Combined display of all available logs of RCATs. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).
- 13:37, 1 April 2023 SourMilk protected Category:Collection [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)
- 13:37, 1 April 2023 SourMilk protected Category:Lateral Movement [Edit=Allow only administrators] (indefinite)
- 13:37, 1 April 2023 SourMilk protected Category:Discovery [Edit=Allow only administrators] (indefinite)
- 13:36, 1 April 2023 SourMilk protected Category:Credential Access [Edit=Allow only administrators] (indefinite)
- 13:36, 1 April 2023 SourMilk protected Category:Defense Evasion [Edit=Allow only administrators] (indefinite)
- 13:36, 1 April 2023 SourMilk protected Category:Privilege Escalation [Edit=Allow only administrators] (indefinite)
- 13:35, 1 April 2023 SourMilk protected Category:Initial Access [Edit=Allow only administrators] (indefinite)
- 13:35, 1 April 2023 SourMilk protected Category:Resource Development [Edit=Allow only administrators] (indefinite)
- 13:35, 1 April 2023 SourMilk protected Category:Reconnaissance [Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)
- 13:26, 1 April 2023 SourMilk created page Coder (Created page with "Category:Insane ==Box Information== Network: Hack The Box Operating System: Linux Release Date: 01 April 2023 Creator: [https://app.hackthebox.com/users/168546 ctrlzero] Difficulty: Insane Points: 50 ==Enumeration== === Nmap=== <syntaxhighlight lang="bash"> # Nmap </syntaxhighlight> ===Directory Scan=== <syntaxhighlight lang="bash"> ________________________________________________ </syntaxhighlight> ==Fo...")
- 12:26, 22 February 2023 SourMilk created page MailSniper (Created page with "Category:Tools ==Description== ==Commands== <syntaxhighlight lang="powershell"> # Enumerate Netbios name Invoke-DomainHarvestOWA -ExchHostname mail.name.com # Uses timing attack to validate possible usernames with OWA server Invoke-UsernameHarvestOWA -ExchHostname mail.name.io -Domain name.io -UserList possible.txt -OutFile valid.txt # Password spray valid usernames with specific password Invoke-PasswordSprayOWA -ExchHostname mail.name.io -UserList valid.txt -Pass...") Tag: Visual edit
- 14:31, 13 February 2023 SourMilk created page Cobalt Strike:Host Reconnaissance (Created page with "Category:Cobalt Strike ==Background== Prior to executing any post-exploitation steps, it is imperative for red teamers to assess the target system's security measures. This involves gathering information about the presence of antivirus (AV) software, endpoint detection and response (EDR) solutions, Windows audit policies, PowerShell logging, event forwarding, and other security-related components. Host reconnaissance serves as an important factor in determining the...")
- 14:22, 13 February 2023 SourMilk created page Category:Cobalt Strike (Created page with "Category:Command and Control")
- 14:47, 5 February 2023 SourMilk created page BroScience (Created page with "category:Medium ==Box Information== Network: Hack The Box Operating System: Linux Release Date: 7 January 2023 Creator: [https://app.hackthebox.com/users/485051 bmdyy] Difficulty: Medium Points: 30 ==Enumeration== ===Nmap=== <syntaxhighlight lang="powershell"> # Nmap 7.93 scan initiated Thu Jan 26 19:36:36 2023 as: nmap -sCV -oA nmap/broscience 10.129.5.153 Nmap scan report for 10.129.5.153 Host is up (0.077...") Tag: Visual edit: Switched
- 15:27, 31 January 2023 SourMilk created page Fortress:Faraday (Created page with " Category:HackTheBox ==Description== ==Flag 1== ===Nmap=== <syntaxhighlight lang="powershell"> # Nmap 7.93 scan initiated Tue Jan 31 13:08:36 2023 as: nmap -sCV -oA nmap/10.13.37.14 10.13.37.14 Nmap scan report for 10.13.37.14 Host is up (0.15s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 a80553aeb18d...") Tag: Visual edit: Switched
- 14:19, 30 January 2023 SourMilk created page Rpivot (Created page with "Category:Tools Category:Tunneling & Port Forwarding ==Description== RPIVOT is a tool that provides secure and flexible access to an internal network by tunneling traffic through a SOCKS 4 proxy. It operates in the opposite direction of SSH dynamic port forwarding, allowing you to pivot into an internal network from an external system. RPIVOT provides a convenient way to bypass network restrictions and gain access to internal resources without the need for direct...") Tag: Visual edit: Switched
- 13:44, 30 January 2023 SourMilk created page Sshuttle (Created page with "category:Tools ==Description== Sshuttle<ref>https://github.com/sshuttle/sshuttle</ref> is a free, open-source software tool that allows you to securely access network resources behind a firewall or router, by creating a VPN (Virtual Private Network) connection over an existing SSH (Secure Shell) connection. sshuttle works by forwarding all network traffic from your local machine to the remote network via an encrypted SSH tunnel, effectively bypassing any firewalls...") Tag: Visual edit: Switched
- 13:27, 30 January 2023 SourMilk created page Plink.exe (Created page with "Category:Tools Category:Tunneling & Port Forwarding ==Description== PuTTY Link (Plink) is a command-line connection tool for Windows that is used for connecting to a remote computer using the Telnet and Secure Shell (SSH) network protocols. It is part of the PuTTY suite of tools, which also includes the PuTTY terminal emulator and the PuTTY Configuration Utility. Plink is commonly used to automate routine tasks, such as executing shell commands on a remote server...") Tag: Visual edit: Switched
- 13:14, 30 January 2023 SourMilk created page Category:Tunneling & Port Forwarding (Created page with "Category:Command and Control ==Description== Tunneling and port forwarding are both techniques used in red teaming, a type of simulated cyber attack used to test an organization's security defenses. Tunneling involves creating a secure connection between two networked devices, allowing data to be transmitted between them even if they are behind a firewall or in different parts of the world. Port forwarding, on the other hand, is a method of redirecting incoming netwo...")
