Added Audit Policy Config based Logging Impairment (#1378)

* Added Audit Policy Config based Logging Impairment

Auditpol can be used to manipulate audit log configuration. Test 3 simulates the adversary disabling certain audit policies to prevent respective events from being recorded in the log.

* Add link, update test name

Adding in the Solarigate write-up link for reference and also removing the test # from the title (this gets added automatically to the Markdown file)

* added cleanup commands

Hi Carrie, the pre-req commands enable the auditpols initially so that they can be disabled when the atomic command is executed. I have copied the same syntax as the pre-req to the clean-up so it is reinstated. Based on additional research I have several more commands of interest I would like to add which were not part of the MS article but would be considered suspicious. Shall I add them as separate tests? i.e. sub-commands such as clear, restore, remove.

* Removed the dependency section

Removed the dependency section

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
BlueTeamOps
2021-02-10 05:13:25 +11:00
committed by GitHub
parent 802c6f33bc
commit f8c8fbcab1
@@ -40,3 +40,22 @@ atomic_tests:
Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red
name: powershell
elevation_required: true
- name: 'Impair Windows Audit Log Policy'
description: >-
Disables the windows audit policy to prevent key host based telemetry being
written into the event logs.
[Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
supported_platforms:
- windows
executor:
command: |
auditpol /set /category:"Account Logon" /success:disable /failure:disable
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
auditpol /set /category:"Detailed Tracking" /success:disable
cleanup_command: |
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
name: command_prompt
elevation_required: true
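Review bot: the cleanup_command in this hunk restores a hard-coded enabled state (success and failure for "Account Logon" and "Logon/Logoff", success only for "Detailed Tracking") rather than whatever the host had configured before the test ran, so on a host that was not auditing some of these subcategories the cleanup silently changes its baseline. Consider capturing the current policy before the test with `auditpol /backup /file:<path>` and restoring it with `auditpol /restore /file:<path>` in cleanup_command, or state in the description that the cleanup assumes these categories were enabled beforehand. Two smaller points: "Detailed Tracking" only has /success disabled while the other two categories disable both success and failure; if that asymmetry is intentional (mirroring the referenced write-up), say so in the description, otherwise add /failure:disable and the matching /failure:enable in cleanup. And "the windows audit policy" in the description should read "the Windows audit policy".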