From 988f97eb63c76c6cb3dc6b712d0912ce3698c2bd Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 10 May 2019 19:35:24 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1490/T1490.md | 76 +++++++++++++++++++++++++++ atomics/index.md | 6 ++- atomics/index.yaml | 107 +++++++++++++++++++++++++++++++++++++++ atomics/linux-index.md | 2 +- atomics/macos-index.md | 2 +- atomics/windows-index.md | 6 ++- 6 files changed, 195 insertions(+), 4 deletions(-) create mode 100644 atomics/T1490/T1490.md diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md new file mode 100644 index 00000000..6bec9449 --- /dev/null +++ b/atomics/T1490/T1490.md @@ -0,0 +1,76 @@ +# T1490 - Inhibit System Recovery +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1490) +
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) + +A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: + +* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet +* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete +* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet +* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
+ +## Atomic Tests + +- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies) + +- [Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI](#atomic-test-2---windows---delete-volume-shadow-copies-via-wmi) + +- [Atomic Test #3 - Windows - Delete Windows Backup Catalog](#atomic-test-3---windows---delete-windows-backup-catalog) + +- [Atomic Test #4 - Windows - Disable Windows Recovery Console Repair](#atomic-test-4---windows---disable-windows-recovery-console-repair) + + +
+ +## Atomic Test #1 - Windows - Delete Volume Shadow Copies +Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. + +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +vssadmin.exe delete shadows /all /quiet +``` +
+
+ +## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI +Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. + +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +wmic.exe shadowcopy delete +``` +
+
+ +## Atomic Test #3 - Windows - Delete Windows Backup Catalog +Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. + +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +wbadmin.exe delete catalog -quiet +``` +
+
+ +## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair +Disables repair by the Windows Recovery Console on boot. +This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. + +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures +bcdedit.exe /set {default} recoveryenabled no +``` +
diff --git a/atomics/index.md b/atomics/index.md index ff87f748..a65de4ed 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -782,7 +782,11 @@ - T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1490 Inhibit System Recovery](./T1490/T1490.md) + - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] + - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows] + - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] + - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/index.yaml b/atomics/index.yaml index 7e6b3f66..f2661823 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -20990,6 +20990,113 @@ impact: - root - SYSTEM atomic_tests: [] + T1490: + technique: + external_references: + - external_id: T1490 + source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1490 + - url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html + source_name: Talos Olympic Destroyer 2018 + description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer + Takes Aim At Winter Olympics. Retrieved March 14, 2019. + - url: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html + source_name: FireEye WannaCry 2017 + description: Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry + Malware Profile. Retrieved March 15, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_contributors: + - Yonatan Gotlib, Deep Instinct + x_mitre_data_sources: + - Windows Registry + - Services + - Windows event logs + - Process command-line parameters + - Process monitoring + modified: '2019-04-29T13:52:06.387Z' + x_mitre_detection: |- + Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity. + + Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage). 
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + x_mitre_platforms: + - Windows + - macOS + - Linux + kill_chain_phases: + - phase_name: impact + kill_chain_name: mitre-attack + x_mitre_impact_type: + - Availability + id: attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a + name: Inhibit System Recovery + created: '2019-04-02T13:54:43.136Z' + x_mitre_version: '1.0' + type: attack-pattern + description: |- + Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) + + A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: + + * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet + * [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete + * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet + * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no + x_mitre_permissions_required: + - Administrator + - root + - SYSTEM + - User + identifier: T1490 + atomic_tests: + - name: Windows - Delete Volume Shadow Copies + 
description: 'Deletes Windows Volume Shadow Copies. This technique is used by + numerous ransomware families and APT malware such as Olympic Destroyer. + +' + supported_platforms: + - windows + executor: + name: command_prompt + command: 'vssadmin.exe delete shadows /all /quiet + +' + - name: Windows - Delete Volume Shadow Copies via WMI + description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is + used by numerous ransomware families and APT malware such as Olympic Destroyer. + +' + supported_platforms: + - windows + executor: + name: command_prompt + command: 'wmic.exe shadowcopy delete + +' + - name: Windows - Delete Windows Backup Catalog + description: 'Deletes Windows Backup Catalog. This technique is used by numerous + ransomware families and APT malware such as Olympic Destroyer. + +' + supported_platforms: + - windows + executor: + name: command_prompt + command: 'wbadmin.exe delete catalog -quiet + +' + - name: Windows - Disable Windows Recovery Console Repair + description: "Disables repair by the Windows Recovery Console on boot. \nThis + technique is used by numerous ransomware families and APT malware such as + Olympic Destroyer.\n" + supported_platforms: + - windows + executor: + name: command_prompt + command: | + bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures + bcdedit.exe /set {default} recoveryenabled no T1489: technique: external_references: diff --git a/atomics/linux-index.md b/atomics/linux-index.md index b63b52c9..ef207935 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md 
@@ -271,7 +271,7 @@ - T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1490 Inhibit System Recovery](./T1490/T1490.md) - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 13e67e06..970d5dd6 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -309,7 +309,7 @@ - T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1490 Inhibit System Recovery](./T1490/T1490.md) - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index a727d0d2..c54a9d1c 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -555,7 +555,11 @@ - T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1490 Inhibit System Recovery](./T1490/T1490.md) + - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] + - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows] + - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] + - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
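Review bot: In the new atomics/T1490/T1490.md hunk, the Atomic Test #4 heading and description refer to the "Windows Recovery Console", but the two bcdedit commands (`bootstatuspolicy ignoreallfailures`, `recoveryenabled no`) modify boot configuration data for automatic startup repair, which the ATT&CK description at the top of the same file calls "automatic Windows recovery features"; rename the test accordingly so readers are not pointed at a component the commands do not touch. The same hunk documents no cleanup or revert step for any of the four tests, although deleting shadow copies or the backup catalog cannot be undone and the bcdedit changes persist across reboots; at minimum each description should say so, and Test #4 could document the inverse settings (`bcdedit.exe /set {default} recoveryenabled yes` and `bcdedit.exe /set {default} bootstatuspolicy displayallfailures`) so a lab host can be restored after the test. Also, vssadmin, wmic shadowcopy, wbadmin and bcdedit all need an elevated prompt (the technique metadata lists Administrator and SYSTEM), yet neither the descriptions nor the executor blocks state the elevation requirement.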
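Review bot: In the atomics/index.yaml hunk, the fourth test's description is emitted as a double-quoted scalar containing "on boot. \n" (a trailing space before the line break) while the other three descriptions are single-quoted with a blank line, which indicates trailing whitespace on that line in the source T1490.yaml; strip it so the generated YAML, and the two-line rendering of that description in T1490.md, match the other tests. The hunk also shows x_mitre_platforms as Windows, macOS and Linux while every atomic test is `supported_platforms: - windows`; that is accurate for the tests as written, but the generator should derive per-platform index links from each test's supported_platforms, not from the technique's x_mitre_platforms.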
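Review bot: In the atomics/linux-index.md and atomics/macos-index.md hunks, the T1490 entry is changed from the CONTRIBUTE A TEST link to a link to ./T1490/T1490.md, but no Linux or macOS test sub-entries are listed under it, whereas the index.md and windows-index.md hunks list all four Windows tests. A platform-specific index should keep the CONTRIBUTE A TEST link when the technique has zero tests for that platform, otherwise readers of the Linux and macOS indexes are sent to a page with nothing applicable to them; the generator appears to be keying these links on the technique's x_mitre_platforms rather than on the tests' supported_platforms.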