Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-05-06 16:23:27 +00:00
parent 1585dccdfa
commit 9c8c2edcd8
4 changed files with 193 additions and 2 deletions
+70
@@ -0,0 +1,70 @@
# T1489 - Service Stop
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1489)
<blockquote>Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Windows - Stop service using Service Controller](#atomic-test-1---windows---stop-service-using-service-controller)
- [Atomic Test #2 - Windows - Stop service using net.exe](#atomic-test-2---windows---stop-service-using-netexe)
- [Atomic Test #3 - Windows - Stop service by killing process](#atomic-test-3---windows---stop-service-by-killing-process)
<br/>
## Atomic Test #1 - Windows - Stop service using Service Controller
Stops a specified service using the sc.exe command.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
#### Run it with `command_prompt`!
```
sc.exe stop #{service_name}
```
<br/>
<br/>
## Atomic Test #2 - Windows - Stop service using net.exe
Stops a specified service using the net.exe command.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
#### Run it with `command_prompt`!
```
net.exe stop #{service_name}
```
<br/>
<br/>
## Atomic Test #3 - Windows - Stop service by killing process
Stops a specified service killng the service's process.
This technique was used by WannaCry.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of a process to kill | String | sqlwriter.exe|
#### Run it with `command_prompt`!
```
taskkill.exe /f /im #{process_name}
```
<br/>
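Review bot: the Atomic Test #3 description in this file reads "killng" for "killing"; since this Markdown is generated from the YAML, the fix belongs in the source atomic rather than here. Two further points on the rendered tests: the heading link still uses the legacy `https://attack.mitre.org/wiki/Technique/T1489` form while the YAML's external reference uses `https://attack.mitre.org/techniques/T1489`, so the doc template should be moved to the `/techniques/` URL; and none of the three tests records how to restore the host afterwards, so a reader who runs them is left with the Print Spooler (or whatever `service_name` is supplied) stopped. Documenting the restart step next to each test (for example `sc.exe start #{service_name}`) would make the page usable as a detection-validation exercise that ends in a known-good state. For Test #3, `sqlwriter.exe` is only present on hosts with SQL Server installed, so a short prerequisite note would avoid a confusing `taskkill` "process not found" error elsewhere.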
+4 -1
@@ -779,7 +779,10 @@
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+115
@@ -20839,6 +20839,121 @@ impact:
- root
- SYSTEM
atomic_tests: []
T1489:
technique:
external_references:
- external_id: T1489
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1489
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
source_name: Talos Olympic Destroyer 2018
description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- url: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
source_name: Novetta Blockbuster
description: 'Novetta Threat Research Group. (2016, February 24). Operation
Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
25, 2016.'
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
source_name: SecureWorks WannaCry Analysis
description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
Analysis. Retrieved March 26, 2019.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_data_sources:
- Process command-line parameters
- Process monitoring
- Windows Registry
- API monitoring
modified: '2019-04-29T13:55:03.017Z'
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
Monitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at <code>HKLM\SYSTEM\CurrentControlSet\Services</code>.
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, <code>ChangeServiceConfigW</code> may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
kill_chain_phases:
- phase_name: impact
kill_chain_name: mitre-attack
x_mitre_impact_type:
- Availability
id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
name: Service Stop
created: '2019-03-29T19:00:55.901Z'
x_mitre_version: '1.0'
type: attack-pattern
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
can inhibit or stop response to an incident or aid in the adversary's overall
objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer
2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by
disabling individual services of high importance to an organization, such
as <code>MSExchangeIS</code>, which will make Exchange content inaccessible
(Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services may not allow for modification of their data stores while running.
Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485)
or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)
on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks
WannaCry Analysis)"
x_mitre_permissions_required:
- Administrator
- SYSTEM
- User
identifier: T1489
atomic_tests:
- name: Windows - Stop service using Service Controller
description: 'Stops a specified service using the sc.exe command.
'
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of a service to stop
type: String
default: spooler
executor:
name: command_prompt
command: 'sc.exe stop #{service_name}
'
- name: Windows - Stop service using net.exe
description: 'Stops a specified service using the net.exe command.
'
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of a service to stop
type: String
default: spooler
executor:
name: command_prompt
command: 'net.exe stop #{service_name}
'
- name: Windows - Stop service by killing process
description: "Stops a specified service killng the service's process. \nThis
technique was used by WannaCry.\n"
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of a process to kill
type: String
default: sqlwriter.exe
executor:
name: command_prompt
command: 'taskkill.exe /f /im #{process_name}
'
initial-access:
'':
technique:
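Review bot: the "killng" typo is in the third test's `description` in this hunk (`Stops a specified service killng the service's process.`), and this YAML is what the Markdown is generated from, so correct it here. Beyond that, each `executor` carries only a `command`; if the schema version in use supports a `cleanup_command`, adding `sc.exe start #{service_name}` to the first two tests (and an equivalent restart of the service behind `process_name` in the third) would let the runner return the host to its prior state. Worth noting for anyone using these atomics to validate coverage: the `x_mitre_data_sources` and `x_mitre_detection` entries in the same hunk name process command-line monitoring as the primary telemetry, and all three executors run through `command_prompt` with distinctive argument strings (`sc.exe stop`, `net.exe stop`, `taskkill.exe /f /im`), so the tests line up directly with that detection guidance.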
+4 -1
@@ -553,7 +553,10 @@
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)