Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-08-05 17:07:48 +00:00
parent 93b0a73285
commit 7e20a51adb
8 changed files with 748 additions and 102 deletions
@@ -278,13 +278,21 @@ defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HT
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
-defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -71,7 +71,15 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
-defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
+defense-evasion,T1562.004,Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -186,12 +186,12 @@ defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HT
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
@@ -507,13 +507,21 @@
  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
-  - Atomic Test #1: Disable firewall [linux]
-  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
-  - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
-  - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
-  - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
-  - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
-  - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+  - Atomic Test #1: Disable Microsoft Defender Firewall [windows]
+  - Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
+  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
+  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+  - Atomic Test #7: Stop/Start UFW firewall [linux]
+  - Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
+  - Atomic Test #9: Turn off UFW logging [linux]
+  - Atomic Test #10: Add and delete UFW firewall rules [linux]
+  - Atomic Test #11: Edit UFW firewall user.rules file [linux]
+  - Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
+  - Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
+  - Atomic Test #14: Edit UFW firewall main configuration file [linux]
+  - Atomic Test #15: Tail the UFW firewall log file [linux]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #1: Disable syslog [linux]
  - Atomic Test #2: Disable Cb Response [linux]
@@ -193,7 +193,15 @@
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
-  - Atomic Test #1: Disable firewall [linux]
+  - Atomic Test #7: Stop/Start UFW firewall [linux]
+  - Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
+  - Atomic Test #9: Turn off UFW logging [linux]
+  - Atomic Test #10: Add and delete UFW firewall rules [linux]
+  - Atomic Test #11: Edit UFW firewall user.rules file [linux]
+  - Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
+  - Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
+  - Atomic Test #14: Edit UFW firewall main configuration file [linux]
+  - Atomic Test #15: Tail the UFW firewall log file [linux]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #1: Disable syslog [linux]
  - Atomic Test #2: Disable Cb Response [linux]
@@ -361,12 +361,12 @@
  - Atomic Test #3: Impair Windows Audit Log Policy [windows]
  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
-  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
-  - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
-  - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
-  - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
-  - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
-  - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+  - Atomic Test #1: Disable Microsoft Defender Firewall [windows]
+  - Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
+  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
+  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
  - Atomic Test #11: Uninstall Sysmon [windows]
@@ -22709,29 +22709,6 @@ defense-evasion:
      - Windows
      identifier: T1562.004
    atomic_tests:
-    - name: Disable firewall
-      auto_generated_guid: 80f5e701-f7a4-4d06-b140-26c8efd1b6b4
-      description: 'Disables the firewall
-
-'
-      supported_platforms:
-      - linux
-      input_arguments:
-        flavor_command:
-          description: Command to disable firewall. Default firewalld. ufw (Ubuntu)
-            command = ufw disable
-          type: String
-          default: systemctl stop firewalld ; systemctl disable firewalld
-        cleanup_command:
-          description: Command to enable firewall. Default firewalld. ufw (Ubuntu)
-            command = ufw enable
-          type: String
-          default: systemctl enable firewalld ; systemctl start firewalld
-      executor:
-        command: "#{flavor_command}\n"
-        cleanup_command: "#{cleanup_command}\n"
-        name: sh
-        elevation_required: true
    - name: Disable Microsoft Defender Firewall
      auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
      description: |
@@ -22832,6 +22809,249 @@ defense-evasion:
          Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore
        name: powershell
        elevation_required: true
+    - name: Stop/Start UFW firewall
+      auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a
+      description: 'Stop the Uncomplicated Firewall (UFW) if installed.
+
+'
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if ufw is installed on the machine.
+
+'
+        prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
+          ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
+          -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
+          fi \n"
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: 'ufw disable
+
+'
+        cleanup_command: |
+          ufw enable
+          ufw status verbose
+    - name: Stop/Start UFW firewall systemctl
