From e5da8a341ae434a6b9265df8fba6b4bcc4a0d55f Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 12 Nov 2019 07:37:40 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
atomics/T1070/T1070.md | 42 ++++++++++++++++++++++++++++++++++++++++
atomics/index.md | 2 ++
atomics/index.yaml | 33 ++++++++++++++++++++++++++++++-
atomics/windows-index.md | 2 ++
4 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md
index 370ec5ed..3871a50f 100644
--- a/atomics/T1070/T1070.md
+++ b/atomics/T1070/T1070.md
@@ -30,6 +30,10 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
 - [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
+- [Atomic Test #6 - Delete System Logs Using PowerShell](#atomic-test-6---delete-system-logs-using-powershell)
+
+- [Atomic Test #7 - Delete System Logs Using Clear-EventLogId](#atomic-test-7---delete-system-logs-using-clear-eventlogid)
+
@@ -126,4 +130,42 @@ echo 0> #{log_path} +
+
+
+## Atomic Test #6 - Delete System Logs Using PowerShell
+Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+Stop-Process -Id $eventLogId -Force
+Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+```
+
+
+#### Cleanup Commands:
+```
+Start-Service -Name EventLog
+```
+
+
+
+
+## Atomic Test #7 - Delete System Logs Using Clear-EventLogId
+Clear event logs using built-in PowerShell commands
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+Clear-EventLog -logname Application
+```
+
+
+
diff --git a/atomics/index.md b/atomics/index.md
index 3d8fd219..5847f96d 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -272,6 +272,8 @@
 - Atomic Test #3: rm -rf [macos, linux]
 - Atomic Test #4: Overwrite Linux Mail Spool [linux]
 - Atomic Test #5: Overwrite Linux Log [linux]
+ - Atomic Test #6: Delete System Logs Using PowerShell [windows]
+ - Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)
 - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
 - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index ef998e6b..829c5021 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -7970,7 +7970,38 @@ defense-evasion:
 default: "/var/log/secure"
 executor:
 name: bash
- command: 'echo 0> #{log_path}'
+ command: 'echo 0> #{log_path}
+
+'
+ - name: Delete System Logs Using PowerShell
+ description: 'Recommended Detection: Monitor for use of the windows event log
+ filepath in PowerShell couple with delete arguments
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: |
+ $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+ Stop-Process -Id $eventLogId -Force
+ Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+ cleanup_command: 'Start-Service -Name EventLog
+
+'
+ - name: Delete System Logs Using Clear-EventLogId
+ description: 'Clear event logs using built-in PowerShell commands
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: 'Clear-EventLog -logname Application
+
+'
 T1202:
 technique:
 x_mitre_data_sources:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 3321a6c1..1e506f29 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
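Review bot: The cleanup for "Delete System Logs Using PowerShell" is only `Start-Service -Name EventLog`, which does not cover what the test actually breaks: `Stop-Process -Id $eventLogId -Force` terminates the whole process hosting the EventLog service (on many Windows builds an svchost shared with other services that this cleanup never restarts — worth confirming), and `Remove-Item ...Security.evtx` discards the Security log, whose prior contents are not restored even if the service recreates an empty file on restart. The test should say so in its description so operators can snapshot the log before running it, e.g. `Cleanup restarts the EventLog service only; the deleted Security.evtx contents are not restored.`, and "Delete System Logs Using Clear-EventLogId" has no cleanup_command at all and deserves the same note. The `description` of test #6 currently holds detection guidance ("Recommended Detection: …") rather than a description of what the test does; the same text is repeated in the T1070.md hunk above. Since index.yaml is produced by this generator job, these changes belong in the technique's source YAML rather than in this file.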
@@ -77,6 +77,8 @@
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
 - Atomic Test #1: Clear Logs [windows]
 - Atomic Test #2: FSUtil [windows]
+ - Atomic Test #6: Delete System Logs Using PowerShell [windows]
+ - Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)
 - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
 - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]