security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1562/T1562.yaml
T
Atomic Red Team GUID generator 935bc9dd9d Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-03-22 22:58:18 +00:00

51 lines
2.7 KiB
YAML
Raw Permalink Blame History

attack_technique: T1562
display_name: 'Impair Defenses'
atomic_tests:
- name: Windows Disable LSA Protection
auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d
description: |
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
supported_platforms:
- windows
executor:
command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable journal logging via systemctl utility
auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
description: |
The atomic test disables the journal logging using built-in systemctl utility
supported_platforms:
- linux
executor:
command: |
sudo systemctl stop systemd-journald #disables journal logging
cleanup_command: |
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
name: sh
elevation_required: true
- name: Disable journal logging via sed utility
auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
description: |
The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
supported_platforms:
- linux
executor:
command: |
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
cleanup_command: |
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
name: sh
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink