From c121d1539b405d1983880ddc8c4c69868c1ee1cf Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 21 Nov 2017 12:16:00 -0800 Subject: [PATCH 1/3] Format Updates + System Service Discovery + Updated format to Discovery md files + Added System Service Discovery --- .../{Query Registry.md => Query_Registry.md} | 0 ...iscovery.md => Remote_System_Discovery.md} | 0 ...ery.md => System_Information_Discovery.md} | 0 ...very.md => System_Owner-User_Discovery.md} | 0 Windows/Discovery/System_Service_Discovery.md | 36 +++++++++++++++++++ Windows/README.md | 10 +++--- 6 files changed, 41 insertions(+), 5 deletions(-) rename Windows/Discovery/{Query Registry.md => Query_Registry.md} (100%) rename Windows/Discovery/{Remote System Discovery.md => Remote_System_Discovery.md} (100%) rename Windows/Discovery/{System Information Discovery.md => System_Information_Discovery.md} (100%) rename Windows/Discovery/{System Owner-User Discovery.md => System_Owner-User_Discovery.md} (100%) create mode 100644 Windows/Discovery/System_Service_Discovery.md diff --git a/Windows/Discovery/Query Registry.md b/Windows/Discovery/Query_Registry.md similarity index 100% rename from Windows/Discovery/Query Registry.md rename to Windows/Discovery/Query_Registry.md diff --git a/Windows/Discovery/Remote System Discovery.md b/Windows/Discovery/Remote_System_Discovery.md similarity index 100% rename from Windows/Discovery/Remote System Discovery.md rename to Windows/Discovery/Remote_System_Discovery.md diff --git a/Windows/Discovery/System Information Discovery.md b/Windows/Discovery/System_Information_Discovery.md similarity index 100% rename from Windows/Discovery/System Information Discovery.md rename to Windows/Discovery/System_Information_Discovery.md diff --git a/Windows/Discovery/System Owner-User Discovery.md b/Windows/Discovery/System_Owner-User_Discovery.md similarity index 100% rename from Windows/Discovery/System Owner-User Discovery.md rename to Windows/Discovery/System_Owner-User_Discovery.md diff --git a/Windows/Discovery/System_Service_Discovery.md b/Windows/Discovery/System_Service_Discovery.md new file mode 100644 index 00000000..55b0562c --- /dev/null +++ b/Windows/Discovery/System_Service_Discovery.md @@ -0,0 +1,36 @@ +## System Service Discovery + +MITRE ATT&CK Technique: [T1007](https://attack.mitre.org/wiki/Technique/T1007) + +## Tasklist.exe + +Input: + + tasklist.exe + +## sc.exe + +Input: + + sc query + +Input: + + sc query state= all + +Start/Stop a service + + sc start + +Stop: + + sc stop + + +GUI: + + services.msc + +## WMIC.exe + + wmic service where (displayname like "%%") get name diff --git a/Windows/README.md b/Windows/README.md index b4412191..9eee25c3 100644 --- a/Windows/README.md +++ b/Windows/README.md @@ -10,14 +10,14 @@ | [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | | Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Input Capture](Collection/Input_Capture.md) | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | | Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels | -| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | -| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | +| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query_Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | +| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | | File System Permissions Weakness | New Service | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | -| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy | +| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System_Information_Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy | | Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol | | Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol | -| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol | -| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port | +| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol | +| Modify Existing Service | Web Shell | Indicator Blocking | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Trusted Developer Utilities | | | Uncommonly Used Port | | [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Web Service | | New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | | | Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | | From f6bfcd4e52eb3fc1ad50b73c46f1aa11b54eb9f6 Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 21 Nov 2017 12:17:55 -0800 Subject: [PATCH 2/3] Discovery.bat - add Added sc.exe query line --- Windows/Payloads/Discovery.bat | 1 + 1 file changed, 1 insertion(+) diff --git a/Windows/Payloads/Discovery.bat b/Windows/Payloads/Discovery.bat index c2038750..8c51854a 100644 --- a/Windows/Payloads/Discovery.bat +++ b/Windows/Payloads/Discovery.bat @@ -8,6 +8,7 @@ net config workstation net accounts net accounts /domain net view +sc query reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce From 874b3cd78789bb0c4d3b9a4d8ad40ab9c564a9a8 Mon Sep 17 00:00:00 2001 From: Michael Haag Date: Wed, 22 Nov 2017 06:55:57 -0800 Subject: [PATCH 3/3] Update README.md --- Windows/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Windows/README.md b/Windows/README.md index 9eee25c3..974c29a5 100644 --- a/Windows/README.md +++ b/Windows/README.md @@ -2,7 +2,7 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | +| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | | [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | | [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy | | Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | @@ -10,14 +10,14 @@ | [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | | Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Input Capture](Collection/Input_Capture.md) | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | | Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels | -| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query_Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | -| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | -| File System Permissions Weakness | New Service | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | -| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System_Information_Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy | +| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | +| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | +| File System Permissions Weakness | [New Service](Persistence/Service_Installation.md) | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | +| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy | | Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol | | Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol | -| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol | -| Modify Existing Service | Web Shell | Indicator Blocking | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Trusted Developer Utilities | | | Uncommonly Used Port | +| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol | +| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port | | [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Web Service | | New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | | | Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |