From ef6b9e2fd3357aa19d2db42aba72f4681e2f47a3 Mon Sep 17 00:00:00 2001
From: publish bot
Date: Fri, 26 Apr 2024 18:10:13 +0000
Subject: [PATCH] updating atomics count and guids [ci skip]
---
 README.md | 2 +-
 atomics/T1562.012/T1562.012.yaml | 2 ++
 atomics/used_guids.txt | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9106c8c1..fb23d3d1 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 # Atomic Red Team
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1547-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1549-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
diff --git a/atomics/T1562.012/T1562.012.yaml b/atomics/T1562.012/T1562.012.yaml
index 3a674d67..62384d49 100644
--- a/atomics/T1562.012/T1562.012.yaml
+++ b/atomics/T1562.012/T1562.012.yaml
@@ -2,6 +2,7 @@ attack_technique: T1562.012
 display_name: 'Impair Defenses: Disable or Modify Linux Audit System'
 atomic_tests:
 - name: Delete all auditd rules using auditctl
+ auto_generated_guid: 33a29ab1-cabb-407f-9448-269041bf2856
 description: |
 Using 'auditctl -D' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities, potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
 supported_platforms:
@@ -22,6 +23,7 @@ atomic_tests:
 cleanup_command: |
 service auditd restart
 - name: Disable auditd using auditctl
+ auto_generated_guid: 7906f0a6-b527-46ee-9026-6e81a9184e08
 description: |
 The command `auditctl -e 0` disables the audit system. By setting the parameter to `0`, auditing is deactivated, halting the monitoring and recording of security-related events. This action stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.
 supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index d9dd58ff..010e613b 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -1595,3 +1595,5 @@ ed952f70-91d4-445a-b7ff-30966bfb1aff
 36657d95-d9d6-4fbf-8a31-f4085607bafd
 d1fa2a69-b0a2-4e8a-9112-529b00c19a41
 58bd8c8d-3a1a-4467-a69c-439c75469b07
+33a29ab1-cabb-407f-9448-269041bf2856
+7906f0a6-b527-46ee-9026-6e81a9184e08