Merge pull request #2369 from iai-rsa/T1562.004

update T1562.004 with more commands
Jose Enrique Hernandez
2023-06-01 21:15:13 -04:00
committed by GitHub
+46
@@ -297,6 +297,52 @@ atomic_tests:
command: |
tail /var/log/ufw.log
cleanup_command: |
- name: Disable iptables
description: |
Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables
rules, which in fact "disable" iptables.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if iptables is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
iptables-save > /tmp/iptables.rules
iptables -F
cleanup_command: |
iptables-restore < /tmp/iptables.rules
- name: Modify/delete iptables firewall rules
description: |
Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp.
By doing so, they may cause less noise to avoid detection.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if iptables is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
iptables-save > /tmp/iptables.rules
iptables -D OUTPUT -p tcp --dport 21 -j DROP
cleanup_command: |
iptables-restore < /tmp/iptables.rules
- name: LockBit Black - Unusual Windows firewall registry modification -cmd
auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
description: |
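Review bot: in the second new test ("Modify/delete iptables firewall rules") the get_prereq_command is a no-op (`echo ""`), so it never satisfies its own prereq_command, which exits 1 unless an OUTPUT DROP rule for dpt:ftp is present and tells the user to add it by hand; since the prereq message already names the exact rule, get_prereq_command should run `iptables -A OUTPUT -p tcp --dport 21 -j DROP` so that `-GetPrereqs` works unattended (the `iptables-save` taken just before the test then captures that rule and cleanup_command restores the pre-test state). Two smaller points on the same hunk: `iptables -F` in the "Disable iptables" executor flushes only the filter table's rules and leaves chain policies and the nat/mangle tables untouched, so on a host whose INPUT policy is DROP it strips the ACCEPT rules and can cut off the session running the test before cleanup_command gets a chance to run; the description should state that caveat, and saving the ruleset to a fixed, predictable `/tmp/iptables.rules` while elevated is worth replacing with `mktemp`. Finally, both prereq_commands use `echo -e` under the `sh` executor; on dash (`/bin/sh` on Debian and Ubuntu) that prints a literal `-e`, and `printf` avoids the problem.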