generated_guid: 40074085-dbc8-492b-90a3-11bcfc52fda8
+      description: 'With root privileges, an adversary can disable real time protection.
+        Note, this test assumes Defender is not in passive mode and real-time protection
+        is enabled. The use of a managed.json on Linux or Defender .plist on MacOS
+        will prevent these changes. Tamper protection will also prevent this (available
+        on MacOS, but not Linux at the time of writing). Installation of MDATP is
+        a prerequisite. Installation steps vary across MacOS and Linux distros. See
+        Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide
+        https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        command: 'sudo mdatp config real-time-protection --value disabled
+
+          '
+        cleanup_command: 'sudo mdatp config real-time-protection --value enabled
+
+          '
+        name: sh
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/Indexes/linux-index.yaml

@@ -12726,6 +12726,30 @@ defense-evasion:
           sync
         name: sh
         elevation_required: true
+    - name: Tamper with Defender ATP on Linux/MacOS
+      auto_generated_guid: 40074085-dbc8-492b-90a3-11bcfc52fda8
+      description: 'With root privileges, an adversary can disable real time protection.
+        Note, this test assumes Defender is not in passive mode and real-time protection
+        is enabled. The use of a managed.json on Linux or Defender .plist on MacOS
+        will prevent these changes. Tamper protection will also prevent this (available
+        on MacOS, but not Linux at the time of writing). Installation of MDATP is
+        a prerequisite. Installation steps vary across MacOS and Linux distros. See
+        Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide
+        https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        command: 'sudo mdatp config real-time-protection --value disabled
+
+          '
+        cleanup_command: 'sudo mdatp config real-time-protection --value enabled
+
+          '
+        name: sh
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/Indexes/macos-index.yaml

@@ -11962,6 +11962,30 @@ defense-evasion:
           sudo launchctl load -w #{userdaemon_plist}
         name: sh
         elevation_required: true
+    - name: Tamper with Defender ATP on Linux/MacOS
+      auto_generated_guid: 40074085-dbc8-492b-90a3-11bcfc52fda8
+      description: 'With root privileges, an adversary can disable real time protection.
+        Note, this test assumes Defender is not in passive mode and real-time protection
+        is enabled. The use of a managed.json on Linux or Defender .plist on MacOS
+        will prevent these changes. Tamper protection will also prevent this (available
+        on MacOS, but not Linux at the time of writing). Installation of MDATP is
+        a prerequisite. Installation steps vary across MacOS and Linux distros. See
+        Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide
+        https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        command: 'sudo mdatp config real-time-protection --value disabled
+
+          '
+        cleanup_command: 'sudo mdatp config real-time-protection --value enabled
+
+          '
+        name: sh
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/T1562.001/T1562.001.md

@@ -104,6 +104,8 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar
 
 - [Atomic Test #45 - AWS - GuardDuty Suspension or Deletion](#atomic-test-45---aws---guardduty-suspension-or-deletion)
 
+- [Atomic Test #46 - Tamper with Defender ATP on Linux/MacOS](#atomic-test-46---tamper-with-defender-atp-on-linuxmacos)
+
 
 <br/>
 
@@ -1898,4 +1900,36 @@ echo "Please install the aws-cli and configure your AWS default profile using: a
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #46 - Tamper with Defender ATP on Linux/MacOS
+With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 40074085-dbc8-492b-90a3-11bcfc52fda8
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo mdatp config real-time-protection --value disabled
+```
+
+#### Cleanup Commands:
+```sh
+sudo mdatp config real-time-protection --value enabled
+```
+
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.yaml

@@ -924,3 +924,19 @@ atomic_tests:
       echo "If test successfully ran, no cleanup required."
     name: bash
     elevation_required: false
+- name: Tamper with Defender ATP on Linux/MacOS
+  auto_generated_guid: 40074085-dbc8-492b-90a3-11bcfc52fda8
+  description: |
+    With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
+  supported_platforms:
+  - linux
+  - macos
+  executor:
+    command: |
+      sudo mdatp config real-time-protection --value disabled
+    cleanup_command: |
+      sudo mdatp config real-time-protection --value enabled
+    name: sh
+    elevation_required: true
+  
+  

atomics/used_guids.txt

@@ -1409,3 +1409,4 @@ e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
 d380c318-0b34-45cb-9dad-828c11891e43
 18136e38-0530-49b2-b309-eed173787471
+40074085-dbc8-492b-90a3-11bcfc52fda8