Merge branch 'master' into master
commit
3aa4c528d9
@ -0,0 +1,21 @@
## Rootkits
MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
### Loadable Kernel Module based Rootkit
Input:
sudo insmod MODULE.ko
OR
Input:
sudo modprobe MODULE.ko
### LD_PRELOAD based Rootkit
Input:
export LD_PRELOAD=$PWD/libmy_r00tkit.so
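Review bot: the second Input line `sudo modprobe MODULE.ko` does not do what the alternative implies: modprobe takes a module name, not a file path, and resolves it from the installed module tree (/lib/modules/$(uname -r), after depmod), so it fails for a module that exists only as a .ko in the working directory; either drop the line or document it as `sudo modprobe MODULE` with a note that the module must be installed first. The page also gives no revert or verification step for either variant; `lsmod` / `sudo rmmod MODULE` for the LKM case and `unset LD_PRELOAD` plus a check of /etc/ld.so.preload for the preload case would make the test self-contained. The title uses `##` here while the other new pages in this commit use `#`.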
@ -13,7 +13,8 @@
| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication |
| | | Masquerading | | | | | | | Multilayer Encryption |
| | | Redundant Access | | | | | | | Remote File Copy |
| | | Redundant Access |
| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy |
| | | Scripting | | | | | | | Standard Application Layer Protocol |
| | | Space after Filename | | | | | | | Standard Cryptographic Protocol |
| | | Timestomp | | | | | | | Standard Non-Application Layer Protocol |
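Review bot: the rewritten `Redundant Access` row (`| | | Redundant Access |`) has only four cells while every other row in the table has ten, so the column alignment breaks at that row; the `Remote File Copy` cell it used to carry has moved down into the new `Rootkits` row, which is fine, but the short row should be padded to the full width (`| | | Redundant Access | | | | | | | |`). Also confirm that `Defense_Evasion/Rootkits.md` matches the new file's path case-exactly, since the link is resolved on a case-sensitive checkout.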
@ -0,0 +1,11 @@
# Credentials in Files
MITRE ATT&CK Technique: [T1081](https://attack.mitre.org/wiki/Technique/T1081)
## Browser and System credentials
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Input:
python2 laZagne.py all
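Review bot: the Input line `python2 laZagne.py all` silently assumes the working directory is a LaZagne checkout with its Python 2 dependencies installed; state which directory of the repository the script is run from and point at its requirements file rather than only the repository root, otherwise the test is not reproducible from this page alone. This page also uses a `#` title while `Rootkits.md` in the same commit uses `##`; pick one heading level for technique pages.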
@ -0,0 +1,15 @@
# rc.common
MITRE ATT&CK Technique: [T1163](https://attack.mitre.org/wiki/Technique/T1163)
Input:
echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
Modify:
/etc/rc.common
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
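Review bot: the Input line does not append a working command: the single quotes are consumed by the shell that runs `echo`, so what lands in /etc/rc.common is `osascript -e tell app "Finder" to display dialog "Hello World"`, where `-e` receives only `tell` and the remaining words are parsed as a script path and arguments. Quote the payload as a whole, e.g. `echo "osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"'" | sudo tee -a /etc/rc.common`, which also addresses the second problem that the `>>` redirection to a root-owned file runs with the caller's privileges, not root's. The `Modify:` block only repeats the path already present in the Input line and is followed by several empty lines; either say what to revert (remove the appended line) or drop the block.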
@ -4,7 +4,7 @@
|------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy |
| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy |
| Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Launchctl | Clipboard Data | Data Transfer Size Limits | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md) |
| Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
| LC_LOAD_DYLIB Addition | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
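Review bot: in the unchanged context of this hunk the `Permission Groups Discovery` cell links to `Discovery/Permissions_Groups_Discovery.md` (plural `Permissions` in the path, singular in the cell text); confirm the file name actually matches, since a misspelled link renders fine and only fails when clicked. The `Credential_Access/Credentials_in_Files.md` link added here follows the same `Directory/Technique_Name.md` convention as the rest of the row, so no change needed there beyond checking the target exists.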
@ -15,7 +15,7 @@
| Login Item | | Hidden Window | Two-Factor Authentication Interception | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multi-hop Proxy |
| [Logon Scripts](Persistence/Logon_Scripts.md) | | Indicator Removal from Tools | | System Network Connections Discovery | | | | | Multiband Communication |
| [Plist Modification](Persistence/Plist_Modification.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | | Multilayer Encryption |
| Rc.common | | LC_MAIN Hijacking | | | | | | | Remote File Copy |
| [Rc.common](Persistence/Rc.common.md) | | LC_MAIN Hijacking | | | | | | | Remote File Copy |
| [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Application Layer Protocol |
| Redundant Access | | Masquerading | | | | | | | Standard Cryptographic Protocol |
| [Startup Items](Persistence/Startup_Items.md) | | Obfuscated Files or Information | | | | | | | Standard Non-Application Layer Protocol |
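Review bot: the new link target `Persistence/Rc.common.md` uses a capitalised `Rc` while the page it points to is titled `# rc.common` and the artefact itself is the lower-case `/etc/rc.common`; the cell text, file name and page title should agree, and the file name must match case-exactly for the link to resolve on a case-sensitive checkout. Every other Persistence page uses `Word_Word.md` without a dot in the basename, so `Rc_common.md` (or consistently `rc.common.md`) would follow the existing naming.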