From b392694779fa7cdac52b575dd0e8b00edbedd642 Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Fri, 3 Apr 2020 09:32:58 -0500
Subject: [PATCH] T1107 description updates, remove duplicate tests (#921)
* random powershell errors :(
* remove tests that are already in T1490 and fit better there
* more fixes
* finish tests
* fix description names
* fixes
* fixes
* fix input arg descriptions
Co-authored-by: Carrie Roberts
---
 atomics/T1107/T1107.yaml | 160 +++++++++++++++++++++++----------------
 1 file changed, 93 insertions(+), 67 deletions(-)
diff --git a/atomics/T1107/T1107.yaml b/atomics/T1107/T1107.yaml
index a499be68..b8ee5210 100644
--- a/atomics/T1107/T1107.yaml
+++ b/atomics/T1107/T1107.yaml
@@ -52,96 +52,111 @@ atomic_tests: - name: Delete a single file - Windows cmd description: | - Delete a single file from the temporary directory using cmd.exe + Delete a single file from the temporary directory using cmd.exe. + Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. supported_platforms: - windows + + input_arguments: + file_to_delete: + description: File to delete. Run the prereq command to create it if it does not exist. + type: string + default: "%temp%\\deleteme_T1107" + + dependency_executor_name: command_prompt + dependencies: + - description: | + The file to delete must exist on disk at specified location (#{file_to_delete}) + prereq_command: | + IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) + get_prereq_command: | + echo deleteme_T1107 >> #{file_to_delete} + executor: name: command_prompt elevation_required: false command: | - echo "T1107" > %temp%\T1107.txt - del /f %temp%\T1107.txt >nul 2>&1 + del /f #{file_to_delete} - name: Delete an entire folder - Windows cmd description: | - Recursively delete the temporary directory and all files contained within it using cmd.exe + Recursively delete a folder in the temporary directory using cmd.exe. + Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. supported_platforms: - windows + + input_arguments: + folder_to_delete: + description: Folder to delete. Run the prereq command to create it if it does not exist. 
+ type: string + default: "%temp%\\deleteme_T1107" + + dependency_executor_name: command_prompt + dependencies: + - description: | + The file to delete must exist on disk at specified location (#{folder_to_delete}) + prereq_command: | + IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) + get_prereq_command: | + mkdir #{folder_to_delete} + executor: name: command_prompt elevation_required: false command: | - mkdir %temp%\T1107 - rmdir /s /q %temp%\T1107 + rmdir /s /q #{folder_to_delete} - name: Delete a single file - Windows PowerShell description: | - Delete a single file from the temporary directory using Powershell + Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. supported_platforms: - windows + input_arguments: + file_to_delete: + description: File to delete. Run the prereq command to create it if it does not exist. + type: string + default: $env:TEMP\deleteme_T1107 + + dependency_executor_name: powershell + dependencies: + - description: | + The file to delete must exist on disk at specified location (#{file_to_delete}) + prereq_command: | + if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Path #{file_to_delete} | Out-Null + executor: name: powershell elevation_required: false command: | - New-Item $env:TEMP\T1107.txt - Remove-Item -path $env:TEMP\T1107.txt + Remove-Item -path #{file_to_delete} - name: Delete an entire folder - Windows PowerShell description: | - Recursively delete the temporary directory and all files contained within it using Powershell + Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. supported_platforms: - windows + input_arguments: + folder_to_delete: + description: Folder to delete. Run the prereq command to create it if it does not exist. 
+ type: string + default: $env:TEMP\deleteme_folder_T1107 + + dependency_executor_name: powershell + dependencies: + - description: | + The folder to delete must exist on disk at specified location (#{folder_to_delete}) + prereq_command: | + if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Path #{folder_to_delete} -Type Directory | Out-Null + executor: name: powershell elevation_required: false command: | - New-Item $env:TEMP\T1107 -ItemType Directory - Remove-Item -path $env:TEMP\T1107 -recurse - -- name: Delete VSS - vssadmin - description: | - Delete all volume shadow copies with vssadmin.exe - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - vssadmin.exe Delete Shadows /All /Quiet - -- name: Delete VSS - wmic - description: | - Delete all volume shadow copies with wmic - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - wmic shadowcopy delete - -- name: bcdedit - description: | - This test leverages `bcdedit` to remove boot-time recovery measures. - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - bcdedit /set {default} bootstatuspolicy ignoreallfailures - bcdedit /set {default} recoveryenabled no - -- name: wbadmin - description: | - This test deletes Windows Backup catalogs. - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - wbadmin delete catalog -quiet + Remove-Item -Path #{folder_to_delete} -Recurse - name: Delete Filesystem - Linux description: | 
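Review bot: The cmd "Delete an entire folder" test defaults `folder_to_delete` to `"%temp%\\deleteme_T1107"`, the exact path the cmd "Delete a single file" test uses for `file_to_delete`, so after the file test's `get_prereq_command` runs, `IF EXIST` passes for the folder test but `rmdir /s /q` is pointed at a file (and `mkdir` fails the other way round); the PowerShell pair already avoids this with `deleteme_folder_T1107`. Suggest `default: "%temp%\\deleteme_folder_T1107"` in that test and correcting its dependency text, which still says "file", to `The folder to delete must exist on disk at specified location (#{folder_to_delete})`. Separately, the prereq checks quote the path (`IF EXIST "#{file_to_delete}"`) while `echo deleteme_T1107 >> #{file_to_delete}`, `del /f #{file_to_delete}`, `mkdir #{folder_to_delete}` and `rmdir /s /q #{folder_to_delete}` do not, so a %temp% containing a space breaks the create/delete steps but not the check; quoting the argument in those four commands fixes it. That quoting is worth having because `rmdir /s /q` recursively deletes whatever the argument names with no containment check, so an overridden `folder_to_delete` is acted on exactly as typed.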
@@ -156,7 +171,8 @@ atomic_tests: - name: Delete-PrefetchFile description: | - Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. + Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count" + before and after the test to verify that the number of prefetch files decreases by 1. supported_platforms: - windows executor: @@ -169,19 +185,29 @@ atomic_tests: description: | Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer - log file format of TeamViewerXX_Logfile.log + log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. + https://twitter.com/SBousseaden/status/1197524463304290305?s=20 supported_platforms: - windows - - macos + + input_arguments: + teamviewer_log_file: + description: Teamviewer log file to delete. Run the prereq command to create it if it does not exist. + type: string + default: $env:TEMP\TeamViewer_54.log + + dependency_executor_name: powershell + dependencies: + - description: | + The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) + prereq_command: | + if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Path #{teamviewer_log_file} | Out-Null + executor: name: powershell elevation_required: false command: | - if ($env:os -eq "Windows_NT") { - New-Item $env:TEMP\TeamViewer_54.log - Remove-Item $env:TEMP\TeamViewer_54.log - } else { - New-Item $env:HOME\TeamViewer_54.log - Remove-Item $env:HOME\TeamViewer_54.log - } + Remove-Item #{teamviewer_log_file}
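Review bot: The verification command added to the Delete-PrefetchFile description is wrapped in double quotes that nest with the double quotes around `$Env:SystemRoot\prefetch\*.pf`, so a reader who copies what sits between the outer quotes gets a string with unbalanced quotes. Quote the command with backticks or single quotes instead, e.g. `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count`, so the inner quotes survive copy-paste. The test's executor block continues outside this hunk.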
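Review bot: The TeamViewer test's new dependency description reads `The folder to delete must exist on disk at specified location (#{teamviewer_log_file})` and its description ends with `Use File Explorer to verify the folder was deleted`, but `teamviewer_log_file` is a file (the prereq creates it with `New-Item -Path #{teamviewer_log_file} | Out-Null` and the executor runs `Remove-Item` without `-Recurse`); both sentences should say "file", e.g. `The log file to delete must exist on disk at specified location (#{teamviewer_log_file})`. The reference URL is appended inside the `description` block scalar immediately after "deleted."; putting it on its own line prefixed with `Reference:` would keep the detection guidance readable and make the source easy to find.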