infosecn1nja
/
atomic-red-team
mirror of https://github.com/infosecn1nja/atomic-red-team.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10 from redcanaryco/dev-mh 

Dev mh
readmes
caseysmithrc 2017-10-31 14:14:33 -06:00 committed by GitHub
parent 480a201741 be85bb6afe
commit e5236e6146
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Windows/Defense Evasion/Indicator_Removal_on_Host.md
View File

@ -11,3 +11,17 @@ Clear system logs
Clear Security logs
wevtutil cl Security
Clear Setup logs
wevtutil cl Setup
Clear Application logs
wevtutil cl Application
## Fsutil
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
fsutil usn deletejournal /D C:

11
Windows/Exfiltration/Data_Compressed.md Normal file
View File

@ -0,0 +1,11 @@
# File Deletion
MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
## PowerShell
powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip
## Rar
rar a -r exfilthis.rar *.docx

17
Windows/Payloads/Discovery.bat
View File

@ -8,6 +8,23 @@ net config workstation
net accounts
net accounts /domain
net view
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wmic useraccount list
wmic useraccount get /ALL
wmic startup list brief