From 96d388114968f47719e341927aa64389cdb1f3dc Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 09:01:22 -0700
Subject: [PATCH 1/7] parameterize T1070.002 tests for optional non-destructive runs
---
atomics/T1070.002/T1070.002.yaml | 195 ++++++++++++++++++++++++++++---
1 file changed, 176 insertions(+), 19 deletions(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 4301a4f3..6dbf67c2 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -8,10 +8,28 @@ atomic_tests:
supported_platforms:
- macos
- linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
+ type: String
+ default: /var/log/sys_T1070.002_1.log
+ macos_audit_path:
+ description: path of audit file to delete
+ type: String
+ default: /var/audit/20220725213300.202208110700021
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
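Review bot: The dependency commands added here (`stat #{macos_audit_path}`, `touch #{syslog_path}`, `touch #{macos_audit_path}`) run through `dependency_executor_name: sh` with no elevation of their own, while the executor that consumes the same paths is `elevation_required: true`; with defaults under /var/log and /var/audit, an unprivileged `touch` (and, if /var/audit is root-only as it usually is on macOS, even the `stat` inside it) is likely to fail, so the prerequisite can never be satisfied unless the whole run is already elevated — confirm how the runner treats dependency commands and either prefix them with `sudo` as the executor does or state in the description that the test must be launched elevated. The same shape repeats in the truncate, cat, find, unlink, shred, srm, osascript, Finder and journal hunks. Separately, `sudo rm -rf #{syslog_path}` passes the value unquoted while the argument's description invites a glob (`/var/log/system.log*`); if globbing is intended say so explicitly, otherwise quote it as `sudo rm -rf "#{syslog_path}"` so a value containing spaces cannot split into extra targets.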
@@ -24,7 +42,6 @@ atomic_tests:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
- sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -33,10 +50,23 @@ atomic_tests:
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo truncate -s 0 /var/log/system.log #size parameter shorthand
- sudo truncate --size=0 /var/log/system.log #size parameter
+ sudo truncate -s 0 #{system_log_path} #size parameter shorthand
+ sudo truncate --size=0 #{system_log_path} #size parameter
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
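Review bot: In the truncate hunk, when `system_log_path` is overridden to a scratch file — the non-destructive case this series is for — `get_prereq_command` creates the file with `touch` but nothing removes it afterwards, because the executor only truncates it. A later commit in this series adds a guarded `cleanup_command` for the `log_path` test, and the same guard fits here: `cleanup_command: |` followed by `if [ "/var/log/system.log" != "#{system_log_path}" ] ; then rm -f #{system_log_path} ; fi`. The cat/dd hunk that follows has the same gap, and there the scratch file is additionally left holding the 5000 null bytes `dd` writes.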
@@ -45,10 +75,23 @@ atomic_tests:
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
- sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+ sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+ sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
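Review bot: `sudo cat /dev/null > #{system_log_path}` applies `sudo` only to `cat`; the `>` redirection is opened by the unprivileged shell running the command, so if the executor is not actually running as root the write to a root-owned log fails with permission denied while the step still appears to have run (the new `dd` line does not have this problem, since `of=` is opened by the elevated process). Whether this bites depends on how the runner honours `elevation_required: true`: if it already executes as root the `sudo` is redundant, and if it does not, `sudo sh -c ': > #{system_log_path}'` or `sudo truncate -s 0 #{system_log_path}` puts the open inside the elevated process. The same pattern appears in `sudo echo '' > #{system_log_path}` in the echo hunk and in `| : > #{system_log_path}` in the real-time hunk. Also note the description above still says the second sub-test uses the cat utility, whereas the new line uses `dd` with a bounded 5000-byte write.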
@@ -57,11 +100,32 @@ atomic_tests:
This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
supported_platforms:
- macos
+ input_arguments:
+ system_log_name1:
+ description: name or prefix of system log to delete.
+ type: String
+ default: system.log
+ system_log_name2:
+ description: name or prefix of system log to delete.
+ type: String
+ default: system.log
+ system_log_name3:
+ description: name or prefix of system log to delete.
+ type: String
+ default: system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
+ get_prereq_command: |
+ touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
executor:
command: |
- sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
- sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
- sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+ sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
+ sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+ sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
@@ -70,9 +134,14 @@ atomic_tests:
This test overwrites the contents of system log file with an empty string using echo utility
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
executor:
command: |
- sudo echo '' > /var/log/system.log
+ sudo echo '' > #{system_log_path}
name: sh
elevation_required: true
- name: Real-time system log clearance/deletion
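Review bot: In the find hunk the patterns `'#{system_log_name1}.*'` (and the double-quoted forms for name2 and name3) require a dot plus at least one more character after the argument value, but `get_prereq_command` creates exactly `/var/log/#{system_log_name1}` with no suffix, so the files the dependency plants are never matched and the three deletions act on whatever else matches; with the default `system.log` that is every rotated `system.log.*` in /var/log, i.e. the destructive behaviour this series sets out to make optional. The later commit changing the name2/name3 defaults to `system.log.97.gz` / `system.log.98.gz` does not close the gap, because `system.log.97.gz.*` still does not match `system.log.97.gz`. Either drop the dot — `-name '#{system_log_name1}*'` — or have the prerequisite create a suffixed file such as `/var/log/#{system_log_name1}.0`, so the pattern, the prereq and the "name or prefix" description agree.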
@@ -81,9 +150,14 @@ atomic_tests:
This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
executor:
command: |
- sudo log -f /var/log/system.log | : > /var/log/system.log
+ sudo log -f /var/log/system.log | : > #{system_log_path}
name: sh
elevation_required: true
- name: Delete system log files via unlink utility
@@ -92,9 +166,22 @@ atomic_tests:
This test deletes the system log file using unlink utility
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo unlink /var/log/system.log
+ sudo unlink #{system_log_path}
name: sh
elevation_required: true
- name: Delete system log files using shred utility
@@ -103,9 +190,22 @@ atomic_tests:
This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo shred -u -z -n 3 /var/log/system.log
+ sudo shred -u -z -n 3 #{system_log_path}
name: sh
elevation_required: true
- name: Delete system log files using srm utility
@@ -116,10 +216,28 @@ atomic_tests:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ input_arguments:
+ system_log_folder:
+ description: path to log parent folder
+ type: String
+ default: /var/log/
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path} #{system_log_folder}
+ get_prereq_command: |
+ mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
executor:
command: |
- sudo srm /var/log/system.log #system log file deletion
- sudo srm -r /var/log/ #recursive deletion of log files
+ sudo srm #{system_log_path} #system log file deletion
+ sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
@@ -128,9 +246,22 @@ atomic_tests:
This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+ osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
name: sh
elevation_required: true
- name: Delete system log files using Applescript
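Review bot: In the srm hunk, `sudo srm -r #{system_log_folder}` with the default `system_log_folder: /var/log/` securely and irreversibly removes every file under the log directory, not just the system log, so a default run stays fully destructive even though this series exists to make that optional; the `mkdir -p #{system_log_folder}` in `get_prereq_command` shows the argument is already meant to be a folder the test can create. Consider defaulting it to a dedicated subdirectory (a maintainer-chosen placeholder such as `/var/log/<test-scratch-dir>/`), adding a `cleanup_command` that removes only that subdirectory, and stating in `system_log_folder`'s description that pointing it at `/var/log/` deletes all system logs. With the default, `touch #{system_log_path} #{system_log_folder}/system.log` also touches the same file twice, which is harmless but hints the two defaults were not chosen together.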
@@ -141,9 +272,22 @@ atomic_tests:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+ osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
name: sh
elevation_required: true
- name: Delete system journal logs via rm and journalctl utilities
@@ -152,9 +296,22 @@ atomic_tests:
The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
supported_platforms:
- linux
+ input_arguments:
+ journal_folder:
+ description: path to journal logs
+ type: String
+ default: /var/log/journal
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{journal_folder}
+ get_prereq_command: |
+ mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
executor:
command: |
- sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+ sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
From a0e412b7029a2277554123047a32b3840d4baf0b Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 09:10:55 -0700
Subject: [PATCH 2/7] fix syntax
---
atomics/T1070.002/T1070.002.yaml | 1 -
1 file changed, 1 deletion(-)
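Review bot: In the journal hunk `sudo rm #{journal_folder}/*` is not recursive, and with the default `/var/log/journal` the entries under it are, on a typical systemd host (confirm), per-machine-id directories rather than files, so `rm` reports an error for each and the only thing it actually removes is the `T1070_002.journal` placeholder that `get_prereq_command` plants directly in the folder; the inline comment `#physically deletes the journal files, and not just their content` and the description at the top of the hunk then overstate what the step does. If the placeholder is now the intended target, say so, e.g. `#removes the placeholder journal created by the prerequisite; real journals live in per-machine-id subdirectories`. The second sub-test still runs because the block scalar does not stop on the first command's failure, which is worth a word in the description too.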
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 6dbf67c2..b6ebdccb 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -221,7 +221,6 @@ atomic_tests:
description: path to system.log
type: String
default: /var/log/system.log
- input_arguments:
system_log_folder:
description: path to log parent folder
type: String
From 2f0b0d79c18d6211b9e91db294b55b0fa091eff1 Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 12:56:50 -0700
Subject: [PATCH 3/7] fix default for system.log in 989cc1b1
---
atomics/T1070.002/T1070.002.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index b6ebdccb..75c07353 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -12,7 +12,7 @@ atomic_tests:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
type: String
- default: /var/log/sys_T1070.002_1.log
+ default: /var/log/system.log
macos_audit_path:
description: path of audit file to delete
type: String
From 211101b31992d8565f3e514d93c4e2e95d5097dc Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 13:16:43 -0700
Subject: [PATCH 4/7] fix elevation required on a couple
---
atomics/T1070.002/T1070.002.yaml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 75c07353..95d4744f 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
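Review bot: In the PATCH 3 hunk the new default `/var/log/system.log` is the macOS live log, while this test also lists linux in its `supported_platforms` and the `syslog_path` description on the line above says the Linux location is `/var/log/syslog*`; on Linux the prerequisite will `touch` a file that does not otherwise exist and the test then deletes that placeholder, which is harmless but does not exercise syslog removal, whereas on macOS a default run deletes the real log. The description should say which platform the default targets and that Linux runs need to pass the argument explicitly, e.g. `description: path of syslog file to delete (default is the macOS system log; on linux pass /var/log/syslog). ...`. The `*` in the description's examples also no longer matches the plain-path default, so either drop the globs from the text or state that a glob is accepted.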
@@ -325,7 +325,16 @@ atomic_tests:
description: Username of mail spool
type: string
default: root
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat /var/spool/mail/#{username}
+ get_prereq_command: |
+ touch /var/spool/mail/#{username}
executor:
+ elevation_required: true
command: |
echo 0> /var/spool/mail/#{username}
name: bash
@@ -344,3 +353,6 @@ atomic_tests:
command: |
echo 0> #{log_path}
name: bash
+ elevation_required: true
+ cleanup_command: |
+ if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
From 40fe1f7cf7af74c6095b1d81706cca77e3772462 Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 13:25:12 -0700
Subject: [PATCH 5/7] change defaults to system_log_name2 and 3
---
atomics/T1070.002/T1070.002.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 95d4744f..2ef60683 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -108,11 +108,11 @@ atomic_tests:
system_log_name2:
description: name or prefix of system log to delete.
type: String
- default: system.log
+ default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
type: String
- default: system.log
+ default: system.log.98.gz
dependency_executor_name: sh
dependencies:
- description: |
From a7cc448291190537dd5e1f0976f714406b74ba5b Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Mon, 5 Jun 2023 20:32:06 -0700
Subject: [PATCH 6/7] arg types lowercase string
---
atomics/T1070.002/T1070.002.yaml | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 2ef60683..ace7be27 100644
--- a/atomics/T1070.002/T1070.002.yaml
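Review bot: In the mail-spool hunk the new `elevation_required: true` is placed inside `executor:` before `command:`, while the second hunk of the same commit and every other executor in the file put it after `name:`; mapping order carries no meaning, but for consistency and easier diffing move it below `name: bash`. In the second hunk the added `cleanup_command` guard compares only against the literal `/var/log/secure`; the `log_path` argument's definition is outside the hunk, so if its default is something else a default run would `rm -f` a genuine log after emptying it — the guard should name whatever the real default is. The mail-spool prerequisite also creates `/var/spool/mail/#{username}` unprivileged while the executor now requires elevation, the same mismatch noted on the first commit.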
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -11,11 +11,11 @@ atomic_tests:
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
- type: String
+ type: string
default: /var/log/system.log
macos_audit_path:
description: path of audit file to delete
- type: String
+ type: string
default: /var/audit/20220725213300.202208110700021
dependency_executor_name: sh
dependencies:
@@ -53,7 +53,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path of system log to delete.
- type: String
+ type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
@@ -78,7 +78,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path of system log to delete.
- type: String
+ type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
@@ -103,15 +103,15 @@ atomic_tests:
input_arguments:
system_log_name1:
description: name or prefix of system log to delete.
- type: String
+ type: string
default: system.log
system_log_name2:
description: name or prefix of system log to delete.
- type: String
+ type: string
default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
- type: String
+ type: string
default: system.log.98.gz
dependency_executor_name: sh
dependencies:
@@ -137,7 +137,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path to system.log
- type: String
+ type: string
default: /var/log/system.log
executor:
command: |
@@ -153,7 +153,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path to system.log
- type: String
+ type: string
default: /var/log/system.log
executor:
command: |
@@ -169,7 +169,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path to system.log
- type: String
+ type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
@@ -193,7 +193,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path to system.log
- type: String
+ type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
@@ -219,11 +219,11 @@ atomic_tests:
input_arguments:
system_log_path:
description: path to system.log
- type: String
+ type: string
default: /var/log/system.log
system_log_folder:
description: path to log parent folder
- type: String
+ type: string
default: /var/log/
dependency_executor_name: sh
dependencies:
@@ -248,7 +248,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path to system.log
- type: String
+ type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
@@ -274,7 +274,7 @@ atomic_tests:
input_arguments:
system_log_path:
description: path to system.log
- type: String
+ type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
@@ -298,7 +298,7 @@ atomic_tests:
input_arguments:
journal_folder:
description: path to journal logs
- type: String
+ type: string
default: /var/log/journal
dependency_executor_name: sh
dependencies:
From 546ed5ea1e4be91e8de1e9f2645071fb1b0a3c30 Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Fri, 9 Jun 2023 13:05:25 -0700
Subject: [PATCH 7/7] backout changes to log -f
---
atomics/T1070.002/T1070.002.yaml | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index ace7be27..c58d7d06 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -150,14 +150,9 @@ atomic_tests:
This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
supported_platforms:
- macos
- input_arguments:
- system_log_path:
- description: path to system.log
- type: string
- default: /var/log/system.log
executor:
command: |
- sudo log -f /var/log/system.log | : > #{system_log_path}
+ sudo log -f /var/log/system.log | : > /var/log/system.log
name: sh
elevation_required: true
- name: Delete system log files via unlink utility
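Review bot: This backout restores the fixed `/var/log/system.log` on both sides of `sudo log -f ... | : > ...`, leaving this the only macOS test in the file without an input argument, and nothing in the file records why; a short note in the test's description, such as `(path intentionally not parameterised: the read and the write must target the same file)`, would stop the next contributor from re-parameterising it. I am inferring that rationale from the removed lines, so confirm it before wording the note. The restored line keeps the unprivileged-redirect caveat raised on the cat/dd hunk.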