security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1686/T1686.yaml
T
philhagen-rc 113f30c97c Attack v19 migration (#3329)
2026-05-01 23:10:14 -04:00

546 lines
22 KiB
YAML
Raw Permalink Blame History

attack_technique: T1686
display_name: 'Disable or Modify System Firewall'
atomic_tests:
- name: Disable Microsoft Defender Firewall
auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
description: |
Disables the Microsoft Defender Firewall for the current profile.
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
supported_platforms:
- windows
executor:
command: |
netsh advfirewall set currentprofile state off
cleanup_command: |
netsh advfirewall set currentprofile state on >nul 2>&1
name: command_prompt
- name: Disable Microsoft Defender Firewall via Registry
auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
description: |
Disables the Microsoft Defender Firewall for the public profile via registry
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
cleanup_command: |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
name: command_prompt
- name: Allow SMB and RDP on Microsoft Defender Firewall
auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
description: |
Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
supported_platforms:
- windows
executor:
command: |
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
cleanup_command: |
netsh advfirewall reset >nul 2>&1
name: command_prompt
- name: Opening ports for proxy - HARDRAIN
auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
description: |
This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
supported_platforms:
- windows
executor:
command: |
netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450
cleanup_command: netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
name: command_prompt
elevation_required: true
- name: Open a local port through Windows Firewall to any profile
auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
description: This test will attempt to open a local port defined by input arguments to any profile
supported_platforms:
- windows
input_arguments:
local_port:
description: This is the local port you wish to test opening
type: integer
default: 3389
executor:
command: netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any
cleanup_command: netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
name: powershell
elevation_required: true
- name: Allow Executable Through Firewall Located in Non-Standard Location
auto_generated_guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
description: This test will attempt to allow an executable through the system firewall located in the Users directory
supported_platforms:
- windows
input_arguments:
exe_file_path:
description: path to exe file
type: path
default: PathToAtomicsFolder\T1686\bin\AtomicTest.exe
executor:
command: |
Copy-Item "#{exe_file_path}" -Destination "C:\Users\$env:UserName" -Force
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes
cleanup_command: |
netsh advfirewall firewall delete rule name="Atomic Test" | Out-Null
Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Stop/Start UFW firewall
auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a
description: |
Stop the Uncomplicated Firewall (UFW) if installed.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if ufw is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
ufw disable
cleanup_command: |
ufw enable
ufw status verbose
- name: Stop/Start Packet Filter
auto_generated_guid: 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7
description: |
Stop the Packet Filter if installed.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if pfctl is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
service pf stop
service pf disable
cleanup_command: |
service pf enable
service pf start
service pf status
- name: Stop/Start UFW firewall systemctl
auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1
description: |
Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if systemctl and ufw is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
systemctl stop ufw
cleanup_command: |
systemctl start ufw
systemctl status ufw
- name: Turn off UFW logging
auto_generated_guid: 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad
description: |
Turn off the Uncomplicated Firewall (UFW) logging.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if ufw is installed on the machine and enabled.
prereq_command: |
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
ufw logging off
cleanup_command: |
ufw logging low
ufw status verbose
- name: Add and delete UFW firewall rules
auto_generated_guid: b2563a4e-c4b8-429c-8d47-d5bcb227ba7a
description: |
Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if ufw is installed on the machine and enabled.
prereq_command: |
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
ufw prepend deny from 1.2.3.4
ufw status numbered
cleanup_command: |
{ echo y; echo response; } | ufw delete 1
ufw status numbered
- name: Add and delete Packet Filter rules
auto_generated_guid: 8b23cae1-66c1-41c5-b79d-e095b6098b5b
description: |
Add and delete a rule on the Packet Filter (PF) if installed and enabled.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if pf is installed on the machine and enabled.
prereq_command: |
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
get_prereq_command: |
echo "anchor pf-rules >> /etc/pf.conf"
pfctl -f /etc/pf.conf
executor:
name: sh
elevation_required: true
command: |
echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
pfctl -a pf-rules -s rules
cleanup_command: |
pfctl -a pf-rules -F rules
sed -i "" '/anchor pf-rules/d'
pfctl -f /etc/pf.conf
- name: Edit UFW firewall user.rules file
auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c
description: |
Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if /etc/ufw/user.rules exists.
prereq_command: |
if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
grep "# THIS IS A COMMENT" /etc/ufw/user.rules
cleanup_command: |
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules
- name: Edit UFW firewall ufw.conf file
auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b
description: |
Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf
which controls if the firewall starts on boot and its logging level.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if /etc/ufw/ufw.conf exists.
prereq_command: |
if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
cleanup_command: |
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
cat /etc/ufw/ufw.conf
- name: Edit UFW firewall sysctl.conf file
auto_generated_guid: c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
description: |
Edit the Uncomplicated Firewall (UFW) configuration file for setting network
variables /etc/ufw/sysctl.conf.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if /etc/ufw/sysctl.conf exists.
