
Content update, ATT&CK update, formatting, put Honeypots into malware

pull/11/head
Robert Musser 5 years ago
parent
commit
3be1a45bc0
45 changed files with 3394 additions and 3193 deletions
1. +32 -31 Draft/ATT&CK-Stuff/Collection.md
2. +83 -33 Draft/ATT&CK-Stuff/Command_and_Control.md
3. +72 -14 Draft/ATT&CK-Stuff/Credential_Access.md
4. +91 -76 Draft/ATT&CK-Stuff/Defense_Evasion.md
5. +5 -9 Draft/ATT&CK-Stuff/Discovery.md
6. +62 -64 Draft/ATT&CK-Stuff/Persistence.md
7. +76 -25 Draft/ATT&CK-Stuff/Privilege_Escalation.md
8. +2 -2 Draft/ATT&CK-Stuff/README.md
9. +205 -210 Draft/AnonOpsecPrivacy.md
10. +5 -0 Draft/BIOS UEFI Attacks Defenses.md
11. +7 -2 Draft/Building A Pentest Lab.md
12. +6 -7 Draft/CTFs_Wargames.md
13. +14 -13 Draft/Cheat sheets reference pages Checklists -.md
14. +26 -21 Draft/Courses_Training.md
15. +0 -42 Draft/CryptoCurrencies.md
16. +213 -197 Draft/Cryptography & Encryption.md
17. +63 -27 Draft/Defense.md
18. +282 -345 Draft/Embedded Device & Hardware Hacking -.md
19. +22 -6 Draft/Exfiltration.md
20. +579 -766 Draft/Exploit Development.md
21. +10 -0 Draft/Forensics Incident Response.md
22. +14 -7 Draft/Fuzzing Bug Hunting.md
23. +18 -11 Draft/Game Hacking.md
24. +0 -128 Draft/Honeypots.md
25. +4 -0 Draft/Interesting Things Useful stuff.md
26. +275 -139 Draft/Malware.md
27. +97 -43 Draft/Network Attacks & Defenses.md
28. +18 -9 Draft/Network Security Monitoring & Logging.md
29. +20 -10 Draft/Open Source Intelligence.md
30. +19 -11 Draft/Password Bruting and Hashcracking.md
31. +20 -19 Draft/Phishing.md
32. +3 -2 Draft/Policy-Compliance.md
33. +214 -120 Draft/Privilege Escalation & Post-Exploitation.md
34. +73 -45 Draft/Programming - Languages Libs Courses References.md
35. +157 -0 Draft/Rants&Writeups/Writeups/Empire_and_Metasploit_101.md
36. +23 -5 Draft/Red-Teaming.md
37. +17 -4 Draft/Reverse Engineering.md
38. +12 -0 Draft/Rootkits.md
39. +5 -0 Draft/SCADA.md
40. +19 -0 Draft/Side-Channel Attacks.md
41. +12 -3 Draft/System Internals Windows and Linux Internals Reference.md
42. +16 -4 Draft/Web & Browsers.md
43. +118 -41 Draft/Wireless Networks & RF.md
44. +384 -697 Draft/things-added.md
45. +1 -5 README.md

+32 -31 Draft/ATT&CK-Stuff/Collection.md

@ -6,9 +6,8 @@
* Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
## Audio Capture
-------------------------------
## Audio Capture
* [Audio Capture - ATT&CK](https://attack.mitre.org/wiki/Technique/T1123)
* An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
* Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
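Review bot: `## Audio Capture` shows up on both sides of the `-------------------------------` rule in this hunk. If this is the heading being moved below the rule, fine; if both copies survive in the file, drop one so each section has a single heading, and keep the rule in the same position relative to the heading throughout the file.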
@ -22,9 +21,8 @@
## Automated Collection
-------------------------------
## Automated Collection
* [Automated Collection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1119)
* Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Remote File Copy to identify and move files.
@ -49,10 +47,14 @@
* Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.
-------------------------------
## Browser Extensions
* [Browser Extensions - ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
* Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access.12
## Clipboard Data
-------------------------------
## Clipboard Data
* [Clipboard Data - ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
* Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
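Review bot: the new Browser Extensions description ends in `the browser can access.12`, which is the superscript footnote marker carried over from the ATT&CK page rather than part of the sentence; either strip it or turn it into a linked citation the way the `* [Browser Extensions - ATT&CK]` line already does. `## Clipboard Data` also appears above and below the rule here, same pattern as the earlier hunks.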
@ -71,18 +73,16 @@
## Data Staged
-------------------------------
## Data Staged
* [Data Staged - ATT&CK](https://attack.mitre.org/wiki/Technique/T1074)
* Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
## Data from Local System
-------------------------------
## Data from Local System
* [Data from Local System - ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
* Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration. Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.
@ -113,9 +113,8 @@
## Data from Network Shared Drive
-------------------------------
## Data from Network Shared Drive
* [Data from Network Shared Drive - ATT&CK](https://attack.mitre.org/wiki/Technique/T1039)
* Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Adversaries may search network shares on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
@ -125,21 +124,21 @@
## Data from Removable Media
-------------------------------
## Data from Removable Media
* [Data from Removable Media - ATT&CK](https://attack.mitre.org/wiki/Technique/T1025)
* Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Adversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media.
#### Linux
#### OS X
#### Windows
## Email Collection
-------------------------------
## Email Collection
* [Email Collection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1114)
* Adversaries may target user email to collect sensitive information from a target.
* Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.
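Review bot: the `#### Linux`, `#### OS X` and `#### Windows` sub-headings added under Data from Removable Media have no entries beneath them, so the section renders three empty headings; either add the per-platform links or leave the sub-headings out until there is content for them.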
@ -153,21 +152,14 @@
## Input Capture
-------------------------------
## Input Capture
* [Input Capture - ATT&CK](https://attack.mitre.org/wiki/Technique/T1056)
* Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
* Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes,Adventures of a Keystroke but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider.Wrightson 2012
* Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.
* Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.Volexity Virtual Private Keylogging
#### Windows
* [Windows Interactive Logon Architecture - technet](https://technet.microsoft.com/en-us/library/ff404303(v=ws.10))
* [The Adventures of a KeyStroke: An in-depth look into Keyloggers on Windows](http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf)
* [Capturing Windows 7 Credentials at Logon Using Custom Credential Provider](https://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/)
* [Collection - Empire](http://www.powershellempire.com/?page_id=283)
#### Linux
* [How to Monitor Keyboard Keystrokes Using ‘LogKeys’ in Linux](https://www.tecmint.com/how-to-monitor-keyboard-keystrokes-using-logkeys-in-linux/)
* [logkeys - a GNU/Linux keylogger](https://github.com/kernc/logkeys)
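Review bot: three ATT&CK citation titles have run into the sentences in this hunk: `intercepting keystrokes,Adventures of a Keystroke but other methods`, `default credential provider.Wrightson 2012` and `externally facing web service.Volexity Virtual Private Keylogging`. The first two already have matching links in the `#### Windows` list just below (the Adventures of a KeyStroke PDF and the leetsys credential-provider post), so the inline fragments can be removed and the Volexity reference either linked or dropped.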
@ -177,21 +169,26 @@
* SKeylogger is a simple keylogger. I had previously been using a few other open source keyloggers, but they stopped working when I upgraded my operating system. I tried to look through the code of those keyloggers, but it was undocumented, messy, and complex. I decided to make my own highly documented and very simple keylogger.
* [Using xkeyscan to Parse an X-Based Linux Keylogger](http://porterhau5.com/blog/xkeyscan-parse-linux-keylogger/)
#### Windows
* [Windows Interactive Logon Architecture - technet](https://technet.microsoft.com/en-us/library/ff404303(v=ws.10))
* [The Adventures of a KeyStroke: An in-depth look into Keyloggers on Windows](http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf)
* [Capturing Windows 7 Credentials at Logon Using Custom Credential Provider](https://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/)
* [Collection - Empire](http://www.powershellempire.com/?page_id=283)
## Man in the Browser
* [Man in the Browser - ATT&CK](https://attack.mitre.org/wiki/Technique/T1185)
* Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.1
* A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet.23
* Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication.4
## Screen Capture
-------------------------------
## Screen Capture
* [Screen Capture - ATT&CK](https://attack.mitre.org/wiki/Technique/T1113)
* Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
#### Windows
* [Using Problem Steps Recorder (PSR) Remotely with Metasploit](https://cyberarms.wordpress.com/2016/02/13/using-problem-steps-recorder-psr-remotely-with-metasploit/)
* [Collection - Empire](http://www.powershellempire.com/?page_id=283)
* [Capturing Screenshots with PowerShell and .NET](https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/)
#### Linux
* MITRE
* On Linux, there is the native command `xwd`.
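Review bot: under Man in the Browser, `allows an them to inherit cookies` should read `allows them to inherit cookies`, and the trailing `techniques.1`, `intranet.23` and `authentication.4` are ATT&CK footnote markers that should be stripped or turned into citations. The `## Man in the Browser` heading is also the only one in this file without the rule separator, and under Screen Capture / Linux the bare `* MITRE` bullet carries no link or text. The `#### Windows` block with the four keylogging links duplicates the one in the previous hunk; if that is the block being relocated, fine, otherwise keep one copy.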
@ -203,11 +200,15 @@
* On OSX, the native `command screencapture` is used to capture screenshots.
* [OSX Backdoor – Camera Control](http://patrickmosca.com/osx-backdoor-camera-control/)
#### Windows
* [Using Problem Steps Recorder (PSR) Remotely with Metasploit](https://cyberarms.wordpress.com/2016/02/13/using-problem-steps-recorder-psr-remotely-with-metasploit/)
* [Collection - Empire](http://www.powershellempire.com/?page_id=283)
* [Capturing Screenshots with PowerShell and .NET](https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/)
## Video Capture
-------------------------------
## Video Capture
* [Video Capture - ATT&CK](https://attack.mitre.org/wiki/Technique/T1125)
* An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen.
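Review bot: the backticks in `the native `command screencapture` is used` enclose the wrong words; it should be `the native command `screencapture` is used`, matching the `xwd` line in the Linux section. The `#### Windows` screenshot links (PSR, Empire, PowerShell/.NET) repeat the block from the previous hunk, so confirm only one copy remains after the move.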


+83 -33 Draft/ATT&CK-Stuff/Command_and_Control.md

@ -31,36 +31,43 @@
* A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap.Trend Micro APT Attack Tools
* The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.
* The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.
* [Mallory](https://bitbucket.org/IntrepidusGroup/mallory)
* Mallory is an extensible TCP/UDP man in the middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.
* [SSLStrip](http://www.thoughtcrime.org/software/sslstrip/)
* This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
* [Echo Mirage](http://www.wildcroftsecurity.com/echo-mirage)
* Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network related function calls so that data transmitted and received by local applications can be observed and modified. Windows encryption and OpenSSL functions are also hooked so that plain text of data being sent and received over an encrypted session is also available. Traffic can be intercepted in real-time, or manipulated with regular expressions and a number of action directives
* [Burp Proxy](http://portswigger.net/burp/proxy.html)
* Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application
* [Charles Proxy](https://www.charlesproxy.com/)
* Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
* [OWASP Zed Attack Proxy](http://www.zaproxy.org/)
* [Zed Attack Proxy (ZAP) Community Scripts](https://github.com/zaproxy/community-scripts)
* A collection of ZAP scripts provided by the community - pull requests very welcome!
* [Phreebird](http://dankaminsky.com/phreebird/)
* Phreebird is a DNSSEC proxy that operates in front of an existing DNS server (such as BIND, Unbound, PowerDNS, Microsoft DNS, or QIP) and supplements its records with DNSSEC responses. Features of Phreebird include automatic key generation, realtime record signing, support for arbitrary responses, zero configuration, NSEC3 -White Lies-, caching and rate limiting to deter DoS attacks, and experimental support for both Coarse Time over DNS and HTTP Virtual Channels. The suite also contains a large amount of sample code, including support for federated identity over OpenSSH. Finally, -Phreeload- enhances existing OpenSSL applications with DNSSEC support.
* [TCP Catcher](http://www.tcpcatcher.org/)
* TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
* [DNS Chef](https://github.com/amckenna/DNSChef)
* This is a fork of the DNSChef project v0.2.1 hosted at: http://thesprawl.org/projects/dnschef/
* [Squid Proxy](http://www.squid-cache.org/)
* Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.
* [SharpSocks](https://github.com/nettitude/SharpSocks)
* Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
* [ssf - Secure Socket Funneling](https://github.com/securesocketfunneling/ssf)
* Network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer. SSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.
* [PowerCat](https://github.com/secabstraction/PowerCat)
* A PowerShell TCP/IP swiss army knife that works with Netcat & Ncat
* **TCP/UDP**
* [Mallory](https://bitbucket.org/IntrepidusGroup/mallory)
* Mallory is an extensible TCP/UDP man in the middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.
* [TCP Catcher](http://www.tcpcatcher.org/)
* TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
* [Squid Proxy](http://www.squid-cache.org/)
* Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.
* [PowerCat](https://github.com/secabstraction/PowerCat)
* A PowerShell TCP/IP swiss army knife that works with Netcat & Ncat
* **DNS(SEC)**
* [Phreebird](http://dankaminsky.com/phreebird/)
* Phreebird is a DNSSEC proxy that operates in front of an existing DNS server (such as BIND, Unbound, PowerDNS, Microsoft DNS, or QIP) and supplements its records with DNSSEC responses. Features of Phreebird include automatic key generation, realtime record signing, support for arbitrary responses, zero configuration, NSEC3 -White Lies-, caching and rate limiting to deter DoS attacks, and experimental support for both Coarse Time over DNS and HTTP Virtual Channels. The suite also contains a large amount of sample code, including support for federated identity over OpenSSH. Finally, -Phreeload- enhances existing OpenSSL applications with DNSSEC support.
* [DNS Chef](https://github.com/amckenna/DNSChef)
* This is a fork of the DNSChef project v0.2.1 hosted at: http://thesprawl.org/projects/dnschef/
* **HTTP/HTTPS**
* [SSLStrip](http://www.thoughtcrime.org/software/sslstrip/)
* This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
* [SharpSocks](https://github.com/nettitude/SharpSocks)
* Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
* **Host Based**
* [Echo Mirage](http://www.wildcroftsecurity.com/echo-mirage)
* Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network related function calls so that data transmitted and received by local applications can be observed and modified. Windows encryption and OpenSSL functions are also hooked so that plain text of data being sent and received over an encrypted session is also available. Traffic can be intercepted in real-time, or manipulated with regular expressions and a number of action directives
* **Local**
* [Burp Proxy](http://portswigger.net/burp/proxy.html)
* Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application
* [Charles Proxy](https://www.charlesproxy.com/)
* Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
* [OWASP Zed Attack Proxy](http://www.zaproxy.org/)
* [Zed Attack Proxy (ZAP) Community Scripts](https://github.com/zaproxy/community-scripts)
* A collection of ZAP scripts provided by the community - pull requests very welcome!
* **Pivot Proxy**
* Netcat
* Ncat
* Socat
* [ssf - Secure Socket Funneling](https://github.com/securesocketfunneling/ssf)
* Network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer. SSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.
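Review bot: the new `**Pivot Proxy**` category lists `Netcat`, `Ncat` and `Socat` as bare names with no link and no one-line description, unlike every other entry in the reorganised list; add the project links and a short blurb for each. Two placement questions as well: Squid is filed under `**TCP/UDP**` although its own description calls it a caching proxy for HTTP, HTTPS and FTP, so `**HTTP/HTTPS**` fits better, and the distinction between `**Host Based**` (Echo Mirage) and `**Local**` (Burp, Charles, ZAP) is not stated anywhere even though all four run on the local host; a one-line note on what separates the two categories would help readers.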
@ -75,9 +82,6 @@
## Custom Cryptographic Protocol
-------------------------------
* [Custom Cryptographic Protocol - ATT&CK](https://attack.mitre.org/wiki/Technique/T1024)
@ -116,7 +120,49 @@
## Domain Fronting
* [Domain Fronting - ATT&CK](https://attack.mitre.org/wiki/Technique/T1172)
* Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS.1 The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).
* For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.
* [FindFrontableDomains](https://github.com/rvrsh3ll/FindFrontableDomains)
* Search for potential frontable domains
* [High-reputation Redirectors and Domain Fronting](https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/)
* [Blocking-resistant communication through domain fronting](https://www.bamsoftware.com/talks/fronting-pets2015/)
* [Camouflage at encryption layer: domain fronting](https://www.securityartwork.es/2017/01/24/camouflage-at-encryption-layer-domain-fronting/)
* [Domain Fronting - Infosec Institute](http://resources.infosecinstitute.com/domain-fronting/)
* [Simple domain fronting PoC with GAE C2 server](https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/)
* In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.
* [TOR Fronting – Utilising Hidden Services for Privacy](https://www.mdsec.co.uk/2017/02/tor-fronting-utilising-hidden-services-for-privacy/)
* [Finding Domain frontable Azure domains - thoth / Fionnbharr (@a_profligate)](https://theobsidiantower.com/2017/07/24/d0a7cfceedc42bdf3a36f2926bd52863ef28befc.html)
* [Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike](https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/)
* [Domain Fronting Via Cloudfront Alternate Domains](https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/)
* **Domain Tools**
* [Domain Hunter](https://github.com/minisllc/domainhunter)
* Checks expired domains, bluecoat categorization, and Archive.org history to determine good candidates for phishing and C2 domain names
* [AIRMASTER](https://github.com/t94j0/AIRMASTER)
* Use ExpiredDomains.net and BlueCoat to find useful domains for red team.
* [Chameleon](https://github.com/mdsecactivebreach/Chameleon)
* A tool for evading Proxy categorisation
* [CatMyFish](https://github.com/Mr-Un1k0d3r/CatMyFish)
* Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. It relies on expireddomains.net to obtain a list of expired domains. The domain availability is validated using checkdomain.com
* [Finding Frontable Domain](https://github.com/rvrsh3ll/FindFrontableDomains)
* **Domain Reputation Sites**
* [Alien Vault](http://www.alienvault.com)
* [Isithacked?](http://www.isithacked.com)
* [Robtex](https://dns.robtex.com)
* [Scan4You](http://scan4you.net/)
* [Sucuri](http://sitecheck.sucuri.net/scanner/)
* [Trustedsource](http://www.trustedsource.org/)
* [urlQuery](http://urlquery.net/search.php)
* [URLVoid](http://www.urlvoid.com/scan/)
* [VirusTotal](https://www.virustotal.com/)
* [WOT](http://www.mywot.com/en/scorecard)
* [Zeltser BL](http://zeltser.com)
* Redirectors
* [Apache2Mod Rewrite Setup](https://github.com/n0pe-sled/Apache2-Mod-Rewrite-Setup)
* [Redirecting Cobalt Strike DNS Beacons](http://www.rvrsh3ll.net/blog/offensive/redirecting-cobalt-strike-dns-beacons/)
* [High-reputation Redirectors and Domain Fronting](https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/)
* [Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite - Jeff Dimmock](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/)
## Fallback Channels
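Review bot: the FindFrontableDomains repository is listed twice in the new Domain Fronting section, once as `[FindFrontableDomains]` near the top and again as `[Finding Frontable Domain]` under `**Domain Tools**`, and the Cobalt Strike `High-reputation Redirectors and Domain Fronting` post appears both in the main list and under `Redirectors`; keep one of each. Smaller points: `A variation of the the technique` has a doubled `the`, `tunneled through HTTPS.1` carries an ATT&CK footnote marker, and `* Redirectors` is the only sub-heading not rendered in bold like `**Domain Tools**` and `**Domain Reputation Sites**`.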
@ -147,6 +193,10 @@
* [Multiband Communication - ATT&CK](https://attack.mitre.org/wiki/Technique/T1026)
* Some adversaries may split communications between different protocols. There could be one protocol for inbound command and control and another for outbound data, allowing it to bypass certain firewall restrictions. The split could also be random to simply avoid data threshold alerts on any one communication.
----------------------
## Multi-hop Proxy
* [Multi-hop Proxy - ATT&CK](https://attack.mitre.org/wiki/Technique/T1188)
* To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
## Multilayer Encryption
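Review bot: the separator added before `## Multi-hop Proxy` is shorter (`----------------------`) than the `-------------------------------` rule used elsewhere in this file and sits above the heading, whereas Custom Cryptographic Protocol in the earlier hunk places the rule below its heading; pick one convention, and give `## Multilayer Encryption` the same treatment so the three adjacent sections line up.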


+72 -14 Draft/ATT&CK-Stuff/Credential_Access.md

@ -16,8 +16,8 @@ Memory corruption is for wussies
## Account Manipulation
-------------------------------
## Account Manipulation
* [Account Manipulation - ATT&CK](https://attack.mitre.org/wiki/Technique/T1098)
* Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
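Review bot: `## Account Manipulation` is present both above and below the rule in this hunk, the same heading-moved-or-duplicated pattern as in Collection.md; the rendered view cannot show which copy is the removed line, so confirm a single heading remains in the file, and apply the same check to the Brute Force, Create Account and Credential Dumping hunks below, which show the identical pattern.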
@ -46,8 +46,8 @@ Memory corruption is for wussies
## Brute Force
-------------------------------
## Brute Force
* [Brute Force - ATT&CK](https://attack.mitre.org/wiki/Technique/T1110)
* Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.
* Credential Dumping to obtain password hashes may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network.Wikipedia Password cracking
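Review bot: `outside of the target network.Wikipedia Password cracking` is an ATT&CK citation title fused onto the end of the sentence; either link it (for example as a bullet like the `* [Brute Force - ATT&CK]` line above) or remove it.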
@ -59,8 +59,8 @@ Memory corruption is for wussies
## Create Account
-------------------------------
## Create Account
* [Create Account - ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
* Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. The net user commands can be used to create a local or domain account.
* [Net user - technet](https://technet.microsoft.com/en-us/library/cc771865(v=ws.11).aspx)
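Review bot: `Such accounts may be used for persistence that do not require persistent remote access tools` attaches the relative clause to `persistence` rather than to the accounts; suggest `Such accounts, which do not require persistent remote access tools to be deployed on the system, may be used for persistence.` Also worth putting `net user` in backticks since the next bullet links the technet reference for the command.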
@ -70,8 +70,8 @@ Memory corruption is for wussies
## Credential Dumping
-------------------------------
## Credential Dumping
* [Credential Dumping - ATT&CK](https://attack.mitre.org/wiki/Technique/T1003)
* Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Lateral Movement and access restricted information.
* Tools may dump credentials in many different ways: extracting credential hashes for offline cracking, extracting plaintext passwords, and extracting Kerberos tickets, among others. Examples of credential dumpers include pwdump7, Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.
@ -127,9 +127,8 @@ Memory corruption is for wussies
----------------------------
## Credentials in Files
-------------------------------
* [Credentials in Files](https://attack.mitre.org/wiki/Technique/T1081)
* Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through Credential Dumping.CG 2014 Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.
@ -147,9 +146,8 @@ Memory corruption is for wussies
----------------------------
## Exploitation of Vulnerability
-------------------------------
* [Exploitation of Vulnerability - ATT&CK](https://attack.mitre.org/wiki/Technique/T1068)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.
@ -162,6 +160,43 @@ Memory corruption is for wussies
----------------------------
## Forced Authentication
* [Forced Authentication - ATT&CK](https://attack.mitre.org/wiki/Technique/T1187)
* The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. 1 This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources. Web Distributed Authoring and Versioning (WebDAV) is typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443.23
* Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary, or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information including the user's hashed credentials over SMB to the adversary controlled server.4 With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials, or reuse it for Pass the Hash.5
* There are different ways this can occur:
* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened. The document can include, for example, a request similar to `file[:]//[remote address]/Normal.dotm` to trigger the SMB request.6
* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as `\\[remote address]\pic.png` that will force the system to load the resource when the icon is rendered to repeatedly gather credentials.6
#### Windows
* [hashjacking](https://github.com/hob0/hashjacking)
* All current versions of Windows are affected by an architectural vulnerability due to the presumptive nature of SMB authentication. Hashed credentials will secretly be sent in cleartext across the Internet. This attack vector is trivial to execute and has critical consequences. See proof of concept videos below. The core of this issue is due to the presumptive nature of current SMB authentication methods. When a user accesses a file share or remote file, hashed Windows credentials from the current user are automatically sent to the remote server in cleartext in attempt to authenticate and access the remote file. The default behavior of assuming the remote server is trusted allows for systems to quickly access file shares in large corporations so that users won’t need to sign in with their company credentials each time to access network resources. However, this implementation presents a significant security risk to user accounts and passwords. Read more via the link below.
----------------------------
## Hooking
* [Hooking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1179)
* Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:
* Hooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.12
* Import address table (IAT) hooking, which use modifications to a process’s IAT, where pointers to imported API functions are stored.234
* Inline hooking, which overwrites the first bytes in an API function to redirect code flow.254
* Similar to Process Injection, adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.
* Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access.6
* Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors.7
* [Hooks Overview - msdn.ms](https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx)
* [Userland Rootkits: Part 1, IAT hooks - adlice.com](https://www.adlice.com/userland-rootkits-part-1-iat-hooks/)
* [Dynamic Hooking Techniques: User Mode - matt hillman](https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/)
* [Inline Hooking in Windows](https://webcache.googleusercontent.com/search?q=cache:mkBFZwQOVQAJ:https://www.exploit-db.com/docs/17802.pdf+&cd=1&hl=en&ct=clnk&gl=us)
* [gethooks](https://github.com/jay/gethooks)
* GetHooks is a program designed for the passive detection and monitoring of hooks from a limited user account.
* [winhook](https://github.com/prekageo/winhook)
## Input Capture
-------------------------------
* [Input Capture - ATT&CK](https://attack.mitre.org/wiki/Technique/T1056)
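Review bot: footnote numerals from the ATT&CK page have been pasted into the prose as bare digits in the Forced Authentication and Hooking paragraphs ("remote system. 1 This behavior", "TCP ports 80 and 443.23", "pointers to imported API functions are stored.234", "redirect code flow.254", "the icon is rendered to repeatedly gather credentials.6"), which a reader can mistake for port numbers or version strings; strip them or replace each with the link it referred to. Separately, the "Inline Hooking in Windows" bullet links a Google cache copy of the exploit-db PDF; point at the document itself (https://www.exploit-db.com/docs/17802), since cache URLs expire.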
@ -231,9 +266,29 @@ Memory corruption is for wussies
## LLMNR/NBT-NS Poisoning
* [LLMNR/NBT-NS Poisoning - ATT&CK](https://attack.mitre.org/wiki/Technique/T1171)
* Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.12
* Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords.
#### Windows
* [Inveigh](https://github.com/Kevin-Robertson/Inveigh)
* Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
* [Responder - lgandx](https://github.com/lgandx/Responder-Windows)
* NBT-NS/LLMNR Responder and Cross-Protocol NTLM Relay Windows Version (Beta)
* [Pass the hash - Wikipedia](https://en.wikipedia.org/wiki/Pass_the_hash)
* [Pass the hash attacks: Tools and Mitigation - 2010 SANS paper](https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283)
* [Performing Pass-the-Hash Attacks with Mimikatz](https://blog.stealthbits.com/passing-the-hash-with-mimikatz)
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
* [Still Passing the Hash 15 Years Later](https://passing-the-hash.blogspot.com/)
* Providing all the extra info that didn't make it into the BlackHat 2012 USA Presentation "Still Passing the Hash 15 Years Later? Using the Keys to the Kingdom to Access All Your Data" by Alva Lease 'Skip' Duckwall IV and Christopher Campbell.
* [Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash)
* Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB services are accessed through .NET TCPClient connections. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.
## Network Sniffing
-------------------------------
## Network Sniffing
* [Network Sniffing - ATT&CK](https://attack.mitre.org/wiki/Technique/T1040)
* Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. User credentials may be sent over an insecure, unencrypted protocol that can be captured and obtained through network packet analysis. An adversary may place a network interface into promiscuous mode, using a utility to capture traffic in transit over the network or use span ports to capture a larger amount of data. In addition, Address Resolution Protocol (ARP) and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
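Review bot: the pass-the-hash bullets (Wikipedia, the SANS paper, the Mimikatz and LocalAccountTokenFilterPolicy posts, Invoke-TheHash) are filed under the LLMNR/NBT-NS Poisoning `#### Windows` tool list, but what a poisoner captures is a NetNTLMv2 challenge-response, not the NT hash, so it can be cracked offline or relayed, never passed; listing them here implies otherwise. Move them to a dedicated Pass the Hash section (a Lateral Movement technique in ATT&CK) and keep Inveigh and Responder here, noting that both also relay the captured authentication (Responder-Windows describes itself as a cross-protocol NTLM relay). The `## Network Sniffing` heading at the end of the hunk is also doubled around the rule.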
@ -249,7 +304,6 @@ Memory corruption is for wussies
* [OS X Yosemite Has A Secret Packet Sniffer](https://jacobsalmela.com/2014/11/23/os-x-yosemite-secret-packet-sniffer/)
* [Capture a packet trace using Terminal on your Mac - support.apple](https://support.apple.com/en-us/HT202013)
#### Windows
* [Packet Sniffing with PowerShell: Getting Started - technet](https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/12/packet-sniffing-with-powershell-getting-started/)
* [Network Monitor Automation/Scripting using PowerShell](https://channel9.msdn.com/Blogs/Darryl/Network-Monitor-AutomationScripting-using-PowerShell)
@ -260,13 +314,17 @@ Memory corruption is for wussies
-------------------------------
## Password Filter DLL
* [Password Filter DLL - ATT&CK](https://attack.mitre.org/wiki/Technique/T1174)
* Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.
* Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.
* Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.1
## Private Keys
-------------------------------
Private Keys
## Private Keys
* [Private Keys - ATT&CK](https://attack.mitre.org/wiki/Technique/T1145)
* Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.Wikipedia Public Key Crypto
* Adversaries may gather private keys from compromised systems for use in authenticating to Remote Services like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on `*nix-based systems` or `C:\Users\(username)\.ssh\` on Windows.
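Review bot: the key-file extension list in the last line has two typos, ".ppk." (stray trailing period) and "pfx" (missing the leading dot), and the backticks are misplaced: `*nix-based systems` is prose set in code font while `~/.ssh`, the thing a reader would copy, is not fenced. Fence the two paths (`~/.ssh` and `C:\Users\(username)\.ssh\`) and leave the prose plain. The bare "Private Keys" line sitting between the rule and the `## Private Keys` heading also looks like a leftover from the rename that should not survive the merge.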
@ -288,8 +346,8 @@ Private Keys
## Two-Factor Authentication Interception
-------------------------------
## Two-Factor Authentication Interception
* [Two-Factor Authentication Interception](https://attack.mitre.org/wiki/Technique/T1111)
* Use of two- or multifactor authentication is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. Adversaries may target authentication mechanisms, such as smart cards, to gain access to systems, services, and network resources.
* If a smart card is used for two-factor authentication (2FA), then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token.Mandiant M Trends 2011


+ 91
- 76
Draft/ATT&CK-Stuff/Defense_Evasion.md

@ -7,9 +7,8 @@
## Access Token Manipulation
-------------------------------
## Access Token Manipulation
* [Access Token Manipulation - ATT&CK](https://attack.mitre.org/wiki/Technique/T1134)
* Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. Microsoft runas
* Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level.Pentestlab Token Manipulation
@ -30,18 +29,16 @@
* [Account Hunting for Invoke-TokenManipulation](https://www.trustedsec.com/2015/01/account-hunting-invoke-tokenmanipulation/)
## Binary Padding
-------------------------------
## Binary Padding
* [Binary Padding - ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
* Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.
## Bypass User Account Control
-------------------------------
## Bypass User Account Control
* [Bypass User Account Control](https://attack.mitre.org/wiki/Technique/T1088)
* Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.TechNet How UAC Works
* If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box.TechNet Inside UACMSDN COM Elevation An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.Davidson Windows Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.
@ -70,9 +67,8 @@
* Methods to bypass UAC and load a DLL over webdav
## Clear Command History
-------------------------------
## Clear Command History
* [Clear Command History - ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
* macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as unset HISTFILE, export HISTFILESIZE=0, history -c, rm ~/.bash_history.
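Review bot: the evasion commands at the end of the paragraph, `unset HISTFILE`, `export HISTFILESIZE=0`, `history -c` and `rm ~/.bash_history`, are run together as bare prose; fence them as inline code so the boundaries are unambiguous. As a technical nit, bash writes the history file when the interactive shell exits rather than at logoff, and `HISTSIZE=0` (no in-memory history) and `set +o history` belong on the same list if the section is meant to be useful for detection.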
@ -86,9 +82,8 @@
## Code Signing
-------------------------------
## Code Signing
* [Code Signing - ATT&CK](https://attack.mitre.org/wiki/Technique/T1116)
* Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.Wikipedia Code Signing However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binariesJanicab. The certificates used during an operation may be created, forged, or stolen by the adversary.Securelist Digital CertificatesSymantec Digital Certificates
* Code signing to verify software on first run can be used on modern Windows and MacOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform.Wikipedia Code Signing
@ -111,16 +106,14 @@
* [How to Evade Application Whitelisting Using REGSVR32 - BHIS](https://www.blackhillsinfosec.com/evade-application-whitelisting-using-regsvr32/)
## Component Firmware
-------------------------------
## Component Firmware
* [Component Firmware - ATT&CK](https://attack.mitre.org/wiki/Technique/T1109)
* Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
* [HD Hacking - SpritesMods](http://spritesmods.com/?art=hddhack)
## Component Object Model Hijacking
-------------------------------
## Component Object Model Hijacking
* [Component Object Model Hijacking](https://attack.mitre.org/wiki/Defense_Evasion)
* The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.Microsoft Component Object Model Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.GDATA COM Hijacking An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.
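Review bot: the ATT&CK link for Component Object Model Hijacking points at the Defense_Evasion tactic index (https://attack.mitre.org/wiki/Defense_Evasion) instead of the technique page; every other bullet in the file links the technique directly, and for COM Hijacking that is https://attack.mitre.org/wiki/Technique/T1122. The later hunk headers also show the plain "Component Object Model Hijacking" context line from the old file, so confirm the section did not keep both the plain and the `##` heading.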
@ -133,9 +126,8 @@ Component Object Model Hijacking
## DLL Injection
-------------------------------
## DLL Injection
* [DLL Injection - ATT&CK](https://attack.mitre.org/wiki/Defense_Evasion)
* DLL injection is used to run code in the context of another process by causing the other process to load and execute code. Running code in the context of another process provides adversaries many benefits, such as access to the process's memory and permissions. It also allows adversaries to mask their actions under a legitimate process. A more sophisticated kind of DLL injection, reflective DLL injection, loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Numerous methods of DLL injection exist on Windows, including modifying the Registry, creating remote threads, Windows hooking APIs, and DLL pre-loading.CodeProject Inject CodeWikipedia DLL Injection
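Review bot: the DLL Injection link has the same problem as the COM Hijacking entry, pointing at the Defense_Evasion tactic index rather than the technique; in the ATT&CK version this commit updates to, DLL Injection has been folded into Process Injection (https://attack.mitre.org/wiki/Technique/T1055), so rename the section or at least point the link there. The paragraph also lists "Windows hooking APIs" as an injection method, which overlaps with the Hooking section added to Credential_Access.md in this same commit; a cross-reference between the two would save the reader a search.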
@ -147,9 +139,8 @@ Component Object Model Hijacking
* [Code - Github](https://github.com/fdiskyou/injectAllTheThings)
## DLL Search Order Hijacking
-------------------------------
## DLL Search Order Hijacking
* [DLL Search Order Hijacking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1038)
* Windows systems use a common method to look for required DLLs to load into a program.Microsoft DLL Search Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.
* Adversaries may perform DLL preloading, also called binary planting attacks,OWASP Binary Planting by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.Microsoft 2269637 Adversaries may use this behavior to cause the program to load a malicious DLL.
@ -166,9 +157,8 @@ Component Object Model Hijacking
## DLL Side-Loading
-------------------------------
## DLL Side-Loading
* [DLL Side Loading - ATT&CK](https://attack.mitre.org/wiki/Technique/T1073)
* Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifestsMSDN Manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL.Stewart 2014 Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.
@ -181,9 +171,8 @@ Component Object Model Hijacking
* [Secure loading of libraries to prevent DLL preloading attacks - MSDN](https://support.microsoft.com/en-us/help/2389418/secure-loading-of-libraries-to-prevent-dll-preloading-attacks)
## Deobfuscate/Decode File or Information
-------------------------------
## Deobfuscate/Decode File or Information
* [Deobfuscate/Decode Files or Information - ATT&CK](https://attack.mitre.org/wiki/Technique/T1140)
* Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system. One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.Malwarebytes Targeted Attack against Saudi Arabia
* [Obfuscation - Wikipedia](https://en.wikipedia.org/wiki/Obfuscation_(software))
@ -192,9 +181,8 @@ Component Object Model Hijacking
## Disabling Security Tools
-------------------------------
## Disabling Security Tools
* [Disabling Security Tools - ATT&CK](https://attack.mitre.org/wiki/Technique/T1089)
* Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
@ -205,17 +193,26 @@ Component Object Model Hijacking
## Exploitation of Vulnerability
-------------------------------
## Exploitation of Vulnerability
* [Exploitation of Vulnerability - ATT&CK](https://attack.mitre.org/wiki/Technique/T1068)
* Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.Technet MS14-068ADSecurity Detecting Forged Tickets
----------------
## Extra Window Memory Injection
* [Extra Window Memory Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1181)
* Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).1 Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.23
* Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.
* Execution granted through EWM injection may take place in the address space of a separate live process. Similar to Process Injection, this may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.4 More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process
#### Windows
* [PowerLoader Injection – Something truly amazing - malwaretech](https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html)
## File Deletion
-------------------------------
## File Deletion
* [File Deletion - ATT&CK](https://attack.mitre.org/wiki/Technique/T1107)
* Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
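Review bot: the Extra Window Memory Injection paragraph ends mid-sentence without a period ("...inside an executable portion of the target process") and carries ATT&CK footnote digits fused into the text ("handle input/output of data).1", "set and get its value.23", "CreateRemoteThread.4"); clean those up, and make the rule under Exploitation of Vulnerability the same length as the rest of the file's separators instead of the short one used here. The Exploitation of Vulnerability text is a verbatim copy of the Credential_Access.md section, with the reference names ("Technet MS14-068ADSecurity Detecting Forged Tickets") fused onto the end of the sentence; one copy with a link to the other would be easier to keep in sync.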
@ -231,9 +228,8 @@ Component Object Model Hijacking
## File System Logical Offsets
-------------------------------
## File System Logical Offsets
* [File System Logical Offsets - ATT&CK](https://attack.mitre.org/wiki/Technique/T1006)
* Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.Hakobyan 2009 Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.Github PowerSploit Ninjacopy
@ -244,9 +240,8 @@ Component Object Model Hijacking
* [Invoke-NinjaCopy.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
## Gatekeeper Bypass (OS X)
-----------------------------
## Gatekeeper Bypass (OS X)
* [Gatekeeper Bypass- ATT&CK](https://attack.mitre.org/wiki/Technique/T1144)
* In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.
* Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, other utilities or events like drive-by downloads don’t necessarily set it either. This completely bypasses the built-in Gatekeeper check1. The presence of the quarantine flag can be checked by the xattr command `xattr /path/to/MyApp.app for com.apple.quarantine`. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app.
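Review bot: the inline command in the last line mixes prose into the code span, `xattr /path/to/MyApp.app for com.apple.quarantine`; the command is `xattr -l /path/to/MyApp.app` (or `xattr -p com.apple.quarantine /path/to/MyApp.app`), after which the reader looks for the `com.apple.quarantine` key in the output. The removal command that follows, `sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app`, should be fenced the same way, and sudo is only needed when the bundle is not owned by the current user, since an owner can strip extended attributes from their own files. The stray footnote digit in "Gatekeeper check1" should go as well.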
@ -258,9 +253,8 @@ Component Object Model Hijacking
## Hidden Files and Directories
-------------------------------
## Hidden Files and Directories
* [Hidden Files and Directories - ATT&CK](https://attack.mitre.org/wiki/Technique/T1158)
* To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
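Review bot: the command switches at the end of the description line, "dir /a for Windows and ls –a for Linux and macOS", use an en dash in "ls –a", which fails if pasted into a shell; write `ls -a` with an ASCII hyphen and put both commands in code spans.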
@ -285,9 +279,8 @@ Component Object Model Hijacking
## Hidden Users (OS X)
-------------------------------
## Hidden Users (OS X)
* [Hidden Users - ATT&CK](https://attack.mitre.org/wiki/Technique/T1147)
* Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. By using the Create Account technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: sudo dscl . -create /Users/username UniqueID 401.
* [Hide a user account in macOS - support.apple](https://support.apple.com/en-us/HT203998)
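Review bot: the dscl command at the end of the description line, "sudo dscl . -create /Users/username UniqueID 401", and the plist path "/Library/Preferences/com.apple.loginwindow" should be in code spans like the commands and paths elsewhere in this file; as plain text the trailing period reads as part of the command.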
@ -296,40 +289,52 @@ Component Object Model Hijacking
## Hidden Window
-------------------------------
## Hidden Window
* [Hidden Window - ATT&CK](https://attack.mitre.org/wiki/Technique/T1143)
* The configurations for how applications run on macOS and OS X are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.
## HISTCONTROL (Linux)
-------------------------------
## HISTCONTROL (Linux)
* [HISTCONTROL - ATT&CK](https://attack.mitre.org/wiki/Technique/T1148)
* The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.
* [15 Examples To Master Linux Command Line History](http://www.thegeekstuff.com/2008/08/15-examples-to-master-linux-command-line-history/)
---------------------------
## Image File Execution Options Injection
* [Image File Execution Options Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1183)
* Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, any executable file present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., `“C:\dbg\ntsd.exe -g notepad.exe”)`.
* IFEOs can be set directly via the Registry or in Global Flags via the Gflags tool.2 IFEOs are represented as Debugger Values in the Registry under `*HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>` where `<executable>` is the binary on which the debugger is attached.
* Similar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. Installing IFEO mechanisms may also provide Persistence via continuous invocation.
* Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications.
#### Windows
* [Image File Execution Options (IFEO) - blogs.msdn](https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/)
## Indicator Blocking
-------------------------------
## Indicator Blocking
* [Indicator Blocking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1054)
* An adversary may attempt to block indicators or events from leaving the host machine. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process or creating a host-based firewall rule to block traffic to a specific server.
## Indicator Removal from Tools
-------------------------------
## Indicator Removal from Tools
* [Indicator Removal from Tools - ATT&CK](https://attack.mitre.org/wiki/Technique/T1066)
* If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems. A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use Software Packing or otherwise modify the file so it has a different signature, and then re-use the malware.
## Indicator Removal on Host
-------------------------------
## Indicator Removal on Host
* [Indicator Removal on Host - ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
* Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
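Review bot: the first registry path on the IFEO line is wrong as written: `*HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable>` has a stray leading `*` and a forward slash before `<executable>`, where the second path correctly uses a backslash; anyone copying this key into a monitoring rule gets a path that does not exist. In the same section, the code span `“C:\dbg\ntsd.exe -g notepad.exe”)` wraps the closing parenthesis and uses curly quotes, and "the Gflags tool.2" carries a stray footnote number.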
@ -340,9 +345,8 @@ Component Object Model Hijacking
## Install Root Certificate
-------------------------------
## Install Root Certificate
* [Install Root Certifcate](https://attack.mitre.org/wiki/Technique/T1130)
* Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Wikipedia Root Certificate Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
* Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.Operation Emmental
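Review bot: the link text "Install Root Certifcate" drops a letter and, unlike every other section, lacks the "- ATT&CK" suffix; "Wikipedia Root Certificate" and "Operation Emmental" are citation markers fused into the prose and should be dropped or made into links.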
@ -364,8 +368,8 @@ Component Object Model Hijacking
## InstallUtil
-------------------------------
## InstallUtil
* [InstallUtil - ATT&CK](https://attack.mitre.org/wiki/Technique/T1118)
* InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries.MSDN InstallUtil InstallUtil is located in the .NET directory on a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe.InstallUtil.exe is digitally signed by Microsoft. Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)].
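Review bot: the InstallUtil path runs straight into the next sentence ("\InstallUtil.exe.InstallUtil.exe is digitally signed") because a space is missing after the period, and the `<version>` placeholder in an unfenced path will be swallowed as an HTML tag by most markdown renderers; put `C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe` in a code span. "MSDN InstallUtil" is citation residue and `[System.ComponentModel.RunInstaller(true)]` should be a code span so the square brackets are not parsed as a link.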
@ -386,9 +390,8 @@ Component Object Model Hijacking
* [Methods Of Malware Persistence On Mac OS X](https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf)
## Launchctl
-------------------------------
## Launchctl
* [Launchctl - ATT&CK](https://attack.mitre.org/wiki/Technique/T1152)
* Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made Sofacy Komplex Trojan. Running a command from launchctl is as simple as `launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"`. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges. Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.
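Review bot: "execute changes they made Sofacy Komplex Trojan." is a citation marker fused into the sentence; drop it or add the report as a link entry.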
@ -400,9 +403,8 @@ Component Object Model Hijacking
## Masquerading (Trusted Name/Path Execution Abuse)
-------------------------------
## Masquerading (Trusted Name/Path Execution Abuse)
* [Masquerading - ATT&CK](https://attack.mitre.org/wiki/Technique/T1036)
* Masquerading occurs when an executable, legitimate or malicious, is placed in a commonly trusted location (such as C:\Windows\System32) or named with a common name (such as "explorer.exe" or "svchost.exe") to bypass tools that trust executables by relying on file name or path. An adversary may even use a renamed copy of a legitimate utility, such as rundll32.exe. Masquerading also may be done to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.
@ -421,9 +423,8 @@ Component Object Model Hijacking
## Modify Registry
-------------------------------
## Modify Registry
* [Modify Registry - ATT&CK](https://attack.mitre.org/wiki/Technique/T1112)
* Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
* Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.Microsoft Reg Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).
@ -437,9 +438,8 @@ Component Object Model Hijacking
## NTFS Extended Attributes & Alternate Data Streams
-------------------------------
## NTFS Extended Attributes & Alternate Data Streams
* [NTFS Extended Attributes - ATT&CK](https://attack.mitre.org/wiki/Technique/T1096)
* Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.Journey into IR ZeroAccess NTFS EA The NTFS format has a feature called Extended Attributes (EA), which allows data to be stored as an attribute of a file or folder.Microsoft File Streams
@ -469,9 +469,8 @@ Alternate Data Streams
## Network Share Connection Removal
-------------------------------
## Network Share Connection Removal
* [Network Share Connection Removal - ATT&CK](https://attack.mitre.org/wiki/Technique/T1126)
* Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the `net use \\system\share /delete` command. Use Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
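Review bot: "Use Adversaries may remove share connections" on the description line has a stray "Use" (left over from `net use`) at the start of the sentence; delete it.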
@ -485,9 +484,8 @@ Alternate Data Streams
## Obfuscated Files or Information
-------------------------------
## Obfuscated Files or Information
* [Obfuscated Files or Information - ATT&CK](https://attack.mitre.org/wiki/Technique/T1027)
* Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.
@ -505,9 +503,8 @@ Alternate Data Streams
## Process Hollowing
-------------------------------
## Process Hollowing
* [Process Hollowing](https://attack.mitre.org/wiki/Technique/T1093)
* Process hollowing occurs when a process is created in a suspended state and the process's memory is replaced with the code of a second program so that the second program runs instead of the original program. Windows and process monitoring tools believe the original process is running, whereas the actual program running is different.Leitch Hollowing Process hollowing may be used similarly to DLL Injection to evade defenses and detection analysis of malicious process execution by launching adversary-controlled code under the context of a legitimate process.
@ -520,17 +517,40 @@ Alternate Data Streams
## Redundant Access
-------------------------------
## Process Injection
* [Process Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
* Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
#### Linux & OS X
* Implementations for Linux and OS X/macOS systems include:
* LD_PRELOAD, LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process.
* Ptrace system calls can be used to attach to a running process and modify it in runtime.
* /proc/[pid]/mem provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity.
* VDSO hijacking performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object.
* Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
#### Windows
There are multiple approaches to injecting code into a live process. Windows implementations include:
* Dynamic-link library (DLL) injection involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
* Portable executable injection involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue.
* Thread execution hijacking involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
* Asynchronous Procedure Call (APC) injection involves attaching malicious code to the APC Queue3 of a process's thread. Queued APC functions are executed when the thread enters an alterable state. AtomBombing is a variation that utilizes APCs to invoke malicious code previously written to the global atom table.
* Thread Local Storage (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point.
-------------------------------
## Redundant Access
* [Redundant Access - ATT&CK](https://attack.mitre.org/wiki/Technique/T1108)
* Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.
## Regsvcs/Regasm
-------------------------------
## Regsvcs/Regasm
* [Regsvcs/Regasm - ATT&CK](https://attack.mitre.org/wiki/Technique/T1121)
* Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft.MSDN RegsvcsMSDN Regasm Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: `[ComRegisterFunction]` or `[ComUnregisterFunction]` respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute.
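Review bot: in the Process Injection section the Windows intro line "There are multiple approaches to injecting code into a live process. Windows implementations include:" is the only unbulleted paragraph in text otherwise written as `*` bullets, and "the APC Queue3" carries a stray footnote number; in the Regsvcs/Regasm line "Microsoft.MSDN RegsvcsMSDN Regasm Adversaries" is two citation markers fused together and should be dropped or linked.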
@ -544,8 +564,8 @@ Alternate Data Streams
## Regsvr32
-------------------------------
## Regsvr32
* [Regsvr32 - ATT&CK](https://attack.mitre.org/wiki/Technique/T1117)
* Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries.Microsoft Regsvr32
* Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.
@ -558,9 +578,8 @@ Alternate Data Streams
* [Practical use of JavaScript and COM Scriptlets for Penetration Testing](http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html)
## Rootkit
-------------------------------
## Rootkit
* [Rootkit - ATT&CK](https://attack.mitre.org/wiki/Technique/T1014)
* Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware.Wikipedia Rootkit Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
@ -571,8 +590,9 @@ Alternate Data Streams
#### Windows
------------------------------
## Rundll32
-------------------------------
* [Rundll32 - ATT&CK](https://attack.mitre.org/wiki/Technique/T1085)
* The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.
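Review bot: the Rundll32 section ends up with a horizontal rule on both sides of its heading (`------------------------------` / `## Rundll32` / `-------------------------------`), while every other section in this file has the rule only above the heading; drop the second rule so the layout matches the rest of the file.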
@ -581,9 +601,8 @@ Alternate Data Streams
* [AppLocker Bypass – Rundll32 - pentesterlab](https://pentestlab.blog/tag/rundll32/)
## Scripting
-------------------------------
## Scripting
* [Scripting - ATT&CK](https://attack.mitre.org/wiki/Technique/T1064)
* Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
@ -613,9 +632,8 @@ Alternate Data Streams
## Software Packing
-------------------------------
## Software Packing
* [Software Packing - ATT&CK](https://attack.mitre.org/wiki/Technique/T1045)
* Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
* [Executable compression - Wikipedia](https://en.wikipedia.org/wiki/Executable_compression)
@ -633,9 +651,8 @@ Alternate Data Streams
## Timestomp
-------------------------------
## Timestomp
* [Timestomp - ATT&CK](https://attack.mitre.org/wiki/Technique/T1099)
* Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools.
@ -650,9 +667,8 @@ Alternate Data Streams
## Trusted Developer Utilites
------------------------------
## Trusted Developer Utilites
* [Trusted Developer Utilities - ATT&CK](https://attack.mitre.org/wiki/Technique/T1127)
* There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.
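Review bot: "Trusted Developer Utilites" is misspelled in the section heading (the link text on the next line spells it "Utilities"); the commit moves the heading but keeps the typo in both the removed and the added line, so this is the place to fix it.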
@ -687,9 +703,8 @@ Alternate Data Streams
* [Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner - exploitmonday](http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html)
## Valid Accounts
--------------------
## Valid Accounts
* [Valid Accounts - ATT&CK](https://attack.mitre.org/wiki/Technique/T1078)
* Adversaries may steal the credentials of a specific user or service account using Credential Access techniques. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network and may even be used for persistent access to remote systems. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. Adversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful. The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.


Draft/ATT&CK-Stuff/Discovery.md (+5 -9)

@ -8,9 +8,8 @@
### Account Discovery
-------------------------------
### Account Discovery
* [Account Discovery - ATT&CK](https://attack.mitre.org/wiki/Technique/T1087)
* Adversaries may attempt to get a listing of local system or domain accounts.
@ -36,9 +35,8 @@
### Application Window Discovery
-------------------------------
### Application Window Discovery
* [Application Window Discovery - ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
* Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small AppleScript script.
@ -288,7 +286,8 @@ Web
* [Nmap NSE - smb-enum-shares](https://nmap.org/nsedoc/scripts/smb-enum-shares.html)
* Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked. Running NetShareEnumAll will work anonymously against Windows 2000, and requires a user-level account on any other Windows version. Calling NetShareGetInfo requires an administrator account on all versions of Windows up to 2003, as well as Windows Vista and Windows 7, if UAC is turned down. Even if NetShareEnumAll is restricted, attempting to connect to a share will always reveal its existence. So, if NetShareEnumAll fails, a pre-generated list of shares, based on a large test network, are used. If any of those succeed, they are recorded.
* [List Shares in Windows w/ PowerShell](http://krypted.com/windows-server/list-shares-in-windows-w-powershell/)
* '''
*
```
The command, from PowerShell would be something similar to the following:
get-WmiObject -class Win32_Share
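Review bot: switching the old `'''` pseudo-fence to a real triple-backtick fence is right, but the fence now sits after an empty `*` bullet, so the block is not part of the list item and will render as a stray empty bullet followed by a top-level code block; either indent the fence under the bullet or drop the empty `*`. Tagging the fence `powershell` would also give the Get-WmiObject lines highlighting.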
@ -299,10 +298,7 @@ Assuming communication is working as intended, you can also query for the shares
One can also list shared printers with a little trickeration in the {} side of things:
get-WmiObject -list | where {$_.name -match “Printer”}
'''
```


Draft/ATT&CK-Stuff/Persistence.md (+62 -64)

@ -5,8 +5,8 @@
* Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.
-------------------------------
## .bash_profile and .bashrc
-------------------------------
* [.bash_profile and .bashrc - ATT&CK](https://attack.mitre.org/wiki/Technique/T1156)
* `~/.bash_profile` and `~/.bashrc` are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. `~/.bash_profile` is executed for login shells and `~/.bashrc` is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), `~/.bash_profile` is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, `~/.bashrc` is executed. This allows users more fine grained control over when they want certain commands executed.
* Mac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc.
@ -21,8 +21,8 @@
## Accessibility Features
-------------------------------
## Accessibility Features
* [Accessibility Features - ATT&CK](https://attack.mitre.org/wiki/Technique/T1015)
* Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
* Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen.FireEye Hikit Rootkit
@ -44,9 +44,20 @@
* [Privilege Escalation via "Sticky" Keys](http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html)
-------------------------------
## AppCert DLLs
* [AppCert DLLs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1182)
* Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions:1
* CreateProcess
* CreateProcessAsUser
* CreateProcessWithLoginW
* CreateProcessWithTokenW
* WinExec
* Similar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
## AppInit DLLs
-------------------------------
## AppInit DLLs
* [AppInit DLLs - ATT&CK](https://attack.mitre.org/wiki/Technique/T1103)
* DLLs that are specified in the AppInit_DLLs value in the Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program. This value can be abused to obtain persistence by causing a DLL to be loaded into most processes on the computer.AppInit Registry The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.AppInit Secure Boot
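Review bot: in the AppCert DLLs text, "application programming interface (API) functions:1" carries a stray footnote number, and the key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` and the five function names are literal identifiers that should be in code spans like the paths elsewhere in this file; in the AppInit DLLs line, "computer.AppInit Registry The AppInit" and "secure boot is enabled.AppInit Secure Boot" are citation markers fused into the sentences (the second is already linked as "AppInit DLLs and Secure Boot" just below), so drop them or link them.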
@ -58,9 +69,8 @@
* [AppInit DLLs and Secure Boot](https://msdn.microsoft.com/en-us/library/dn280412)
## Application Shimming
-------------------------------
## Application Shimming
* [Application Shimming - ATT&CK](https://attack.mitre.org/wiki/Technique/T1138)
* The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow compatibility of programs as Windows updates and changes its code. For example, application shimming feature that allows programs that were created for Windows XP to work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses API hooking to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* `%WINDIR%\AppPatch\sysmain.sdb`
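Review bot: "For example, application shimming feature that allows programs that were created for Windows XP to work with Windows 10." is not a sentence; suggest "For example, application shimming allows programs written for Windows XP to run on Windows 10."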
@ -87,8 +97,8 @@
## Authentication Package
-------------------------------
## Authentication Package
* [Authentication Package - ATT&CK](https://attack.mitre.org/wiki/Technique/T1131)
* Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.MSDN Authentication Packages Adversaries can use the autostart mechanism provided by LSA Authentication Packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.
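Review bot: "to the operating system.MSDN Authentication Packages Adversaries can use" fuses a reference label into the sentence; drop it or make it a link. The registry location would also read better in code formatting, e.g. `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and `"Authentication Packages"=<target binary>`, consistent with how the Security Support Provider section formats its keys.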
@ -101,8 +111,8 @@
## Bootkit
-------------------------------
## Bootkit
* [Bootkit - ATT&CK](https://attack.mitre.org/wiki/Technique/T1067)
* A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).
* Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
@ -113,8 +123,8 @@
## Change Default File Association
-------------------------------
## Change Default File Association
* [Change Default File Association - ATT&CK](https://attack.mitre.org/wiki/Technique/T1042)
* When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access.Microsoft Change Default ProgramsMicrosoft File Handlers Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
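Review bot: "Registry access.Microsoft Change Default ProgramsMicrosoft File Handlers Applications can modify" has two reference labels run together mid-sentence; remove them or move them to linked bullets so the paragraph reads "... that have Registry access. Applications can modify the file association ...".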
@ -125,8 +135,8 @@
## Component Firmware
-------------------------------
## Component Firmware
* [Component Firmware - ATT&CK](https://attack.mitre.org/wiki/Technique/T1109)
* Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
* [HD Hacking - SpritesMods](http://spritesmods.com/?art=hddhack)
@ -136,8 +146,8 @@
## Component Object Model Hijacking
-------------------------------
## Component Object Model Hijacking
* [Component Object Model Hijacking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1122)
* The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.Microsoft Component Object Model Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.GDATA COM Hijacking An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.
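Review bot: pasted reference labels break this paragraph at "operating system.Microsoft Component Object Model Adversaries" and "when executed.GDATA COM Hijacking An adversary"; strip them or convert them to links. Also "unlikely to break noticeable functionality within the system as to avoid system instability" should read "so as to avoid".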
@ -154,8 +164,8 @@
-------------------------------
## Cron Job
-------------------------------
* [Cron Job - ATT&CK](https://attack.mitre.org/wiki/Technique/T1168)
* System-wide cron jobs are installed by modifying /etc/crontab while per-user cron jobs are installed using crontab with specifically formatted crontab files 1. This works on Mac and Linux systems.
* Both methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence234, to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
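Review bot: stray footnote digits survived the copy: "specifically formatted crontab files 1." and "for persistence234,". Remove the digits or restore the references as links. Separately, the Cron Job heading is wrapped by a rule on both sides (`-------------------------------` / `## Cron Job` / `-------------------------------`) while the other sections in this file have a single rule above the heading; pick one layout.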
@ -177,8 +187,8 @@
## DLL Search Order Hijacking
-------------------------------
## DLL Search Order Hijacking
* [DLL Search Order Hijacking - ATT&CK](https://attack.mitre.org/wiki/Technique/T1038)
* Windows systems use a common method to look for required DLLs to load into a program.Microsoft DLL Search Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.
* Adversaries may perform DLL preloading, also called binary planting attacks,OWASP Binary Planting by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.Microsoft 2269637 Adversaries may use this behavior to cause the program to load a malicious DLL.
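Review bot: reference labels are fused into the text at "into a program.Microsoft DLL Search Adversaries", "binary planting attacks,OWASP Binary Planting by placing", and "before loading a DLL.Microsoft 2269637 Adversaries". The last refers to Microsoft Security Advisory 2269637 (insecure library loading) and is worth keeping as a link; the others can be dropped or linked.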
@ -204,8 +214,8 @@
* [Dylib Hijacking on OS X](https://www.virusbtn.com/pdf/magazine/2015/vb201503-dylib-hijacking.pdf)
## External Remote Services
-------------------------------
## External Remote Services
* [External Remote Services - ATT&CK](https://attack.mitre.org/wiki/Technique/T1133)
* Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Adversaries may use remote services to access and persist within a network.Volexity Virtual Private Keylogging Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of Redundant Access during an operation.
* VPN/RDP/Citrix Hijacking
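Review bot: "within a network.Volexity Virtual Private Keylogging Access to Valid Accounts" fuses a reference label into the sentence; drop or link it. The bullet `* VPN/RDP/Citrix Hijacking` below it is a bare title with no link or explanation, unlike the other bullets in this file; either add the reference it was meant to introduce or remove it.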
@ -216,8 +226,8 @@
## File System Permissions Weakness
-------------------------------
## File System Permissions Weakness
* [File System Permissions Weakness - ATT&CK](https://attack.mitre.org/wiki/Technique/T1044)
* Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
* Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
@ -234,8 +244,8 @@
## Hidden Files and Directories
-------------------------------
## Hidden Files and Directories
* [Hidden Files and Directories - ATT&CK](https://attack.mitre.org/wiki/Technique/T1158)
* To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
*
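Review bot: the trailing `*` is an empty list item and should be removed. In the line above it, `ls –a` uses an en dash rather than a hyphen (a formatted-source paste), so the command fails if copied into a shell; change it to `ls -a`.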
@ -253,21 +263,28 @@
* Users can mark specific files as hidden by using the attrib.exe binary. Simply do attrib +h filename to mark a file or folder as hidden. Similarly, the “+s” marks a file as a system file and the “+r” flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively “/S”.
## Hypervisor
-------------------------------
## Hypervisor
* [Hypervisor - ATT&CK](https://attack.mitre.org/wiki/Technique/T1062)
* A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware.Wikipedia Hypervisor It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen.Wikipedia Xen A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system.Myers 2007 A malicious hypervisor of this nature could be used to persist on systems through interruption.
* [An Introduction to Hardware-Assisted Virtual Machine (HVM) - pdf](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf)
---------------------------
## Image File Execution Options Injection
* [Image File Execution Options Injection - ATT&CK](https://attack.mitre.org/wiki/Technique/T1183)
* Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, any executable file present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., `“C:\dbg\ntsd.exe -g notepad.exe”)`.
* IFEOs can be set directly via the Registry or in Global Flags via the Gflags tool.2 IFEOs are represented as Debugger Values in the Registry under `*HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>` where `<executable>` is the binary on which the debugger is attached.
* Similar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. Installing IFEO mechanisms may also provide Persistence via continuous invocation.
* Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications.
#### Windows
* [Image File Execution Options (IFEO) - blogs.msdn](https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/)
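Review bot: the first IFEO registry path is wrong as written: `*HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable>` has a stray leading `*` and a forward slash before `<executable>`; it should end `...Image File Execution Options\<executable>`, matching the `Wow6432Node` path beside it. In the same section the example `“C:\dbg\ntsd.exe -g notepad.exe”)` carries curly quotes and the closing parenthesis inside the code span, and "Gflags tool.2" has a leftover footnote digit. The Hypervisor paragraph above has the same pasted labels ("Wikipedia Hypervisor", "Wikipedia Xen", "Myers 2007").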
## LC_LOAD_DYLIB Addition
-------------------------------
## LC_LOAD_DYLIB Addition
* [LC_LOAD_DYLIB Addition - ATT&CK](https://attack.mitre.org/wiki/Technique/T1161)
* Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependenciesWriting Bad Malware for OSX. There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load timeMalware Persistence on OS X.
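Review bot: "as long adjustments are made" should be "as long as adjustments are made", and the labels "dependenciesWriting Bad Malware for OSX" and "load timeMalware Persistence on OS X" need to be split out of the prose (drop or link).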
@ -278,9 +295,8 @@
## Launch Agent
-------------------------------
## Launch Agent
* [Launch Agent - ATT&CK](https://attack.mitre.org/wiki/Technique/T1159)
* Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgentsAppleDocs Launch Agent DaemonsOSX Keydnap malwareAntiquated Mac Malware. These launch agents have property list files which point to the executables that will be launchedOSX.Dok Malware. Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories Sofacy Komplex Trojan Methods of Mac Malware Persistence. The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log inOSX Malware DetectionOceanLotus for OS X. They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
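Review bot: the third Launch Agents path is mangled by pasted labels: "$HOME/Library/LaunchAgentsAppleDocs Launch Agent DaemonsOSX Keydnap malwareAntiquated Mac Malware" should read `$HOME/Library/LaunchAgents`. The same applies to "launchedOSX.Dok Malware", "directories Sofacy Komplex Trojan Methods of Mac Malware Persistence" and "log inOSX Malware DetectionOceanLotus for OS X". Put the three directories in code formatting so a reader can tell where each path ends.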
@ -295,9 +311,8 @@
## Launch Daemon
-------------------------------
## Launch Daemon
* [Launch Daemon - ATT&CK](https://attack.mitre.org/wiki/Technique/T1160)
* Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemonsAppleDocs Launch Agent Daemons. These LaunchDaemons have property list files which point to the executables that will be launchedMethods of Mac Malware Persistence.
* Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directoriesOSX Malware Detection. The daemon name may be disguised by using a name from a related operating system or benign software WireLurker. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.
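Review bot: "/Library/LaunchDaemonsAppleDocs Launch Agent Daemons" corrupts the second path; it should be `/Library/LaunchDaemons`. Also strip "launchedMethods of Mac Malware Persistence", "directoriesOSX Malware Detection" and "benign software WireLurker" out of the prose.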
@ -306,9 +321,8 @@
#### OS X
## Launchctl
-------------------------------
## Launchctl
* [Launchctl - ATT&CK](https://attack.mitre.org/wiki/Technique/T1152)
* Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made Sofacy Komplex Trojan. Running a command from launchctl is as simple as `launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"`. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges. Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.
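Review bot: the `#### OS X` line at the top of this hunk is a sub-heading with nothing under it before the next section rule; add the entries it was meant to hold or remove it. In the Launchctl paragraph, "execute changes they made Sofacy Komplex Trojan." fuses a reference label; the `launchctl submit -l <labelName> -- ...` example is correctly in code formatting.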
@ -316,9 +330,8 @@
## Local Port Monitor
-------------------------------
## Local Port Monitor
* [Local Port Monitor - ATT&CK](https://attack.mitre.org/wiki/Technique/T1013)
* A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.AddMonitor This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot.Bloxham Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.Bloxham The spoolsv.exe process also runs under SYSTEM level permissions. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
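Review bot: three reference labels are fused into sentences: "loaded at startup.AddMonitor This DLL", "on boot.Bloxham Alternatively" and "Print\Monitors.Bloxham The spoolsv.exe". Remove or link them, and put `C:\Windows\System32` and `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors` in code formatting as the Security Support Provider section does.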
@ -328,9 +341,8 @@
## Login Item
-------------------------------
## Login Item
* [Login Item - ATT&CK](https://attack.mitre.org/wiki/Technique/T1162)
* MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created themAdding Login Items. Users have direct control over login items installed using a shared file list which are also visible in System PreferencesAdding Login Items. These login items are stored in the user's `~/Library/Preferences/` directory in a plist file called `com.apple.loginitems.plist`. Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs inMalware Persistence on OS XOSX.Dok Malware.
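Review bot: "register their own login item or modified an existing one" should be "or modify an existing one". Pasted labels also need removing: "created themAdding Login Items", "System PreferencesAdding Login Items" and "logs inMalware Persistence on OS XOSX.Dok Malware".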
@ -338,9 +350,8 @@
## Logon Scripts
-------------------------------
## Logon Scripts
* [Logon Scripts - ATT&CK](https://attack.mitre.org/wiki/Technique/T1037)
#### OS X
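Review bot: within this hunk the Logon Scripts section holds only the ATT&CK link and an empty `#### OS X` sub-heading; every other section carries the ATT&CK description as a bullet, so add it here, and drop the sub-heading unless entries follow it.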
@ -357,9 +368,8 @@
## Modify Existing Service
-------------------------------
## Modify Existing Service
* [Modify Existing Service - ATT&CK](https://attack.mitre.org/wiki/Technique/T1031)
* Windows service configuration information, including the file path to the service's executable, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg. Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
@ -373,9 +383,8 @@
### Netsh Helper DLL
-------------------------------
### Netsh Helper DLL
Netsh Helper DLL
* [Netsh Helper DLL - ATT&CK](https://attack.mitre.org/wiki/Technique/T1128)
* Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.TechNet Netsh The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
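Review bot: this section is headed `### Netsh Helper DLL` while every other section in the file uses `##`; promote it to `##` for a consistent outline. The plain-text line "Netsh Helper DLL" under the rule duplicates the heading and would render as a stray paragraph if kept. "utility.TechNet Netsh The paths" fuses a label into the sentence.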
@ -404,10 +413,8 @@ Netsh Helper DLL
## Office Application Startup
-------------------------------
Office Application Startup
## Office Application Startup
* [Office Application Startup - ATT&CK](https://attack.mitre.org/wiki/Technique/T1137)
* Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.
* Office template Macros
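Review bot: the plain-text line "Office Application Startup" between the rule and the `## Office Application Startup` heading duplicates the title; make sure it does not survive the reformat. "Office template Macros" is a bare bullet title with no link or description in this hunk.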
@ -434,10 +441,8 @@ Office Application Startup
* Add-ins provide optional commands and features for Microsoft Excel. By default, add-ins are not immediately available in Excel, so you must first install and (in some cases) activate these add-ins so that you can use them.
## Path Interception
-------------------------------
Path Interception
## Path Interception
* [Path Interception - ATT&CK](https://attack.mitre.org/wiki/Technique/T1034)
* Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function.TechNet MS14-019
* There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
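Review bot: the same plain-text title line, "Path Interception", sits between the rule and the heading; drop it. "CreateProcess function.TechNet MS14-019" fuses the reference label into the sentence; make it a link instead, since MS14-019 is the bulletin the cmd example is drawn from.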
@ -469,9 +474,8 @@ Path Interception
## Plist Modification
-------------------------------
## Plist Modification
[Plist Modification - ATT&CK](https://attack.mitre.org/wiki/Technique/T1150)
* Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UT-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanismSofacy Komplex Trojan.
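Review bot: the ATT&CK link `[Plist Modification - ATT&CK](...)` is missing its leading `* `, so it will not render as a list item like every other section's link. In the paragraph, "UT-8 encoded" should be "UTF-8 encoded", and "persistence mechanismSofacy Komplex Trojan." fuses a reference label. Consider code formatting for `/Library/Preferences` and `~/Library/Preferences`.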
@ -480,8 +484,8 @@ Path Interception
-------------------------------
## Rc.common
-------------------------------
* [Rc.common - ATT&CK](https://attack.mitre.org/wiki/Technique/T1163)
* During the boot process, macOS and Linux both execute source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item ScriptsStartup Items. In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used. Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root userMethods of Mac Malware Persistence.
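Review bot: "macOS and Linux both execute source /etc/rc.common" overstates the Linux side: /etc/rc.common is a macOS Startup Items file and is not a standard part of Linux boot, so either limit the sentence to macOS or cite where it applies to Linux. The labels "Startup Item ScriptsStartup Items" and "root userMethods of Mac Malware Persistence" are fused into the prose. This section also has rules both above and below `## Rc.common`, unlike the rest of the file.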
@ -497,18 +501,16 @@ Path Interception
## Re-opened Applications
-------------------------------
## Re-opened Applications
* [Re-opened Applications - ATT&CK](https://attack.mitre.org/wiki/Technique/T1164)
* Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at `~/Library/Preferences/com.apple.loginwindow.plist` and `~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist`. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machineMethods of Mac Malware Persistence.
#### OS X
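Review bot: "reboots their machineMethods of Mac Malware Persistence." fuses a reference label, and the trailing `#### OS X` sub-heading has no entries under it in this hunk. The two plist paths are correctly in code formatting; keep that style for the other macOS sections.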
## Redundant Access
-------------------------------
## Redundant Access
* [Redundant Access - ATT&CK](https://attack.mitre.org/wiki/Technique/T1108)
* Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.Mandiant APT1 Use of a Web Shell is one such way to maintain access to a network through an externally accessible Web server.
* Don't just use one backdoor. Use multiple avenues of exfil. Plan ahead and exepct observation/discovery. Prepare backup solutions ready to go in case SHTF.
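Review bot: typo "exepct" should be "expect" in the last bullet. That bullet also mixes concerns: "Use multiple avenues of exfil" belongs under Exfiltration, whereas the point of this section (and the ATT&CK text above it) is multiple independent access and C2 channels; suggest "Use multiple independent C2 channels." "Mandiant APT1 Use of a Web Shell" fuses a label into the ATT&CK paragraph.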
@ -516,9 +518,8 @@ Path Interception
## Registry Run Key/ Start Folder
-------------------------------
## Registry Run Key/ Start Folder
* [Registry Run Keys / Start Folder - ATT&CK](https://attack.mitre.org/wiki/Technique/T1060)
* Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.Microsoft Run Key The program will be executed under the context of the user and will have the account's associated permissions level. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
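Review bot: the heading `## Registry Run Key/ Start Folder` and the link text "Registry Run Keys / Start Folder" disagree on plural and spacing; align the heading with the ATT&CK title. "logs in.Microsoft Run Key The program" fuses a reference label.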
@ -536,10 +537,8 @@ Path Interception
## Scheduled Tasks
-------------------------------
Scheduled Tasks
## Scheduled Tasks
* [Scheduled Tasks - ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
* Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. The account used to create the task must be in the Administrators group on the local system. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.TechNet Task Scheduler Security An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
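Review bot: the plain-text "Scheduled Tasks" line under the rule duplicates the heading and should go. "turned on.TechNet Task Scheduler Security An adversary" fuses a reference label. The sentence "The account used to create the task must be in the Administrators group on the local system" is too strong as written: a standard user can create a task with schtasks that runs under their own account, so qualify it (the Administrators requirement applies to `at`, to tasks for other accounts, and to remote systems).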
@ -557,8 +556,8 @@ Scheduled Tasks
## Security Support Provider
-------------------------------
## Security Support Provider
* [Security Support Provider - ATT&CK](https://attack.mitre.org/wiki/Technique/T1101)
* Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages` and `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages`. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.
@ -569,9 +568,8 @@ Scheduled Tasks
## Service Registry Permissions Weakness
-------------------------------
Service Registry Permissions Weakness
## Service Registry Permissions Weakness
* [Service Registry Permissions Weakness - ATT&CK](https://attack.mitre.org/wiki/Technique/T1058)
* Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions.MSDN Registry Key Security If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
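Review bot: the plain-text "Service Registry Permissions Weakness" line duplicates the heading; drop it. "permissions.MSDN Registry Key Security If the permissions" fuses a label. Put `HKLM\SYSTEM\CurrentControlSet\Services` and the `ImagePath` value name in code formatting.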
@ -582,8 +580,8 @@ Service Registry Permissions Weakness
## Shortcut Modification
-------------------------------
## Shortcut Modification
* [Shortcut Modification - ATT&CK](https://attack.mitre.org/wiki/Technique/T1023)
* Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.
@ -607,8 +605,8 @@ Service Registry Permissions Weakness
## Startup Items
-------------------------------
## Startup Items
* [Startup Items - ATT&CK](https://attack.mitre.org/wiki/Technique/T1165)
* Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup itemsStartup Items. This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanismMethods of Mac Malware Persistence. Additionally, since StartupItems run during the bootup phase of macOS, they will run as root. If an adversary is able to modify an existing Startup Item, then they will be able to Privilege Escalate as well.
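Review bot: "Privilege Escalate as well" should be "escalate privileges as well"; the labels "startup itemsStartup Items" and "mechanismMethods of Mac Malware Persistence" are fused into the text. Put `/Library/StartupItems` and `StartupParameters.plist` in code formatting.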
@ -616,8 +614,8 @@ Service Registry Permissions Weakness
## System Firmware
-------------------------------
## System Firmware
* [System Firmware - ATT&CK](https://attack.mitre.org/wiki/Technique/T1019)
* The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.Wikipedia BIOSWikipedia UEFIAbout UEFI System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
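Review bot: "underly" should be "underlie", and "computer.Wikipedia BIOSWikipedia UEFIAbout UEFI System firmware" has three reference labels fused together; remove or link them.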
@ -626,8 +624,8 @@ Service Registry Permissions Weakness
## Trap
-------------------------------
## Trap
* [Trap - ATT&CK](https://attack.mitre.org/wiki/Technique/T1154)
* The `trap` command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.
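Review bot: `trap 'command list' signals` should be in code formatting like `trap` is, and ctrl+d is not an interrupt: it sends end-of-file to the shell, not a signal, so trap cannot catch it. Reword the example as "keyboard interrupts like ctrl+c (SIGINT)" or name the signals the handler can catch (INT, TERM, EXIT).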
@ -643,8 +641,8 @@ Service Registry Permissions Weakness
## Valid Accounts
-------------------------------
## Valid Accounts
* [Valid Accounts - ATT&CK](https://attack.mitre.org/wiki/Technique/T1078)
* Adversaries may steal the credentials of a specific user or service account using Credential Access techniques. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network and may even be used for persistent access to remote systems. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
* Adversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful.
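Review bot: "Credential Access techniques" is capitalised as a cross-reference but carries no link, while the first bullet links its technique page; either point it at the ATT&CK tactic page in the same style or lower-case it so it reads as ordinary prose.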
@ -667,8 +665,8 @@ also grant an adversary increased privilege to specific systems or access to res
## Web Shell
-------------------------------
## Web Shell
* [Web Shell - ATT&CK](https://attack.mitre.org/wiki/Technique/T1100)
* A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client).Lee 2013 Web shells may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.
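Review bot: the reference marker is fused into the sentence at "Web shell client).Lee 2013 Web shells may serve", so it needs a space, brackets and a link (or removal) to render sensibly; "Redundant Access" is likewise a capitalised ATT&CK cross-reference with no link behind it.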
@ -683,8 +681,8 @@ also grant an adversary increased privilege to specific systems or access to res
* Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.
## Windows Management Instrumentation(WMI) Event Subscription
-------------------------------
## Windows Management Instrumentation(WMI) Event Subscription
* [Windows Management Instrumentation Event Subscription - ATT&CK](https://attack.mitre.org/wiki/Technique/T1084)
* Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts.Dell WMI Persistence Examples of events that may be subscribed to are the wall clock time or the computer's uptime.Kazanciyan 2014 Several threat groups have reportedly used this technique to maintain persistence.Mandiant M-Trends 2015
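Review bot: three citation markers are run straight into the text here ("compiling WMI scripts.Dell WMI Persistence Examples of events", "uptime.Kazanciyan 2014 Several", "persistence.Mandiant M-Trends 2015"), which will read as garbled sentences on the rendered page; separate and link them or drop them. Minor: the heading "Windows Management Instrumentation(WMI)" is missing a space before the parenthesis on both the removed and added lines.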
@ -705,8 +703,8 @@ also grant an adversary increased privilege to specific systems or access to res
## Winlogon Helper DLL
-------------------------------
## Winlogon Helper DLL
* [Winlogon Helper DLL - ATT&CK](https://attack.mitre.org/wiki/Technique/T1004)
* Winlogon is a part of some Windows versions that performs actions at logon. In Windows systems prior to Windows Vista, a Registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup for persistence.
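Review bot: the bullet says "a Registry key can be modified" without saying which one, which is the detail a reader of a persistence reference would look for; either quote the key path from the linked ATT&CK entry or say explicitly that the linked page names it.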

+76 -25 Draft/ATT&CK-Stuff/Privilege_Escalation.md

@ -2,8 +2,8 @@
[MITRE ATT&CK - Privilege Escalation](https://attack.mitre.org/wiki/Privilege_Escalation)
## Access Token Manipulation
-------------------------------
## Access Token Manipulation
* [Access Token Manipulation - ATT&CK](https://attack.mitre.org/wiki/Technique/T1134)
* Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. Microsoft runas
* Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level.Pentestlab Token Manipulation
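Review bot: `runas` should be in backticks where it appears as "command runas", and the trailing "Microsoft runas" is a citation marker, not part of the sentence, so it needs brackets and a link; the same applies to "SYSTEM level.Pentestlab Token Manipulation" at the end of the second bullet, where the marker is fused to the preceding word.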
@ -27,8 +27,8 @@
## Accessibility Features
-------------------------------
## Accessibility Features
* [Accessibility Features - ATT&CK](https://attack.mitre.org/wiki/Technique/T1015)