parent
533e27193f
commit
29cf36761a
|
@ -0,0 +1,9 @@
|
|||
## Network Service Scanning
|
||||
|
||||
MITRE ATT&CK Technique: [T1046](https://attack.mitre.org/wiki/Technique/T1046)
|
||||
|
||||
### Bash One Liner
|
||||
|
||||
Input:
|
||||
|
||||
for port in {1..65535}; do echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; done
|
|
@ -0,0 +1,18 @@
|
|||
## Network Share Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1135](https://attack.mitre.org/wiki/Technique/T1135)
|
||||
|
||||
### Local Mounts
|
||||
|
||||
Input:
|
||||
|
||||
df -aH
|
||||
|
||||
### Remote Find Mounts
|
||||
|
||||
smbutil view -g //<hostname>
|
||||
|
||||
|
||||
### NFS Show mounts
|
||||
|
||||
showmount hostname
|
|
@ -0,0 +1,20 @@
|
|||
## Permission Groups Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1069](https://attack.mitre.org/wiki/Technique/T1069)
|
||||
|
||||
|
||||
### Domain
|
||||
|
||||
Input:
|
||||
|
||||
dscacheutil -q group
|
||||
|
||||
### Local
|
||||
|
||||
Input:
|
||||
|
||||
dscl . -list /Groups
|
||||
|
||||
Input:
|
||||
|
||||
groups
|
|
@ -0,0 +1,14 @@
|
|||
## Process Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1057](https://attack.mitre.org/wiki/Technique/T1057)
|
||||
|
||||
|
||||
### Process Discovery
|
||||
|
||||
Input:
|
||||
|
||||
ps
|
||||
|
||||
Input:
|
||||
|
||||
ps aux
|
|
@ -0,0 +1,18 @@
|
|||
## Remote System Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
|
||||
|
||||
|
||||
### arp
|
||||
|
||||
Input:
|
||||
|
||||
arp -a | grep -v '^?'
|
||||
|
||||
|
||||
### Network scanning
|
||||
|
||||
|
||||
Input:
|
||||
|
||||
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
|
|
@ -0,0 +1,12 @@
|
|||
# Security Software Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1063](https://attack.mitre.org/wiki/Technique/T1063)
|
||||
|
||||
### LittleSnitch
|
||||
|
||||
ps -ef | grep Little\ Snitch | grep -v grep
|
||||
|
||||
|
||||
### CarbonBlack Response
|
||||
|
||||
ps aux | grep CbOsxSensorService
|
|
@ -0,0 +1,18 @@
|
|||
## System Information Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082)
|
||||
|
||||
### System Information
|
||||
|
||||
Input:
|
||||
|
||||
systemsetup
|
||||
|
||||
Input:
|
||||
|
||||
system_profiler
|
||||
|
||||
|
||||
Input:
|
||||
|
||||
ls -al /Applications
|
|
@ -0,0 +1,17 @@
|
|||
## System Network Configuration Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016)
|
||||
|
||||
### Network Data
|
||||
|
||||
Input:
|
||||
|
||||
arp -a
|
||||
|
||||
Input:
|
||||
|
||||
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
|
||||
|
||||
Input:
|
||||
|
||||
ifconfig
|
|
@ -0,0 +1,16 @@
|
|||
## System Owner/User Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033)
|
||||
|
||||
|
||||
Input:
|
||||
|
||||
Users
|
||||
|
||||
Input:
|
||||
|
||||
w
|
||||
|
||||
Input:
|
||||
|
||||
who
|
|
@ -6,15 +6,15 @@
|
|||
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
|
||||
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
|
||||
| Dylib Hijacking | [Launch Daemon](Persistence/Launch_Daemon.md) | Code Signing | [Create Account](Credential_Access/Create_Account.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
|
||||
| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
|
||||
| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||
| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||
| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | [Keychain](Credential_Access/Keychain.md) | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
|
||||
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
|
||||
| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
|
||||
| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | [Permission Groups Discovery](Discovery/Permissions_Groups_Summary.md) | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
|
||||
| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | [Process Discovery](Discovery/Process_Discovery.md) | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||
| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||
| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | [Keychain](Credential_Access/Keychain.md) | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
|
||||
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | | Scheduled Transfer | Multi-Stage Channels |
|
||||
| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multiband Communication |
|
||||
| [Plist Modification](Persistence/Plist_Modification.md) | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
|
||||
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy |
|
||||
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | | Remote File Copy |
|
||||
| [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol |
|
||||
| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol |
|
||||
| [Startup Items](Persistence/Startup_Items.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Non-Application Layer Protocol |
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Security Software Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1063)
|
||||
MITRE ATT&CK Technique: [T1063](https://attack.mitre.org/wiki/Technique/T1063)
|
||||
|
||||
### netsh
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
## System Owner/User Discovery
|
||||
|
||||
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
|
||||
MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033)
|
||||
|
||||
### cmd.exe
|
||||
|
||||
|
|
Loading…
Reference in New Issue