From 21cdce977754e196eed0db565a61797b0d830e56 Mon Sep 17 00:00:00 2001 From: JeremyNGalloway Date: Wed, 28 Feb 2018 16:43:07 -0600 Subject: [PATCH 1/2] initial upload --- Mac/Credential_Access/Credentials_in_Files.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 Mac/Credential_Access/Credentials_in_Files.md diff --git a/Mac/Credential_Access/Credentials_in_Files.md b/Mac/Credential_Access/Credentials_in_Files.md new file mode 100644 index 00000000..ebf2e353 --- /dev/null +++ b/Mac/Credential_Access/Credentials_in_Files.md @@ -0,0 +1,11 @@ +# Credentials in Files + +MITRE ATT&CK Technique: [T1081](https://attack.mitre.org/wiki/Technique/T1081) + +## Browser and System credentials + +[LaZagne Source](https://github.com/AlessandroZ/LaZagne) + +Input: + + python2 laZagne.py all From 75145a2766633633b8d5eef543c539586f41780a Mon Sep 17 00:00:00 2001 From: JeremyNGalloway Date: Wed, 28 Feb 2018 16:44:33 -0600 Subject: [PATCH 2/2] updated readme with link to Credential_Access/Credentials_in_Files.md --- Mac/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Mac/README.md b/Mac/README.md index 457ba910..59be71ad 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -4,7 +4,7 @@ |------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | | [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | -| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | +| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | | Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Launchctl | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol | | Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | | LC_LOAD_DYLIB Addition | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |