Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 16:02, 26 January 2023 SourMilk (talk | contribs) created page Symmetric Cryptography (Created page with "Category:Encrypted Channel Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.")
- 16:02, 26 January 2023 Ali3nw3rx (talk | contribs) created page Category:Scheduled Task/Job (Created page with "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of...")
- 16:02, 26 January 2023 SourMilk (talk | contribs) created page Category:Encrypted Channel (Created page with "Category:Command and Control Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.")
- 16:02, 26 January 2023 SourMilk (talk | contribs) created page DNS Calculation (Created page with "Category:Dynamic Resolution Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.")
- 16:01, 26 January 2023 SourMilk (talk | contribs) created page Domain Generation Algorithms (Created page with "Category:Dynamic Resolution Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.")
- 16:01, 26 January 2023 Ali3nw3rx (talk | contribs) created page Native API (Created page with "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.[1][2] These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Native API functions...")
- 16:01, 26 January 2023 SourMilk (talk | contribs) created page Fast Flux DNS (Created page with "Category:Dynamic Resolution Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.")
- 16:01, 26 January 2023 SourMilk (talk | contribs) created page Category:Dynamic Resolution (Created page with "Category:Command and Control Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.")
- 16:00, 26 January 2023 SourMilk (talk | contribs) created page Protocol Impersonation (Created page with "Category:Data Obfuscation Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.")
- 16:00, 26 January 2023 SourMilk (talk | contribs) created page Steganography (Created page with "Category:Data Obfuscation Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and c...")
- 15:59, 26 January 2023 SourMilk (talk | contribs) created page Junk Data (Created page with "Category:Data Obfuscation Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.")
- 15:59, 26 January 2023 SourMilk (talk | contribs) created page Category:Data Obfuscation (Created page with "Category:Command and Control Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonatin...")
- 15:59, 26 January 2023 SourMilk (talk | contribs) created page Non-Standard Encoding (Created page with "Category:Data Encoding Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of...")
- 15:58, 26 January 2023 SourMilk (talk | contribs) created page Standard Encoding (Created page with "Category:Data Encoding Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.")
- 15:58, 26 January 2023 SourMilk (talk | contribs) created page Category:Data Encoding (Created page with "Category:Command and Control Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as...")
- 15:57, 26 January 2023 SourMilk (talk | contribs) created page Communication Through Removable Media (Created page with "Category:Command and Control Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to th...")
- 15:57, 26 January 2023 SourMilk (talk | contribs) created page DNS (C2) (Created page with "Category:Application Layer Protocol Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:57, 26 January 2023 Ali3nw3rx (talk | contribs) created page XPC Services (Created page with "Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API or the high level NSXPCConnection API in order to handle tasks that require elevated...")
- 15:57, 26 January 2023 SourMilk (talk | contribs) created page Mail Protocols (Created page with "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:56, 26 January 2023 SourMilk (talk | contribs) created page File Transfer Protocols (Created page with "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:56, 26 January 2023 Ali3nw3rx (talk | contribs) created page Dynamic Data Exchange (Created page with "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking...")
- 15:56, 26 January 2023 SourMilk (talk | contribs) created page Web Protocols (Created page with "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:55, 26 January 2023 Ali3nw3rx (talk | contribs) created page Component Object Model (Created page with "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2] Remote COM ex...")
- 15:55, 26 January 2023 SourMilk (talk | contribs) created page Category:Application Layer Protocol (Created page with "Category:Command and Control Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:54, 26 January 2023 Ali3nw3rx (talk | contribs) created page Category:Inter-Process Communication (Created page with "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a...")
- 15:53, 26 January 2023 Ali3nw3rx (talk | contribs) created page Exploitation for Client Execution (Created page with "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because...")
- 15:52, 26 January 2023 Ali3nw3rx (talk | contribs) created page Deploy Container (Created page with "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. Containers can be deployed by various m...")
- 15:51, 26 January 2023 Ali3nw3rx (talk | contribs) created page Container Administration Command (Created page with "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.[1][2][3] In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running con...")
- 15:50, 26 January 2023 Ali3nw3rx (talk | contribs) created page Network Device CLI (Created page with "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and exte...")
- 15:49, 26 January 2023 Ali3nw3rx (talk | contribs) created page JavaScript (Created page with "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.[1] JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such a...")
- 15:49, 26 January 2023 Ali3nw3rx (talk | contribs) created page Python (Created page with "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying syste...")
- 15:48, 26 January 2023 Ali3nw3rx (talk | contribs) created page Visual Basic (Created page with "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.[1][2] Derivative languages based on VB have also been created, such as Visual Basic for Applicati...")
- 15:47, 26 January 2023 Ali3nw3rx (talk | contribs) created page Unix Shell (Created page with "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.[1][2] Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Unix shells also support scripts that enable sequential execution of commands as well as other typical pr...")
- 15:46, 26 January 2023 Ali3nw3rx (talk | contribs) created page Windows Command Shell (Created page with "Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.[1] Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to ru...") Tag: Visual edit: Switched
- 15:46, 26 January 2023 Ali3nw3rx (talk | contribs) created page AppleScript (Created page with "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.[1] These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. Scripts can be run from the command-line via osascript /path/to/s...") Tag: Visual edit
- 15:45, 26 January 2023 Ali3nw3rx (talk | contribs) created page PowerShell (Created page with "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.[1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a comm...") Tag: Visual edit: Switched
- 15:42, 26 January 2023 SourMilk (talk | contribs) created page Category:Command and Control (Created page with "Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.")
- 15:40, 26 January 2023 SourMilk (talk | contribs) created page Transfer Data to Cloud Account (Created page with "Category:Exfiltration Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.")
- 15:40, 26 January 2023 SourMilk (talk | contribs) created page Scheduled Transfer (Created page with "Category:Exfiltration Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.")
- 15:39, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration to Cloud Storage (Created page with "Category:Exfiltration Over Web Service Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.")
- 15:39, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration to Code Repository (Created page with "Category:Exfiltration Over Web Service Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.")
- 15:38, 26 January 2023 SourMilk (talk | contribs) created page Category:Exfiltration Over Web Service (Created page with "Category:Exfiltration Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.")
- 15:38, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration over USB (Created page with "Category:Exfiltration Over Physical Medium Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.")
- 15:37, 26 January 2023 SourMilk (talk | contribs) created page Category:Exfiltration Over Physical Medium (Created page with "Category:Exfiltration Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point...")
- 15:37, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration Over Bluetooth (Created page with "Category:Exfiltration Over Other Network Medium Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.")
- 15:36, 26 January 2023 SourMilk (talk | contribs) created page Category:Exfiltration Over Other Network Medium (Created page with "Category:Exfiltration Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.")
- 15:36, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration Over C2 Channel (Created page with "Category:Exfiltration Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.")
- 15:36, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration Over Unencrypted Non-C2 Protocol (Created page with "Category:Exfiltration Over Alternative Protocol Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.")
- 15:35, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (Created page with "Category:Exfiltration Over Alternative Protocol Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.")
- 15:35, 26 January 2023 SourMilk (talk | contribs) created page Exfiltration Over Symmetric Encrypted Non-C2 Protocol (Created page with "Category:Exfiltration Over Alternative Protocol Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.")