Combined display of all available logs of RCATs.
- 13:01, 28 January 2023 Ali3nw3rx deleted page Browser Session Hijacking (content was: "Category:Collection Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.", and the only contributor was "SourMilk")
- 13:01, 28 January 2023 SourMilk created page Category:Privilege Escalation (Created blank page) Tag: Visual edit
- 13:01, 28 January 2023 Ali3nw3rx deleted page Automated Collection (content was: "Category:Collection Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based envi...", and the only contributor was "SourMilk")
- 13:01, 28 January 2023 Ali3nw3rx deleted page Audio Capture (content was: "Category:Collection An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.", and the only contributor was "SourMilk")
- 13:01, 28 January 2023 Ali3nw3rx deleted page Category:Input Capture (content was: "Category:Collection Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the...", and the only contributor was "SourMilk")
- 13:00, 28 January 2023 Ali3nw3rx deleted page Category:Email Collection (content was: "Category:Collection Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.", and the only contributor was "SourMilk")
- 13:00, 28 January 2023 Ali3nw3rx deleted page Category:Data Staged (content was: "Category:Collection Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.", and the only contributor was "SourMilk")
- 13:00, 28 January 2023 Ali3nw3rx deleted page Category:Data from Information Repositories (content was: "Category:Collection Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target inform...", and the only contributor was "SourMilk")
- 13:00, 28 January 2023 Ali3nw3rx deleted page Code Repositories (Collection) (content was: "Category:Data from Information Repositories Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositorie...", and the only contributor was "SourMilk")
- 13:00, 28 January 2023 Ali3nw3rx deleted page Category:Data from Configuration Repository (content was: "Category:Collection Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.", and the only contributor was "SourMilk")
- 12:59, 28 January 2023 Ali3nw3rx deleted page Category:Archive Collected Data (content was: "Category:Collection An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defen...", and the only contributor was "SourMilk")
- 12:59, 28 January 2023 Ali3nw3rx deleted page Implant Internal Image (content was: "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuse...", and the only contributor was "Ali3nw3rx")
- 12:59, 28 January 2023 Ali3nw3rx deleted page Compromise Client Software Binary (content was: "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications ar...", and the only contributor was "Ali3nw3rx")
- 12:59, 28 January 2023 Ali3nw3rx deleted page Browser Extensions (content was: "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.[1][2...", and the only contributor was "Ali3nw3rx")
- 12:58, 28 January 2023 Ali3nw3rx deleted page BITS Jobs (content was: "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).[1][2] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (...", and the only contributor was "Ali3nw3rx")
- 12:58, 28 January 2023 Ali3nw3rx deleted page Category:Traffic Signaling (content was: "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and contro...")
- 12:58, 28 January 2023 Ali3nw3rx deleted page Category:Create Account (content was: "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adv...", and the only contributor was "Ali3nw3rx")
- 12:57, 28 January 2023 Ali3nw3rx deleted page Category:Adversary-in-the-Middle (content was: "Category:Collection Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.),...", and the only contributor was "SourMilk")
- 12:55, 28 January 2023 Ali3nw3rx deleted page Windows Management Instrumentation (content was: "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and...", and the only contributor was "Ali3nw3rx")
- 12:55, 28 January 2023 Ali3nw3rx deleted page Software Deployment Tools (content was: "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Acces...", and the only contributor was "Ali3nw3rx")
- 12:55, 28 January 2023 Ali3nw3rx deleted page Category:Pre-OS Boot (Mass deletion of pages added by Ali3nw3rx)
- 12:54, 28 January 2023 Ali3nw3rx deleted page Shared Modules (content was: "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the W...", and the only contributor was "Ali3nw3rx")
- 12:54, 28 January 2023 Ali3nw3rx deleted page Category:User Execution (Mass deletion of pages added by Ali3nw3rx)
