Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 16:02, 26 January 2023 SourMilk talk contribs created page DNS Calculation (Created page with "Category:Dynamic Resolution Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.")
- 16:01, 26 January 2023 SourMilk talk contribs created page Domain Generation Algorithms (Created page with "Category:Dynamic Resolution Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.")
- 16:01, 26 January 2023 SourMilk talk contribs created page Fast Flux DNS (Created page with "Category:Dynamic Resolution Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.")
- 16:01, 26 January 2023 SourMilk talk contribs created page Category:Dynamic Resolution (Created page with "Category:Command and Control Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.")
- 16:00, 26 January 2023 SourMilk talk contribs created page Protocol Impersonation (Created page with "Category:Data Obfuscation Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.")
- 16:00, 26 January 2023 SourMilk talk contribs created page Steganography (Created page with "Category:Data Obfuscation Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and c...")
- 15:59, 26 January 2023 SourMilk talk contribs created page Junk Data (Created page with "Category:Data Obfuscation Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.")
- 15:59, 26 January 2023 SourMilk talk contribs created page Category:Data Obfuscation (Created page with "Category:Command and Control Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonatin...")
- 15:59, 26 January 2023 SourMilk talk contribs created page Non-Standard Encoding (Created page with "Category:Data Encoding Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of...")
- 15:58, 26 January 2023 SourMilk talk contribs created page Standard Encoding (Created page with "Category:Data Encoding Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.")
- 15:58, 26 January 2023 SourMilk talk contribs created page Category:Data Encoding (Created page with "Category:Command and Control Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as...")
- 15:57, 26 January 2023 SourMilk talk contribs created page Communication Through Removable Media (Created page with "Category:Command and Control Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to th...")
- 15:57, 26 January 2023 SourMilk talk contribs created page DNS (C2) (Created page with "Category:Application Layer Protocol Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:57, 26 January 2023 SourMilk talk contribs created page Mail Protocols (Created page with "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:56, 26 January 2023 SourMilk talk contribs created page File Transfer Protocols (Created page with "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:56, 26 January 2023 SourMilk talk contribs created page Web Protocols (Created page with "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:55, 26 January 2023 SourMilk talk contribs created page Category:Application Layer Protocol (Created page with "Category:Command and Control Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.")
- 15:42, 26 January 2023 SourMilk talk contribs created page Category:Command and Control (Created page with "Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.")
- 15:40, 26 January 2023 SourMilk talk contribs created page Transfer Data to Cloud Account (Created page with "Category:Exfiltration Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.")
- 15:40, 26 January 2023 SourMilk talk contribs created page Scheduled Transfer (Created page with "Category:Exfiltration Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.")
- 15:39, 26 January 2023 SourMilk talk contribs created page Exfiltration to Cloud Storage (Created page with "Category:Exfiltration Over Web Service Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet.")
- 15:39, 26 January 2023 SourMilk talk contribs created page Exfiltration to Code Repository (Created page with "Category:Exfiltration Over Web Service Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.")
- 15:38, 26 January 2023 SourMilk talk contribs created page Category:Exfiltration Over Web Service (Created page with "Category:Exfiltration Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.")
- 15:38, 26 January 2023 SourMilk talk contribs created page Exfiltration over USB (Created page with "Category:Exfiltration Over Physical Medium Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.")
- 15:37, 26 January 2023 SourMilk talk contribs created page Category:Exfiltration Over Physical Medium (Created page with "Category:Exfiltration Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point...")
- 15:37, 26 January 2023 SourMilk talk contribs created page Exfiltration Over Bluetooth (Created page with "Category:Exfiltration Over Other Network Medium Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.")
- 15:36, 26 January 2023 SourMilk talk contribs created page Category:Exfiltration Over Other Network Medium (Created page with "Category:Exfiltration Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.")
- 15:36, 26 January 2023 SourMilk talk contribs created page Exfiltration Over C2 Channel (Created page with "Category:Exfiltration Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.")
- 15:36, 26 January 2023 SourMilk talk contribs created page Exfiltration Over Unencrypted Non-C2 Protocol (Created page with "Category:Exfiltration Over Alternative Protocol Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.")
- 15:35, 26 January 2023 SourMilk talk contribs created page Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (Created page with "Category:Exfiltration Over Alternative Protocol Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.")
- 15:35, 26 January 2023 SourMilk talk contribs created page Exfiltration Over Symmetric Encrypted Non-C2 Protocol (Created page with "Category:Exfiltration Over Alternative Protocol Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.")
- 15:34, 26 January 2023 SourMilk talk contribs created page Category:Exfiltration Over Alternative Protocol (Created page with "Category:Exfiltration Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.")
- 15:34, 26 January 2023 SourMilk talk contribs created page Data Transfer Size Limits (Created page with "Category:Exfiltration An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.")
- 15:34, 26 January 2023 SourMilk talk contribs created page Traffic Duplication (Created page with "Category:Automated Exfiltration Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices used for network analysis; it may be configured to duplicate traffic and forward it to one or more destinations for analysis by a network analyzer or other monitoring device.")
- 15:33, 26 January 2023 SourMilk talk contribs created page Category:Automated Exfiltration (Created page with "Category:Exfiltration Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.")
- 15:32, 26 January 2023 SourMilk talk contribs created page Category:Exfiltration (Created page with "Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.")
- 15:31, 26 January 2023 SourMilk talk contribs created page System Shutdown/Reboot (Created page with "Category:Impact Adversaries may shut down/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload). Shutting down or rebooting systems may disrupt access to computer resources for legitimate...")
- 15:31, 26 January 2023 SourMilk talk contribs created page Service Stop (Created page with "Category:Impact Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.")
- 15:30, 26 January 2023 SourMilk talk contribs created page Resource Hijacking (Created page with "Category:Impact Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.")
- 15:30, 26 January 2023 SourMilk talk contribs created page Reflection Amplification (Created page with "Category:Network Denial of Service Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim...")
- 15:30, 26 January 2023 SourMilk talk contribs created page Direct Network Flood (Created page with "Category:Network Denial of Service Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless...")
- 15:29, 26 January 2023 SourMilk talk contribs created page Category:Network Denial of Service (Created page with "Category:Impact Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distrac...")
- 15:29, 26 January 2023 SourMilk talk contribs created page Inhibit System Recovery (Created page with "Category:Impact Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.")
- 15:28, 26 January 2023 SourMilk talk contribs created page Firmware Corruption (Created page with "Category:Impact Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive,...")
- 15:28, 26 January 2023 SourMilk talk contribs created page Application or System Exploitation (Created page with "Category:Endpoint Denial of Service Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.")
- 15:27, 26 January 2023 SourMilk talk contribs created page Application Exhaustion Flood (Created page with "Category:Endpoint Denial of Service Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.")
- 15:27, 26 January 2023 SourMilk talk contribs created page Service Exhaustion Flood (Created page with "Category:Endpoint Denial of Service Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.")
- 15:26, 26 January 2023 SourMilk talk contribs created page OS Exhaustion Flood (Created page with "Category:Endpoint Denial of Service Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.")
- 15:26, 26 January 2023 SourMilk talk contribs created page Category:Endpoint Denial of Service (Created page with "Category:Impact Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to suppo...")
- 15:25, 26 January 2023 SourMilk talk contribs created page Disk Structure Wipe (Created page with "Category:Disk Wipe Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.")
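The DNS Calculation and Domain Generation Algorithms entries logged above describe the two halves of Dynamic Resolution: the implant derives the day's candidate domains from an algorithm it shares with the operator, and then treats the resolved address as an input to a formula rather than as the real endpoint. The script below is an added example, not content from this wiki or from any of the pages created in the log. The DGA (SHA-256 over a shared seed, the ISO date and an index), the port formula, the resolver table and the detection thresholds are all constructed for illustration and are not taken from any real malware family.

```python
"""Dynamic Resolution worked end to end: a toy DGA that derives the day's
candidate C2 domains from a shared seed, a DNS-calculation step that turns a
resolved A record into a port, the client's rendezvous loop, and a
defender-side heuristic that scores labels for the randomness DGA output tends
to have. Added example: the DGA, the port formula, the resolver table and the
thresholds are constructed for illustration, not taken from any malware family."""

from __future__ import annotations

import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ("com", "net", "org", "info")
VOWELS = set("aeiou")


def dga_domains(seed: bytes, day: date, count: int = 8) -> list[str]:
    """Return `count` deterministic candidate domains for `day`.

    Implant and operator share `seed`, so both derive the same list and the
    operator only has to register one of the candidates shortly before use.
    Constructed scheme: SHA-256(seed || ISO date || index)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def derive_port(ip: str) -> int:
    """DNS calculation: the resolved address is an input to a formula rather
    than the real endpoint. Constructed rule: the last two octets select a
    port in the unprivileged range, so an egress filter keyed on a fixed port
    sees a different port per resolution."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return 1024 + ((octets[2] << 8) | octets[3]) % (65535 - 1024)


def rendezvous(seed: bytes, day: date, resolve) -> tuple[str, str, int] | None:
    """Client side: walk the day's candidates and use the first that resolves.
    `resolve` is injected (domain -> IPv4 string or None) so this runs offline."""
    for domain in dga_domains(seed, day):
        ip = resolve(domain)
        if ip:
            return domain, ip, derive_port(ip)
    return None


def registrable_label(domain: str) -> str:
    """Second-level label; a real deployment would consult the Public Suffix
    List so that names under co.uk and similar suffixes are split correctly."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_entropy(label: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.35) -> bool:
    """Defender-side heuristic (constructed thresholds): long label, high
    character entropy and few vowels. Cheap enough to run over DNS logs, but
    a triage signal only; pair it with NXDOMAIN volume per client."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return label_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


if __name__ == "__main__":
    seed, day = b"shared-seed", date(2023, 1, 26)
    candidates = dga_domains(seed, day)
    # Constructed resolver: the operator registered only the fourth candidate.
    table = {candidates[3]: "198.51.100.7"}
    print("today's candidates:", *candidates, sep="\n  ")
    print("rendezvous:", rendezvous(seed, day, table.get))
    for d in candidates + ["www.example.com", "documentation.example"]:
        print(f"{looks_generated(d)!s:5} {d}")
```

Two points the code makes that the log summaries only state: blocking the one domain that resolved today does nothing for tomorrow, because both sides recompute the list, and a port-based egress rule is bypassed by construction since the port is not fixed anywhere in the implant. On the defensive side the heuristic deliberately rejects long dictionary-like labels such as documentation.example through the vowel ratio, which is why entropy alone is not enough; in practice the stronger signal is a single client producing bursts of NXDOMAIN responses for names nobody else on the network ever queries.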