Added File Deletion, Data Compression/Encryption, Data splitting tests
Tony M Lambert
parent
cbc36697f0
commit
376512f6e2
|
|
@ -0,0 +1,23 @@
|
||||||
|
## File Deletion
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
|
||||||
|
|
||||||
|
### Victim Configuration
|
||||||
|
|
||||||
|
echo "This file will be shredded" > /tmp/victim-shred.txt
|
||||||
|
mkdir /tmp/victim-files
|
||||||
|
cd /tmp/victim-files
|
||||||
|
touch a b c d e f g
|
||||||
|
|
||||||
|
### Delete a single file
|
||||||
|
|
||||||
|
rm -f /tmp/victim-files/a
|
||||||
|
|
||||||
|
### Delete an entire folder
|
||||||
|
|
||||||
|
rm -rf /tmp/victim-files
|
||||||
|
|
||||||
|
### Overwrite and delete a file with shred
|
||||||
|
|
||||||
|
shred -u /tmp/victim-shred.txt
|
||||||
|
|
||||||
|
|
@ -0,0 +1,30 @@
|
||||||
|
## Data Compressed
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
|
||||||
|
|
||||||
|
### Victim Configuration
|
||||||
|
|
||||||
|
mkdir /tmp/victim-files
|
||||||
|
cd /tmp/victim-files
|
||||||
|
touch a b c d e f g
|
||||||
|
echo "This file will be gzipped" > /tmp/victim-gzip.txt
|
||||||
|
echo "This file will be tarred" > /tmp/victim-tar.txt
|
||||||
|
|
||||||
|
### Compression with zip
|
||||||
|
|
||||||
|
zip /tmp/victim-files.zip /tmp/victim-files/*
|
||||||
|
|
||||||
|
### Compression with gzip
|
||||||
|
|
||||||
|
gzip -f /tmp/victim-gzip.txt
|
||||||
|
|
||||||
|
### Compression with tar
|
||||||
|
|
||||||
|
Directory
|
||||||
|
|
||||||
|
tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
|
||||||
|
|
||||||
|
File
|
||||||
|
|
||||||
|
tar -cvzf /tmp/victim-tar.tar.gz
|
||||||
|
|
||||||
|
|
@ -0,0 +1,20 @@
|
||||||
|
## Data Encrypted
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1022](https://attack.mitre.org/wiki/Technique/T1022)
|
||||||
|
|
||||||
|
### Victim Configuration
|
||||||
|
|
||||||
|
echo "This file will be encrypted" > /tmp/victim-gpg.txt
|
||||||
|
mkdir /tmp/victim-files
|
||||||
|
cd /tmp/victim-files
|
||||||
|
touch a b c d e f g
|
||||||
|
|
||||||
|
### Zip and encrypt a directory
|
||||||
|
|
||||||
|
zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/*
|
||||||
|
|
||||||
|
### Encrypt a single file
|
||||||
|
|
||||||
|
gpg -c /tmp/victim-gpg.txt
|
||||||
|
<enter passphrase and confirm>
|
||||||
|
ls -l
|
||||||
|
|
@ -0,0 +1,13 @@
|
||||||
|
## Data Transfer Size Limits
|
||||||
|
|
||||||
|
MITRE ATT&CK Technique: [T1030](https://attack.mitre.org/wiki/Technique/T1030)
|
||||||
|
|
||||||
|
### Victim Configuration
|
||||||
|
|
||||||
|
cd /tmp/
|
||||||
|
dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
|
||||||
|
|
||||||
|
### Split into 5MB chunks
|
||||||
|
|
||||||
|
split -b 5000000 /tmp/victim-whole-file
|
||||||
|
ls -l
|
||||||
|
|
@ -3,10 +3,10 @@
|
||||||
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
||||||
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||||
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
||||||
| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
|
| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
|
||||||
| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md) | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
|
| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md) | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | [Data Encrypted](Exfiltration/Data_Encrypted.md) | Connection Proxy |
|
||||||
| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol |
|
| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | [Data Transfer Size Limits](Exfiltration/Data_Transfer_Size_Limits.md) | Custom Command and Control Protocol |
|
||||||
| [Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
|
| [Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell | [File Deletion](Defense_Evasion/File_Deletion.md) | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
|
||||||
| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
|
| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||||
| Redundant Access | | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
|
| Redundant Access | | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||||
| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels |
|
| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels |
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue