Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 13:42, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:42, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:42, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:42, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:41, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:40, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:40, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:40, 28 January 2023 (username removed) (log details removed) (edit summary removed)
- 13:40, 28 January 2023 SourMilk talk contribs deleted page Device Registration (content was: "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete...", and the only contributor was "Ali3nw3rx" (talk))
- 13:40, 28 January 2023 SourMilk talk contribs deleted page SSH Authorized Keys (content was: "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configu...", and the only contributor was "Ali3nw3rx" (talk))
- 13:40, 28 January 2023 SourMilk talk contribs deleted page DNS Calculation (content was: "Category:Dynamic Resolution Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.", and the only contributor was "SourMilk" (talk))
- 13:40, 28 January 2023 SourMilk talk contribs deleted page Domain Generation Algorithms (content was: "Category:Dynamic Resolution Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there pote...", and the only contributor was "SourMilk" (talk))
- 13:40, 28 January 2023 SourMilk talk contribs deleted page Fast Flux DNS (content was: "Category:Dynamic Resolution Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and...", and the only contributor was "SourMilk" (talk))
- 13:39, 28 January 2023 SourMilk talk contribs deleted page Outlook Rules (content was: "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can...", and the only contributor was "Ali3nw3rx" (talk))
- 13:39, 28 January 2023 SourMilk talk contribs deleted page Outlook Home Page (content was: "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when...", and the only contributor was "Ali3nw3rx" (talk))
- 13:39, 28 January 2023 SourMilk talk contribs deleted page Outlook Forms (content was: "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.[1] Once malicious forms have b...", and the only contributor was "Ali3nw3rx" (talk))
- 13:39, 28 January 2023 SourMilk talk contribs deleted page Office Test (content was: "Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes w...", and the only contributor was "Ali3nw3rx" (talk))
- 13:39, 28 January 2023 SourMilk talk contribs deleted page Office Template Macros (content was: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. [1] Office Visual Basic for Applications (VBA) macros [2] can be inserted into...", and the only contributor was "Ali3nw3rx" (talk))
- 13:39, 28 January 2023 SourMilk talk contribs deleted page Add-ins (content was: "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. [1] There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add...", and the only contributor was "Ali3nw3rx" (talk))
- 13:38, 28 January 2023 SourMilk talk contribs deleted page Reversible Encryption (content was: "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functio...", and the only contributor was "Ali3nw3rx" (talk))
- 13:38, 28 January 2023 SourMilk talk contribs deleted page Pluggable Authentication Modules (content was: "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authenti...", and the only contributor was "Ali3nw3rx" (talk))
- 13:38, 28 January 2023 SourMilk talk contribs deleted page Password Filter DLL (content was: "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password pol...", and the only contributor was "Ali3nw3rx" (talk))
- 13:38, 28 January 2023 SourMilk talk contribs deleted page Network Device Authentication (content was: "Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific passw...", and the only contributor was "Ali3nw3rx" (talk))
- 13:38, 28 January 2023 SourMilk talk contribs deleted page Multi-Factor Authentication (content was: "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or c...", and the only contributor was "Ali3nw3rx" (talk))
- 13:38, 28 January 2023 SourMilk talk contribs deleted page Domain Controller Authentication (content was: "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skel...", and the only contributor was "Ali3nw3rx" (talk))
- 13:38, 28 January 2023 SourMilk talk contribs deleted page Hybrid Identity (content was: "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments....", and the only contributor was "Ali3nw3rx" (talk))
- 13:37, 28 January 2023 SourMilk talk contribs deleted page Multi-hop Proxy (content was: "Category:Proxy To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of...", and the only contributor was "SourMilk" (talk))
- 13:37, 28 January 2023 SourMilk talk contribs deleted page Internal Proxy (content was: "Category:Proxy Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromis...", and the only contributor was "SourMilk" (talk))
- 13:37, 28 January 2023 SourMilk talk contribs deleted page External Proxy (content was: "Category:Proxy Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage comma...", and the only contributor was "SourMilk" (talk))
- 13:37, 28 January 2023 SourMilk talk contribs deleted page Domain Fronting (content was: "Category:Proxy Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If bot...", and the only contributor was "SourMilk" (talk))
- 13:36, 28 January 2023 SourMilk talk contribs deleted page LLMNR/NBT-NS Poisoning and SMB Relay (content was: "Category:Adversary-in-the-Middle By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.", and the only contributor was "SourMilk" (talk))
- 13:36, 28 January 2023 SourMilk talk contribs deleted page DHCP Spoofing (content was: "Category:Adversary-in-the-Middle Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially...", and the only contributor was "SourMilk" (talk))
- 13:36, 28 January 2023 SourMilk talk contribs deleted page ARP Cache Poisoning (content was: "Category:Adversary-in-the-Middle Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.", and the only contributor was "SourMilk" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page DNS (C2) (content was: "Category:Application Layer Protocol Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page File Transfer Protocols (content was: "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page Mail Protocols (content was: "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page Web Protocols (content was: "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page CDNs (content was: "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region. Adversaries may search CDN data to gather actionable info...", and the only contributor was "Ali3nw3rx" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page Digital Certificates (content was: "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about...", and the only contributor was "Ali3nw3rx" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page DNS/Passive DNS (content was: "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may search DNS data to gather actionable information. Threat actors can quer...", and the only contributor was "Ali3nw3rx" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page Scan Databases (content was: "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.[1] Adversaries may search scan databases to gather...", and the only contributor was "Ali3nw3rx" (talk))
- 13:35, 28 January 2023 SourMilk talk contribs deleted page WHOIS (content was: "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and...", and the only contributor was "Ali3nw3rx" (talk))