From 976f3ba40f2b6534b61b97f424ae91a8349eee1b Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Wed, 1 Nov 2017 16:02:40 -0700 Subject: [PATCH] Adds Security software discovery system time discovery --- .../Discovery/Security_Software_Discovery.md | 24 +++++++++++++++++++ Windows/Discovery/System_Time_Discovery.md | 22 +++++++++++++++++ Windows/Windows.md | 6 ++--- 3 files changed, 49 insertions(+), 3 deletions(-) create mode 100644 Windows/Discovery/Security_Software_Discovery.md create mode 100644 Windows/Discovery/System_Time_Discovery.md diff --git a/Windows/Discovery/Security_Software_Discovery.md b/Windows/Discovery/Security_Software_Discovery.md new file mode 100644 index 00000000..8054c405 --- /dev/null +++ b/Windows/Discovery/Security_Software_Discovery.md @@ -0,0 +1,24 @@ +# Security Software Discovery + +MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1063) + +### netsh + + netsh.exe advfirewall firewall + +### tasklist + + tasklist.exe + + +### PowerShell + + powershell.exe get-process | ?{$_.Description -like "*virus*"} + +#### CarbonBlack + + powershell.exe get-process | ?{$_.Description -like "*carbonblack*"} + +#### Windows Defender + + powershell.exe get-process | ?{$_.Description -like "*defender*"} diff --git a/Windows/Discovery/System_Time_Discovery.md b/Windows/Discovery/System_Time_Discovery.md new file mode 100644 index 00000000..e7b4ace9 --- /dev/null +++ b/Windows/Discovery/System_Time_Discovery.md @@ -0,0 +1,22 @@ +# System Time Discovery + +MITRE ATT&CK Technique: [T1124](https://attack.mitre.org/wiki/Technique/T1124) + +### Net Time + + +Local: + + net time + +Remote: + + net time \\ + +### w32time + + w32tm /tz + +### PowerShell + + powershell.exe Get-Date diff --git a/Windows/Windows.md b/Windows/Windows.md index 21add36f..82ccc77f 100644 --- a/Windows/Windows.md +++ b/Windows/Windows.md @@ -3,7 +3,7 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | -| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated Collection](Collection/Automated_Collection.md) | Data Compressed | Communication Through Removable Media | +| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | | [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy | | Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | | Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | @@ -12,13 +12,13 @@ | Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels | | DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | | External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | -| File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | +| File System Permissions Weakness | New Service | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | | Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy | | Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol | | Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol | | Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol | | Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port | -| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | System Time Discovery | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Web Service | +| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Web Service | | New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | | | Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | | | Path Interception | | [InstallUtil](Execution/InstallUtil.md) | | | | | | | |