+      auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1
+      description: "Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
+        \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if systemctl and ufw is installed on the machine.
+
+'
+        prereq_command: "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n*****
+          systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v
+          ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1;
+          fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n*****
+          ufw inactive *****\\n\"; exit 1; fi \n"
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: 'systemctl stop ufw
+
+'
+        cleanup_command: |
+          systemctl start ufw
+          systemctl status ufw
+    - name: Turn off UFW logging
+      auto_generated_guid: 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad
+      description: "Turn off the Uncomplicated Firewall (UFW) logging. \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if ufw is installed on the machine and enabled.
+
+'
+        prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
+          ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
+          -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
+          fi \n"
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: 'ufw logging off
+
+'
+        cleanup_command: |
+          ufw logging low
+          ufw status verbose
+    - name: Add and delete UFW firewall rules
+      auto_generated_guid: b2563a4e-c4b8-429c-8d47-d5bcb227ba7a
+      description: "Add and delete a rule on the Uncomplicated Firewall (UFW) if installed
+        and enabled. \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if ufw is installed on the machine and enabled.
+
+'
+        prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
+          ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
+          -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
+          fi \n"
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          ufw prepend deny from 1.2.3.4
+          ufw status numbered
+        cleanup_command: |
+          { echo y; echo response; } | ufw delete 1
+          ufw status numbered
+    - name: Edit UFW firewall user.rules file
+      auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c
+      description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
+
+'
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if /etc/ufw/user.rules exists.
+
+'
+        prereq_command: 'if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n*****
+          ufw NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
+          grep "# THIS IS A COMMENT" /etc/ufw/user.rules
+        cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/ufw/user.rules
+
+'
+    - name: Edit UFW firewall ufw.conf file
+      auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b
+      description: "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf
+        \nwhich controls if the firewall starts on boot and its logging level.\n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if /etc/ufw/ufw.conf exists.
+
+'
+        prereq_command: 'if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw
+          NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
+          grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
+        cleanup_command: |
+          sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
+          cat /etc/ufw/ufw.conf
+    - name: Edit UFW firewall sysctl.conf file
+      auto_generated_guid: c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
+      description: "Edit the Uncomplicated Firewall (UFW) configuration file for setting
+        network \nvariables /etc/ufw/sysctl.conf.\n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if /etc/ufw/sysctl.conf exists.
+
+'
+        prereq_command: 'if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n*****
+          ufw NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
+          grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
+        cleanup_command: |
+          sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
+          cat /etc/ufw/sysctl.conf
+    - name: Edit UFW firewall main configuration file
+      auto_generated_guid: 7b697ece-8270-46b5-bbc7-6b9e27081831
+      description: "Edit the Uncomplicated Firewall (UFW) main configuration file
+        for setting \ndefault policies /etc/default/ufw.\n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if /etc/default/ufw exists.
+
+'
+        prereq_command: 'if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw
+          NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "# THIS IS A COMMENT" >> /etc/default/ufw
+          grep "# THIS IS A COMMENT" /etc/default/ufw
+        cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/default/ufw
+
+'
+    - name: Tail the UFW firewall log file
+      auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27
+      description: "Print  the last 10 lines of the Uncomplicated Firewall (UFW) log
+        file \n/var/log/ufw.log.\n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if /var/log/ufw.log exists.
+
+'
+        prereq_command: 'if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw
+          NOT logging *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: 'tail /var/log/ufw.log
+
+'
+        cleanup_command: ''
  T1562.001:
    technique:
      external_references:
@@ -6,62 +6,40 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 ## Atomic Tests

