diff --git a/Linux/Defense_Evasion/File_Deletion.md b/Linux/Defense_Evasion/File_Deletion.md new file mode 100644 index 0000000..c364bd5 --- /dev/null +++ b/Linux/Defense_Evasion/File_Deletion.md @@ -0,0 +1,23 @@ +## File Deletion + +MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107) + +### Victim Configuration + + echo "This file will be shredded" > /tmp/victim-shred.txt + mkdir /tmp/victim-files + cd /tmp/victim-files + touch a b c d e f g + +### Delete a single file + + rm -f /tmp/victim-files/a + +### Delete an entire folder + + rm -rf /tmp/victim-files + +### Overwrite and delete a file with shred + + shred -u /tmp/victim-shred.txt + diff --git a/Linux/Exfiltration/Data_Compressed.md b/Linux/Exfiltration/Data_Compressed.md new file mode 100644 index 0000000..2f4ea4d --- /dev/null +++ b/Linux/Exfiltration/Data_Compressed.md @@ -0,0 +1,30 @@ +## Data Compressed + +MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002) + +### Victim Configuration + + mkdir /tmp/victim-files + cd /tmp/victim-files + touch a b c d e f g + echo "This file will be gzipped" > /tmp/victim-gzip.txt + echo "This file will be tarred" > /tmp/victim-tar.txt + +### Compression with zip + + zip /tmp/victim-files.zip /tmp/victim-files/* + +### Compression with gzip + + gzip -f /tmp/victim-gzip.txt + +### Compression with tar + +Directory + + tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/ + +File + + tar -cvzf /tmp/victim-tar.tar.gz + diff --git a/Linux/Exfiltration/Data_Encrypted.md b/Linux/Exfiltration/Data_Encrypted.md new file mode 100644 index 0000000..11553c5 --- /dev/null +++ b/Linux/Exfiltration/Data_Encrypted.md 
@@ -0,0 +1,20 @@ +## Data Encrypted + +MITRE ATT&CK Technique: [T1022](https://attack.mitre.org/wiki/Technique/T1022) + +### Victim Configuration + + echo "This file will be encrypted" > /tmp/victim-gpg.txt + mkdir /tmp/victim-files + cd /tmp/victim-files + touch a b c d e f g + +### Zip and encrypt a directory + + zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/* + +### Encrypt a single file + + gpg -c /tmp/victim-gpg.txt + + ls -l diff --git a/Linux/Exfiltration/Data_Transfer_Size_Limits.md b/Linux/Exfiltration/Data_Transfer_Size_Limits.md new file mode 100644 index 0000000..c2b7f89 --- /dev/null +++ b/Linux/Exfiltration/Data_Transfer_Size_Limits.md @@ -0,0 +1,13 @@ +## Data Transfer Size Limits + +MITRE ATT&CK Technique: [T1030](https://attack.mitre.org/wiki/Technique/T1030) + +### Victim Configuration + + cd /tmp/ + dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 + +### Split into 5MB chunks + + split -b 5000000 /tmp/victim-whole-file + ls -l \ No newline at end of file diff --git a/Linux/README.md b/Linux/README.md index 80003d0..ceaf637 100644 --- a/Linux/README.md +++ b/Linux/README.md 
@@ -3,10 +3,10 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | -| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | -| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md) | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | -| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol | -| 
[Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | +| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | +| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md) | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | [Data Encrypted](Exfiltration/Data_Encrypted.md) | Connection Proxy | +| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | [Data Transfer Size Limits](Exfiltration/Data_Transfer_Size_Limits.md) | Custom Command and Control Protocol | +| [Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell | [File Deletion](Defense_Evasion/File_Deletion.md) | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | | Rc.common | | 
[HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | | Redundant Access | | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels |
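Review bot: In Linux/Defense_Evasion/File_Deletion.md, the `shred -u /tmp/victim-shred.txt` step needs a caveat in the doc: shred's overwrite passes only defeat recovery on filesystems that rewrite data in place, and GNU coreutils itself documents that shred is not effective on journaled filesystems in data=journal mode, copy-on-write filesystems such as btrfs, or flash storage with wear levelling, where the old blocks can survive. Without that note a tester may read a successful run as "content unrecoverable". Suggest one sentence under that heading, e.g. "Note: shred cannot guarantee overwriting on journaled, COW or flash-backed storage." Minor: the file's own ATT&CK link uses the old `attack.mitre.org/wiki/Technique/T1107` form; worth confirming it still resolves before merge.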
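Review bot: In Linux/Exfiltration/Data_Compressed.md, the `File` example under `### Compression with tar` is `tar -cvzf /tmp/victim-tar.tar.gz` with no input operand, so GNU tar exits with "Cowardly refusing to create an empty archive" and the single-file case is never exercised; the Victim Configuration creates `/tmp/victim-tar.txt` for exactly this step, so the line should read `tar -cvzf /tmp/victim-tar.tar.gz /tmp/victim-tar.txt`. Also, `gzip -f /tmp/victim-gzip.txt` replaces the source with `victim-gzip.txt.gz`, so a second run of the test needs the Victim Configuration re-run first; a short note saying so would save confusion.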
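Review bot: In Linux/Exfiltration/Data_Encrypted.md, `gpg -c /tmp/victim-gpg.txt` prompts for a passphrase through pinentry, so this step blocks in any non-interactive run of the test; if it is meant to be scriptable like the zip step, add `--batch --pinentry-mode loopback --passphrase "insert password here"` (GnuPG 2.1 and later) and keep the same placeholder convention as the zip line. The trailing `ls -l` sits under `### Encrypt a single file` with no explanation; either give it its own heading or drop it. Documentation: the file does not say what the test is meant to surface for a defender, namely that `zip --password` puts the password on the command line (visible in process listings and shell history) and that gpg writes a `.gpg` file beside the source, which is what a detection for this technique would key on.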
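Review bot: In Linux/Exfiltration/Data_Transfer_Size_Limits.md, the heading `### Split into 5MB chunks` and the command `split -b 5000000 /tmp/victim-whole-file` disagree with the setup: `dd ... bs=25M count=1` writes 25 MiB (26,214,400 bytes), while `-b 5000000` is a decimal byte count, so the result is five 5,000,000-byte pieces plus a 1,214,400-byte remainder rather than five equal chunks. Use `split -b 5M` (split takes the same binary suffix as dd) so the test produces exactly five files `xaa` to `xae` of 5 MiB, or change the heading to match. Also missing is the trailing newline (`\ No newline at end of file`) that the other three new files have, and a sentence noting that `split` writes its pieces into the current directory, which is why the Victim Configuration starts with `cd /tmp/`.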