diff --git a/Mac/Discovery/Network_Service_Scanning.md b/Mac/Discovery/Network_Service_Scanning.md new file mode 100644 index 0000000..6fb5e13 --- /dev/null +++ b/Mac/Discovery/Network_Service_Scanning.md @@ -0,0 +1,9 @@ +## Network Service Scanning + +MITRE ATT&CK Technique: [T1046](https://attack.mitre.org/wiki/Technique/T1046) + +### Bash One Liner + +Input: + + for port in {1..65535}; do echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; done diff --git a/Mac/Discovery/Network_Share_Discovery.md b/Mac/Discovery/Network_Share_Discovery.md new file mode 100644 index 0000000..84b27cd --- /dev/null +++ b/Mac/Discovery/Network_Share_Discovery.md @@ -0,0 +1,18 @@ +## Network Share Discovery + +MITRE ATT&CK Technique: [T1135](https://attack.mitre.org/wiki/Technique/T1135) + +### Local Mounts + +Input: + + df -aH + +### Remote Find Mounts + + smbutil view -g // + + +### NFS Show mounts + + showmount hostname diff --git a/Mac/Discovery/Permissions_Groups_Discovery.md b/Mac/Discovery/Permissions_Groups_Discovery.md new file mode 100644 index 0000000..db96519 --- /dev/null +++ b/Mac/Discovery/Permissions_Groups_Discovery.md @@ -0,0 +1,20 @@ +## Permission Groups Discovery + +MITRE ATT&CK Technique: [T1069](https://attack.mitre.org/wiki/Technique/T1069) + + +### Domain + +Input: + + dscacheutil -q group + +### Local + +Input: + + dscl . -list /Groups + +Input: + + groups diff --git a/Mac/Discovery/Process_Discovery.md b/Mac/Discovery/Process_Discovery.md new file mode 100644 index 0000000..a63072a --- /dev/null +++ b/Mac/Discovery/Process_Discovery.md @@ -0,0 +1,14 @@ +## Process Discovery + +MITRE ATT&CK Technique: [T1057](https://attack.mitre.org/wiki/Technique/T1057) + + +### Process Discovery + +Input: + + ps + +Input: + + ps aux diff --git a/Mac/Discovery/Remote_System_Discovery.md b/Mac/Discovery/Remote_System_Discovery.md new file mode 100644 index 0000000..6dd4ab1 --- /dev/null +++ b/Mac/Discovery/Remote_System_Discovery.md @@ -0,0 +1,18 @@ +## Remote System Discovery + +MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018) + + +### arp + +Input: + + arp -a | grep -v '^?' + + +### Network scanning + + +Input: + + for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done diff --git a/Mac/Discovery/Security_Software_Discovery.md b/Mac/Discovery/Security_Software_Discovery.md new file mode 100644 index 0000000..6ee85e6 --- /dev/null +++ b/Mac/Discovery/Security_Software_Discovery.md @@ -0,0 +1,12 @@ +# Security Software Discovery + +MITRE ATT&CK Technique: [T1063](https://attack.mitre.org/wiki/Technique/T1063) + +### LittleSnitch + + ps -ef | grep Little\ Snitch | grep -v grep + + +### CarbonBlack Response + + ps aux | grep CbOsxSensorService diff --git a/Mac/Discovery/System_Information_Discovery.md b/Mac/Discovery/System_Information_Discovery.md new file mode 100644 index 0000000..bad69c7 --- /dev/null +++ b/Mac/Discovery/System_Information_Discovery.md @@ -0,0 +1,18 @@ +## System Information Discovery + +MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082) + +### System Information + +Input: + + systemsetup + +Input: + + system_profiler + + +Input: + + ls -al /Applications diff --git a/Mac/Discovery/System_Network_Configuration_Discovery.md b/Mac/Discovery/System_Network_Configuration_Discovery.md new file mode 100644 index 0000000..1947728 --- /dev/null +++ b/Mac/Discovery/System_Network_Configuration_Discovery.md @@ -0,0 +1,17 @@ +## System Network Configuration Discovery + +MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016) + +### Network Data + +Input: + + arp -a + +Input: + + netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c + +Input: + + ifconfig diff --git a/Mac/Discovery/System_Owner_User_Discovery.md b/Mac/Discovery/System_Owner_User_Discovery.md new file mode 100644 index 0000000..5cd6ee3 --- /dev/null +++ b/Mac/Discovery/System_Owner_User_Discovery.md @@ -0,0 +1,16 @@ +## System Owner/User Discovery + +MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033) + + +Input: + + Users + +Input: + + w + +Input: + + who diff --git a/Mac/README.md b/Mac/README.md index 9663160..629c4cf 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -6,15 +6,15 @@ | .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port | | [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media | | Dylib Hijacking | [Launch Daemon](Persistence/Launch_Daemon.md) | Code Signing | [Create Account](Credential_Access/Create_Account.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy | -| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol | -| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | -| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding | -| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation | -| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | [Keychain](Credential_Access/Keychain.md) | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels | -| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels | -| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication | +| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol | +| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | [Permission Groups Discovery](Discovery/Permissions_Groups_Summary.md) | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | [Process Discovery](Discovery/Process_Discovery.md) | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding | +| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | [Keychain](Credential_Access/Keychain.md) | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels | +| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | | Scheduled Transfer | Multi-Stage Channels | +| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multiband Communication | | [Plist Modification](Persistence/Plist_Modification.md) | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption | -| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy | +| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | | Remote File Copy | | [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | | | | | | Standard Application Layer Protocol | | Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol | | [Startup Items](Persistence/Startup_Items.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Non-Application Layer Protocol | diff --git a/Windows/Discovery/Security_Software_Discovery.md b/Windows/Discovery/Security_Software_Discovery.md index 4843654..e55378d 100644 --- a/Windows/Discovery/Security_Software_Discovery.md +++ b/Windows/Discovery/Security_Software_Discovery.md @@ -1,6 +1,6 @@ # Security Software Discovery -MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1063) +MITRE ATT&CK Technique: [T1063](https://attack.mitre.org/wiki/Technique/T1063) ### netsh diff --git a/Windows/Discovery/System_Owner-User_Discovery.md b/Windows/Discovery/System_Owner-User_Discovery.md index c6f69d0..98f4110 100644 --- a/Windows/Discovery/System_Owner-User_Discovery.md +++ b/Windows/Discovery/System_Owner-User_Discovery.md @@ -1,6 +1,6 @@ ## System Owner/User Discovery -MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018) +MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033) ### cmd.exe