- 12:54, 28 January 2023 Ali3nw3rx deleted page Category:Boot or Logon Autostart Execution (Mass deletion of pages added by Ali3nw3rx)
- 12:54, 28 January 2023 Ali3nw3rx deleted page Serverless Execution (content was: "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For...", and the only contributor was "Ali3nw3rx")
- 12:54, 28 January 2023 Ali3nw3rx deleted page Category:Create or Modify System Process (Mass deletion of pages added by Ali3nw3rx)
- 12:54, 28 January 2023 Ali3nw3rx deleted page Category:Hijack Execution Flow (Mass deletion of pages added by Ali3nw3rx)
- 12:54, 28 January 2023 Ali3nw3rx deleted page Native API (content was: "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.[1][2] These native APIs are leveraged by the OS during system boot (when other system components are not yet in...", and the only contributor was "Ali3nw3rx")
- 12:54, 28 January 2023 Ali3nw3rx deleted page Category:Modify Authentication Process (Mass deletion of pages added by Ali3nw3rx)
- 12:54, 28 January 2023 Ali3nw3rx deleted page Exploitation for Client Execution (content was: "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits t...", and the only contributor was "Ali3nw3rx")
- 12:53, 28 January 2023 Ali3nw3rx deleted page Deploy Container (content was: "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitati...", and the only contributor was "Ali3nw3rx")
- 12:53, 28 January 2023 Ali3nw3rx deleted page Category:Event Triggered Execution (Mass deletion of pages added by Ali3nw3rx)
- 12:53, 28 January 2023 Ali3nw3rx deleted page Category:Office Application Startup (Mass deletion of pages added by Ali3nw3rx)
- 12:53, 28 January 2023 Ali3nw3rx deleted page Container Administration Command (content was: "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.[1][2][3] In Docker, adversaries may specify an entrypoint during container deployment that executes a scri...", and the only contributor was "Ali3nw3rx")
- 12:53, 28 January 2023 Ali3nw3rx deleted page Category:Account Manipulation (Mass deletion of pages added by Ali3nw3rx)
- 12:53, 28 January 2023 Ali3nw3rx deleted page Category:Server Software Component (Mass deletion of pages added by Ali3nw3rx)
- 12:52, 28 January 2023 Ali3nw3rx deleted page Category:Boot or Logon Initialization Scripts (Mass deletion of pages added by Ali3nw3rx)
- 12:22, 28 January 2023 Ali3nw3rx deleted page Category:System Services (content was: "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary ex...", and the only contributor was "Ali3nw3rx")
- 12:22, 28 January 2023 Ali3nw3rx deleted page Category:Inter-Process Communication (content was: "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to ex...", and the only contributor was "Ali3nw3rx")
- 12:22, 28 January 2023 Ali3nw3rx deleted page Category:Command and Scripting Interpreter (content was: "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions includ...", and the only contributor was "Ali3nw3rx")
- 12:17, 28 January 2023 Ali3nw3rx deleted page Trusted Relationship (content was: "Category:Initial Access", and the only contributor was "SourMilk")
- 12:17, 28 January 2023 Ali3nw3rx deleted page Replication Through Removable Media (content was: "Category:Initial Access", and the only contributor was "SourMilk")
- 12:17, 28 January 2023 Ali3nw3rx deleted page Hardware Additions (content was: "Category:Initial Access", and the only contributor was "SourMilk")
- 12:17, 28 January 2023 Ali3nw3rx deleted page External Remote Services (content was: "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.[1] Access to Valid Acc...")
- 12:16, 28 January 2023 Ali3nw3rx deleted page Exploit Public-Facing Application (content was: "Category:Initial Access", and the only contributor was "SourMilk")
- 12:15, 28 January 2023 Ali3nw3rx deleted page Drive-by Compromise (content was: "Category:Initial Access", and the only contributor was "SourMilk")
- 12:15, 28 January 2023 Ali3nw3rx deleted page Category:Valid Accounts (content was: "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[1] Compromised credentials may also...")
- 12:15, 28 January 2023 Ali3nw3rx deleted page Category:Phishing (content was: "Category:Initial Access", and the only contributor was "SourMilk")
- 12:14, 28 January 2023 Ali3nw3rx deleted page Category:Supply Chain Compromise (content was: "Category:Initial Access", and the only contributor was "SourMilk")
- 12:14, 28 January 2023 Ali3nw3rx deleted page Compromise Infrastructure (content was: "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[1][2][3][4] Additiona...", and the only contributor was "Ali3nw3rx")