From 9cbcd8977c460201188b852055ec9acbdb591233 Mon Sep 17 00:00:00 2001 From: hg8064 Date: Thu, 16 Mar 2023 17:49:53 +0100 Subject: [PATCH 1/4] update T1562.004 with more commands
---
 atomics/T1562.004/T1562.004.yaml | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 19e3ee35..896104ba 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -297,6 +297,54 @@ atomic_tests:
 command: |
 tail /var/log/ufw.log
 cleanup_command: |
+- name: "Disable" iptables
+ auto_generated_guid:
+ description: |
+ Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
+ Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables
+ rules, which in fact "disable" iptables.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if iptables is installed on the machine.
+ prereq_command: |
+ if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
+ get_prereq_command: |
+ echo ""
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ iptables-save > /tmp/iptables.rules
+ iptables -F
+ cleanup_command: |
+ iptables-restore < /tmp/iptables.rules
+- name: Modify/delete iptables firewall rules
+ auto_generated_guid:
+ description: |
+ Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp.
+ By doing so, they may cause less noise to avoid detection.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if iptables is installed on the machine.
+ prereq_command: |
+ if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
+ if !
echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
+ get_prereq_command: |
+ echo ""
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ iptables-save > /tmp/iptables.rules
+ iptables -D OUTPUT -p tcp --dport 21 -j DROP
+ cleanup_command: |
+ iptables-restore < /tmp/iptables.rules
 - name: LockBit Black - Unusual Windows firewall registry modification -cmd
 auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
 description: |
From 26c4c7e2d4a37e44783f8c0f4960b366511a3a28 Mon Sep 17 00:00:00 2001 From: hg8064 Date: Thu, 13 Apr 2023 17:19:57 +0200 Subject: [PATCH 2/4] remove double quotes in test name to avoid invalid YAML
---
 atomics/T1562.004/T1562.004.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 896104ba..6631e880 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -297,7 +297,7 @@ atomic_tests:
 command: |
 tail /var/log/ufw.log
 cleanup_command: |
-- name: "Disable" iptables
+- name: Disable iptables
 auto_generated_guid:
 description: |
 Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
From be7294e5bcdde33ab1a681dae83a0937e035e3b9 Mon Sep 17 00:00:00 2001 From: Jose Enrique Hernandez Date: Thu, 1 Jun 2023 21:06:22 -0400 Subject: [PATCH 3/4] removed extra guid field
---
 atomics/T1562.004/T1562.004.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 6631e880..c600b080 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
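Review bot: In the `command:` block of the new `Disable iptables` test (PATCH 1/4 hunk), `iptables -F` runs even when the preceding `iptables-save > /tmp/iptables.rules` fails, so the ruleset can be flushed with no backup and `cleanup_command` then has nothing to restore; the `Modify/delete iptables firewall rules` test in the same hunk has the same shape. The backup is also written to a fixed, world-readable path under `/tmp` that cleanup reads back with root privileges and never deletes, which leaves the host's full firewall configuration on disk after the test and means a file already present at that path is what `iptables-restore` consumes. Chaining the steps and removing the backup on cleanup addresses both: `iptables-save > /tmp/iptables.rules && iptables -F` in `command:` and `iptables-restore < /tmp/iptables.rules && rm -f /tmp/iptables.rules` in `cleanup_command:`, with the path ideally exposed through `input_arguments` rather than hard-coded. Separately, the description says the flush "disables" iptables, but `iptables -F` clears only the filter table's rules and leaves each chain's default policy in place, so the description should state exactly what the command exercises so detections built against this test are not over-scoped.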
@@ -321,8 +321,7 @@ atomic_tests:
 iptables -F
 cleanup_command: |
 iptables-restore < /tmp/iptables.rules
-- name: Modify/delete iptables firewall rules
- auto_generated_guid:
+- name: Modify/delete iptables firewall rules
 description: |
 Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp.
 By doing so, they may cause less noise to avoid detection.
From 1663919f614793e9882f8b5a9657f3f6beaef1d8 Mon Sep 17 00:00:00 2001 From: Jose Enrique Hernandez Date: Thu, 1 Jun 2023 21:11:47 -0400 Subject: [PATCH 4/4] removed unecessary field
---
 atomics/T1562.004/T1562.004.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index c600b080..4c3a3204 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -298,7 +298,6 @@ atomic_tests:
 tail /var/log/ufw.log
 cleanup_command: |
 - name: Disable iptables
- auto_generated_guid:
 description: |
 Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
 Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables