security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2026-03-13 11:19:52 +00:00
parent 7b3bc23307
commit 7a0e342323
12 changed files with 191 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
+1 -1
View File
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":7,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- AWS - Config Logs Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/iaas-index.csv
+1
View File
@@ -8,6 +8,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Logs Disabled,4608bc1b-e682-466b-a7d7-dbd76760db31,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
8 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
9 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
10 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 10 GCP - Delete Activity Event Log d56152ec-01d9-42a2-877c-aac1f6ebe8e6 sh
11 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 11 AWS - Config Logs Disabled 4608bc1b-e682-466b-a7d7-dbd76760db31 sh
12 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 1 AWS - Create Snapshot from EBS Volume a3c09662-85bb-4ea8-b15b-6dc8a844e236 sh
13 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 2 Azure - Create Snapshot from Managed Disk 89e69b4b-3458-4ec6-b819-b3008debc1bc sh
14 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 3 GCP - Create Snapshot from Persistent Disk e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d sh
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -603,6 +603,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Logs Disabled,4608bc1b-e682-466b-a7d7-dbd76760db31,sh
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
603 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
604 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 Office 365 - Set Audit Bypass For a Mailbox c9a2f6fe-7197-488c-af6d-10c782121ca6 powershell
605 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 10 GCP - Delete Activity Event Log d56152ec-01d9-42a2-877c-aac1f6ebe8e6 sh
606 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 11 AWS - Config Logs Disabled 4608bc1b-e682-466b-a7d7-dbd76760db31 sh
607 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
608 defense-evasion T1564.003 Hide Artifacts: Hidden Window 2 Headless Browser Accessing Mockbin 0ad9ab92-c48c-4f08-9b20-9633277c4646 command_prompt
609 defense-evasion T1564.003 Hide Artifacts: Hidden Window 3 Hidden Window-Conhost Execution 5510d22f-2595-4911-8456-4d630c978616 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -770,6 +770,7 @@
- Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
- Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
- Atomic Test #11: AWS - Config Logs Disabled [iaas:aws]
- [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- Atomic Test #2: Headless Browser Accessing Mockbin [windows]
atomics/Indexes/iaas_aws-index.yaml
+59
View File
@@ -11173,6 +11173,65 @@ defense-evasion:
cleanup_command:
name: sh
elevation_required: false
- name: AWS - Config Logs Disabled
auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
description: 'Disables AWS Config by stopping the configuration recorder, deleting
the delivery channel, and deleting the configuration recorder. An attacker
with sufficient permissions can use this to stop configuration change recording
and avoid detection of subsequent activity.
'
supported_platforms:
- iaas:aws
input_arguments:
configuration_recorder_name:
description: Name of the configuration recorder
type: string
default: redatomictestconfigurationrecorder
delivery_channel_name:
description: Name of the delivery channel
type: string
default: redatomictestdeliverychannel
region:
description: Name of the region
type: string
default: us-west-2
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
default profile using: aws configure
'
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform and configure your AWS
default profile
'
executor:
command: |
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
cleanup_command: aws configservice list-configuration-recorders --region us-west-2
description: 'List recorders, to confirm there are none. Confirming previous
configuration recorder was stopped and deleted.
'
name: sh
elevation_required: false
T1564.003:
technique:
type: attack-pattern
atomics/Indexes/index.yaml
+59
View File
@@ -27124,6 +27124,65 @@ defense-evasion:
get_prereq_command: 'gcloud auth login --no-launch-browser
'
- name: AWS - Config Logs Disabled
auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
description: 'Disables AWS Config by stopping the configuration recorder, deleting
the delivery channel, and deleting the configuration recorder. An attacker
with sufficient permissions can use this to stop configuration change recording
and avoid detection of subsequent activity.
'
supported_platforms:
- iaas:aws
input_arguments:
configuration_recorder_name:
description: Name of the configuration recorder
type: string
default: redatomictestconfigurationrecorder
delivery_channel_name:
description: Name of the delivery channel
type: string
default: redatomictestdeliverychannel
region:
description: Name of the region
type: string
default: us-west-2
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
default profile using: aws configure
'
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform and configure your AWS
default profile
'
executor:
command: |
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
cleanup_command: aws configservice list-configuration-recorders --region us-west-2
description: 'List recorders, to confirm there are none. Confirming previous
configuration recorder was stopped and deleted.
'
name: sh
elevation_required: false
T1564.003:
technique:
type: attack-pattern
atomics/T1562.008/T1562.008.md
+64
View File
@@ -20,6 +20,7 @@
- [Atomic Test #8: AWS CloudWatch Log Stream Deletes](#atomic-test-8-aws-cloudwatch-log-stream-deletes)
- [Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox](#atomic-test-9-office-365---set-audit-bypass-for-a-mailbox)
- [Atomic Test #10: GCP - Delete Activity Event Log](#atomic-test-10-gcp---delete-activity-event-log)
- [Atomic Test #11: AWS - Config Logs Disabled](#atomic-test-11-aws---config-logs-disabled)
### Atomic Test #1: AWS - CloudTrail Changes
@@ -667,3 +668,66 @@ gcloud config get-value account
gcloud auth login --no-launch-browser
```
### Atomic Test #11: AWS - Config Logs Disabled
Disables AWS Config by stopping the configuration recorder, deleting the delivery channel, and deleting the configuration recorder. An attacker with sufficient permissions can use this to stop configuration change recording and avoid detection of subsequent activity.
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** `4608bc1b-e682-466b-a7d7-dbd76760db31`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| configuration_recorder_name | Name of the configuration recorder | string | redatomictestconfigurationrecorder|
| delivery_channel_name | Name of the delivery channel | string | redatomictestdeliverychannel|
| region | Name of the region | string | us-west-2|
#### Attack Commands: Run with `sh`!
```sh
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
```
#### Cleanup Commands
```sh
aws configservice list-configuration-recorders --region us-west-2
```
#### Dependencies: Run with `sh`!
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS default profile using: aws configure
```
##### Description: Check if terraform is installed.
###### Check Prereq Commands
```sh
terraform version
```
###### Get Prereq Commands
```sh
echo Please install terraform and configure your AWS default profile
```
atomics/T1562.008/T1562.008.yaml
+1
View File
@@ -478,6 +478,7 @@ atomic_tests:
get_prereq_command: |
gcloud auth login --no-launch-browser
- name: AWS - Config Logs Disabled
auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
description: |
Disables AWS Config by stopping the configuration recorder, deleting the delivery channel, and deleting the configuration recorder. An attacker with sufficient permissions can use this to stop configuration change recording and avoid detection of subsequent activity.
supported_platforms:
atomics/used_guids.txt
+1
View File
@@ -1797,3 +1797,4 @@ a58c066d-f2f0-42a2-ab70-30af73f89e66
6e78084a-a433-4702-a838-cc7b765d87e8
f57cb283-c131-4e2f-8a6c-363d575748b2
c7be89f7-5d06-4321-9f90-8676a77e0502
4608bc1b-e682-466b-a7d7-dbd76760db31