From 0ddc31b336a310c0423b845afaa13ec6a8b19688 Mon Sep 17 00:00:00 2001 From: atmathis Date: Mon, 1 Jan 2018 16:02:52 -0500 Subject: [PATCH] Mac/Linux HISTCONTROL * Added HISTCONTROL for Mac and Linux, and updated Matrices * Corrected Gatekeeper Bypass title --- Linux/Defense_Evasion/HISTCONTROL.md | 8 ++++++++ Linux/README.md | 2 +- Mac/Defense_Evasion/Gatekeeper_Bypass.md | 3 +-- Mac/Defense_Evasion/HISTCONTROL.md | 8 ++++++++ Mac/README.md | 2 +- 5 files changed, 19 insertions(+), 4 deletions(-) create mode 100644 Linux/Defense_Evasion/HISTCONTROL.md create mode 100644 Mac/Defense_Evasion/HISTCONTROL.md diff --git a/Linux/Defense_Evasion/HISTCONTROL.md b/Linux/Defense_Evasion/HISTCONTROL.md new file mode 100644 index 0000000..08c7dbb --- /dev/null +++ b/Linux/Defense_Evasion/HISTCONTROL.md @@ -0,0 +1,8 @@ +# HISTCONTROL + +MITRE ATT&CK Technique: [T1148](https://attack.mitre.org/wiki/Technique/T1148) + + +### Set the environment variable, then preface commands with a space to exclude them from .bash_history + export HISTCONTROL=ignoreboth + ls diff --git a/Linux/README.md b/Linux/README.md index 08d028c..ebb84ad 100644 --- a/Linux/README.md +++ b/Linux/README.md 
@@ -7,7 +7,7 @@ | [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy | | Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | | Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | System Information Discovery | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | -| Redundant Access | | HISTCONTROL | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | +| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | | Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | | Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels | | Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels | diff --git a/Mac/Defense_Evasion/Gatekeeper_Bypass.md b/Mac/Defense_Evasion/Gatekeeper_Bypass.md index 4e447c5..5e5ac28 100644 --- a/Mac/Defense_Evasion/Gatekeeper_Bypass.md +++ b/Mac/Defense_Evasion/Gatekeeper_Bypass.md 
@@ -1,4 +1,4 @@ -# Defense Evasion +# Gatekeeper Bypass MITRE ATT&CK Technique: [T1144](https://attack.mitre.org/wiki/Technique/T1144) @@ -6,4 +6,3 @@ MITRE ATT&CK Technique: [T1144](https://attack.mitre.org/wiki/Technique/T1144) sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app sudo spctl --master-disable - diff --git a/Mac/Defense_Evasion/HISTCONTROL.md b/Mac/Defense_Evasion/HISTCONTROL.md new file mode 100644 index 0000000..08c7dbb --- /dev/null +++ b/Mac/Defense_Evasion/HISTCONTROL.md @@ -0,0 +1,8 @@ +# HISTCONTROL + +MITRE ATT&CK Technique: [T1148](https://attack.mitre.org/wiki/Technique/T1148) + + +### Set the environment variable, then preface commands with a space to exclude them from .bash_history + export HISTCONTROL=ignoreboth + ls diff --git a/Mac/README.md b/Mac/README.md index 684208f..3215546 100644 --- a/Mac/README.md +++ b/Mac/README.md 
@@ -10,7 +10,7 @@ | LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding | | Launch Daemon | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation | -| Launchctl | Valid Accounts | HISTCONTROL | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels | +| Launchctl | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels | | Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels | | Logon Scripts | | Hidden Users | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication | | Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
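Review bot: in the new Linux/Defense_Evasion/HISTCONTROL.md hunk the example does not show what the heading describes: `ls` as written has no leading space, so it would still be saved to .bash_history. Put the two commands in a fenced `bash` block and make the space visible, e.g. `export HISTCONTROL=ignoreboth` followed by ` ls   # leading space: not written to history`. The file should also state that `ignoreboth` is `ignorespace` plus `ignoredups`, that `export` only affects the current shell session, and that the `export` line itself (which has no leading space) is written to .bash_history, so that line is exactly what someone reviewing history files will see. The instruction-as-`###`-heading also reads oddly; a plain sentence above the code block would match the layout used in Gatekeeper_Bypass.md.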
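Review bot: the Mac/Defense_Evasion/Gatekeeper_Bypass.md hunk that drops the trailing blank line leaves the two commands undocumented. Each deserves a one-line description: `sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app` removes the quarantine attribute from one app bundle only, while `sudo spctl --master-disable` turns Gatekeeper off system-wide and stays that way until it is re-enabled. The second is the far more visible change (the setting is reported by `spctl --status`), and the file should say so rather than presenting the two as interchangeable.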
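Review bot: the new Mac/Defense_Evasion/HISTCONTROL.md is byte-identical to the Linux file (both hunks carry blob 08c7dbb), so every point raised on the Linux hunk applies here unchanged. One macOS-specific line is still missing: HISTCONTROL is a bash variable, so the page should state that it assumes bash is the user's shell and has no effect under other shells such as zsh.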