mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
T1089 - Disabling Security Tools
Description from ATT&CK
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Atomic Tests
Atomic Test #1 - Disable iptables firewall
Disables the iptables firewall
Supported Platforms: Linux
Run it with `sh`!
```sh
# CentOS 6 uses SysV init scripts; CentOS 7 uses systemd with firewalld
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "6" ]; then
    service iptables stop
    chkconfig iptables off
    service ip6tables stop
    chkconfig ip6tables off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "7" ]; then
    systemctl stop firewalld
    systemctl disable firewalld
fi
```
Atomic Test #2 - Disable syslog
Disables syslog collection
Supported Platforms: Linux
Run it with `sh`!
```sh
# CentOS 6 uses SysV init scripts; CentOS 7 uses systemd
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "6" ]; then
    service rsyslog stop
    chkconfig rsyslog off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "7" ]; then
    systemctl stop rsyslog
    systemctl disable rsyslog
fi
```
Atomic Test #3 - Disable Cb Response
Disable the Cb Response service
Supported Platforms: Linux
Run it with `sh`!
```sh
# CentOS 6 uses SysV init scripts; CentOS 7 uses systemd
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "6" ]; then
    service cbdaemon stop
    chkconfig cbdaemon off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "7" ]; then
    systemctl stop cbdaemon
    systemctl disable cbdaemon
fi
```
Atomic Test #4 - Disable SELinux
Disables SELinux enforcement
Supported Platforms: Linux
Run it with `sh`!
```sh
setenforce 0
```
Atomic Test #5 - Disable Carbon Black Response
Disables Carbon Black Response
Supported Platforms: macOS
Run it with `sh`!
```sh
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
```
Atomic Test #6 - Disable LittleSnitch
Disables LittleSnitch
Supported Platforms: macOS
Run it with `sh`!
```sh
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
Atomic Test #7 - Disable OpenDNS Umbrella
Disables OpenDNS Umbrella
Supported Platforms: macOS
Run it with `sh`!
```sh
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
Atomic Test #8 - Unload Sysmon Filter Driver
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv |
Run it with `command_prompt`!
```cmd
fltmc.exe unload #{sysmon_driver}
```
Atomic Test #9 - Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server, as observed in use by Threat Group 3390 (Bronze Union). This action requires the HTTP logging configuration section in IIS to be unlocked.
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| website_name | The name of the website on a server | string | Default Web Site |
Run it with `command_prompt`!
```cmd
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
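Detection logic for the nine tests above, as an added example that is not part of Atomic Red Team or this mirror: it maps process-creation command lines back to the test whose commands they match, which is the check a defender runs to confirm that the telemetry pipeline actually sees these tests when they are executed. The event shape (newline-delimited JSON with "Host" and "CommandLine" fields, Sysmon Event ID 1 style) and the sample events are assumptions constructed for this example.

```python
import json
import re

# Added example, not Atomic Red Team code. Event field names "Host" and
# "CommandLine" (Sysmon Event ID 1 style) are an assumption of this example.
def _service_rule(services):
    """Match stop/disable of the named services via service, chkconfig or systemctl."""
    names = "|".join(services)
    tools, verbs = r"\b(service|systemctl|chkconfig)\b", r"\b(stop|disable|off)\b"
    return re.compile(rf"{tools}.*\b({names})\b.*{verbs}|{tools}.*{verbs}.*\b({names})\b")

# One rule per atomic test above: (test, description, compiled pattern)
RULES = [
    ("Test #1", "host firewall stopped/disabled", _service_rule(["iptables", "ip6tables", "firewalld"])),
    ("Test #2", "syslog collection stopped/disabled", _service_rule(["rsyslog"])),
    ("Test #3", "Cb Response daemon stopped/disabled", _service_rule(["cbdaemon"])),
    ("Test #4", "SELinux switched to permissive", re.compile(r"\bsetenforce\s+(0|permissive)\b", re.I)),
    ("Test #5-7", "security LaunchDaemon unloaded", re.compile(
        r"\blaunchctl\s+unload\b.*(com\.carbonblack\.daemon|at\.obdev\.littlesnitchd"
        r"|com\.opendns\.osx\.RoamingClientConfigUpdater)\.plist")),
    ("Test #8", "minifilter driver unloaded", re.compile(r"\bfltmc(\.exe)?\s+unload\s+\S+", re.I)),
    ("Test #9", "IIS HTTP logging disabled", re.compile(
        r"\bappcmd(\.exe)?\s+set\s+config\b.*/section:httplogging\b.*/dontLog:true", re.I)),
]

def match_command(cmdline):
    """Return the (test, description) pairs whose pattern matches one command line."""
    return [(test, desc) for test, desc, rx in RULES if rx.search(cmdline)]

def scan_events(ndjson_text):
    """Scan newline-delimited JSON process events; return one alert per rule hit."""
    alerts = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for test, desc in match_command(ev.get("CommandLine", "")):
            alerts.append({"test": test, "description": desc,
                           "host": ev.get("Host"), "command": ev["CommandLine"]})
    return alerts

# Constructed sample telemetry (not real data): four hits and one benign command
SAMPLE_EVENTS = r"""
{"Host": "web01", "CommandLine": "fltmc.exe unload SysmonDrv"}
{"Host": "web01", "CommandLine": "C:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"Default Web Site\" /section:httplogging /dontLog:true"}
{"Host": "db02", "CommandLine": "setenforce 0"}
{"Host": "db02", "CommandLine": "chkconfig iptables off"}
{"Host": "db02", "CommandLine": "systemctl status firewalld"}
"""
```

The service rule accepts both argument orders for `chkconfig`, so it fires on the tests as written above and on the corrected `chkconfig <service> off` form.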