All public logs

Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).

Logs
  • 16:24, 26 January 2023 SourMilk talk contribs created page Local Data Staging (Created page with "Category:Data Staged Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.")
  • 16:24, 26 January 2023 SourMilk talk contribs created page Category:Data Staged (Created page with "Category:Collection Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Data from Removable Media (Created page with "Category:Collection Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Data from Network Shared Drive (Created page with "Category:Collection Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Data from Local System (Created page with "Category:Collection Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Code Repositories (Collection) (Created page with "Category:Data from Information Repositories Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.")
  • 16:21, 26 January 2023 SourMilk talk contribs created page Sharepoint (Created page with "Category:Data from Information Repositories Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:")
  • 16:21, 26 January 2023 SourMilk talk contribs created page Confluence (Created page with "Category:Data from Information Repositories Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:")
  • 16:21, 26 January 2023 SourMilk talk contribs created page Category:Data from Information Repositories (Created page with "Category:Collection Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recip...")
  • 16:20, 26 January 2023 SourMilk talk contribs created page Network Device Configuration Dump (Created page with "Category:Data from Configuration Repository Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files t...")
  • 16:20, 26 January 2023 SourMilk talk contribs created page SNMP (MIB Dump) (Created page with "Category:Data from Configuration Repository Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).")
  • 16:19, 26 January 2023 SourMilk talk contribs created page Category:Data from Configuration Repository (Created page with "Category:Collection Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.")
  • 16:19, 26 January 2023 SourMilk talk contribs created page Data from Cloud Storage (Created page with "Category:Collection Adversaries may access data from improperly secured cloud storage.")
  • 16:19, 26 January 2023 SourMilk talk contribs created page Clipboard Data (Created page with "Category:Collection Adversaries may collect data stored in the clipboard from users copying information within or between applications.")
  • 16:18, 26 January 2023 SourMilk talk contribs created page Browser Session Hijacking (Created page with "Category:Collection Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.")
  • 16:18, 26 January 2023 SourMilk talk contribs created page Automated Collection (Created page with "Category:Collection Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and...")
  • 16:18, 26 January 2023 SourMilk talk contribs created page Audio Capture (Created page with "Category:Collection An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.")
  • 16:17, 26 January 2023 SourMilk talk contribs created page Archive via Custom Method (Created page with "Category:Archive Collected Data An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.")
  • 16:17, 26 January 2023 SourMilk talk contribs created page Archive via Library (Created page with "Category:Archive Collected Data An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile , libzip , and zlib . Most libraries include functionality to encrypt and/or compress data.")
  • 16:17, 26 January 2023 SourMilk talk contribs created page Archive via Utility (Created page with "Category:Archive Collected Data Utility Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.")
  • 16:16, 26 January 2023 SourMilk talk contribs created page Category:Archive Collected Data (Created page with "Category:Collection An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.")
  • 16:16, 26 January 2023 SourMilk talk contribs created page DHCP Spoofing (Created page with "Category:Adversary-in-the-Middle Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as N...")
  • 16:16, 26 January 2023 SourMilk talk contribs created page ARP Cache Poisoning (Created page with "Category:Adversary-in-the-Middle Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.")
  • 16:15, 26 January 2023 SourMilk talk contribs created page LLMNR/NBT-NS Poisoning and SMB Relay (Created page with "Category:Adversary-in-the-Middle By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.")
  • 16:15, 26 January 2023 SourMilk talk contribs created page Category:Adversary-in-the-Middle (Created page with "Category:Collection Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can c...")
  • 16:14, 26 January 2023 SourMilk talk contribs created page Category:Collection (Created page with "The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing scr...")
  • 16:10, 26 January 2023 SourMilk talk contribs created page One-Way Communication (Created page with "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Altern...")
  • 16:10, 26 January 2023 SourMilk talk contribs created page Bidirectional Communication (Created page with "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depe...")
  • 16:10, 26 January 2023 SourMilk talk contribs created page Dead Drop Resolver (Created page with "Category:Web Service Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.")
  • 16:09, 26 January 2023 SourMilk talk contribs created page Category:Web Service (Created page with "Category:Command and Control Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide...")
  • 16:09, 26 January 2023 SourMilk talk contribs created page Socket Filters (Created page with "Category:Traffic Signaling Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified)....")
  • 16:09, 26 January 2023 SourMilk talk contribs created page Port Knocking (Created page with "Category:Traffic Signaling Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.")
  • 16:08, 26 January 2023 SourMilk talk contribs created page Category:Traffic Signaling (Created page with "Category:Command and Control Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the...")
  • 16:08, 26 January 2023 SourMilk talk contribs deleted page Traffic Signaling (content was: "Category:Command and Control Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form...", and the only contributor was "SourMilk" (talk))
  • 16:07, 26 January 2023 SourMilk talk contribs created page Traffic Signaling (Created page with "Category:Command and Control Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the...")
  • 16:07, 26 January 2023 SourMilk talk contribs created page Remote Access Software (Created page with "Category:Command and Control An adversary may use legitimate desktop support and remote access software, such as TeamViewer, AnyDesk, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used f...")
  • 16:07, 26 January 2023 SourMilk talk contribs created page Domain Fronting (Created page with "Category:Proxy Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP...")
  • 16:06, 26 January 2023 SourMilk talk contribs created page Multi-hop Proxy (Created page with "Category:Proxy To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic thr...")
  • 16:06, 26 January 2023 SourMilk talk contribs created page External Proxy (Created page with "Category:Proxy Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride ove...")
  • 16:06, 26 January 2023 SourMilk talk contribs created page Internal Proxy (Created page with "Category:Proxy Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resil...")
  • 16:05, 26 January 2023 SourMilk talk contribs created page Category:Proxy (Created page with "Category:Command and Control Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the...")
  • 16:05, 26 January 2023 SourMilk talk contribs created page Protocol Tunneling (Created page with "Category:Command and Control Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routi...")
  • 16:04, 26 January 2023 SourMilk talk contribs created page Non-Standard Port (Created page with "Category:Command and Control Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.")
  • 16:04, 26 January 2023 SourMilk talk contribs created page Non-Application Layer Protocol (Created page with "Category:Command and Control Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirecte...")
  • 16:04, 26 January 2023 SourMilk talk contribs created page Multi-Stage Channels (Created page with "Category:Command and Control Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.")
  • 16:03, 26 January 2023 SourMilk talk contribs created page Ingress Tool Transfer (Created page with "Category:Command and Control Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).")
  • 16:03, 26 January 2023 SourMilk talk contribs created page Fallback Channels (Created page with "Category:Command and Control Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.")
  • 16:03, 26 January 2023 SourMilk talk contribs created page Asymmetric Cryptography (Created page with "Category:Encrypted Channel Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the recei...")
  • 16:02, 26 January 2023 SourMilk talk contribs created page Symmetric Cryptography (Created page with "Category:Encrypted Channel Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.")
  • 16:02, 26 January 2023 SourMilk talk contribs created page Category:Encrypted Channel (Created page with "Category:Command and Control Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.")