-
Notifications
You must be signed in to change notification settings - Fork 2.8k
/
Copy pathT1562.008.yaml
396 lines (394 loc) · 17.6 KB
/
T1562.008.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
attack_technique: T1562.008
display_name: 'Impair Defenses: Disable Cloud Logs'
atomic_tests:
- name: AWS - CloudTrail Changes
auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
description: |
Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail
supported_platforms:
- iaas:aws
input_arguments:
cloudtrail_name:
description: Name of the cloudTrail
type: string
default: "redatomictesttrail"
s3_bucket_name:
description: Name of the bucket
type: string
default: "redatomic-test"
region:
description: Name of the region
type: string
default: "us-east-1"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install the terraform and configure your aws default profile
- description: |
Check if the dependency resources are already present.
prereq_command: |
if [ -f $PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
terraform init
terraform apply -auto-approve
executor:
command: |
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
cleanup_command: |
cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
terraform destroy -auto-approve
name: sh
elevation_required: false
- name: Azure - Eventhub Deletion
auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719
description: |
Identifies an Event Hub deletion in Azure.
An Event Hub is an event processing service that ingests and processes large volumes of events and data.
An adversary may delete an Event Hub in an attempt to evade detection.
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure username
type: string
default:
password:
description: Azure password
type: string
default:
event_hub_name:
description: Name of the eventhub
type: string
default: "test_eventhub"
resource_group:
description: Name of the resource group
type: string
default:
name_space_name:
description: Name of the NameSpace
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
Install-Module -Name Az
prereq_command: |
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name AzureAD -Force
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install the terraform.
- description: |
Check if the user is logged into Azure.
prereq_command: |
az account show
get_prereq_command: |
echo Configure your Azure account using: az login.
- description: |
Create dependency resources using terraform
prereq_command: |
try {if (Test-Path $PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate ){ exit 0 } else {exit 1}} catch {exit 1}
get_prereq_command: |
cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzureAD -Credential $creds
Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
name: powershell
elevation_required: false
cleanup_command: |
cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
terraform destroy -auto-approve
- name: Office 365 - Exchange Audit Log Disabled
auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
description: |
You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox.
Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default:
password:
description: office-365 password
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
ExchangeOnlineManagement PowerShell module must be installed
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
name: powershell
elevation_required: false
- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
description: |
Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
supported_platforms:
- linux
- macos
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1562.008/src
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: |
Stratus binary must be present at the (#{stratus_path}/stratus)
prereq_command: |
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029
description: |
This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
supported_platforms:
- linux
- macos
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1562.008/src
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: |
Stratus binary must be present at the (#{stratus_path}/stratus)
prereq_command: |
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - Remove VPC Flow Logs using Stratus
auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79
description: |
This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
supported_platforms:
- linux
- macos
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1562.008/src
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: |
Stratus binary must be present at the (#{stratus_path}/stratus)
prereq_command: |
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force
cleanup_command: |
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - CloudWatch Log Group Deletes
auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
description: |
Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by
deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
supported_platforms:
- iaas:aws
input_arguments:
cloudwatch_log_group_name:
description: Name of the cloudWatch log group
type: string
default: "log-test"
region:
description: Name of the region
type: string
default: "us-east-1"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
name: sh
elevation_required: false
- name: AWS CloudWatch Log Stream Deletes
auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
description: |
Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by
deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
supported_platforms:
- iaas:aws
input_arguments:
cloudwatch_log_group_name:
description: Name of the cloudWatch log group
type: string
default: "test-logs"
cloudwatch_log_stream_name:
description: Name of the cloudWatch log stream
type: string
default: "20150601"
region:
description: Name of the region
type: string
default: "us-west-2"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
name: sh
elevation_required: false