Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 13:15, 28 January 2023 SourMilk deleted page Employee Names (content was: "Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Sear...", and the only contributor was "Ali3nw3rx")
- 13:15, 28 January 2023 SourMilk deleted page Bidirectional Communication (content was: "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those c...", and the only contributor was "SourMilk")
- 13:15, 28 January 2023 SourMilk deleted page Dead Drop Resolver (content was: "Category:Web Service Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redi...", and the only contributor was "SourMilk")
- 13:15, 28 January 2023 SourMilk deleted page One-Way Communication (content was: "Category:Web Service Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from...", and the only contributor was "SourMilk")
- 13:14, 28 January 2023 SourMilk deleted page Standard Encoding (content was: "Category:Data Encoding Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, B...", and the only contributor was "SourMilk")
- 13:14, 28 January 2023 SourMilk deleted page Non-Standard Encoding (content was: "Category:Data Encoding Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or re...", and the only contributor was "SourMilk")
- 13:14, 28 January 2023 SourMilk deleted page Remote Data Staging (content was: "Category:Data Staged Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy dat...", and the only contributor was "SourMilk")
- 13:14, 28 January 2023 SourMilk deleted page Local Data Staging (content was: "Category:Data Staged Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging...", and the only contributor was "SourMilk")
- 13:14, 28 January 2023 SourMilk deleted page Network Device Configuration Dump (content was: "Category:Data from Configuration Repository Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on...", and the only contributor was "SourMilk")
- 13:14, 28 January 2023 SourMilk deleted page SNMP (MIB Dump) (content was: "Category:Data from Configuration Repository Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).", and the only contributor was "SourMilk")
- 13:13, 28 January 2023 SourMilk deleted page Confluence (content was: "Category:Data from Information Repositories Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, in general it may contain more diverse categories of useful information, such as:", and the only contributor was "SourMilk")
- 13:13, 28 January 2023 SourMilk deleted page Sharepoint (content was: "Category:Data from Information Repositories Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential v...", and the only contributor was "SourMilk")
- 13:13, 28 January 2023 SourMilk deleted page Internal Defacement (content was: "Category:Defacement An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Inter...", and the only contributor was "SourMilk")
- 13:13, 28 January 2023 SourMilk deleted page External Defacement (content was: "Category:Defacement An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often target...", and the only contributor was "SourMilk")
- 13:13, 28 January 2023 SourMilk deleted page Symmetric Cryptography (content was: "Category:Encrypted Channel Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES,...", and the only contributor was "SourMilk")
- 13:12, 28 January 2023 SourMilk deleted page Asymmetric Cryptography (content was: "Category:Encrypted Channel Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to...", and the only contributor was "SourMilk")
- 13:11, 28 January 2023 SourMilk deleted page Disk Structure Wipe (content was: "Category:Disk Wipe Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.", and the only contributor was "SourMilk")
- 13:11, 28 January 2023 SourMilk deleted page Disk Content Wipe (content was: "Category:Disk Wipe Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.", and the only contributor was "SourMilk")
- 13:11, 28 January 2023 SourMilk deleted page Direct Network Flood (content was: "Category:Network Denial of Service Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high-volume of network packets towar...", and the only contributor was "SourMilk")
- 13:11, 28 January 2023 SourMilk deleted page Reflection Amplification (content was: "Category:Network Denial of Service Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accom...", and the only contributor was "SourMilk")
- 13:10, 28 January 2023 SourMilk deleted page Purchase Technical Data (content was: "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark...", and the only contributor was "Ali3nw3rx")
- 13:10, 28 January 2023 SourMilk deleted page Threat Intel Vendors (content was: "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding bre...", and the only contributor was "Ali3nw3rx")
- 13:10, 28 January 2023 SourMilk deleted page Launchctl (content was: "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.[1] Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcomman...", and the only contributor was "Ali3nw3rx")
- 13:10, 28 January 2023 SourMilk deleted page Service Execution (content was: "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. PsExec can also be used to execute commands...", and the only contributor was "Ali3nw3rx")
- 13:10, 28 January 2023 SourMilk deleted page Socket Filters (content was: "Category:Traffic Signaling Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to...", and the only contributor was "SourMilk")
- 13:10, 28 January 2023 SourMilk deleted page Port Knocking (content was: "Category:Traffic Signaling Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by cus...", and the only contributor was "SourMilk")
- 13:10, 28 January 2023 SourMilk deleted page Domains (content was: "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control.[1] Adversaries may choose...", and the only contributor was "Ali3nw3rx")
- 13:09, 28 January 2023 SourMilk deleted page Spearphishing via Service (content was: "Category:Phishing", and the only contributor was "SourMilk")
- 13:02, 28 January 2023 SourMilk created page Category:Lateral Movement (Created blank page) Tag: Visual edit
- 13:02, 28 January 2023 SourMilk created page Category:Discovery (Created blank page) Tag: Visual edit
- 13:02, 28 January 2023 SourMilk created page Category:Credential Access (Created blank page) Tag: Visual edit
- 13:01, 28 January 2023 SourMilk created page Category:Defense Evasion (Created blank page) Tag: Visual edit
- 13:01, 28 January 2023 SourMilk created page Category:Privilege Escalation (Created blank page) Tag: Visual edit
- 18:39, 26 January 2023 SourMilk created page Category:PwnTillDawn (Created page with "=Description= PwnTillDawn<ref>https://online.pwntilldawn.com/</ref> Online Battlefield is a penetration testing lab created by wizlynx group where participants can test their offensive security skills in a safe and legal environment, but also having fun! The goal is simple, break into as many machines as possible using a succession of weaknesses and vulnerabilities and collect flags to prove the successful exploitation. Each target machine that can be compromised contain...") Tag: Visual edit
- 16:59, 26 January 2023 SourMilk protected Category:Collection [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)
- 16:58, 26 January 2023 SourMilk protected Category:Command and Control [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)
- 16:58, 26 January 2023 SourMilk protected Category:Exfiltration [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)
- 16:58, 26 January 2023 SourMilk protected Category:Impact [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)
- 16:32, 26 January 2023 SourMilk created page Video Capture (Created page with "Category:Collection An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.")
- 16:31, 26 January 2023 SourMilk created page Screen Capture (Created page with "Category:Collection Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.")
- 16:31, 26 January 2023 SourMilk created page Credential API Hooking (Created page with "Category:Input Capture Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.")
- 16:28, 26 January 2023 SourMilk created page Web Portal Capture (Created page with "Category:Input Capture Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.")
- 16:27, 26 January 2023 SourMilk created page GUI Input Capture (Created page with "Category:Input Capture Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).")
- 16:27, 26 January 2023 SourMilk created page Keylogging (Created page with "Category:Input Capture Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.")
- 16:27, 26 January 2023 SourMilk created page Category:Input Capture (Created page with "Category:Collection Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).")
- 16:26, 26 January 2023 SourMilk created page Email Forwarding Rule (Created page with "Category:Email Collection Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credenti...")
- 16:26, 26 January 2023 SourMilk created page Remote Email Collection (Created page with "Category:Email Collection Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate...")
- 16:26, 26 January 2023 SourMilk created page Local Email Collection (Created page with "Category:Email Collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.")
- 16:25, 26 January 2023 SourMilk created page Category:Email Collection (Created page with "Category:Collection Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.")
- 16:25, 26 January 2023 SourMilk created page Remote Data Staging (Created page with "Category:Data Staged Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.")