Added tests for disable of firewall, syslog, Cb daemon, SELinux

2018-03-09 22:25:46 -06:00 · 2018-03-09 22:25:46 -06:00 · 8346a7a1f5
parent 4f65330559
commit 8346a7a1f5
2 changed files with 37 additions and 1 deletions
--- a/Linux/Defense_Evasion/Disabling_Security_Tools.md
+++ b/Linux/Defense_Evasion/Disabling_Security_Tools.md
@ -0,0 +1,36 @@
+# Disabling Security Tools
+
+MITRE ATT&CK Technique: [T1089](https://attack.mitre.org/wiki/Technique/T1089)
+
+
+## Stop and disable firewall on CentOS/RHEL 6 and below
+
+    service iptables stop
+    chkconfig off iptables
+
+    service ip6tables stop
+    chkconfig off ip6tables
+
+## Stop and disable firewall on CentOS/RHEL 7 and above
+
+    systemctl stop firewalld
+    systemctl disable firewalld
+
+## Stop and disable syslog on CentOS/RHEL 6 and below
+    service rsyslog stop
+    chkconfig off rsyslog
+
+## Stop and disable syslog on CentOS/RHEL 7 and above
+    systemctl stop rsyslog
+    systemctl disable rsyslog
+
+## Stop and disable Cb Response Daemon on CentOS/RHEL 6 and below
+    service cbdaemon stop
+    chkconfig off cbdaemon
+
+## Stop and disable Cb Response Daemon on CentOS/RHEL 7 and above
+    systemctl stop cbdaemon
+    systemctl disable cbdaemon
+
+## Disable SELinux Enforcement
+    setenforce 0
--- a/Linux/README.md
+++ b/Linux/README.md
@ -4,7 +4,7 @@
 |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
 | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md)    | Exploitation of Vulnerability | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md)                      | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md)   | Audio Capture                  | Automated Exfiltration                        | Commonly Used Port                      |
 | Bootkit                      | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md)             | [Clear Command History](Defense_Evasion/Clear_Command_History.md)         | Brute Force                            | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)           | Exploitation of Vulnerability   | Graphical User Interface | Automated Collection           | Data Compressed                               | Communication Through Removable Media   |
-| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo                          | Disabling Security Tools      | [Create Account](Credential_Access/Create_Account.md)                         | [Network Service Scanning](Discovery/Network_Service_Scanning.md)               | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md)                | Scripting                | [Browser Extensions](Collection/Browser_Extensions.md)                 | Data Encrypted                                | Connection Proxy                        |
+| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo                          | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)      | [Create Account](Credential_Access/Create_Account.md)                         | [Network Service Scanning](Discovery/Network_Service_Scanning.md)               | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md)                | Scripting                | [Browser Extensions](Collection/Browser_Extensions.md)                 | Data Encrypted                                | Connection Proxy                        |
 | [Cron Job](Persistence/Cron_Job.md) | Valid Accounts                | Exploitation of Vulnerability | Credentials in Files                   | Permission Groups Discovery            | Remote Services                 | Source                   | Clipboard Data                    | Data Transfer Size Limits                     | Custom Command and Control Protocol     |
 | [Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell                     | File Deletion                 | Exploitation of Vulnerability          | [Process Discovery](Discovery/Process_Discovery.md)                      | Third-party Software            | Space after Filename     | Data Staged         | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md)        | Custom Cryptographic Protocol           |
 | Rc.common                    |                               | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md)                   | Input Capture                          | [Remote System Discovery](Discovery/Remote_System_Discovery.md)                |                                 | Third-party Software     | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding                           |