Generated docs from job=generate-docs branch=master [ci skip]

2024-03-13 18:00:02 +00:00
parent 25e8d49800
commit be9944dba6
11 changed files with 80 additions and 20 deletions
@@ -142,9 +142,10 @@ defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Cle
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear Docker Container Logs,553b39f9-1e8c-47b1-abf5-8daf7b0391e9,bash
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
@@ -47,6 +47,7 @@ defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Cle
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear Docker Container Logs,553b39f9-1e8c-47b1-abf5-8daf7b0391e9,bash
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
@@ -80,9 +80,9 @@ defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe -
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
 defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
@@ -185,9 +185,10 @@
  - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
  - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
  - Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
-  - Atomic Test #10: Prevent Powershell History Logging [windows]
-  - Atomic Test #11: Clear Powershell History by Deleting History File [windows]
-  - Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
+  - Atomic Test #10: Clear Docker Container Logs [linux]
+  - Atomic Test #11: Prevent Powershell History Logging [windows]
+  - Atomic Test #12: Clear Powershell History by Deleting History File [windows]
+  - Atomic Test #13: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -66,6 +66,7 @@
  - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
  - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
  - Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
+  - Atomic Test #10: Clear Docker Container Logs [linux]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #3: Base64 decoding with Python [linux, macos]
  - Atomic Test #4: Base64 decoding with Perl [linux, macos]
@@ -112,9 +112,9 @@
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
-  - Atomic Test #10: Prevent Powershell History Logging [windows]
-  - Atomic Test #11: Clear Powershell History by Deleting History File [windows]
-  - Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
+  - Atomic Test #11: Prevent Powershell History Logging [windows]
+  - Atomic Test #12: Clear Powershell History by Deleting History File [windows]
+  - Atomic Test #13: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -7153,6 +7153,19 @@ defense-evasion:

          '
        name: sh
+    - name: Clear Docker Container Logs
+      auto_generated_guid: 553b39f9-1e8c-47b1-abf5-8daf7b0391e9
+      description: 'Clears Docker container logs using the Docker CLI and the truncate
+        command, removing all log entries.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        command: 'docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
+
+          '
    - name: Prevent Powershell History Logging
      auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
      description: 'Prevents Powershell history
@@ -4175,6 +4175,19 @@ defense-evasion:

          '
        name: sh
+    - name: Clear Docker Container Logs
+      auto_generated_guid: 553b39f9-1e8c-47b1-abf5-8daf7b0391e9
+      description: 'Clears Docker container logs using the Docker CLI and the truncate
+        command, removing all log entries.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        command: 'docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
+
+          '
  T1202:
    technique:
      x_mitre_platforms:
@@ -34,11 +34,13 @@ Adversaries may run the PowerShell command <code>Clear-History</code> to flush t

 - [Atomic Test #9 - Disable Bash History Logging with SSH -T](#atomic-test-9---disable-bash-history-logging-with-ssh--t)

- [Atomic Test #10 - Prevent Powershell History Logging](#atomic-test-10---prevent-powershell-history-logging)
+- [Atomic Test #10 - Clear Docker Container Logs](#atomic-test-10---clear-docker-container-logs)

- [Atomic Test #11 - Clear Powershell History by Deleting History File](#atomic-test-11---clear-powershell-history-by-deleting-history-file)
+- [Atomic Test #11 - Prevent Powershell History Logging](#atomic-test-11---prevent-powershell-history-logging)

- [Atomic Test #12 - Set Custom AddToHistoryHandler to Avoid History File Logging](#atomic-test-12---set-custom-addtohistoryhandler-to-avoid-history-file-logging)
+- [Atomic Test #12 - Clear Powershell History by Deleting History File](#atomic-test-12---clear-powershell-history-by-deleting-history-file)
+
+- [Atomic Test #13 - Set Custom AddToHistoryHandler to Avoid History File Logging](#atomic-test-13---set-custom-addtohistoryhandler-to-avoid-history-file-logging)


 <br/>
@@ -350,7 +352,35 @@ $(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)
 <br/>
 <br/>

-## Atomic Test #10 - Prevent Powershell History Logging
+## Atomic Test #10 - Clear Docker Container Logs
+Clears Docker container logs using the Docker CLI and the truncate command, removing all log entries.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 553b39f9-1e8c-47b1-abf5-8daf7b0391e9
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Prevent Powershell History Logging
 Prevents Powershell history

 **Supported Platforms:** Windows
@@ -382,7 +412,7 @@ Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
 <br/>
 <br/>

-## Atomic Test #11 - Clear Powershell History by Deleting History File
+## Atomic Test #12 - Clear Powershell History by Deleting History File
 Clears Powershell history

 **Supported Platforms:** Windows
@@ -410,7 +440,7 @@ Remove-Item (Get-PSReadlineOption).HistorySavePath
 <br/>
 <br/>

-## Atomic Test #12 - Set Custom AddToHistoryHandler to Avoid History File Logging
+## Atomic Test #13 - Set Custom AddToHistoryHandler to Avoid History File Logging
 The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if 
 the line should be written to the history file. Here we simply return $false so nothing gets added to 
 the history file for the current session.