Adds a method to detect when extended attributes are used to hide files and folders.
@@ -0,0 +1,6 @@
# Hidden Users
MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
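Review bot: The redirection in `sudo xattr -lr * / 2>&1 /dev/null | grep ...` is wrong: `2>&1 /dev/null` does not discard errors, it merges stderr into the pipe (so permission-denied messages reach grep) and passes `/dev/null` to xattr as one more path to inspect. Use `2>/dev/null` instead, and drop the `*`, which is redundant once `-r /` walks the whole tree and only adds the caller's current-directory entries a second time. The heading `# Hidden Users` also does not match the commit message or the T1158 link, which are about hidden files and directories; the page should be titled accordingly, and a sentence explaining what the 16-byte hex pattern given to grep matches would let a reader judge the false-positive rate of the check.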
+1
-1
@@ -10,7 +10,7 @@
| LC_LOAD_DYLIB Addition | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| [Launch Agent](Persistence/Launch_Agent.md) | Startup Items | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Keychain](Credential_Access/Keychain.md) | [Process Discovery](Discovery/Process_Discovery.md) | SSH Hijacking | Source | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Third-party Software | [Space after Filename](Execution/Space_After_Filename.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Launchctl | Valid Accounts | Hidden Files and Directories | Private Keys | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Input Capture | Scheduled Transfer | Fallback Channels |
| Launchctl | Valid Accounts | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) | Private Keys | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Input Capture | Scheduled Transfer | Fallback Channels |
| [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) | Web Shell | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Securityd Memory | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | [Screen Capture](Collection/Screen_Capture.md) | | Multi-Stage Channels |
| Login Item | | Hidden Window | Two-Factor Authentication Interception | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multi-hop Proxy |
| [Logon Scripts](Persistence/Logon_Scripts.md) | | Indicator Removal from Tools | | System Network Connections Discovery | | | | | Multiband Communication |
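Review bot: The new link in the Hidden Files and Directories cell points at `Defense_Evasion/Hidden_Files_and_Directories` without the `.md` suffix that every other link in this table carries (for example `Defense_Evasion/Hidden_Users.md` on the very next row), so it will not resolve to the markdown file; change it to `Defense_Evasion/Hidden_Files_and_Directories.md`. Note also that the file added in the first hunk is titled `# Hidden Users` while the table already has a separate Hidden Users entry; the new page's heading should read Hidden Files and Directories so the two rows do not lead to identically titled pages.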