Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 13:34, 28 January 2023 SourMilk talk contribs deleted page Startup Items (content was: "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.[1] This is technically a deprecated t...", and the only contributor was "Ali3nw3rx" (talk))
- 13:34, 28 January 2023 SourMilk talk contribs deleted page RC Scripts (content was: "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries can establish persistence by adding a malicious binary path or shell commands to rc....", and the only contributor was "Ali3nw3rx" (talk))
- 13:34, 28 January 2023 SourMilk talk contribs deleted page Network Logon Script (content was: "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.[1] These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply...", and the only contributor was "Ali3nw3rx" (talk))
- 13:34, 28 January 2023 SourMilk talk contribs deleted page Logon Script (Windows) (content was: "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2] Adversaries may use these scripts to maintain...", and the only contributor was "Ali3nw3rx" (talk))
- 13:34, 28 January 2023 SourMilk talk contribs deleted page Login Hook (content was: "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for...", and the only contributor was "Ali3nw3rx" (talk))
- 13:34, 28 January 2023 SourMilk talk contribs deleted page Network Security Appliances (content was: "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrus...", and the only contributor was "Ali3nw3rx" (talk))
- 13:34, 28 January 2023 SourMilk talk contribs deleted page Network Topology (content was: "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, router...", and the only contributor was "Ali3nw3rx" (talk))
- 13:33, 28 January 2023 SourMilk talk contribs deleted page Network Trust Dependencies (content was: "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. Adversaries may gathe...", and the only contributor was "Ali3nw3rx" (talk))
- 13:33, 28 January 2023 SourMilk talk contribs deleted page IP Addresses (content was: "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a vi...", and the only contributor was "Ali3nw3rx" (talk))
- 13:33, 28 January 2023 SourMilk talk contribs deleted page Domain Properties (content was: "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone...", and the only contributor was "Ali3nw3rx" (talk))
- 13:33, 28 January 2023 SourMilk talk contribs deleted page DNS (content was: "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page Python (content was: "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled in...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page PowerShell (content was: "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.[1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdl...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page Network Device CLI (content was: "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain vari...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page JavaScript (content was: "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.[1] JScript is the Microsoft implementation of the same scripting standard. JScript i...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page AppleScript (content was: "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.[1] These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any op...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page Services File Permissions Weakness (content was: "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on th...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page Services Registry Permissions Weakness (content was: "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration inform...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page Path Interception by Unquoted Path (content was: "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. Service paths [1] and shortcut paths may also be vulnerable to p...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page Path Interception by Search Order Hijacking (content was: "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling progr...", and the only contributor was "Ali3nw3rx" (talk))
- 13:32, 28 January 2023 SourMilk talk contribs deleted page Path Interception by PATH Environment Variable (content was: "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script...", and the only contributor was "Ali3nw3rx" (talk))
- 13:31, 28 January 2023 SourMilk talk contribs deleted page KernelCallbackTable (content was: "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.[1][2] The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.[3] An adversary may hijack the execution flow of a process u...", and the only contributor was "Ali3nw3rx" (talk))
- 13:31, 28 January 2023 SourMilk talk contribs deleted page Executable Installer File Permissions Weakness (content was: "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target bin...", and the only contributor was "Ali3nw3rx" (talk))
- 13:31, 28 January 2023 SourMilk talk contribs deleted page Dynamic Linker Hijacking (content was: "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries s...", and the only contributor was "Ali3nw3rx" (talk))
- 13:31, 28 January 2023 SourMilk talk contribs deleted page COR PROFILER (content was: "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to mo...", and the only contributor was "Ali3nw3rx" (talk))