- [Atomic Test #1 - Disable firewall](#atomic-test-1---disable-firewall)
+- [Atomic Test #1 - Disable Microsoft Defender Firewall](#atomic-test-1---disable-microsoft-defender-firewall)

- [Atomic Test #2 - Disable Microsoft Defender Firewall](#atomic-test-2---disable-microsoft-defender-firewall)
+- [Atomic Test #2 - Disable Microsoft Defender Firewall via Registry](#atomic-test-2---disable-microsoft-defender-firewall-via-registry)

- [Atomic Test #3 - Disable Microsoft Defender Firewall via Registry](#atomic-test-3---disable-microsoft-defender-firewall-via-registry)
+- [Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall)

- [Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-4---allow-smb-and-rdp-on-microsoft-defender-firewall)
+- [Atomic Test #4 - Opening ports for proxy - HARDRAIN](#atomic-test-4---opening-ports-for-proxy---hardrain)

- [Atomic Test #5 - Opening ports for proxy - HARDRAIN](#atomic-test-5---opening-ports-for-proxy---hardrain)
+- [Atomic Test #5 - Open a local port through Windows Firewall to any profile](#atomic-test-5---open-a-local-port-through-windows-firewall-to-any-profile)

- [Atomic Test #6 - Open a local port through Windows Firewall to any profile](#atomic-test-6---open-a-local-port-through-windows-firewall-to-any-profile)
+- [Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-6---allow-executable-through-firewall-located-in-non-standard-location)

- [Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-7---allow-executable-through-firewall-located-in-non-standard-location)
+- [Atomic Test #7 - Stop/Start UFW firewall](#atomic-test-7---stopstart-ufw-firewall)
+
+- [Atomic Test #8 - Stop/Start UFW firewall systemctl](#atomic-test-8---stopstart-ufw-firewall-systemctl)
+
+- [Atomic Test #9 - Turn off UFW logging](#atomic-test-9---turn-off-ufw-logging)
+
+- [Atomic Test #10 - Add and delete UFW firewall rules](#atomic-test-10---add-and-delete-ufw-firewall-rules)
+
+- [Atomic Test #11 - Edit UFW firewall user.rules file](#atomic-test-11---edit-ufw-firewall-userrules-file)
+
+- [Atomic Test #12 - Edit UFW firewall ufw.conf file](#atomic-test-12---edit-ufw-firewall-ufwconf-file)
+
+- [Atomic Test #13 - Edit UFW firewall sysctl.conf file](#atomic-test-13---edit-ufw-firewall-sysctlconf-file)
+
+- [Atomic Test #14 - Edit UFW firewall main configuration file](#atomic-test-14---edit-ufw-firewall-main-configuration-file)
+
+- [Atomic Test #15 - Tail the UFW firewall log file](#atomic-test-15---tail-the-ufw-firewall-log-file)


 <br/>

-## Atomic Test #1 - Disable firewall
-Disables the firewall
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 80f5e701-f7a4-4d06-b140-26c8efd1b6b4
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| flavor_command | Command to disable firewall. Default firewalld. ufw (Ubuntu) command = ufw disable | String | systemctl stop firewalld ; systemctl disable firewalld|
-| cleanup_command | Command to enable firewall. Default firewalld. ufw (Ubuntu) command = ufw enable | String | systemctl enable firewalld ; systemctl start firewalld|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-#{flavor_command}
-```
-
-#### Cleanup Commands:
-```sh
-#{cleanup_command}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Disable Microsoft Defender Firewall
+## Atomic Test #1 - Disable Microsoft Defender Firewall
 Disables the Microsoft Defender Firewall for the current profile.
 Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...

@@ -94,7 +72,7 @@ netsh advfirewall set currentprofile state on >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry
+## Atomic Test #2 - Disable Microsoft Defender Firewall via Registry
 Disables the Microsoft Defender Firewall for the public profile via registry
 Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...

@@ -127,7 +105,7 @@ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Param
 <br/>
 <br/>

-## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall
+## Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall
 Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.
 Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...