prereq_command: |
if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
cleanup_command: |
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
cat /etc/ufw/sysctl.conf
- name: Edit UFW firewall main configuration file
auto_generated_guid: 7b697ece-8270-46b5-bbc7-6b9e27081831
description: |
Edit the Uncomplicated Firewall (UFW) main configuration file for setting
default policies /etc/default/ufw.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if /etc/default/ufw exists.
prereq_command: |
if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
echo "# THIS IS A COMMENT" >> /etc/default/ufw
grep "# THIS IS A COMMENT" /etc/default/ufw
cleanup_command: |
sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw
- name: Tail the UFW firewall log file
auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27
description: |
Print the last 10 lines of the Uncomplicated Firewall (UFW) log file
/var/log/ufw.log.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if /var/log/ufw.log exists.
prereq_command: |
if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
tail /var/log/ufw.log
cleanup_command: |
- name: Disable iptables
auto_generated_guid: 7784c64e-ed0b-4b65-bf63-c86db229fd56
description: |
Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables
rules, which in fact "disable" iptables.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if iptables is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
get_prereq_command: |
sudo apt-get install iptables
executor:
name: sh
elevation_required: true
command: |
iptables-save > /tmp/iptables.rules
iptables -F
cleanup_command: |
iptables-restore < /tmp/iptables.rules
- name: Modify/delete iptables firewall rules
auto_generated_guid: 899a7fb5-d197-4951-8614-f19ac4a73ad4
description: |
Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp.
By doing so, they may cause less noise to avoid detection.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if iptables is installed on the machine.
prereq_command: |
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
get_prereq_command: |
iptables-save > /tmp/iptables.rules
if echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo "Rule found"; else echo "Rule not found. Setting it..."; iptables -A OUTPUT -p tcp --dport 21 -j DROP; fi
executor:
name: sh
elevation_required: true
command: |
iptables -D OUTPUT -p tcp --dport 21 -j DROP
cleanup_command: |
iptables-restore < /tmp/iptables.rules
- name: LockBit Black - Unusual Windows firewall registry modification -cmd
auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
description: |
An adversary tries to modify the windows firewall registry
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Unusual Windows firewall registry modification -Powershell
auto_generated_guid: 80b453d1-eec5-4144-bf08-613a6c3ffe12
description: |
An adversary tries to modify the windows firewall registry.
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
cleanup_command: |
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Blackbit - Disable Windows Firewall using netsh firewall
auto_generated_guid: 91f348e6-3760-4997-a93b-2ceee7f254ee
description: |
An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works).
supported_platforms:
- windows
executor:
command: |
netsh firewall set opmode mode=disable
cleanup_command: |
netsh firewall set opmode mode=enable >nul 2>&1
name: command_prompt
elevation_required: true
- name: ESXi - Disable Firewall via Esxcli
auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
description: |
Adversaries may disable the ESXI firewall via ESXCLI
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
type: string
default: atomic.local
plink_file:
description: Path to Putty
type: path
default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
username:
description: username used to log into ESXi
type: string
default: root
password:
description: password used to log into ESXI
type: string
default: n/a
dependency_executor_name: powershell
dependencies:
- description: |
The plink executable must be found in the ExternalPayloads folder.
prereq_command: |
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: |
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_disable_firewall.txt
cleanup_command: |
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_enable_firewall.txt
name: command_prompt
elevation_required: false
- name: Set a firewall rule using New-NetFirewallRule
auto_generated_guid: 94be7646-25f6-467e-af23-585fb13000c8
description: This test will attempt to create a new inbound/outbound firewall rule using the New-NetFirewallRule commandlet.
supported_platforms:
- windows
input_arguments:
direction:
description: Direction can be Inbound or Outbound
type: string
default: Inbound
local_port:
description: This is the local port you wish to test opening
type: integer
default: 21
protocol:
description: This is the protocol
type: string
default: TCP
action:
description: This is the action
type: string
default: allow
executor:
command: New-NetFirewallRule -DisplayName "New rule" -Direction "#{direction}" -LocalPort "#{local_port}" -Protocol "#{protocol}" -Action "#{action}"
cleanup_command: Remove-NetFirewallRule -DisplayName "New rule"
name: powershell
elevation_required: true
- name: ESXi - Set Firewall to PASS Traffic
auto_generated_guid: a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d
description: |
This test sets the default ESXi firewall action to PASS instead of DROP. This allows all incoming and outgoing traffic.
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
dependency_executor_name: powershell
dependencies:
- description: |
The plink executable must be found in the ExternalPayloads folder.
prereq_command: |
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: |
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli network firewall set --default-action true"
cleanup_command: |
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli network firewall set --default-action false"
name: command_prompt
elevation_required: false
Reference in New Issue View Git Blame Copy Permalink