- 13:31, 28 January 2023 SourMilk talk contribs deleted page DLL Search Order Hijacking (content was: "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. [1][2] Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. There are many ways an adve...", and the only contributor was "Ali3nw3rx" (talk))
- 13:31, 28 January 2023 SourMilk talk contribs deleted page DLL Side-Loading (content was: "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then inv...", and the only contributor was "Ali3nw3rx" (talk))
- 13:31, 28 January 2023 SourMilk talk contribs deleted page Dylib Hijacking (content was: "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array...", and the only contributor was "Ali3nw3rx" (talk))
- 13:29, 28 January 2023 SourMilk talk contribs deleted page Active Setup (content was: "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.[1] These programs will be executed under the context of the user and will have the accoun...", and the only contributor was "Ali3nw3rx" (talk))
- 13:29, 28 January 2023 SourMilk talk contribs deleted page Authentication Package (content was: "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.[1] Adversaries can use the autostart mechanism provided by LSA authent...", and the only contributor was "Ali3nw3rx" (talk))
- 13:29, 28 January 2023 SourMilk talk contribs deleted page Kernel Modules and Extensions (content was: "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardwar...", and the only contributor was "Ali3nw3rx" (talk))
- 13:29, 28 January 2023 SourMilk talk contribs deleted page Login Items (content was: "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.[1] Login items can be added via a shared file list or Service Management Framework.[2] Shared file list login items can be set using scripting la...", and the only contributor was "Ali3nw3rx" (talk))
- 13:29, 28 January 2023 SourMilk talk contribs deleted page LSASS Driver (content was: "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link...", and the only contributor was "Ali3nw3rx" (talk))
- 13:29, 28 January 2023 SourMilk talk contribs deleted page Port Monitors (content was: "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[1] This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also...", and the only contributor was "Ali3nw3rx" (talk))
- 13:28, 28 January 2023 SourMilk talk contribs deleted page Print Processors (content was: "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed th...", and the only contributor was "Ali3nw3rx" (talk))
- 13:28, 28 January 2023 SourMilk talk contribs deleted page Re-opened Applications (content was: "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".[1] When selected, all applications currently open are added to a property list file named com.apple.loginwindow...", and the only contributor was "Ali3nw3rx" (talk))
- 13:28, 28 January 2023 SourMilk talk contribs deleted page Registry Run Keys / Startup Folder (content was: "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] These programs will be executed under the context of the user and will have the account's associated permissions...", and the only contributor was "Ali3nw3rx" (talk))
- 13:27, 28 January 2023 SourMilk talk contribs deleted page Security Support Provider (content was: "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP...", and the only contributor was "Ali3nw3rx" (talk))
- 13:27, 28 January 2023 SourMilk talk contribs deleted page Shortcut Modification (content was: "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve per...", and the only contributor was "Ali3nw3rx" (talk))
- 13:27, 28 January 2023 SourMilk talk contribs deleted page Time Providers (content was: "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.[1] W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.[2] Time providers are implemented as dynamic-link...", and the only contributor was "Ali3nw3rx" (talk))
- 13:27, 28 January 2023 SourMilk talk contribs deleted page Winlogon Helper DLL (content was: "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsof...", and the only contributor was "Ali3nw3rx" (talk))
- 13:27, 28 January 2023 SourMilk talk contribs deleted page XDG Autostart Entries (content was: "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored withi...", and the only contributor was "Ali3nw3rx" (talk))
- 13:27, 28 January 2023 Ali3nw3rx talk contribs created page Category:Collection (Created blank page)
- 13:27, 28 January 2023 SourMilk talk contribs deleted page Application Shimming (content was: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feat...", and the only contributor was "Ali3nw3rx" (talk))
- 13:27, 28 January 2023 SourMilk talk contribs deleted page Windows Management Instrumentation Event Subscription (content was: "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page AppCert DLLs (content was: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used applicatio...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Unix Shell Configuration Modification (content was: "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scrip...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Trap (content was: "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can u...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page Screensaver (content was: "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on...", and the only contributor was "Ali3nw3rx" (talk))
- 13:26, 28 January 2023 SourMilk talk contribs deleted page PowerShell Profile (content was: "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be dif...", and the only contributor was "Ali3nw3rx" (talk))