update T1562.004 with more commands

This commit is contained in:
hg8064
2023-03-16 17:49:53 +01:00
parent 159dda49d8
commit 9cbcd8977c
+48
@@ -297,6 +297,54 @@ atomic_tests:
command: |
tail /var/log/ufw.log
cleanup_command: |
- name: "Disable" iptables
auto_generated_guid:
description: |
Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables
rules, which in fact "disable" iptables.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if iptables is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
iptables-save > /tmp/iptables.rules
iptables -F
cleanup_command: |
iptables-restore < /tmp/iptables.rules
- name: Modify/delete iptables firewall rules
auto_generated_guid:
description: |
Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp.
By doing so, they may cause less noise to avoid detection.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if iptables is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
iptables-save > /tmp/iptables.rules
iptables -D OUTPUT -p tcp --dport 21 -j DROP
cleanup_command: |
iptables-restore < /tmp/iptables.rules
- name: LockBit Black - Unusual Windows firewall registry modification -cmd
auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
description: |
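Review bot: The first added test's name, `- name: "Disable" iptables`, is not valid YAML: a double-quoted scalar cannot be followed by further plain text, so a loader will reject the whole technique file rather than just this test. Either drop the quotes (`- name: Disable iptables`) or quote the complete value (`- name: '"Disable" iptables'`). Both new tests also leave `auto_generated_guid:` empty, which parses as null; if the repository's automation fills that field in after merge this is fine, otherwise a GUID must be supplied. Separately, both new prereq_command blocks run under `sh` and use `echo -e`, which on a dash-based /bin/sh prints a literal `-e` instead of interpreting `\n`; `printf '\n***** iptables NOT installed *****\n\n'` gives the same output on every sh.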