infosecn1nja
/
atomic-red-team
mirror of https://github.com/infosecn1nja/atomic-red-team.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Mac/Linux HISTCONTROL 

* Added HISTCONTROL for Mac and Linux, and updated Matrices
* Corrected Gatekeeper Bypass title
patch-1
atmathis 2018-01-01 16:02:52 -05:00
parent 232d5eea29
commit 0ddc31b336
5 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Linux/Defense_Evasion/HISTCONTROL.md Normal file
View File

@ -0,0 +1,8 @@
# HISTCONTROL
MITRE ATT&CK Technique: [T1148](https://attack.mitre.org/wiki/Technique/T1148)
### Set the environment variable, then preface commands with a space to exclude them from .bash_history
export HISTCONTROL=ignoreboth
ls

2
Linux/README.md
View File

@ -7,7 +7,7 @@
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | System Information Discovery | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Redundant Access | | HISTCONTROL | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |

3
Mac/Defense_Evasion/Gatekeeper_Bypass.md
View File

@ -1,4 +1,4 @@
# Defense Evasion
# Gatekeeper Bypass
MITRE ATT&CK Technique: [T1144](https://attack.mitre.org/wiki/Technique/T1144)
@ -6,4 +6,3 @@ MITRE ATT&CK Technique: [T1144](https://attack.mitre.org/wiki/Technique/T1144)
sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app
sudo spctl --master-disable

8
Mac/Defense_Evasion/HISTCONTROL.md Normal file
View File

@ -0,0 +1,8 @@
# HISTCONTROL
MITRE ATT&CK Technique: [T1148](https://attack.mitre.org/wiki/Technique/T1148)
### Set the environment variable, then preface commands with a space to exclude them from .bash_history
export HISTCONTROL=ignoreboth
ls

2
Mac/README.md
View File

@ -10,7 +10,7 @@
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| Launch Daemon | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| Launchctl | Valid Accounts | HISTCONTROL | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Launchctl | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | Hidden Users | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |