security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #10 from redcanaryco/dev-mh

Browse Source 
Dev mh
This commit is contained in:
caseysmithrc
2017-10-31 14:14:33 -06:00
committed by GitHub
parent 480a201741 be85bb6afe
commit e5236e6146
3 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Windows/Defense Evasion/Indicator_Removal_on_Host.md
+14
View File
@@ -11,3 +11,17 @@ Clear system logs
Clear Security logs
wevtutil cl Security
Clear Setup logs
wevtutil cl Setup
Clear Application logs
wevtutil cl Application
## Fsutil
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
fsutil usn deletejournal /D C:
Windows/Exfiltration/Data_Compressed.md
+11
View File
@@ -0,0 +1,11 @@
# File Deletion
MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
## PowerShell
powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip
## Rar
rar a -r exfilthis.rar *.docx
Windows/Payloads/Discovery.bat
+17
View File
@@ -8,6 +8,23 @@ net config workstation
net accounts
net accounts /domain
net view
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wmic useraccount list
wmic useraccount get /ALL
wmic startup list brief