infosecn1nja
/
atomic-red-team
mirror of https://github.com/infosecn1nja/atomic-red-team.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #65 from redcanaryco/Haag 

Mac - Linux Matrix Update
patch-4
caseysmithrc 2018-01-17 09:17:22 -07:00 committed by GitHub
parent d36664c5c7 5e9b720ecf
commit 3e7dda54bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 41 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
View File

@ -7,11 +7,11 @@
:: Single Endpoint
:: for /F “tokens=1,2” %i in (qwinsta /server:<COMPUTERNAME> ^| findstr “Active Disc”) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
:: for /F "tokens=1,2" %i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
:: Multiple Endpoints
@FOR /F %n in (computers.txt) DO @FOR /F “tokens=1,2” %i in (qwinsta /server:%n ^| findstr “Active Disc”) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in (qwinsta /server:%n ^| findstr "Active Disc") do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
@ -51,4 +51,4 @@ for /R c: %f in (*.docx) do copy %f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
powershell.exe dir c:\temp -Recurse | Compress-Archive -DestinationPath C:\temp\allthedataz.zip
cmd.exe /c powershell.exe dir c:\temp -Recurse | Compress-Archive -DestinationPath C:\temp\allthedataz.zip

20
Linux/README.md
View File

@ -1,17 +1,17 @@
## MITRE ATT&CK Matrix - Linux
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Bootkit | Setuid and Setgid | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | [Process Discovery](Discovery/Process_Discovery.md) | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [System Information Discovery](Discovery/System_Information_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [System Network Configuration Discovery](Discover/System_Network_Configuration_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
| | | Install Root Certificate | | | | | | | Multiband Communication |
| Bootkit | Setuid and Setgid | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Trap | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
| | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication |
| | | Masquerading | | | | | | | Multilayer Encryption |
| | | Redundant Access | | | | | | | Remote File Copy |
| | | Scripting | | | | | | | Standard Application Layer Protocol |

0
Mac/Credential_Access/Create_Account.md → Mac/Persistence/Create_Account.md
View File

0
Mac/Persistence/Cron_Job.md → Mac/Persistence/Local_Job_Scheduling.md
View File

64
Mac/README.md
View File

@ -1,40 +1,28 @@
## MITRE ATT&CK Matrix - Mac
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [].bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
<<<<<<< HEAD
| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | Launchctl | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| Launch Daemon | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| Launchctl | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy |
| Re-opened Applications | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol |
=======
| Dylib Hijacking | [Launch Daemon](Persistence/Launch_Daemon.md) | Code Signing | [Create Account](Credential_Access/Create_Account.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | [Permission Groups Discovery](Discovery/Permissions_Groups_Summary.md) | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | [Process Discovery](Discovery/Process_Discovery.md) | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | [Keychain](Credential_Access/Keychain.md) | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multiband Communication |
| [Plist Modification](Persistence/Plist_Modification.md) | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |
| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | | Remote File Copy |
| [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol |
>>>>>>> redcanaryco/master
| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol |
| [Startup Items](Persistence/Startup_Items.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Non-Application Layer Protocol |
| Trap | | Masquerading | | | | | | | Uncommonly Used Port |
| Valid Accounts | | Plist Modification | | | | | | | Web Service |
| Web Shell | | Redundant Access | | | | | | | |
| | | Scripting | | | | | | | |
| | | Space after Filename | | | | | | | |
| | | Valid Accounts | | | | | | | |
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Browser Extensions | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy |
| Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Logon Scripts | Launchctl | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol |
| Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| [Launch Agent](Persistence/Launch_Agent.md) | Startup Items | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Keychain](Credential_Access/Keychain.md) | [Process Discovery](Discovery/Process_Discovery.md) | SSH Hijacking | Source | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Third-party Software | Space after Filename | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Launchctl | Valid Accounts | Hidden Files and Directories | Private Keys | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Input Capture | Scheduled Transfer | Fallback Channels |
| [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) | Web Shell | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Securityd Memory | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | Screen Capture | | Multi-Stage Channels |
| Login Item | | Hidden Window | Two-Factor Authentication Interception | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multi-hop Proxy |
| Logon Scripts | | Indicator Removal from Tools | | System Network Connections Discovery | | | | | Multiband Communication |
| [Plist Modification](Persistence/Plist_Modification.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | | Multilayer Encryption |
| Rc.common | | LC_MAIN Hijacking | | | | | | | Remote File Copy |
| [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Application Layer Protocol |
| Redundant Access | | Masquerading | | | | | | | Standard Cryptographic Protocol |
| [Startup Items](Persistence/Startup_Items.md) | | Obfuscated Files or Information | | | | | | | Standard Non-Application Layer Protocol |
| Trap | | Plist Modification | | | | | | | Uncommonly Used Port |
| Valid Accounts | | Process Injection | | | | | | | Web Service |
| Web Shell | | Redundant Access | | | | | | | |
| | | Rootkit | | | | | | | |
| | | Scripting | | | | | | | |
| | | Space after Filename | | | | | | | |
| | | Valid Accounts | | | | | | | |

4
Windows/README.md
View File

@ -20,8 +20,8 @@
| Hooking | Process Injection](Privilege_Escalation/Process_Injection.md) | Image File Execution Options Injection | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Third-party Software | | | Standard Cryptographic Protocol |
| Hypervisor | SID-History Injection | Indicator Blocking | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | Standard Non-Application Layer Protocol |
| Image File Execution Options Injection | [Scheduled Task](Persistence/Scheduled_Task.md) | Indicator Removal from Tools | | | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Uncommonly Used Port |
| LSASS Driver | Service Registry Permissions Weakness | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) | | | | Windows Remote Management | | | Web Service |
| Logon Scripts | Valid Accounts | Install Root Certificate | | | | | | | |
| LSASS Driver | Service Registry Permissions Weakness | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | | | Web Service |
| Logon Scripts | Valid Accounts | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |
| Modify Existing Service | Web Shell | InstallUtil | | | | | | | |
| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Masquerading | | | | | | | |
| [New Service](Persistence/New_Service.md) | | Modify Registry | | | | | | | |