From be902d17af74e31b60e3ff7ee7153bd7414bf451 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 23 Mar 2022 22:23:56 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 .../art-navigator-layer-office-365.json | 2 +-
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/linux-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/linux-index.md | 1 +
 atomics/Indexes/index.yaml | 41 ++++++++++++
 atomics/T1562.008/T1562.008.md | 63 +++++++++++++++++++
 7 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
index 4fe1a7d0..cf1385b7 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index f763fb6f..c886cd68 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -355,6 +355,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding wit
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
+defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 307e5c73..0ce693eb 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -98,6 +98,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
+defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
 defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 11060e2d..110093bf 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -580,6 +580,7 @@
 - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
 - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
 - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
+ - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
 - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 458794af..f944eb97 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -217,6 +217,7 @@
 - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
 - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
 - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
+ - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 07e3fc05..b93f6527 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -25171,6 +25171,47 @@ defense-evasion: Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name} name: powershell elevation_required: false + - name: Office 365 - Exchange Audit Log Disabled + auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c + description: | + You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox. + Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline. + https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml + supported_platforms: + - office-365 + input_arguments: + username: + description: office-365 username + type: String + default: + password: + description: office-365 password + type: String + default: + dependency_executor_name: powershell + dependencies: + - description: 'ExchangeOnlineManagement PowerShell module must be installed + +' + prereq_command: | + $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0} + get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \nImport-Module + ExchangeOnlineManagement\n" + executor: + command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-ExchangeOnline -Credential $creds + Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False + cleanup_command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-ExchangeOnline -Credential $creds + Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True + name: powershell + elevation_required: false T1600.002: technique: id: 
attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5 diff --git a/atomics/T1562.008/T1562.008.md b/atomics/T1562.008/T1562.008.md index 57fbeb8c..785f72f9 100644 --- a/atomics/T1562.008/T1562.008.md +++ b/atomics/T1562.008/T1562.008.md @@ -10,6 +10,8 @@ Cloud environments allow for collection and analysis of audit and application lo - [Atomic Test #2 - Azure - Eventhub Deletion](#atomic-test-2---azure---eventhub-deletion) +- [Atomic Test #3 - Office 365 - Exchange Audit Log Disabled](#atomic-test-3---office-365---exchange-audit-log-disabled) +
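Review bot: The description of the added `Office 365 - Exchange Audit Log Disabled` entry says it enables or disables mailbox audit logging for a mailbox, but the executor runs `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False`, which is a tenant-wide unified audit log ingestion setting rather than a per-mailbox one; the same text is repeated in the T1562.008.md section below. Since this index is generated, the wording should be corrected in the source atomic definition the generator reads, e.g. `description: Disables tenant-wide unified audit log ingestion via Set-AdminAuditLogConfig (not per-mailbox audit logging); the cleanup re-enables it.` On the executor and cleanup blocks, the password is interpolated in plain text (`"#{password}" | ConvertTo-SecureString -AsPlainText -Force`), so it can land in PowerShell script block or transcript logs on whatever host runs the test, and neither block ends with `Disconnect-ExchangeOnline`, so the cleanup leaves a second authenticated Exchange Online session open. The linked Sentinel rule's filename suggests it keys on this cmdlet and parameter, so the description could also name the audit event a defender should expect to see, though I have not verified that rule's query here.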
@@ -122,4 +124,65 @@ Install-Module -Name AzureAD -Force +
+
+ +## Atomic Test #3 - Office 365 - Exchange Audit Log Disabled +You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox. +Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline. +https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml + +**Supported Platforms:** Office-365 + + +**auto_generated_guid:** 1ee572f3-056c-4632-a7fc-7e7c42b1543c + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | office-365 username | String | | +| password | office-365 password | String | | + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force +$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd +Connect-ExchangeOnline -Credential $creds +Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False +``` + +#### Cleanup Commands: +```powershell +$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force +$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd +Connect-ExchangeOnline -Credential $creds +Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: ExchangeOnlineManagement PowerShell module must be installed +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name ExchangeOnlineManagement +Import-Module ExchangeOnlineManagement +``` + + + +