Evasion and exfil

+ Added wevtutil and fsutil per what was used recently by BadBuddy Ransomware.
+ Added 2 ways to compress data with PowerShell and rar.
readmes
Michael Haag 2017-10-31 12:56:52 -07:00
parent 480a201741
commit 66c37e8b53
2 changed files with 25 additions and 0 deletions


@ -11,3 +11,17 @@ Clear system logs
Clear Security logs
wevtutil cl Security
Clear Setup logs
wevtutil cl Setup
Clear Application logs
wevtutil cl Application
## Fsutil
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
fsutil usn deletejournal /D C:
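Review bot: The text under `## Fsutil` is the general description of the USN change journal and never says what the added command does. `fsutil usn deletejournal /D C:` deletes that journal, so the section should say so in the same direct way the wevtutil entries above are labelled "Clear Security logs", "Clear Setup logs" and "Clear Application logs". The command also hard-codes the C: volume; state that in the text so the scope is clear to whoever runs the test.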


@ -0,0 +1,11 @@
# File Deletion
MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
## PowerShell
powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip
## Rar
rar a -r exfilthis.rar *.docx
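Review bot: The title `# File Deletion` does not match what this new file contains: both commands build archives, and the commit message describes them as ways to compress data, so the heading should name data compression instead. In the PowerShell line the `|` sits outside the `powershell.exe` invocation, so at a cmd prompt the pipe is handled by cmd and `Compress-Archive` is not run as a cmdlet; either pass the whole pipeline as one quoted `-Command` argument or say that the line is meant to be typed inside a PowerShell session. The destination `C:\test\Data.zip` also sits inside the `c:\*` tree being recursed, so a destination outside the source path would be cleaner.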