@@ -161,7 +139,7 @@ netsh advfirewall reset >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #5 - Opening ports for proxy - HARDRAIN
+## Atomic Test #4 - Opening ports for proxy - HARDRAIN
 This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.

 reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
@@ -195,7 +173,7 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp
 <br/>
 <br/>

-## Atomic Test #6 - Open a local port through Windows Firewall to any profile
+## Atomic Test #5 - Open a local port through Windows Firewall to any profile
 This test will attempt to open a local port defined by input arguments to any profile

 **Supported Platforms:** Windows
@@ -232,7 +210,7 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
 <br/>
 <br/>

-## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location
+## Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location
 This test will attempt to allow an executable through the system firewall located in the Users directory

 **Supported Platforms:** Windows
@@ -268,4 +246,420 @@ Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #7 - Stop/Start UFW firewall
+Stop the Uncomplicated Firewall (UFW) if installed.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** fe135572-edcd-49a2-afe6-1d39521c5a9a
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+ufw disable
+```
+
+#### Cleanup Commands:
+```sh
+ufw enable
+ufw status verbose
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if ufw is installed on the machine.
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Stop/Start UFW firewall systemctl
+Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 9fd99609-1854-4f3c-b47b-97d9a5972bd1
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+systemctl stop ufw
+```
+
+#### Cleanup Commands:
+```sh
+systemctl start ufw
+systemctl status ufw
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if systemctl and ufw is installed on the machine.
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi
+if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Turn off UFW logging
+Turn off the Uncomplicated Firewall (UFW) logging.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+ufw logging off
+```
+
+#### Cleanup Commands:
+```sh
+ufw logging low
+ufw status verbose
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if ufw is installed on the machine and enabled.
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Add and delete UFW firewall rules
+Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** b2563a4e-c4b8-429c-8d47-d5bcb227ba7a
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+ufw prepend deny from 1.2.3.4
+ufw status numbered
+```
+
+#### Cleanup Commands:
+```sh
+{ echo y; echo response; } | ufw delete 1
+ufw status numbered
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if ufw is installed on the machine and enabled.
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Edit UFW firewall user.rules file
+Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** beaf815a-c883-4194-97e9-fdbbb2bbdd7c
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
+grep "# THIS IS A COMMENT" /etc/ufw/user.rules
+```
+
+#### Cleanup Commands:
+```sh
+sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if /etc/ufw/user.rules exists.
+##### Check Prereq Commands:
+```sh
+if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Edit UFW firewall ufw.conf file
+Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf 
+which controls if the firewall starts on boot and its logging level.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** c1d8c4eb-88da-4927-ae97-c7c25893803b
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
+grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
+```
+
+#### Cleanup Commands:
+```sh
+sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
+cat /etc/ufw/ufw.conf
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if /etc/ufw/ufw.conf exists.
+##### Check Prereq Commands:
+```sh
+if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - Edit UFW firewall sysctl.conf file
+Edit the Uncomplicated Firewall (UFW) configuration file for setting network 
+variables /etc/ufw/sysctl.conf.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
+grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
+```
+
+#### Cleanup Commands:
+```sh
+sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
+cat /etc/ufw/sysctl.conf
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if /etc/ufw/sysctl.conf exists.
+##### Check Prereq Commands:
+```sh
+if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Edit UFW firewall main configuration file
+Edit the Uncomplicated Firewall (UFW) main configuration file for setting 
+default policies /etc/default/ufw.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7b697ece-8270-46b5-bbc7-6b9e27081831
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+echo "# THIS IS A COMMENT" >> /etc/default/ufw
+grep "# THIS IS A COMMENT" /etc/default/ufw
+```
+
+#### Cleanup Commands:
+```sh
+sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if /etc/default/ufw exists.
+##### Check Prereq Commands:
+```sh
+if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #15 - Tail the UFW firewall log file
+Print  the last 10 lines of the Uncomplicated Firewall (UFW) log file 
+/var/log/ufw.log.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 419cca0c-fa52-4572-b0d7-bc7c6f388a27
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+tail /var/log/ufw.log
+```
+
+#### Cleanup Commands:
+```sh
+
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if /var/log/ufw.log exists.
+##### Check Prereq Commands:
+```sh
+if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
 <br/>