Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 16:17, 26 January 2023 SourMilk talk contribs created page Archive via Custom Method (Created page with "Category:Archive Collected Data An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.")
- 16:17, 26 January 2023 SourMilk talk contribs created page Archive via Library (Created page with "Category:Archive Collected Data An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile , libzip , and zlib . Most libraries include functionality to encrypt and/or compress data.")
- 16:17, 26 January 2023 SourMilk talk contribs created page Archive via Utility (Created page with "Category:Archive Collected Data Utility Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.")
- 16:16, 26 January 2023 SourMilk talk contribs created page Category:Archive Collected Data (Created page with "Category:Collection An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.")
- 16:16, 26 January 2023 SourMilk talk contribs created page DHCP Spoofing (Created page with "Category:Adversary-in-the-Middle Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as N...")
- 16:16, 26 January 2023 SourMilk talk contribs created page ARP Cache Poisoning (Created page with "Category:Adversary-in-the-Middle Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.")
- 16:15, 26 January 2023 SourMilk talk contribs created page LLMNR/NBT-NS Poisoning and SMB Relay (Created page with "Category:Adversary-in-the-Middle By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.")
- 16:15, 26 January 2023 SourMilk talk contribs created page Category:Adversary-in-the-Middle (Created page with "Category:Collection Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can c...")
- 16:14, 26 January 2023 Ali3nw3rx talk contribs protected Category:Execution [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite) (hist)
- 16:14, 26 January 2023 SourMilk talk contribs created page Category:Collection (Created page with "The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing scr...")
- 16:13, 26 January 2023 Ali3nw3rx talk contribs created page Windows Management Instrumentation (Created page with "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).[1] Remote WMI over DCOM operates using port 135, whereas WMI over W...")
- 16:13, 26 January 2023 Ali3nw3rx talk contribs created page Malicious Image (Created page with "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing...")
- 16:12, 26 January 2023 Ali3nw3rx talk contribs created page Malicious File (Created page with "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms...")
- 16:11, 26 January 2023 Ali3nw3rx talk contribs created page Malicious Link (Created page with "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead u...")
- 16:11, 26 January 2023 Ali3nw3rx talk contribs created page Category:User Execution (Created page with "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in...")
- 16:10, 26 January 2023 SourMilk talk contribs created page One-Way Communication (Created page with "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Altern...")
- 16:10, 26 January 2023 Ali3nw3rx talk contribs created page Service Execution (Created page with "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.[2] Tools...")
- 16:10, 26 January 2023 SourMilk talk contribs created page Bidirectional Communication (Created page with "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depe...")
- 16:10, 26 January 2023 SourMilk talk contribs created page Dead Drop Resolver (Created page with "Category:Web Service Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.")
- 16:09, 26 January 2023 Ali3nw3rx talk contribs created page Launchctl (Created page with "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1] Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manua...")
- 16:09, 26 January 2023 SourMilk talk contribs created page Category:Web Service (Created page with "Category:Command and Control Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide...")
- 16:09, 26 January 2023 Ali3nw3rx talk contribs created page Category:System Services (Created page with "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution. category: execution")
- 16:09, 26 January 2023 SourMilk talk contribs created page Socket Filters (Created page with "Category:Traffic Signaling Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified)....")
- 16:09, 26 January 2023 SourMilk talk contribs created page Port Knocking (Created page with "Category:Traffic Signaling Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.")
- 16:08, 26 January 2023 SourMilk talk contribs created page Category:Traffic Signaling (Created page with "Category:Command and Control Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the...")
- 16:08, 26 January 2023 Ali3nw3rx talk contribs deleted page System Services (content was: "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary ex...", and the only contributor was "Ali3nw3rx" (talk))
- 16:08, 26 January 2023 Ali3nw3rx talk contribs created page System Services (Created page with "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution. category: execution")
- 16:08, 26 January 2023 SourMilk talk contribs deleted page Traffic Signaling (content was: "Category:Command and Control Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form...", and the only contributor was "SourMilk" (talk))
- 16:07, 26 January 2023 SourMilk talk contribs created page Traffic Signaling (Created page with "Category:Command and Control Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the...")
- 16:07, 26 January 2023 SourMilk talk contribs created page Remote Access Software (Created page with "Category:Command and Control An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used f...")
- 16:07, 26 January 2023 Ali3nw3rx talk contribs created page Software Deployment Tools (Created page with "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have rem...")
- 16:07, 26 January 2023 SourMilk talk contribs created page Domain Fronting (Created page with "Category:Proxy Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP...")
- 16:06, 26 January 2023 Ali3nw3rx talk contribs created page Shared Modules (Created page with "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.[1] The module loader can load DLLs: via specification of the (fully-qualified or relative)...")
- 16:06, 26 January 2023 SourMilk talk contribs created page Multi-hop Proxy (Created page with "Category:Proxy To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic thr...")
- 16:06, 26 January 2023 Ali3nw3rx talk contribs created page Serverless Execution (Created page with "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining mal...")
- 16:06, 26 January 2023 SourMilk talk contribs created page External Proxy (Created page with "Category:Proxy Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride ove...")
- 16:06, 26 January 2023 SourMilk talk contribs created page Internal Proxy (Created page with "Category:Proxy Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resil...")
- 16:05, 26 January 2023 Ali3nw3rx talk contribs created page Container Orchestration Job (Created page with "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster....")
- 16:05, 26 January 2023 SourMilk talk contribs created page Category:Proxy (Created page with "Category:Command and Control Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the...")
- 16:05, 26 January 2023 SourMilk talk contribs created page Protocol Tunneling (Created page with "Category:Command and Control Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routi...")
- 16:05, 26 January 2023 Ali3nw3rx talk contribs created page Systemd Timers (Created page with "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.[1] Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.[2] Ea...")
- 16:04, 26 January 2023 SourMilk talk contribs created page Non-Standard Port (Created page with "Category:Command and Control Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.")
- 16:04, 26 January 2023 Ali3nw3rx talk contribs created page Scheduled Task (Created page with "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, ad...")
- 16:04, 26 January 2023 SourMilk talk contribs created page Non-Application Layer Protocol (Created page with "Category:Command and Control Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirecte...")
- 16:04, 26 January 2023 SourMilk talk contribs created page Multi-Stage Channels (Created page with "Category:Command and Control Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.")
- 16:03, 26 January 2023 SourMilk talk contribs created page Ingress Tool Transfer (Created page with "Category:Command and Control Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).")
- 16:03, 26 January 2023 Ali3nw3rx talk contribs created page Cron (Created page with "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.[1] The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. An adversary may use cron in Linux or Unix environments to execute programs at system startup or...")
- 16:03, 26 January 2023 SourMilk talk contribs created page Fallback Channels (Created page with "Category:Command and Control Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.")
- 16:03, 26 January 2023 Ali3nw3rx talk contribs created page At (Created page with "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. On Linux and...")
- 16:03, 26 January 2023 SourMilk talk contribs created page Asymmetric Cryptography (Created page with "Category:Encrypted Channel Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the recei...")