Merge branch 'master' into master

2018-03-06 09:05:52 +11:00 · 2018-03-06 09:05:52 +11:00 · 3aa4c528d9
parent 4353a6719e 41801d14ed
commit 3aa4c528d9
5 changed files with 51 additions and 3 deletions
--- a/Linux/Defense_Evasion/Rootkits.md
+++ b/Linux/Defense_Evasion/Rootkits.md
@ -0,0 +1,21 @@
+## Rootkits
+
+MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
+
+### Loadable Kernel Module based Rootkit
+
+Input:
+
+    sudo insmod MODULE.ko
+
+OR
+
+Input:
+
+    sudo modprobe MODULE.ko
+
+### LD_PRELOAD based Rootkit
+
+Input:
+
+    export LD_PRELOAD=$PWD/libmy_r00tkit.so
--- a/Linux/README.md
+++ b/Linux/README.md
@ -13,7 +13,8 @@
 | Valid Accounts               |                               | Indicator Removal on Host     | Two-Factor Authentication Interception | System Network Connections Discovery   |                                 |                          | Input Capture                  | Scheduled Transfer                            | Multi-Stage Channels                    |
 | Web Shell                    |                               | Install Root Certificate      |                                        | System Owner/User Discovery            |                                 |                          | Screen Capture                 |                                               | Multiband Communication                 |
 |                              |                               | Masquerading                  |                                        |                                        |                                 |                          |                                |                                               | Multilayer Encryption                   |
-|                              |                               | Redundant Access              |                                        |                                        |                                 |                          |                                |                                               | Remote File Copy                        |
+|                              |                               | Redundant Access              |                        
+|                              |                               | [Rootkits](Defense_Evasion/Rootkits.md)              |                        |                                        |                                 |                          |                                |                                               | Remote File Copy                        |
 |                              |                               | Scripting                     |                                        |                                        |                                 |                          |                                |                                               | Standard Application Layer Protocol     |
 |                              |                               | Space after Filename          |                                        |                                        |                                 |                          |                                |                                               | Standard Cryptographic Protocol         |
 |                              |                               | Timestomp                     |                                        |                                        |                                 |                          |                                |                                               | Standard Non-Application Layer Protocol |
--- a/Mac/Credential_Access/Credentials_in_Files.md
+++ b/Mac/Credential_Access/Credentials_in_Files.md
@ -0,0 +1,11 @@
+# Credentials in Files
+
+MITRE ATT&CK Technique: [T1081](https://attack.mitre.org/wiki/Technique/T1081)
+
+## Browser and System credentials
+
+[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
+
+Input:
+
+    python2 laZagne.py all
--- a/Mac/Persistence/Rc.common.md
+++ b/Mac/Persistence/Rc.common.md
@ -0,0 +1,15 @@
+# rc.common
+
+MITRE ATT&CK Technique: [T1163](https://attack.mitre.org/wiki/Technique/T1163)
+
+Input:
+
+    echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
+
+Modify:
+
+    /etc/rc.common
+
+
+
+[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
--- a/Mac/README.md
+++ b/Mac/README.md
@ -4,7 +4,7 @@
 |------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
 | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md)    | Dylib Hijacking               | Binary Padding                  | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md)                      | [AppleScript](Execution/AppleScript.md)                     | [AppleScript](Execution/AppleScript.md)              | Audio Capture                  | Automated Exfiltration                        | Commonly Used Port                      |
 | [Browser Extensions](Persistence/Browser_Extensions.md)             | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md)           | Brute Force                            | Application Window Discovery           | Application Deployment Software | Command-Line Interface   | Automated Collection           | Data Compressed                               | Communication Through Removable Media   |
-| [Create Account](Persistence/Create_Account.md)               | Launch Daemon                 | Code Signing                    | Credentials in Files                   | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)           | Exploitation of Vulnerability   | Graphical User Interface | Browser Extensions             | Data Encrypted                                | Connection Proxy                        |
+| [Create Account](Persistence/Create_Account.md)               | Launch Daemon                 | Code Signing                    | [Credentials in Files](Credential_Access/Credentials_in_Files.md)                   | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)           | Exploitation of Vulnerability   | Graphical User Interface | Browser Extensions             | Data Encrypted                                | Connection Proxy                        |
 | Dylib Hijacking              | Plist Modification            | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)        | Exploitation of Vulnerability          | [Network Service Scanning](Discovery/Network_Service_Scanning.md)               | [Logon Scripts](Persistence/Logon_Scripts.md)                    | Launchctl                | Clipboard Data                 | Data Transfer Size Limits                     | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md)     |
 | Hidden Files and Directories | Process Injection             | Exploitation of Vulnerability   | Input Capture                          | [Network Share Discovery](Discovery/Network_Share_Discovery.md)                | Remote File Copy                | Local Job Scheduling     | Data Staged                    | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md)        | Custom Cryptographic Protocol           |
 | LC_LOAD_DYLIB Addition       | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md)             | File Deletion                   | [Input Prompt](Credential_Access/Input_Prompt.md)                           | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md)            | Remote Services                 | Scripting                | Data from Local System         | Exfiltration Over Command and Control Channel | Data Encoding                           |
@ -15,7 +15,7 @@
 | Login Item                   |                               | Hidden Window                   | Two-Factor Authentication Interception | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) |                                 |                          |                                |                                               | Multi-hop Proxy                         |
 |  [Logon Scripts](Persistence/Logon_Scripts.md)                |                               | Indicator Removal from Tools    |                                        | System Network Connections Discovery   |                                 |                          |                                |                                               | Multiband Communication                 |
 | [Plist Modification](Persistence/Plist_Modification.md)           |                               | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md)       |                                        | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md)            |                                 |                          |                                |                                               | Multilayer Encryption                   |
-| Rc.common                    |                               | LC_MAIN Hijacking               |                                        |                                        |                                 |                          |                                |                                               | Remote File Copy                        |
+| [Rc.common](Persistence/Rc.common.md)                    |                               | LC_MAIN Hijacking               |                                        |                                        |                                 |                          |                                |                                               | Remote File Copy                        |
 | [Re-opened Applications](Persistence/Re-opened_Applications.md)       |                               | [Launchctl](Defense_Evasion/Launchctl.md)                       |                                        |                                        |                                 |                          |                                |                                               | Standard Application Layer Protocol     |
 | Redundant Access             |                               | Masquerading                    |                                        |                                        |                                 |                          |                                |                                               | Standard Cryptographic Protocol         |
 | [Startup Items](Persistence/Startup_Items.md)                |                               | Obfuscated Files or Information |                                        |                                        |                                 |                          |                                |                                               | Standard Non-Application Layer Protocol |