All public logs

Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).

Logs
(newest | oldest) View ( | ) (20 | 50 | 100 | 250 | 500)
  • 16:43, 26 January 2023 Ali3nw3rx talk contribs created page XDG Autostart Entries (Created page with "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.[1] Wi...")
  • 16:43, 26 January 2023 Ali3nw3rx talk contribs created page Print Processors (Created page with "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternati...")
  • 16:42, 26 January 2023 Ali3nw3rx talk contribs created page Port Monitors (Created page with "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[1] This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.[2] Alternatively, an arbitrary DLL can be loaded if permissions a...")
  • 16:41, 26 January 2023 Ali3nw3rx talk contribs created page Shortcut Modification (Created page with "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.[1] Although often used as payloads in an infection chain (e.g. Spearphishing Attachment), ad...")
  • 16:40, 26 January 2023 Ali3nw3rx talk contribs created page LSASS Driver (Created page with "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of...")
  • 16:39, 26 January 2023 Ali3nw3rx talk contribs created page Re-opened Applications (Created page with "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".[1] When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.[2][3] Applications listed in this fil...")
  • 16:38, 26 January 2023 Ali3nw3rx talk contribs created page Kernel Modules and Extensions (Created page with "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.[1] When used maliciously, LKMs can be a type of kernel-mode Rootkit that...")
  • 16:35, 26 January 2023 Ali3nw3rx talk contribs created page Security Support Provider (Created page with "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Pack...")
  • 16:35, 26 January 2023 Ali3nw3rx talk contribs created page Winlogon Helper DLL (Created page with "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalitie...")
  • 16:34, 26 January 2023 Ali3nw3rx talk contribs created page Time Providers (Created page with "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.[1] W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.[2] Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Ser...")
  • 16:32, 26 January 2023 SourMilk talk contribs created page Video Capture (Created page with "Category:Collection An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.")
  • 16:31, 26 January 2023 SourMilk talk contribs created page Screen Capture (Created page with "Category:Collection Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.")
  • 16:31, 26 January 2023 SourMilk talk contribs created page Credential API Hooking (Created page with "Category:Input Capture Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.")
  • 16:28, 26 January 2023 Ali3nw3rx talk contribs created page Authentication Package (Created page with "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.[1] Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location H...")
  • 16:28, 26 January 2023 SourMilk talk contribs created page Web Portal Capture (Created page with "Category:Input Capture Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.")
  • 16:27, 26 January 2023 SourMilk talk contribs created page GUI Input Capture (Created page with "Category:Input Capture Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).")
  • 16:27, 26 January 2023 SourMilk talk contribs created page Keylogging (Created page with "Category:Input Capture Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.")
  • 16:27, 26 January 2023 Ali3nw3rx talk contribs created page Registry Run Keys / Startup Folder (Created page with "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user...")
  • 16:27, 26 January 2023 SourMilk talk contribs created page Category:Input Capture (Created page with "Category:Collection Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).")
  • 16:26, 26 January 2023 SourMilk talk contribs created page Email Forwarding Rule (Created page with "Category:Email Collection Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credenti...")
  • 16:26, 26 January 2023 Ali3nw3rx talk contribs created page Category:Boot or Logon Autostart Execution (Created page with "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[1][2][3][4][5] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configura...")
  • 16:26, 26 January 2023 SourMilk talk contribs created page Remote Email Collection (Created page with "Category:Email Collection Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate...")
  • 16:26, 26 January 2023 SourMilk talk contribs created page Local Email Collection (Created page with "Category:Email Collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.")
  • 16:25, 26 January 2023 Ali3nw3rx talk contribs created page BITS Jobs (Created page with "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).[1][2] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks...")
  • 16:25, 26 January 2023 SourMilk talk contribs created page Category:Email Collection (Created page with "Category:Collection Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.")
  • 16:25, 26 January 2023 Ali3nw3rx talk contribs created page Device Registration (Created page with "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in ord...")
  • 16:25, 26 January 2023 SourMilk talk contribs created page Remote Data Staging (Created page with "Category:Data Staged Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.")
  • 16:24, 26 January 2023 SourMilk talk contribs created page Local Data Staging (Created page with "Category:Data Staged Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.")
  • 16:24, 26 January 2023 SourMilk talk contribs created page Category:Data Staged (Created page with "Category:Collection Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.")
  • 16:24, 26 January 2023 Ali3nw3rx talk contribs created page SSH Authorized Keys (Created page with "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.[1...")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Data from Removable Media (Created page with "Category:Collection Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.")
  • 16:23, 26 January 2023 Ali3nw3rx talk contribs created page Additional Cloud Roles (Created page with "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[1][2][3][4] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[5][4] This accoun...")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Data from Network Shared Drive (Created page with "Category:Collection Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Data from Local System (Created page with "Category:Collection Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.")
  • 16:23, 26 January 2023 Ali3nw3rx talk contribs created page Additional Email Delegate Permissions (Created page with "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.[1][2][3] In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.[4][5] Adversaries may also assign mailbox...")
  • 16:23, 26 January 2023 SourMilk talk contribs created page Code Repositories (Collection) (Created page with "Category:Data from Information Repositories Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.")
  • 16:22, 26 January 2023 Ali3nw3rx talk contribs created page Additional Cloud Credentials (Created page with "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.[1][2][3] These credentials include both x509 keys and passwords.[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal...")
  • 16:21, 26 January 2023 SourMilk talk contribs created page Sharepoint (Created page with "Category:Data from Information Repositories Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:")
  • 16:21, 26 January 2023 SourMilk talk contribs created page Confluence (Created page with "Category:Data from Information Repositories Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:")
  • 16:21, 26 January 2023 SourMilk talk contribs created page Category:Data from Information Repositories (Created page with "Category:Collection Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recip...")
  • 16:21, 26 January 2023 Ali3nw3rx talk contribs created page Category:Account Manipulation (Created page with "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or...")
  • 16:20, 26 January 2023 SourMilk talk contribs created page Network Device Configuration Dump (Created page with "Category:Data from Configuration Repository Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files t...")
  • 16:20, 26 January 2023 Ali3nw3rx talk contribs created page Category:Persistence (Created page with "The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.")
  • 16:20, 26 January 2023 SourMilk talk contribs created page SNMP (MIB Dump) (Created page with "Category:Data from Configuration Repository Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).")
  • 16:19, 26 January 2023 SourMilk talk contribs created page Category:Data from Configuration Repository (Created page with "Category:Collection Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.")
  • 16:19, 26 January 2023 SourMilk talk contribs created page Data from Cloud Storage (Created page with "Category:Collection Adversaries may access data from improperly secured cloud storage.")
  • 16:19, 26 January 2023 SourMilk talk contribs created page Clipboard Data (Created page with "Category:Collection Adversaries may collect data stored in the clipboard from users copying information within or between applications.")
  • 16:18, 26 January 2023 SourMilk talk contribs created page Browser Session Hijacking (Created page with "Category:Collection Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.")
  • 16:18, 26 January 2023 SourMilk talk contribs created page Automated Collection (Created page with "Category:Collection Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and...")
  • 16:18, 26 January 2023 SourMilk talk contribs created page Audio Capture (Created page with "Category:Collection An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.")
(newest | oldest) View ( | ) (20 | 50 | 100 | 250 | 500)