- 12:38, 30 January 2023 SourMilk created page Socat (Created page with "Category:Tools ==Description== socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named p...") Tag: Visual edit: Switched
- 21:38, 28 January 2023 SourMilk created page Encoding (Created page with "Category:Medium ==Box Information== Network: Hack The Box Operating System: Linux Release Date: 28 January 2023 Creator: [https://app.hackthebox.com/users/389926 kavigiha] Difficulty: Medium Points: 30 ==Enumeration==")
- 13:40, 28 January 2023 SourMilk deleted page Device Registration (content was: "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete...", and the only contributor was "Ali3nw3rx")
- 13:40, 28 January 2023 SourMilk deleted page SSH Authorized Keys (content was: "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configu...", and the only contributor was "Ali3nw3rx")
- 13:40, 28 January 2023 SourMilk deleted page DNS Calculation (content was: "Category:Dynamic Resolution Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.", and the only contributor was "SourMilk")
- 13:40, 28 January 2023 SourMilk deleted page Domain Generation Algorithms (content was: "Category:Dynamic Resolution Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there pote...", and the only contributor was "SourMilk")
- 13:40, 28 January 2023 SourMilk deleted page Fast Flux DNS (content was: "Category:Dynamic Resolution Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and...", and the only contributor was "SourMilk")
- 13:39, 28 January 2023 SourMilk deleted page Outlook Rules (content was: "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can...", and the only contributor was "Ali3nw3rx")
- 13:39, 28 January 2023 SourMilk deleted page Outlook Home Page (content was: "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when...", and the only contributor was "Ali3nw3rx")
- 13:39, 28 January 2023 SourMilk deleted page Outlook Forms (content was: "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.[1] Once malicious forms have b...", and the only contributor was "Ali3nw3rx")
- 13:39, 28 January 2023 SourMilk deleted page Office Test (content was: "Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes w...", and the only contributor was "Ali3nw3rx")
- 13:39, 28 January 2023 SourMilk deleted page Office Template Macros (content was: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. [1] Office Visual Basic for Applications (VBA) macros [2] can be inserted into...", and the only contributor was "Ali3nw3rx")
- 13:39, 28 January 2023 SourMilk deleted page Add-ins (content was: "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. [1] There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add...", and the only contributor was "Ali3nw3rx")
- 13:38, 28 January 2023 SourMilk deleted page Reversible Encryption (content was: "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functio...", and the only contributor was "Ali3nw3rx")
- 13:38, 28 January 2023 SourMilk deleted page Pluggable Authentication Modules (content was: "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authenti...", and the only contributor was "Ali3nw3rx")
- 13:38, 28 January 2023 SourMilk deleted page Password Filter DLL (content was: "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password pol...", and the only contributor was "Ali3nw3rx")
- 13:38, 28 January 2023 SourMilk deleted page Network Device Authentication (content was: "Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific passw...", and the only contributor was "Ali3nw3rx")
- 13:38, 28 January 2023 SourMilk deleted page Multi-Factor Authentication (content was: "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or c...", and the only contributor was "Ali3nw3rx")
- 13:38, 28 January 2023 SourMilk deleted page Domain Controller Authentication (content was: "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user's account and/or credentials (ex: Skeleton Key). Skel...", and the only contributor was "Ali3nw3rx")
- 13:38, 28 January 2023 SourMilk deleted page Hybrid Identity (content was: "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments....", and the only contributor was "Ali3nw3rx")
- 13:37, 28 January 2023 SourMilk deleted page Multi-hop Proxy (content was: "Category:Proxy To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of...", and the only contributor was "SourMilk")
- 13:37, 28 January 2023 SourMilk deleted page Internal Proxy (content was: "Category:Proxy Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromis...", and the only contributor was "SourMilk")
- 13:37, 28 January 2023 SourMilk deleted page External Proxy (content was: "Category:Proxy Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage comma...", and the only contributor was "SourMilk")
- 13:37, 28 January 2023 SourMilk deleted page Domain Fronting (content was: "Category:Proxy Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If bot...", and the only contributor was "SourMilk")
- 13:36, 28 January 2023 SourMilk deleted page LLMNR/NBT-NS Poisoning and SMB Relay (content was: "Category:Adversary-in-the-Middle By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.", and the only contributor was "SourMilk")
- 13:36, 28 January 2023 SourMilk deleted page DHCP Spoofing (content was: "Category:Adversary-in-the-Middle Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially...", and the only contributor was "SourMilk")
- 13:36, 28 January 2023 SourMilk deleted page ARP Cache Poisoning (content was: "Category:Adversary-in-the-Middle Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.", and the only contributor was "SourMilk")
- 13:35, 28 January 2023 SourMilk deleted page DNS (C2) (content was: "Category:Application Layer Protocol Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk")
- 13:35, 28 January 2023 SourMilk deleted page File Transfer Protocols (content was: "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk")
- 13:35, 28 January 2023 SourMilk deleted page Mail Protocols (content was: "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk")
- 13:35, 28 January 2023 SourMilk deleted page Web Protocols (content was: "Category:Application Layer Protocol Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", and the only contributor was "SourMilk")