updating atomics count and guids [ci skip]

publish bot
2024-04-26 18:10:13 +00:00
parent 85660f12bf
commit ef6b9e2fd3
3 changed files with 5 additions and 1 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1547-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1549-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
+2
@@ -2,6 +2,7 @@ attack_technique: T1562.012
display_name: 'Impair Defenses: Disable or Modify Linux Audit System'
atomic_tests:
- name: Delete all auditd rules using auditctl
auto_generated_guid: 33a29ab1-cabb-407f-9448-269041bf2856
description: |
Using 'auditctl -D' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities, potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
supported_platforms:
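Review bot: the description in the context lines of this entry overstates what the command does. `auditctl -D` removes the loaded audit rules; it does not erase records already written to the audit log, so "the loss of previously configured monitoring settings and the audit trail" and "erasing evidence from audit logs" should be reworded to say that events stop being recorded from that point on. Now that the test carries a stable GUID and will be referenced by detection content, the description should also say that earlier log entries remain available for review.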
@@ -22,6 +23,7 @@ atomic_tests:
cleanup_command: |
service auditd restart
- name: Disable auditd using auditctl
auto_generated_guid: 7906f0a6-b527-46ee-9026-6e81a9184e08
description: |
The command `auditctl -e 0` disables the audit system. By setting the parameter to `0`, auditing is deactivated, halting the monitoring and recording of security-related events. This action stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.
supported_platforms:
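Review bot: the `cleanup_command` in the context lines above the new GUID is only `service auditd restart`, which brings rules back only as far as the service reloads them from its on-disk configuration. If that cleanup belongs to the rule-deletion test, any rule that was loaded at runtime before the test ran stays gone afterwards. Suggest documenting that limitation in the description, or saving the loaded rules before the test and reloading them in cleanup.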
+2
@@ -1595,3 +1595,5 @@ ed952f70-91d4-445a-b7ff-30966bfb1aff
36657d95-d9d6-4fbf-8a31-f4085607bafd
d1fa2a69-b0a2-4e8a-9112-529b00c19a41
58bd8c8d-3a1a-4467-a69c-439c75469b07
33a29ab1-cabb-407f-9448-269041bf2856
7906f0a6-b527-46ee-9026-6e81a9184e08
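Review bot: the commit is tagged `[ci skip]`, so nothing visible here checks the two appended GUIDs. They do match the `auto_generated_guid` values added to the T1562.012 YAML in this same commit, but their uniqueness against the existing entries of this list is taken on trust. Suggest that the generation step fail when a GUID it is about to append already appears in the file, so a collision cannot reach the list without a validation run.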