security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #56 from redcanaryco/Haag

Browse Source 
Mac - Credential Access
This commit is contained in:
caseysmithrc
2018-01-09 10:07:55 -07:00
committed by GitHub
parent f4fe0d67d6 c4bbef438a
commit 72a010b9b1
3 changed files with 49 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Mac/Credential_Access/Create_Account.md
+15
View File
@@ -0,0 +1,15 @@
# Create Account
MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136)
### dscl - add user
Input:
dscl . -create /User/AtomicRedTeam
###
Input:
/usr/sbin/sysadminctl -addUser AtomicRedTeam
Mac/Credential_Access/Keychain.md
+32
View File
@@ -0,0 +1,32 @@
# Keychain
MITRE ATT&CK Technique: [T1142](https://attack.mitre.org/wiki/Technique/T1142)
### Keychain Files
~/Library/Keychains/
/Library/Keychains/
/Network/Library/Keychains/
### security command line
Input:
security -h
Input:
security find-certificate -a -p > allcerts.pem
Input:
security import /tmp/certs.pem -k
### References
[Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
[Keychain dumper](https://github.com/juuso/keychaindump)
Mac/README.md
+2 -2
View File
@@ -5,12 +5,12 @@
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md ) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port |
| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media |
| Dylib Hijacking | [Launch Daemon](Persistence/Launch_Daemon.md) | Code Signing | Create Account | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| Dylib Hijacking | [Launch Daemon](Persistence/Launch_Daemon.md) | Code Signing | [Create Account](Credential_Access/Create_Account.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy |
| [Hidden Files and Directories](/Persistence/Hidden_Files_and_Directories.md) | [Plist Modification](Persistence/Plist_Modification.md) | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Credentials in Files | Network Share Discovery | Logon Scripts | [Launchctl](Defense_Evasion/Launchctl.md) | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol |
| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| [Launch Agent](Persistence/Launch_Agent.md) | [Startup Items](Persistence/Startup_Items.md) | File Deletion | Input Capture | Process Discovery | Remote Services | Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding |
| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Input Prompt](Credential_Access/Input_Prompt.md) | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| [Launchctl](Defense_Evasion/Launchctl.md) | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | [Keychain](Credential_Access/Keychain.md) | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels |
| Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication |
| [Plist Modification](Persistence/Plist_Modification.md) | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption |