diff --git a/Linux/Defense_Evasion/Rootkits.md b/Linux/Defense_Evasion/Rootkits.md new file mode 100644 index 00000000..06becd24 --- /dev/null +++ b/Linux/Defense_Evasion/Rootkits.md @@ -0,0 +1,21 @@ +## Rootkits + +MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014) + +### Loadable Kernel Module based Rootkit + +Input: + + sudo insmod MODULE.ko + +OR + +Input: + + sudo modprobe MODULE.ko + +### LD_PRELOAD based Rootkit + +Input: + + export LD_PRELOAD=$PWD/libmy_r00tkit.so \ No newline at end of file diff --git a/Linux/README.md b/Linux/README.md index 504087b8..83e03254 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -13,7 +13,8 @@ | Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels | | Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication | | | | Masquerading | | | | | | | Multilayer Encryption | -| | | Redundant Access | | | | | | | Remote File Copy | +| | | Redundant Access | +| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy | | | | Scripting | | | | | | | Standard Application Layer Protocol | | | | Space after Filename | | | | | | | Standard Cryptographic Protocol | | | | Timestomp | | | | | | | Standard Non-Application Layer Protocol | diff --git a/Mac/Credential_Access/Credentials_in_Files.md b/Mac/Credential_Access/Credentials_in_Files.md new file mode 100644 index 00000000..ebf2e353 --- /dev/null +++ b/Mac/Credential_Access/Credentials_in_Files.md @@ -0,0 +1,11 @@ +# Credentials in Files + +MITRE ATT&CK Technique: [T1081](https://attack.mitre.org/wiki/Technique/T1081) + +## Browser and System credentials + +[LaZagne Source](https://github.com/AlessandroZ/LaZagne) + +Input: + + python2 laZagne.py all diff --git a/Mac/Persistence/Rc.common.md b/Mac/Persistence/Rc.common.md new file mode 100644 index 00000000..4109295e --- /dev/null +++ b/Mac/Persistence/Rc.common.md @@ -0,0 +1,15 @@ +# rc.common + +MITRE ATT&CK Technique: [T1163](https://attack.mitre.org/wiki/Technique/T1163) + +Input: + + echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common + +Modify: + + /etc/rc.common + + + +[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) diff --git a/Mac/README.md b/Mac/README.md index 64fab2b0..acd8e410 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -4,7 +4,7 @@ |------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | | [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | -| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy | +| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy | | Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Launchctl | Clipboard Data | Data Transfer Size Limits | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md) | | Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | | LC_LOAD_DYLIB Addition | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | @@ -15,7 +15,7 @@ | Login Item | | Hidden Window | Two-Factor Authentication Interception | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multi-hop Proxy | | [Logon Scripts](Persistence/Logon_Scripts.md) | | Indicator Removal from Tools | | System Network Connections Discovery | | | | | Multiband Communication | | [Plist Modification](Persistence/Plist_Modification.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | | Multilayer Encryption | -| Rc.common | | LC_MAIN Hijacking | | | | | | | Remote File Copy | +| [Rc.common](Persistence/Rc.common.md) | | LC_MAIN Hijacking | | | | | | | Remote File Copy | | [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Application Layer Protocol | | Redundant Access | | Masquerading | | | | | | | Standard Cryptographic Protocol | | [Startup Items](Persistence/Startup_Items.md) | | Obfuscated Files or Information | | | | | | | Standard Non-Application Layer Protocol |