Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Unix Shell Configuration Modification (content was: "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scrip...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Trap (content was: "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can u...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Screensaver (content was: "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page PowerShell Profile (content was: "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be dif...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Netsh Helper DLL (content was: "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.[1] The paths to registered netsh.exe helper D...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page LC LOAD DYLIB Addition (content was: "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be adde...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Installer Packages (content was: "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Instal...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Image File Execution Options Injection (content was: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new pro...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Emond (content was: "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Component Object Model Hijacking (content was: "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.[1] References to various COM objects are stored in the Registry. Adversaries can use the COM system to insert maliciou...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Change Default File Association (content was: "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry acces...", and the only contributor was "Ali3nw3rx" (talk))
- 13:25, 28 January 2023 SourMilk talk contribs deleted page AppInit DLLs (content was: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows...", and the only contributor was "Ali3nw3rx" (talk))
- 13:25, 28 January 2023 SourMilk talk contribs deleted page Accessibility Features (content was: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command...", and the only contributor was "Ali3nw3rx" (talk))
- 13:24, 28 January 2023 SourMilk talk contribs deleted page Software (content was: "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). Adversaries may ga...", and the only contributor was "Ali3nw3rx" (talk))
- 13:24, 28 January 2023 SourMilk talk contribs deleted page Hardware (content was: "<references group="https://attack.mitre.org/techniques/T1592/001/" /> Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of ad...", and the only contributor was "Ali3nw3rx" (talk))
- 13:24, 28 January 2023 SourMilk talk contribs deleted page Firmware (content was: "Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.). Adversaries may gather this inf...", and the only contributor was "Ali3nw3rx" (talk))
- 13:24, 28 January 2023 SourMilk talk contribs deleted page Client Configurations (content was: "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. Adversaries may gather this information in various ways, such...", and the only contributor was "Ali3nw3rx" (talk))
- 13:24, 28 January 2023 SourMilk talk contribs deleted page Data from Local System (content was: "Category:Collection Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.", and the only contributor was "SourMilk" (talk))
- 13:24, 28 January 2023 SourMilk talk contribs deleted page Data from Network Shared Drive (content was: "Category:Collection Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common fun...", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Data from Removable Media (content was: "Category:Collection Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be u...", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Video Capture (content was: "Category:Collection An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Screen Capture (content was: "Category:Collection Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd,...", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Credential API Hooking (content was: "Category:Input Capture Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user cre...", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page GUI Input Capture (content was: "Category:Input Capture Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privilege...", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Keylogging (content was: "Category:Input Capture Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be su...", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Web Portal Capture (content was: "Category:Input Capture Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.", and the only contributor was "SourMilk" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Business Relationships (content was: "Attackers may collect information about the victim organization's business relationships that can be used to identify potential targets. This information may include details about second and third-party organizations or domains that have access to the network, and supply chains or shipment paths for the victim's hardware and software resources. They may collect this info...", and the only contributor was "Ali3nw3rx" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Identify Roles (content was: "Attackers may collect information about identities and roles within the victim organization that can be used to identify potential targets. This information may include details about key personnel and the data and resources they have access to. They may collect this information through various methods such as directly requesting it through phishing emails, or by finding...", and the only contributor was "Ali3nw3rx" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Identify Business Tempo (content was: "Attackers may collect information about the victim organization's business tempo that can be used to identify potential targets. This information may include details about the organization's operational hours and days of the week, as well as times and dates of purchases and shipments of hardware and software resources. They may collect this information through various me...", and the only contributor was "Ali3nw3rx" (talk))
- 13:23, 28 January 2023 SourMilk talk contribs deleted page Determine Physical Locations (content was: "Attackers may collect information about the physical locations of the victim organization that can be used to identify potential targets. This information can include details about where key resources and infrastructure are located and what legal jurisdiction the organization operates within. They may collect this information through various methods such as directly requ...", and the only contributor was "Ali3nw3rx" (talk))
- 13:22, 28 January 2023 SourMilk talk contribs deleted page XPC Services (content was: "Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level X...", and the only contributor was "Ali3nw3rx" (talk))
- 13:22, 28 January 2023 SourMilk talk contribs deleted page Component Object Model (content was: "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server o...", and the only contributor was "Ali3nw3rx" (talk))
- 13:22, 28 January 2023 SourMilk talk contribs deleted page Dynamic Data Exchange (content was: "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot da...", and the only contributor was "Ali3nw3rx" (talk))
- 13:21, 28 January 2023 SourMilk talk contribs deleted page Social Media Accounts (content was: "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may eng...", and the only contributor was "Ali3nw3rx" (talk))
- 13:21, 28 January 2023 SourMilk talk contribs deleted page Cloud Accounts (content was: "Category:Valid Accounts category:Compromise Accounts")
- 13:21, 28 January 2023 SourMilk talk contribs deleted page Email Accounts (content was: "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or...", and the only contributor was "Ali3nw3rx" (talk))
- 13:17, 28 January 2023 SourMilk talk contribs deleted page Archive via Utility (content was: "Category:Archive Collected Data Utility Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.", and the only contributor was "SourMilk" (talk))
- 13:17, 28 January 2023 SourMilk talk contribs deleted page Archive via Library (content was: "Category:Archive Collected Data An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile, libzip, and zlib. Most libraries include functionality to encrypt and/or compress data.", and the only contributor was "SourMilk" (talk))
- 13:17, 28 January 2023 SourMilk talk contribs deleted page Archive via Custom Method (content was: "Category:Archive Collected Data An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been...", and the only contributor was "SourMilk" (talk))
- 13:17, 28 January 2023 SourMilk talk contribs deleted page Protocol Impersonation (content was: "Category:Data Obfuscation Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.", and the only contributor was "SourMilk" (talk))
- 13:17, 28 January 2023 SourMilk talk contribs deleted page Junk Data (content was: "Category:Data Obfuscation Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with j...", and the only contributor was "SourMilk" (talk))
- 13:17, 28 January 2023 SourMilk talk contribs deleted page Steganography (content was: "Category:Data Obfuscation Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of...", and the only contributor was "SourMilk" (talk))
- 13:16, 28 January 2023 SourMilk talk contribs deleted page Social Media (content was: "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search in different social media sites depending on what information...", and the only contributor was "Ali3nw3rx" (talk))
- 13:16, 28 January 2023 SourMilk talk contribs deleted page Search Engines (content was: "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).[1][2] Adversaries may craft various search engine queries depending on wh...", and the only contributor was "Ali3nw3rx" (talk))
- 13:16, 28 January 2023 SourMilk talk contribs deleted page Code Repositories (content was: "Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Adversaries may search...", and the only contributor was "Ali3nw3rx" (talk))
- 13:16, 28 January 2023 SourMilk talk contribs deleted page Compromise Software Supply Chain (content was: "Category:Supply Chain Compromise", and the only contributor was "SourMilk" (talk))
- 13:16, 28 January 2023 SourMilk talk contribs deleted page Compromise Software Dependencies and Development Tools (content was: "Category:Supply Chain Compromise", and the only contributor was "SourMilk" (talk))
- 13:16, 28 January 2023 SourMilk talk contribs deleted page Compromise Hardware Supply Chain (content was: "Category:Supply Chain Compromise", and the only contributor was "SourMilk" (talk))
- 13:15, 28 January 2023 SourMilk talk contribs deleted page Credentials (content was: "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. Adversaries may gather credentials from potential victims in various...", and the only contributor was "Ali3nw3rx" (talk))
- 13:15, 28 January 2023 SourMilk talk contribs deleted page Email Addresses (content was: "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned...", and the only contributor was "Ali3nw3rx" (talk))