├── .gitattributes
├── .gitignore
├── CONTRIBUTING.md
├── Draft
│   ├── 10k-xkcd.png
│   ├── ATT&CK-Stuff
│   │   ├── ATT&CK
│   │   │   ├── Collection.md
│   │   │   ├── Command_and_Control.md
│   │   │   ├── Credential_Access.md
│   │   │   ├── Defense_Evasion.md
│   │   │   ├── Discovery.md
│   │   │   ├── Execution.md
│   │   │   ├── Exfiltration.md
│   │   │   ├── Initial_Access.md
│   │   │   ├── Lateral Movement.md
│   │   │   ├── Persistence.md
│   │   │   └── Privilege_Escalation.md
│   │   ├── Pre-ATT&CK
│   │   │   ├── # Establish & Maintain Infrastructure.md
│   │   │   ├── Adversary_OPSEC.md
│   │   │   ├── Build_Capabilities.md
│   │   │   ├── Organizationa_ Information_Gathering.md
│   │   │   ├── Organizational_Weakness.md
│   │   │   ├── People_Information_Gathering.md
│   │   │   ├── People_Weakness_Identification.md
│   │   │   ├── Persona_Development.md
│   │   │   ├── Priority_Definition _lanning.md
│   │   │   ├── Priority_Definition_Directive.md
│   │   │   ├── Stage_Capabilities.md
│   │   │   ├── Target_Selection.md
│   │   │   ├── Technical_Information_Gathering.md
│   │   │   ├── Technical_Weakness_Identification.md
│   │   │   └── Test_Capabilities.md
│   │   └── README.md
│   ├── Active_Directory.md
│   ├── AnonOpSecPrivacy.md
│   ├── Archiving.md
│   ├── Basic.md
│   ├── Building_A_Lab.md
│   ├── CTFs_Wargames.md
│   ├── CandE.md
│   ├── Career.md
│   ├── Cars.md
│   ├── Cheat sheets reference pages Checklists -
│   │   ├── Linux
│   │   │   ├── Post Exploitation on Linux.txt
│   │   │   ├── QuickRef-Enum.txt
│   │   │   └── cheat sheet Basic Linux Privilege Escalation.txt
│   │   ├── Meterpreter Scripts and Description.txt
│   │   ├── Ncat_Cheat_Sheet.txt
│   │   ├── Nmap Cheat Sheet.md
│   │   ├── Radare2.md
│   │   ├── Windows
│   │   │   └── Post Exploitation on Windows.txt
│   │   ├── list_of_emoji.md
│   │   └── metasploit.md
│   ├── Cheats.md
│   ├── Cloud.md
│   ├── Conferences.md
│   ├── Containers.md
│   ├── Courses_Training.md
│   ├── Crypto_Encrypt.md
│   ├── DFIR.md
│   ├── Darknets.md
│   ├── DataVis.md
│   ├── Defense.md
│   ├── Docs_and_Reports.md
│   ├── Embedded.md
│   ├── Exfiltration.md
│   ├── Exploit_Dev.md
│   ├── Fuzzing.md
│   ├── Games.md
│   ├── Interesting_Things.md
│   ├── L-SM-TH.md
│   ├── Malware.md
│   ├── Network_Attacks.md
│   ├── Osint.md
│   ├── Passwords.md
│   ├── Phishing.md
│   ├── Physical_Security.md
│   ├── Policy_Compliance.md
│   ├── Port_List.md
│   ├── PrivEscPostExWin.md
│   ├── PrivescPostEx.md
│   ├── PrivescPostExLin.md
│   ├── PrivescPostExmac.md
│   ├── Programming_Language_Security.md
│   ├── RE.md
│   ├── README.md
│   ├── RT.md
│   ├── Rants&Writeups
│   │   ├── Bitcoin_Hack.md
│   │   ├── Gamma_group_hack_writeup.txt
│   │   ├── Hacker_Manifesto
│   │   ├── Hacking Team Writeup.md
│   │   ├── Opsec_rant-alpraking.md
│   │   ├── Opsec_rant2-nachash.md
│   │   ├── Writeups
│   │   │   ├── Empire_and_Metasploit_101.md
│   │   │   ├── Lab_for_exploit_dev-basic.md
│   │   │   └── Maps-Models-Martial_Arts.md
│   │   ├── hackback3-original.txt
│   │   └── hackback3-translated.txt
│   ├── Reverse Engineering - REMath Literature.md
│   ├── Rootkits.md
│   ├── SCA.md
│   ├── SCADA.md
│   ├── SE.md
│   ├── UX.md
│   ├── Unsorted-rt.md
│   ├── Web.md
│   ├── Wireless.md
│   ├── _sidebar.md
│   ├── bios_uefi.md
│   ├── css
│   │   ├── docsify4.js
│   │   ├── emoji.min.js
│   │   ├── gfont.css
│   │   ├── search.min.js
│   │   ├── style.css
│   │   ├── theme-blue-min.css
│   │   ├── theme-min-blue.css
│   │   └── theme.min.css
│   ├── help.md
│   ├── honeypot.md
│   ├── images
│   │   ├── 10k-xkcd.png
│   │   ├── LICENSE MIT.svg
│   │   ├── MARKDOWN.svg
│   │   └── mspaint.png
│   ├── index.html
│   ├── index.md
│   ├── sysinternals.md
│   └── threatmodel.md
├── LICENSE
├── README.md
└── images
    ├── 10k-xkcd.png
    ├── Markdown-000000.svg
    └── v1.svg
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

# Custom for Visual Studio
*.cs diff=csharp
*.sln merge=union
*.csproj merge=union
*.vbproj merge=union
*.fsproj merge=union
*.dbproj merge=union

# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Windows image file caches
Thumbs.db
ehthumbs.db

# Folder config file
Desktop.ini

# Recycle Bin used on file shares
$RECYCLE.BIN/

# Windows Installer files
*.cab
*.msi
*.msm
*.msp

# =========================
# Operating System Files
# =========================

# OSX
# =========================

.DS_Store
.AppleDouble
.LSOverride

# Icon must end with two \r.
Icon

# Thumbnails
._*

# Files that might appear on external disk
.Spotlight-V100
.Trashes

Draft/Draft/To Do/add cull -2.txt
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
If you wish to contribute, simply fork the project, add your links/information/pages and make a pull request.
As long as the links are non-malicious, I'll probably accept your pull request. Any help/contributions are welcome.

--------------------------------------------------------------------------------
/Draft/10k-xkcd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rmusser01/Infosec_Reference/4bdf90b0b98b7641140f9bf3950addc42d1861db/Draft/10k-xkcd.png
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/ATT&CK/Exfiltration.md:
--------------------------------------------------------------------------------
# Exfiltration
-------------------------------
See --> [Exfiltration](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Exfiltration.md)


[MITRE ATT&CK - Exfiltration](https://attack.mitre.org/wiki/Exfiltration)
* Exfiltration refers to techniques and attributes that result in, or aid, the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.


## Automated Exfiltration
-------------------------------
* [Automated Exfiltration - ATT&CK](https://attack.mitre.org/wiki/Technique/T1020)
    * Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.

#### Linux
#### OS X
#### Windows
* [LNKUp](https://github.com/Plazmaz/LNKUp)
    * This tool will allow you to generate LNK payloads. Upon rendering or being run, they will exfiltrate data.


## Data Compressed
-------------------------------
* [Data Compressed - ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
    * An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.


## Data Encrypted
-------------------------------
* [Data Encrypted - ATT&CK](https://attack.mitre.org/wiki/Technique/T1022)
    * Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.


## Data Transfer Size Limits
-------------------------------
* [Data Transfer Size Limits - ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
    * An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.


## Exfiltration Over Alternative Protocol
-------------------------------
* [Exfiltration Over Alternative Protocol - ATT&CK](https://attack.mitre.org/wiki/Technique/T1048)
    * Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.


## Exfiltration Over Command and Control Channel
-------------------------------
* [Exfiltration Over Command and Control Channel - ATT&CK](https://attack.mitre.org/wiki/Technique/T1041)
    * Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.


## Exfiltration Over Other Network Medium
-------------------------------
* [Exfiltration Over Other Network Medium - ATT&CK](https://attack.mitre.org/wiki/Technique/T1011)
    * Exfiltration could occur over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries could choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.


## Exfiltration Over Physical Medium
-------------------------------
* [Exfiltration Over Physical Medium - ATT&CK](https://attack.mitre.org/wiki/Technique/T1052)
    * In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.


## Scheduled Transfer
-------------------------------
* [Scheduled Transfer - ATT&CK](https://attack.mitre.org/wiki/Technique/T1029)
    * Data exfiltration may be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.

--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/ATT&CK/Initial_Access.md:
--------------------------------------------------------------------------------
# Initial Access

* [MITRE ATT&CK - Initial Access](https://attack.mitre.org/wiki/Initial_Access)
    * The initial access tactic represents the vectors adversaries use to gain an initial foothold within a network.

-------------------------------
## Drive-by-Compromise
* [Drive-by-Compromise - ATT&CK](https://attack.mitre.org/wiki/Technique/T1189)
    * A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation.


-------------------------------
## Exploit Public-Facing Application
* [Exploit Public-Facing Application - ATT&CK](https://attack.mitre.org/wiki/Technique/T1190)
    * The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited, this may include Exploitation for Defense Evasion.


-------------------------------
## Hardware Additions
* [Hardware Additions - ATT&CK](https://attack.mitre.org/wiki/Technique/T1200)
    * Computer accessories, computers or networking hardware may be introduced into a system as a vector to gain execution. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the-middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others.


-------------------------------
## Replication Through Removable Media
* [Replication Through Removable Media - ATT&CK](https://attack.mitre.org/wiki/Technique/T1091)
    * Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.


-------------------------------
## Spearphishing Link
* [Spearphishing Link - ATT&CK](https://attack.mitre.org/wiki/Technique/T1192)
    * Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.


-------------------------------
## Spearphishing via Service
* [Spearphishing via Service - ATT&CK](https://attack.mitre.org/wiki/Technique/T1194)
    * Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
    * All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
    * A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.


-------------------------------
## Supply Chain Compromise
* [Supply Chain Compromise - ATT&CK](https://attack.mitre.org/wiki/Technique/T1195)
    * Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:
        * Manipulation of development tools
        * Manipulation of a development environment
        * Manipulation of source code repositories (public or private)
        * Manipulation of software update/distribution mechanisms
        * Compromised/infected system images (multiple cases of removable media infected at the factory)
        * Replacement of legitimate software with modified versions
        * Sales of modified/counterfeit products to legitimate distributors
        * Shipment interdiction


-------------------------------
## Trusted Relationship
* [Trusted Relationship - ATT&CK](https://attack.mitre.org/wiki/Technique/T1199)
    * Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
    * Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.


-------------------------------
## Valid Accounts
* [Valid Accounts - ATT&CK](https://attack.mitre.org/wiki/Technique/T1078)
    * Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access.
    * Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
    * Adversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful.
    * The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.

--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/# Establish & Maintain Infrastructure.md:
--------------------------------------------------------------------------------
# Establish & Maintain Infrastructure


## Table of Contents
- [Acquire and/or use 3rd party infrastructure services](#acquire-andor-use-3rd-party-infrastructure-services)
- [Acquire and/or use 3rd party software services](#acquire-andor-use-3rd-party-software-services)
- [Acquire or compromise 3rd party signing certificates](#acquire-or-compromise-3rd-party-signing-certificates)
- [Buy domain name](#buy-domain-name)
- [Compromise 3rd party infrastructure to support delivery](#compromise-3rd-party-infrastructure-to-support-delivery)
- [Create backup infrastructure](#create-backup-infrastructure)
- [Domain registration hijacking](#domain-registration-hijacking)
- [Dynamic DNS](#dynamic-dns)
- [Install and configure hardware, network, and systems](#install-and-configure-hardware-network-and-systems)
- [Obfuscate infrastructure](#obfuscate-infrastructure)
- [Obtain booter/stressor subscription](#obtain-booterstressor-subscription)
- [Procure required equipment and software](#procure-required-equipment-and-software)
- [SSL certificate acquisition for domain](#ssl-certificate-acquisition-for-domain)
- [SSL certificate acquisition for trust breaking](#ssl-certificate-acquisition-for-trust-breaking)
- [Shadow DNS](#shadow-dns)
- [Use multiple DNS infrastructures](#use-multiple-dns-infrastructures)



[Establish & Maintain Infrastructure - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Establish_%26_Maintain_Infrastructure)
* Establishing and maintaining infrastructure consists of building, purchasing, co-opting, and maintaining systems and services used to conduct cyber operations. An adversary will need to establish infrastructure used to communicate with and control assets used throughout the course of their operations.


-------------------------------
### Acquire and/or use 3rd party infrastructure services
* [Acquire and/or use 3rd party infrastructure services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106)
    * A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.


-------------------------------
### Acquire and/or use 3rd party software services
* [Acquire and/or use 3rd party software services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1107)
    * A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.


-------------------------------
### Acquire or compromise 3rd party signing certificates
* [Acquire or compromise 3rd party signing certificates - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109)
    * Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.


-------------------------------
### Buy domain name
* [Buy domain name - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1105)
    * Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.


-------------------------------
### Compromise 3rd party infrastructure to support delivery
* [Compromise 3rd party infrastructure to support delivery - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1111)
    * Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it for some or all of the attack cycle.


-------------------------------
### Create backup infrastructure
* [Create backup infrastructure - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1116)
    * Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable.


-------------------------------
### Domain registration hijacking
* [Domain registration hijacking - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1103)
    * Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant.


-------------------------------
### Dynamic DNS
* [Dynamic DNS - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1110)
    * Dynamic DNS is an automated method to rapidly update the domain name system mapping of hostnames to IPs.


-------------------------------
### Install and configure hardware, network, and systems
* [Install and configure hardware, network, and systems - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1113)
    * An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure.


-------------------------------
### Obfuscate infrastructure
* [Obfuscate infrastructure - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108)
    * Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc.


-------------------------------
### Obtain booter/stressor subscription
* [Obtain booter/stressor subscription - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1173)
    * Configure and set up booter/stressor services, often intended for server stress testing, to enable denial of service attacks.


-------------------------------
### Procure required equipment and software
* [Procure required equipment and software - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1112)
    * An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.


-------------------------------
### SSL certificate acquisition for domain
* [SSL certificate acquisition for domain - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1114)
    * Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user into trusting the domain (e.g., vvachovia instead of Wachovia -- homoglyphs).


-------------------------------
### SSL certificate acquisition for trust breaking
* [SSL certificate acquisition for trust breaking - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1115)
    * Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks.


-------------------------------
### Shadow DNS
* [Shadow DNS - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1117)
    * The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner.


-------------------------------
### Use multiple DNS infrastructures
* [Use multiple DNS infrastructures - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1104)
    * A technique used by the adversary similar to Dynamic DNS, with the exception that the use of multiple DNS infrastructures likely has whois records.

--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Adversary_OPSEC.md:
--------------------------------------------------------------------------------
# Adversary OPSEC - Pre-ATT&CK



[Adversary OPSEC - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Adversary_OPSEC)
* Adversary OPSEC consists of the use of various technologies or 3rd party services to obfuscate, hide, or blend in with accepted network traffic or system behavior. The adversary may use these techniques to evade defenses, reduce attribution, minimize discovery, and/or increase the time and effort required to analyze.


-------------------------------
### Acquire and/or use 3rd party infrastructure services
* [Acquire and/or use 3rd party infrastructure services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1084)
    * A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.


-------------------------------
### Acquire and/or use 3rd party software services
* [Acquire and/or use 3rd party software services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1085)
    * A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.


-------------------------------
### Acquire or compromise 3rd party signing certificates
* [Acquire or compromise 3rd party signing certificates - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1087)
    * Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.

-------------------------------
### Anonymity services
* [Anonymity services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1083)
    * Anonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity.


-------------------------------
### Common, high volume protocols and software
* [Common, high volume protocols and software - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1098)
    * Certain types of traffic (e.g., Twitter, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic.


-------------------------------
### Compromise 3rd party infrastructure to support delivery
* [Compromise 3rd party infrastructure to support delivery - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1089)
    * Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it for some or all of the attack cycle.


-------------------------------
### DNSCalc
* [DNSCalc - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1101)
    * DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request.


-------------------------------
### Data Hiding
* [Data Hiding - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1097)
    * Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known.


-------------------------------
### Domain Generation Algorithms (DGA)
* [Domain Generation Algorithms (DGA) - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1100)
    * The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers.


-------------------------------
### Dynamic DNS
* [Dynamic DNS - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088)
    * Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service.


-------------------------------
91 | ### Fast Flux DNS
92 | * [Fast Flux DNS - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1102)
93 | * A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round-robin IP address rotation and a short Time-To-Live (TTL) on the DNS resource record.
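Added illustration for the Domain Generation Algorithms and Fast Flux DNS entries above (not code from the page or from MITRE): a small defender-side triage script that scores second-level labels for DGA-like randomness (entropy, vowel share, digits, consonant runs) and flags names whose many rotating A records and short TTLs match the fast-flux pattern described. The passive-DNS records, thresholds and the one-label public-suffix assumption are constructed for this example.

```python
# Added example: heuristic triage of DNS observations for DGA-like names and fast flux.
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed passive-DNS style records: (query name, record type, answer, TTL).
# Addresses are from documentation ranges; nothing here is a real observation.
SAMPLE_RECORDS = [
    ("cdn.example-corp.test", "A", "203.0.113.10", 3600),
    ("cdn.example-corp.test", "A", "203.0.113.11", 3600),
    ("login.fluxy-shop.test", "A", "198.51.100.5", 120),
    ("login.fluxy-shop.test", "A", "198.51.100.77", 120),
    ("login.fluxy-shop.test", "A", "192.0.2.33", 90),
    ("login.fluxy-shop.test", "A", "192.0.2.140", 60),
    ("login.fluxy-shop.test", "A", "203.0.113.201", 120),
    ("login.fluxy-shop.test", "A", "198.51.100.9", 120),
    ("xk3jq9vzplm2w.test", "A", "192.0.2.50", 300),
    ("mail.example-corp.test", "A", "203.0.113.25", 86400),
]

def shannon_entropy(text):
    """Bits of entropy per character; high values suggest machine-generated labels."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def longest_consonant_run(label):
    """Longest run of consonant letters; digits, hyphens and vowels break the run."""
    best = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def registrable_label(fqdn):
    """Second-level label (assumes a one-label public suffix such as .test).
    A real deployment would consult the Public Suffix List for suffixes like co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def dga_score(fqdn):
    """Count DGA-like traits of the registrable label (0 = looks human-chosen)."""
    label = registrable_label(fqdn)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    score = 0
    if len(label) >= 10 and shannon_entropy(label) >= 3.5:
        score += 1  # long and close to uniformly random characters
    if vowel_ratio < 0.2:
        score += 1  # pronounceable names keep a healthy share of vowels
    if digit_ratio >= 0.15:
        score += 1  # digits sprinkled through a label are rare in brand names
    if longest_consonant_run(label) >= 4:
        score += 1  # unpronounceable consonant clusters
    return score

def fast_flux_report(records, min_ips=5, max_ttl=300, min_nets=2):
    """Per name: distinct A answers, distinct /24 networks, lowest TTL, fast-flux verdict.
    The /24 spread separates flux networks from a CDN rotating a few IPs in one block."""
    per_name = defaultdict(lambda: {"ips": set(), "ttls": []})
    for qname, rtype, rdata, ttl in records:
        if rtype != "A":
            continue  # IPv4 answers only in this example
        per_name[qname]["ips"].add(rdata)
        per_name[qname]["ttls"].append(ttl)
    report = {}
    for name, info in per_name.items():
        nets = {ip.rsplit(".", 1)[0] for ip in info["ips"]}
        distinct_ips, lowest_ttl = len(info["ips"]), min(info["ttls"])
        report[name] = {
            "distinct_ips": distinct_ips,
            "distinct_nets": len(nets),
            "lowest_ttl": lowest_ttl,
            "fast_flux": distinct_ips >= min_ips and lowest_ttl <= max_ttl and len(nets) >= min_nets,
        }
    return report

def triage(records, dga_threshold=2):
    """Combine both heuristics; returns only the names that earned a tag."""
    flux = fast_flux_report(records)
    findings = []
    for name in sorted(flux):
        tags = []
        if flux[name]["fast_flux"]:
            tags.append("fast-flux")
        score = dga_score(name)
        if score >= dga_threshold:
            tags.append("dga-like")
        if tags:
            findings.append({"name": name, "tags": tags, "dga_score": score, **flux[name]})
    return findings
```

Both checks are heuristics: CDNs and legitimate dynamic DNS users can trip the TTL/IP test and short brand names can look random, so treat hits as candidates to enrich with WHOIS age and reputation data rather than verdicts.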
94 |
95 |
96 | -------------------------------
97 | ### Host-based hiding techniques
98 | * [Host-based hiding techniques - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1091)
99 | * Host-based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weaknesses in file formats or parsers, or self-deleting code.
100 |
101 |
102 | -------------------------------
103 | ### Misattributable credentials
104 | * [Misattributable credentials - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1099)
105 | * The use of credentials by an adversary with the intent to hide their true identity and/or portray themselves as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case.
106 |
107 |
108 |
109 | -------------------------------
110 | ### Network-based hiding techniques
111 | * [Network-based hiding techniques - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1092)
112 | * Technical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation.
113 |
114 |
115 | -------------------------------
116 | ### Non-traditional or less attributable payment options
117 | * [Non-traditional or less attributable payment options - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1093)
118 | * Using alternative payment options allows an adversary to hide their activities. Options include cryptocurrencies, barter systems, pre-paid cards or shell accounts.
119 |
120 |
121 | -------------------------------
122 | ### OS-vendor provided communication channels
123 | * [OS-vendor provided communication channels - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1167)
124 | * Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices.
125 |
126 |
127 |
128 | -------------------------------
129 | ### Obfuscate infrastructure
130 | * [Obfuscate infrastructure - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1086)
131 | * Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc.
132 |
133 |
134 | -------------------------------
135 | ### Obfuscate operational infrastructure
136 | * [Obfuscate operational infrastructure - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1095)
137 | * Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc.
138 |
139 |
140 |
141 | -------------------------------
142 | ### Obfuscate or encrypt code
143 | * [Obfuscate or encrypt code - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1096)
144 | * Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption.
145 |
146 |
147 |
148 | -------------------------------
149 | ### Obfuscation or cryptography
150 | * [Obfuscation or cryptography - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1090)
151 | * Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption.
152 |
153 |
154 | -------------------------------
155 | ### Private whois services
156 | * [Private whois services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1082)
157 | * Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain.
158 |
159 |
160 | -------------------------------
161 | ### Proxy/protocol relays
162 | * [Proxy/protocol relays - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1081)
163 | * Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication.
164 |
165 |
166 |
167 | -------------------------------
168 | ### Secure and protect infrastructure
169 | * [Secure and protect infrastructure - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1094)
170 | * An adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures.
171 |
172 |
173 |
174 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Build_Capabilities.md:
--------------------------------------------------------------------------------
1 | # Build Capabilities
2 |
3 | ## Table of Contents
4 | - [Build and configure delivery systems](#build-and-configure-delivery-systems)
5 | - [Build or acquire exploits](#build-or-acquire-exploits)
6 | - [C2 protocol development](#c2-protocol-development)
7 | - [Compromise 3rd party or closed-source vulnerability/exploit information](#compromise-3rd-party-or-closed-source-vulnerabilityexploit-information)
8 | - [Create custom payloads](#create-custom-payloads)
9 | - [Create infected removable media](#create-infected-removable-media)
10 | - [Identify resources required to build capabilities](#identify-resources-required-to-build-capabilities)
11 | - [Obtain/re-use payloads](#obtainre-use-payloads)
12 | - [Post compromise tool development](#post-compromise-tool-development)
13 | - [Remote access tool development](#remote-access-tool-development)
16 |
17 |
18 |
19 |
20 | [Build Capabilities - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Build_Capabilities)
21 | * Building capabilities consists of developing and/or acquiring the software, data and techniques used at different phases of an operation. This is the process of identifying development requirements and implementing solutions such as malware, delivery mechanisms, obfuscation/cryptographic protections, and call back and O&M functions.
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 | ---------------------------------------------------------
38 | ### Build and configure delivery systems
39 | * [Build and configure delivery systems - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1124)
40 | * Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments.
41 |
42 |
43 |
44 |
45 | ---------------------------------------------------------
46 | ### Build or acquire exploits
47 | * [Build or acquire exploits - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1126)
48 | * An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise.
49 |
50 |
51 |
52 |
53 |
54 | ---------------------------------------------------------
55 | ### C2 protocol development
56 | * [C2 protocol development - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1129)
57 | * Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media.
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 | ---------------------------------------------------------
67 | ### Compromise 3rd party or closed-source vulnerability/exploit information
68 | * [Compromise 3rd party or closed-source vulnerability/exploit information - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1131)
69 | * There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack.
70 |
71 |
72 |
73 |
74 | ---------------------------------------------------------
75 | ### Create custom payloads
76 | * [Create custom payloads - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1122)
77 | * A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment.
78 |
79 |
80 |
81 |
82 | ---------------------------------------------------------
83 | ### Create infected removable media
84 | * [Create infected removable media - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1132)
85 | * Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware.
86 |
87 |
88 |
89 |
90 | ---------------------------------------------------------
91 | ### Identify resources required to build capabilities
92 | * [Identify resources required to build capabilities - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1125)
93 | * As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out.
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 | ---------------------------------------------------------
103 | ### Obtain/re-use payloads
104 | * [Obtain/re-use payloads - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1123)
105 | * A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available.
106 |
107 |
108 |
109 |
110 |
111 | ---------------------------------------------------------
112 | ### Post compromise tool development
113 | * [Post compromise tool development - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1130)
114 | * After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data.
115 |
116 |
117 |
118 |
119 |
120 |
121 | ---------------------------------------------------------
122 | ### Remote access tool development
123 | * [Remote access tool development - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1128)
124 | * A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT.
125 |
126 |
127 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Organizationa_ Information_Gathering.md:
--------------------------------------------------------------------------------
1 | # Organizational Information Gathering
2 |
3 | ## Table of Contents
4 | - [Acquire OSINT data sets and information](#acquire-osint-data-sets-and-information)
5 | - [Conduct social engineering](#conduct-social-engineering)
6 | - [Determine centralization of IT management](#determine-centralization-of-it-management)
7 | - [Determine physical locations](#determine-physical-locations)
8 | - [Dumpster dive](#dumpster-dive)
9 | - [Identify business processes/tempo](#identify-business-processestempo)
10 | - [Identify job postings and needs/gaps](#identify-job-postings-and-needsgaps)
11 | - [Obtain templates/branding materials](#obtain-templatesbranding-materials)
12 | - [Identify supply chains](#identify-supply-chains)
13 | - [Determine 3rd party infrastructure services](#determine-3rd-party-infrastructure-services)
18 |
19 |
20 |
21 |
22 | [Organizational Information Gathering](https://attack.mitre.org/pre-attack/index.php/Organizational_Information_Gathering)
23 | * Organizational information gathering consists of the process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.
24 |
25 |
26 | ---------------------------------------------------------
27 | ### Acquire OSINT data sets and information
28 | * [Acquire OSINT data sets and information - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054)
29 | * Data sets can be anything from Securities and Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world.
30 |
31 |
32 |
33 |
34 |
35 | ---------------------------------------------------------
36 | ### Conduct social engineering
37 | * [Conduct social engineering - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1056)
38 | * Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.
39 |
40 |
41 |
42 |
43 |
44 | ---------------------------------------------------------
45 | ### Determine centralization of IT management
46 | * [Determine centralization of IT management - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1062)
47 | * Determining whether a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards.
48 |
49 |
50 |
51 |
52 | ---------------------------------------------------------
53 | ### Determine physical locations
54 | * [Determine physical locations - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1059)
55 | * Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility.
56 |
57 |
58 |
59 |
60 | ---------------------------------------------------------
61 | ### Dumpster dive
62 | * [Dumpster dive - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1063)
63 | * Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest.
64 |
65 |
66 |
67 |
68 | ---------------------------------------------------------
69 | ### Identify business processes/tempo
70 | * [Identify business processes/tempo - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1057)
71 | * Understanding an organization's business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic.
72 |
73 |
74 |
75 |
76 | ---------------------------------------------------------
77 | ### Identify job postings and needs/gaps
78 | * [Identify job postings and needs/gaps - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1055)
79 | * Job postings, whether on company sites or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as an under-resourced IT shop). Job postings can also provide information on an organization's structure which could be valuable in social engineering attempts.
80 |
81 |
82 |
83 |
84 | ---------------------------------------------------------
85 | ### Obtain templates/branding materials
86 | * [Obtain templates/branding materials - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1058)
87 | * Templates and branding materials may be used by an adversary to add authenticity to social engineering messages.
88 |
89 |
90 |
91 |
92 | ---------------------------------------------------------
93 | ### Identify supply chains
94 | * [Identify supply chains - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1053)
95 | * Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships.
96 |
97 |
98 |
99 |
100 | ---------------------------------------------------------
101 | ### Determine 3rd party infrastructure services
102 | * [Determine 3rd party infrastructure services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1061)
103 | * A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise.
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Organizational_Weakness.md:
--------------------------------------------------------------------------------
1 | # Organizational Weakness Identification
2 |
3 |
4 | ## Table of Contents
5 | - [Analyze business processes](#analyze-business-processes)
6 | - [Analyze organizational skillsets and deficiencies](#analyze-organizational-skillsets-and-deficiencies)
7 | - [Assess opportunities created by business deals](#assess-opportunities-created-by-business-deals)
8 | - [Assess security posture of physical locations](#assess-security-posture-of-physical-locations)
9 | - [Assess vulnerability of 3rd party vendors](#assess-vulnerability-of-3rd-party-vendors)
10 | - [Analyze presence of outsourced capabilities](#analyze-presence-of-outsourced-capabilities)
20 |
21 | [Organizational Weakness Identification - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Organizational_Weakness_Identification)
22 | * Organizational weakness identification consists of identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases which can be leveraged to gain access to target or intermediate target organizations of interest.
23 |
24 |
25 |
26 | ---------------------------------------------------------
27 | ### Analyze business processes
28 | * [Analyze business processes - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1078)
29 | * Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other avenues of attack.
30 |
31 |
32 |
33 |
34 | ---------------------------------------------------------
35 | ### Analyze organizational skillsets and deficiencies
36 | * [Analyze organizational skillsets and deficiencies - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077)
37 | * Analyze the strengths and weaknesses of the target to find potential areas on which to focus compromise efforts.
38 |
39 |
40 |
41 |
42 | ---------------------------------------------------------
43 | ### Assess opportunities created by business deals
44 | * [Assess opportunities created by business deals - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1076)
45 | * During mergers, divestitures, or other periods of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests or other non-standard practices may not be as noticeable.
46 |
47 |
48 |
49 |
50 | ---------------------------------------------------------
51 | ### Assess security posture of physical locations
52 | * [Assess security posture of physical locations - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1079)
53 | * Physical access may be required for certain types of adversarial actions.
54 |
55 |
56 |
57 |
58 | ---------------------------------------------------------
59 | ### Assess vulnerability of 3rd party vendors
60 | * [Assess vulnerability of 3rd party vendors - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1075)
61 | * Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be.
62 |
63 |
64 |
65 |
66 | ---------------------------------------------------------
67 | ### Analyze presence of outsourced capabilities
68 | * [Analyze presence of outsourced capabilities - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1080)
69 | * Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing.
70 |
71 |
72 |
73 |
74 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/People_Information_Gathering.md:
--------------------------------------------------------------------------------
1 | # People Information Gathering - Pre-ATT&CK
2 |
3 | ## Table of Contents
4 | - [Acquire OSINT data sets and information](#acquire-osint-data-sets-and-information)
5 | - [Aggregate individual's digital footprint](#aggregate-individuals-digital-footprint)
6 | - [Conduct social engineering](#conduct-social-engineering)
7 | - [Identify business relationships](#identify-business-relationships)
8 | - [Identify groups/roles](#identify-groupsroles)
9 | - [Identify job postings and needs/gaps](#identify-job-postings-and-needsgaps)
10 | - [Identify people of interest](#identify-people-of-interest)
11 | - [Identify personnel with an authority/privilege](#identify-personnel-with-an-authorityprivilege)
12 | - [Identify sensitive personnel information](#identify-sensitive-personnel-information)
13 | - [Identify supply chains](#identify-supply-chains)
14 | - [Mine social media](#mine-social-media)
13 |
14 |
15 | [People Information Gathering - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/People_Information_Gathering)
16 | * People Information Gathering consists of the process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack. People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack. It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.
17 |
18 | ---------------------------------------------------------
19 | ### Acquire OSINT data sets and information
20 | * [Acquire OSINT data sets and information - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1043)
21 | * Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise.
22 |
23 |
24 |
25 |
26 | ---------------------------------------------------------
27 | ### Aggregate individual's digital footprint
28 | * [Aggregate individual's digital footprint - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1052)
29 | * Beyond a target's social media presence there may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine publicly available sources to determine the target's larger digital footprint.
30 |
31 |
32 | ---------------------------------------------------------
33 | ### Conduct social engineering
34 | * [Conduct social engineering - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1045)
35 | * Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.
36 |
37 |
38 | ---------------------------------------------------------
39 | ### Identify business relationships
40 | * [Identify business relationships - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049)
41 | * Business relationship information includes the associates of a target and may be discovered via social media sites such as LinkedIn or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship.
42 |
43 |
44 |
45 | ---------------------------------------------------------
46 | ### Identify groups/roles
47 | * [Identify groups/roles - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1047)
48 | * Personnel within a company may belong to a group or maintain a role with specialized electronic access, authorities, or privileges that make them an attractive target for an adversary. One example of this is a system administrator.
49 |
50 |
51 | ---------------------------------------------------------
52 | ### Identify job postings and needs/gaps
53 | * [Identify job postings and needs/gaps - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1044)
54 | * Job postings, whether on company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts.
55 |
56 |
57 | ---------------------------------------------------------
58 | ### Identify people of interest
59 | * [Identify people of interest - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046)
60 | * The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target.
61 |
62 |
63 |
64 | ---------------------------------------------------------
65 | ### Identify personnel with an authority/privilege
66 | * [Identify personnel with an authority/privilege - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1048)
67 | * Personnel within a company may have non-electronic specialized access, authorities, or privileges that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers.
68 |
69 |
70 | ---------------------------------------------------------
71 | ### Identify sensitive personnel information
72 | * [Identify sensitive personnel information - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1051)
73 | * An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online.
74 |
75 |
76 | ---------------------------------------------------------
77 | ### Identify supply chains
78 | * [Identify supply chains - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1042)
79 | * Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain.
80 |
81 |
82 |
83 | ---------------------------------------------------------
84 | ### Mine social media
85 | * [Mine social media - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1050)
86 | * An adversary may research available open source information about a target commonly found on social media sites such as Facebook, Instagram, or Pinterest. Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary.
87 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/People_Weakness_Identification.md:
--------------------------------------------------------------------------------
1 | # People Weakness Identification
2 |
3 |
4 |
5 |
6 | * [People Weakness Identification](https://attack.mitre.org/pre-attack/index.php/People_Weakness_Identification)
7 | * People weakness identification consists of identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases which can be leveraged to gain access to target or intermediate target persons of interest or social trust relationships.
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 | -------------------------------
17 | ### Analyze organizational skillsets and deficiencies
18 | * [Analyze organizational skillsets and deficiencies - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1074)
19 | * Understanding organizational skillsets and deficiencies could provide insight into weaknesses in defenses, or opportunities for exploitation.
20 |
21 |
22 |
23 | -------------------------------
24 | ### Analyze social and business relationships, interests, and affiliations
25 | * [Analyze social and business relationships, interests, and affiliations - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1072)
26 | * Social media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail.
27 |
28 |
29 |
30 |
31 | -------------------------------
32 | ### Assess targeting options
33 | * [Assess targeting options - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1073)
34 | * An adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more or less cautious in different environments.
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Persona_Development.md:
--------------------------------------------------------------------------------
1 | # Persona Development
2 |
3 | * [Persona Development - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Persona_Development)
4 | * Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 | -------------------------------
14 | ### Build social network persona
15 | * [Build social network persona](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1118)
16 | * For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (Facebook, LinkedIn, Twitter, Google+, etc.).
17 |
18 |
19 |
20 |
21 |
22 | -------------------------------
23 | ### Choose pre-compromised mobile app developer account credentials or signing keys
24 | * [Choose pre-compromised mobile app developer account credentials or signing keys](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1168)
25 | * The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps.
26 |
27 |
28 |
29 | -------------------------------
30 | ### Choose pre-compromised persona and affiliated accounts
31 | * [Choose pre-compromised persona and affiliated accounts](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1120)
32 | * For attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.
33 |
34 |
35 |
36 |
37 |
38 |
39 | -------------------------------
40 | ### Develop social network persona digital footprint
41 | * [Develop social network persona digital footprint - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1119)
42 | * Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.
43 |
44 |
45 |
46 |
47 | -------------------------------
48 | ### Friend/Follow/Connect to targets of interest
49 | * [Friend/Follow/Connect to targets of interest - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1121)
50 | * Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.
51 |
52 |
53 |
54 |
55 | -------------------------------
56 | ### Obtain Apple iOS enterprise distribution key pair and certificate
56 | * [Obtain Apple iOS enterprise distribution key pair and certificate - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1169)
57 | * The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected).
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Priority_Definition _lanning.md:
--------------------------------------------------------------------------------
1 | # Priority Definition Planning
2 |
3 |
4 |
5 | * [**Priority Definition Planning - Pre-ATT&CK**](https://attack.mitre.org/pre-attack/index.php/Priority_Definition_Planning)
6 | * Priority definition planning consists of the process of determining the set of Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) required for meeting key strategic, operational, or tactical goals. Leadership outlines the priority definition (may be considered a goal) around which the adversary designs target selection and a plan to achieve. An analyst may outline the priority definition when in the course of determining gaps in existing KITs or KIQs.
7 |
8 |
9 |
10 |
11 | -------------------------------
12 | ## Assess KITs/KIQs benefits
13 | * [Assess KITs/KIQs benefits - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1006)
14 | * Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose.
15 |
16 |
17 |
18 |
19 |
20 | -------------------------------
21 | ## Assess current holdings, needs, and wants
22 | * [Assess current holdings, needs, and wants - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1013)
23 | * Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement.
24 |
25 |
26 |
27 |
28 | -------------------------------
29 | ## Assess leadership areas of interest
30 | * [Assess leadership areas of interest - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1001)
31 | * Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT.
32 |
33 |
34 |
35 |
36 | -------------------------------
37 | ## Assign KITs/KIQs into categories
38 | * [Assign KITs/KIQs into categories - Pre-ATT&CK](https://attack.mitre.org/wiki/Technique/T1123)
39 | * Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor.
40 |
41 |
42 |
43 | -------------------------------
44 | ## Conduct cost/benefit analysis
45 | * [Conduct cost/benefit analysis - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1003)
46 | * Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries.
47 |
48 |
49 | -------------------------------
50 | ## Create implementation plan
51 | * [Create implementation plan - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1009)
52 | * Implementation plans specify how the goals of the strategic plan will be executed.
53 |
54 |
55 |
56 | -------------------------------
57 | ## Create strategic plan
58 | * [Create strategic plan - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1008)
59 | * Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out.
60 |
61 |
62 |
63 |
64 |
65 | -------------------------------
66 | ## Derive intelligence requirements
67 | * [Derive intelligence requirements - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1007)
68 | * Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement.
69 |
70 |
71 |
72 |
73 | -------------------------------
74 | ## Develop KITs/KIQs
75 | * [Develop KITs/KIQs](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1004)
76 | * Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations.
77 |
78 |
79 |
80 |
81 | -------------------------------
82 | ## Generate analyst intelligence requirements
83 | * [Generate analyst intelligence requirements - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1011)
84 | * Analysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question.
85 |
86 |
87 | -------------------------------
88 | ## Identify analyst level gaps
89 | * [Identify analyst level gaps - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1010)
90 | * Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ).
91 |
92 |
93 |
94 |
95 |
96 |
97 | -------------------------------
98 | ## Identify gap areas
99 | * [Identify gap areas](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1002)
100 | * Leadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ).
101 |
102 |
103 |
104 |
105 |
106 | -------------------------------
107 | ## Receive operator KITs/KIQs tasking
108 | * [Receive operator KITs/KIQs tasking - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1012)
109 | * Analysts may receive intelligence requirements from leadership and begin the research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associated with satisfying a requirement.
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Priority_Definition_Directive.md:
--------------------------------------------------------------------------------
1 | # Priority Definition Directive
2 |
3 |
4 | * [Priority Definition Direction - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Priority_Definition_Direction)
5 | * Priority definition direction consists of the process of collecting and assigning requirements for meeting Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) as determined by leadership.
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 | -------------------------------
15 | ## Assign KITs, KIQs, and/or intelligence requirements
16 | * [Assign KITs, KIQs, and/or intelligence requirements - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1015)
17 | * Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission.
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 | -------------------------------
26 | ## Receive KITs/KIQs and determine requirements
27 | * [Receive KITs/KIQs and determine requirements - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1016)
28 | * Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities.
29 |
30 |
31 |
32 |
33 |
34 | -------------------------------
35 | ## Submit KITs, KIQs, and intelligence requirements
36 | * [Submit KITs, KIQs, and intelligence requirements - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1014)
37 | * Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system.
38 |
39 |
40 |
41 | -------------------------------
42 | ## Task requirements
43 | * [Task Requirements - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1017)
44 | * Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements.
45 |
46 |
47 |
48 |
49 |
50 |
51 |
65 | -------------------------------
66 | ## Commonly Used Port
67 | * [Commonly Used Port - ATT&CK](https://attack.mitre.org/wiki/Technique/T1043)
68 | * Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.
69 | * [List of TCP and UDP port numbers - Wikipedia](https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers)
70 |
71 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Stage_Capabilities.md:
--------------------------------------------------------------------------------
1 | # Stage Capabilities
2 |
3 |
4 | * [Stage Capabilities - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Stage_Capabilities)
5 | * Staging capabilities consists of preparing the operational environment required to conduct the operation. This includes activities such as deploying software, uploading data, and enabling command and control infrastructure.
6 |
7 |
8 |
9 |
10 | --------------------------
11 | ### Disseminate removable media
12 | * [Disseminate removable media - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1156)
13 | * Removable media containing malware can be injected into a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access.
14 |
15 |
16 |
17 | --------------------------
18 | ### Distribute malicious software development tools
19 | * [Distribute malicious software development tools - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1171)
20 | * An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools.
21 |
22 |
23 | --------------------------
24 | ### Friend/Follow/Connect to targets of interest
25 | * [Friend/Follow/Connect to targets of interest - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1141)
26 | * A form of social engineering designed to build trust and lay the foundation for future interactions or attacks.
27 |
28 |
29 | --------------------------
30 | ### Hardware or software supply chain implant
31 | * [Hardware or software supply chain implant](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1142)
32 | * During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance.
33 |
34 |
35 |
36 |
37 | --------------------------
38 | ### Port Redirector
39 | * [Port Redirector - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1140)
40 | * Redirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack.
41 |
42 |
43 |
44 |
45 | --------------------------
46 | ### Upload, install, and configure software/tools
47 | * [Upload, install, and configure software/tools - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1139)
48 | * An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure.
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Target_Selection.md:
--------------------------------------------------------------------------------
1 | # Target Selection
2 |
3 |
4 |
5 | * [Target Selection - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Target_Selection)
6 | * Target selection consists of an iterative process in which an adversary determines a target by first beginning at the strategic level and then narrowing down operationally and tactically until a specific target is chosen. A target may be defined as an entity or object that performs a function considered for possible engagement or other action.
7 |
8 |
9 |
10 |
11 |
12 | -------------------------------
13 | ### Determine approach/attack vector
14 | * [Determine approach/attack vector](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1022)
15 | * The approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector.
16 |
17 |
18 |
19 |
20 |
21 | -------------------------------
22 | ### Determine highest level tactical element
23 | * [Determine highest level tactical element - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1020)
24 | * From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency.
25 |
26 |
27 |
28 |
29 |
30 | -------------------------------
31 | ### Determine operational element
32 | * [Determine operational element](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1019)
33 | * If going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government.
34 |
35 |
36 |
37 |
38 |
39 | -------------------------------
40 | ### Determine secondary level tactical element
41 | * [Determine secondary level tactical element](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1021)
42 | * The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability.
43 |
44 |
45 |
46 | -------------------------------
47 | ### Determine strategic target
48 | * [Determine strategic target - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1018)
49 | * An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector.
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Technical_Information_Gathering.md:
--------------------------------------------------------------------------------
1 | # Technical Information Gathering
2 |
14 |
15 |
16 | [Technical Information Gathering - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technical_Information_Gathering)
17 | * Technical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack. Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.
18 |
19 |
20 |
21 | ---------------------------------------------------------
22 | ### Acquire OSINT data sets and information
23 | * [Acquire OSINT data sets and information](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1024)
24 | * Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world.
25 |
26 | ---------------------------------------------------------
27 | ### Conduct Active Scanning
28 | * [Conduct Active Scanning - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1031)
29 | * Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system.
30 |
31 |
32 |
33 |
34 | ---------------------------------------------------------
35 | ### Conduct passive scanning
36 | * [Conduct passive scanning - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1030)
37 | * Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system.
38 |
39 |
40 |
41 | ---------------------------------------------------------
42 | ### Conduct social engineering
43 | * [Conduct social engineering - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026)
44 | * Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.
45 |
46 |
47 |
48 |
49 | ---------------------------------------------------------
50 | ### Determine 3rd party infrastructure services
51 | * [Determine 3rd party infrastructure services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1037)
52 | * Infrastructure services include the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization.
53 |
54 |
55 |
56 |
57 | ---------------------------------------------------------
58 | ### Determine domain and IP address space
59 | * [Determine domain and IP address space - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1027)
60 | * Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network.
61 |
62 |
63 |
64 | ---------------------------------------------------------
65 | ### Determine external network trust dependencies
66 | * [Determine external network trust dependencies - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1036)
67 | * Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs).
68 |
69 |
70 |
71 |
72 | ---------------------------------------------------------
73 | ### Determine firmware version
74 | * [Determine firmware version - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1035)
75 | * Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions.
76 |
77 |
78 |
79 |
80 | ---------------------------------------------------------
81 | ### Discover target logon/email address format
82 | * [Discover target logon/email address format - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1032)
83 | * Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example, if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format.
84 |
85 |
86 | ---------------------------------------------------------
87 | ### Enumerate client configurations
88 | * [Enumerate client configurations - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1039)
89 | * Client configuration information, such as the operating system and web browser, along with additional details such as version or language, is often transmitted as part of web browsing communications. This can be collected in several ways, including use of a compromised web site to gather details on visiting computers.
90 |
91 |
92 |
93 |
94 | ---------------------------------------------------------
95 | ### Enumerate externally facing software applications technologies, languages, and dependencies
96 | * [Enumerate externally facing software applications technologies, languages, and dependencies - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1038)
97 | * Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary.
98 |
99 |
100 |
101 |
102 | ---------------------------------------------------------
103 | ### Identify job postings and needs/gaps
104 | * [Identify job postings and needs/gaps - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1025)
105 | * Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight into possible security weaknesses or limitations in detection or protection mechanisms.
106 |
107 |
108 |
109 |
110 | ---------------------------------------------------------
111 | ### Identify security defensive capabilities
112 | * [Identify security defensive capabilities - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1040)
113 | * Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses.
114 |
115 |
116 |
117 | ---------------------------------------------------------
118 | ### Identify supply chains
119 | * [Identify supply chains - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023)
120 | * Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain.
121 |
122 | ---------------------------------------------------------
123 | ### Identify technology usage patterns
124 | * [Identify technology usage patterns - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1041)
125 | * Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.
126 |
127 |
128 | ---------------------------------------------------------
129 | ### Identify web defensive services
130 | * [Identify web defensive services - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1033)
131 | * An adversary can attempt to identify web defensive services such as CloudFlare, IPBan, and Snort. This may be done by passively detecting services, like CloudFlare routing, or actively, such as by purposefully tripping security defenses.
132 |
133 |
134 |
135 |
136 |
137 | ---------------------------------------------------------
138 | ### Map network topology
139 | * [Map network topology - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1029)
140 | * A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related.
141 |
142 |
143 |
144 |
145 |
146 |
147 | ---------------------------------------------------------
148 | ### Mine technical blogs/forums
149 | * [Mine technical blogs/forums - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1034)
150 | * Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use.
151 |
152 |
153 |
154 |
155 |
156 | ---------------------------------------------------------
157 | ### Obtain domain/IP registration information
158 | * [Obtain domain/IP registration information - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1028)
159 | * For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization.
160 |
161 |
162 |
163 |
164 |
165 | ---------------------------------------------------------
166 | ### Spearphishing for Information
167 | * [Spearphishing for Information - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1174)
168 | * Spearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it doesn't leverage malicious code. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means.
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Technical_Weakness_Identification.md:
--------------------------------------------------------------------------------
1 | # Technical Weakness Identification
2 |
3 |
4 | ## Table of Contents
5 | - [Analyze application security posture](#analyze-application-security-posture)
6 | - [Analyze architecture and configuration posture](#analyze-architecture-and-configuration-posture)
7 | - [Analyze data collected](#analyze-data-collected)
8 | - [Analyze hardware/software security defensive capabilities](#analyze-hardwaresoftware-security-defensive-capabilities)
9 | - [Analyze organizational skillsets and deficiencies](#analyze-organizational-skillsets-and-deficiencies)
10 | - [Identify vulnerabilities in third-party software libraries](#identify-vulnerabilities-in-third-party-software-libraries)
11 | - [Research visibility gap of security vendors](#research-visibility-gap-of-security-vendors)
12 | - [Test signature detection](#test-signature-detection)
13 | - [Research relevant vulnerabilities/CVEs](#research-relevant-vulnerabilitiescves)
14 |
15 |
16 |
17 | [Technical Weakness Identification](https://attack.mitre.org/pre-attack/index.php/Technical_Weakness_Identification)
18 | * Technical weakness identification consists of identifying and analyzing weaknesses and vulnerabilities collected during the intelligence gathering phases to determine best approach based on technical complexity and adversary priorities (e.g., expediency, stealthiness).
19 |
20 |
21 |
22 |
23 |
24 | ---------------------------------------------------------
25 | ### Analyze application security posture
26 | * [Analyze application security posture- Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1070)
27 | * An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.
28 |
29 |
30 |
31 |
32 |
33 | ---------------------------------------------------------
34 | ### Analyze architecture and configuration posture
35 | * [Analyze architecture and configuration posture - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1065)
36 | * An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls.
37 |
38 |
39 |
40 |
41 |
42 | ---------------------------------------------------------
43 | ### Analyze data collected
44 | * [Analyze data collected- Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1064)
45 | * An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the configuration or architecture.
46 |
47 |
48 |
49 |
50 |
51 | ---------------------------------------------------------
52 | ### Analyze hardware/software security defensive capabilities
53 | * [Analyze hardware/software security defensive capabilities- Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1071)
54 | * An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.
55 |
56 | ---------------------------------------------------------
57 | ### Analyze organizational skillsets and deficiencies
58 | * [Analyze organizational skillsets and deficiencies - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1066)
59 | * Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.
60 |
61 |
62 |
63 |
64 | ---------------------------------------------------------
65 | ### Identify vulnerabilities in third-party software libraries
66 | * [Identify vulnerabilities in third-party software libraries - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1166)
67 | * Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library.
68 |
69 |
70 |
71 | ---------------------------------------------------------
72 | ### Research visibility gap of security vendors
73 | * [Research visibility gap of security vendors - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1067)
74 | * If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools.
75 |
76 |
77 |
78 | ---------------------------------------------------------
79 | ### Test signature detection
80 | * [Test signature detection - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1069)
81 | * An adversary can test the detections of malicious emails or files by using publicly available services, such as VirusTotal, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results, or they can test on their own internal infrastructure.
82 |
83 |
84 |
85 | ---------------------------------------------------------
86 | ### Research relevant vulnerabilities/CVEs
87 | * [Research relevant vulnerabilities/CVEs - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1068)
88 | * Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable.
89 |
90 |
91 |
92 |
97 |
98 |
99 |
100 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/Pre-ATT&CK/Test_Capabilities.md:
--------------------------------------------------------------------------------
1 | # Test Capabilities
2 |
3 | * [Test Capabilities - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Test_Capabilities)
4 | * Testing capabilities takes place when adversaries may need to test capabilities externally to refine development goals and criteria and to ensure success during an operation. Certain testing may be done after a capability is staged.
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 | -------------------------------
13 | ### Review logs and residual traces
14 | * [Review logs and residual traces - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1135)
15 | * Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code.
16 |
17 |
18 |
19 |
20 |
21 | -------------------------------
22 | ### Test ability to evade automated mobile application security analysis performed by app stores
23 | * [Test ability to evade automated mobile application security analysis performed by app stores - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1170)
24 | * Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices.
25 |
26 |
27 |
28 |
29 | -------------------------------
30 | ### Test callback functionality
31 | * [Test callback functionality](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1133)
32 | * Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached.
33 |
34 |
35 |
36 |
37 | -------------------------------
38 | ### Test malware in various execution environments
39 | * [Test malware in various execution environments - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1134)
40 | * Malware may perform differently on different platforms (computer vs handheld) and different operating systems (Ubuntu vs OS X), and versions (Windows 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed.
41 |
42 |
43 | -------------------------------
44 | ### Test malware to evade detection
45 | * [Test malware to evade detection - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1136)
46 | * An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services.
47 |
48 |
49 |
50 |
51 | -------------------------------
52 | ### Test physical access
53 | * [Test physical access - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1137)
54 | * An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access.
55 |
56 |
57 |
58 |
59 | -------------------------------
60 | ### Test signature detection for file upload/email filters
61 | * [Test signature detection for file upload/email filters - Pre-ATT&CK](https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1138)
62 | * An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS).
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/Draft/ATT&CK-Stuff/README.md:
--------------------------------------------------------------------------------
1 | ### Mitre Pre-ATT&CK Mappings
2 | ---------------------------
3 | * MITRE Pre-ATT&CK Framework ([MITRE Pre-ATT&CK Framework](https://attack.mitre.org/pre-attack/index.php/Main_Page)) for attackers.
4 | * This is a copy of the mappings with links to techniques and background information.
5 | - [Adversary Opsec]()
6 | - [Build Capabilities]()
7 | - [Organization Informational Gathering]()
8 | - [Organizational Weakness]()
9 | - [People Information Gathering]()
10 | - [People Weakness Identification]()
11 | - [Persona Development]()
12 | - [Priority Definition Planning]()
13 | - [Priority Definition Directive]()
14 | - [Stage Capabilities]()
15 | - [Target Selection]()
16 | - [Technical Information Gathering]()
17 | - [Test Capabilities]()
18 |
19 |
20 |
21 |
22 |
23 |
24 | ### MITRE ATT&CK Framework Mappings
25 | ---------------------------
26 | * MITRE ATT&CK Framework ([MITRE ATT&CK Framework](https://attack.mitre.org/wiki/Main_Page)) for attackers.
27 | * This is a copy of the mappings with links to techniques and background information rather than APT reports.
30 | * [Collection](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Collection.md)
31 | * [Command and Control](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Command_and_Control.md)
32 | * [Credential Access](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Credential_Access.md)
33 | * [Defense Evasion](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Defense_Evasion.md)
34 | * [Discovery](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Discovery.md)
35 | * [Execution](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Execution.md)
36 | * [Exfiltration](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Exfiltration.md)
37 | * [Initial Access](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Initial_Access.md)
38 | * [Lateral Movement](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Lateral%20Movement.md)
39 | * [Persistence](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Persistence.md)
40 | * [Privilege Escalation](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Privilege_Escalation.md)
41 | * If you want to test your defenses against a lot of these things:
42 | * [Atomic Red Team - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.](https://github.com/redcanaryco/atomic-red-team)
43 | * [Caldera](https://github.com/mitre/caldera)
44 | * CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.
45 | * [Metta](https://github.com/uber-common/metta)
46 | * An information security preparedness tool to do adversarial simulation. This project uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants. The project parses yaml files with actions and uses celery to queue these actions up and run them one at a time without interaction.
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
--------------------------------------------------------------------------------
/Draft/Archiving.md:
--------------------------------------------------------------------------------
1 | ### A Guide to Archiving Websites
2 | * From: https://gist.githubusercontent.com/mullnerz/9fff80593d6b442d5c1b/raw/2c511e82f998bc489d9e300870f8789c77c2b49b/archive-website.md
3 | * "The command I use to archive a single website"
4 | `wget -mpck --html-extension --user-agent="" -e robots=off --wait 1 -P . www.foo.com`
5 | * **Explanation of the parameters used**
6 | * `-m` (Mirror) Turns on mirror-friendly settings like infinite recursion depth, timestamps, etc.
7 | * `-c` (Continue) Resumes a partially-downloaded transfer
8 | * `-p` (Page requisites) Downloads any page dependencies like images, style sheets, etc.
9 | * `-k` (Convert) After completing retrieval of all files…
10 | * converts all absolute links to other downloaded files into relative links
11 | * converts all relative links to any files that weren’t downloaded into absolute, external links
12 | * In a nutshell: makes your website archive work locally
13 | * `--html-extension` this adds .html after the downloaded filename, to make sure it plays nicely on whatever system you’re going to view the archive on
14 | * `--user-agent=""` - Sometimes websites use robots.txt to block certain agents like web crawlers (e.g. GoogleBot) and Wget. This tells Wget to send a blank user-agent, preventing identification. You could alternatively use a web browser's user-agent and make it look like a web browser, but it probably doesn't matter.
15 | * `-e robots=off` - Sometimes you’ll run into a site with a robots.txt that blocks everything. In these cases, this setting will tell Wget to ignore it. Like the user-agent, I usually leave this on for the sake of convenience.
16 | * `--wait 1` - Tells Wget to wait 1 second between each action. This will make it a bit less taxing on the servers.
17 | * `-P .` - set the download directory to something. I left it at the default “.” (which means “here”) but this is where you could pass in a directory path to tell wget to save the archived site. Handy, if you’re doing this on a regular basis (say, as a cron job or something…)
18 | * `http://url-to-site` - this is the full URL of the site to download. You’ll likely want to change this.
19 | * **Sources**
20 | - [Archiving a (WordPress) website with wget | D’Arcy Norman dot net](http://darcynorman.net/2011/12/24/archiving-a-wordpress-website-with-wget/)
21 | - [Archiving a Website With Wget](http://www.dheinemann.com/2011/archiving-with-wget/)
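As an added example (not part of the gist or of this reference), the wrapper below runs the same wget command into a dated directory, keeps wget's own log, and writes a SHA-256 manifest of the archived files so a later re-check can tell whether the snapshot was altered; that matters when an archive is kept as evidence rather than just for reading. It assumes `wget` and `sha256sum` (coreutils) or `shasum` (macOS) are installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the gist: snapshot a site into a dated directory,
# keep wget's log, and record a SHA-256 manifest so later changes to the
# archived files can be detected. Assumes wget and sha256sum (coreutils) or
# shasum (macOS) are installed. Function names are this example's own.
set -u

# Print the SHA-256 command available on this system.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf 'sha256sum'
  else
    printf 'shasum -a 256'
  fi
}

# Hash every archived file under $1 (skipping the manifest and the wget log)
# into $1/MANIFEST.sha256 and print the number of files hashed.
write_manifest() {
  dir=$1
  tool=$(sha256_tool)
  # Relative paths and a fixed sort order keep the manifest reproducible.
  ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 ! -name wget.log \
      | LC_ALL=C sort | while IFS= read -r f; do $tool "$f"; done ) \
      > "$dir/MANIFEST.sha256"
  wc -l < "$dir/MANIFEST.sha256" | tr -d ' '
}

# Re-hash the tree against the stored manifest; exit status 0 means intact.
verify_manifest() {
  dir=$1
  tool=$(sha256_tool)
  ( cd "$dir" && $tool -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Run the gist's wget command into <base>/<YYYY-MM-DD>, then write the manifest.
# Suitable as a cron job, e.g.: archive_site www.foo.com /srv/archives
archive_site() {
  site=$1
  base=${2:-.}
  outdir="$base/$(date +%Y-%m-%d)"
  mkdir -p "$outdir"
  wget -mpck --html-extension --user-agent="" -e robots=off --wait 1 \
       -P "$outdir" "$site" > "$outdir/wget.log" 2>&1
  write_manifest "$outdir"
}
```

`verify_manifest` can be run from a separate job (or a different host that received a copy of the snapshot) to confirm the files still match what was fetched; the wget log is excluded from the manifest because it is rewritten on every `-c` resume.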
22 |
24 |
--------------------------------------------------------------------------------
/Draft/Cars.md:
--------------------------------------------------------------------------------
1 | # Car Hacking
2 |
3 | ## Table of Contents
4 | - [General](#general)
5 |
6 | ------------------
7 | ### General
8 | * **Seriously check this first --->** [Awesome Vehicle Security List(github awesome lists)](https://github.com/jaredthecoder/awesome-vehicle-security)
9 | * **101**
10 | * [Introduction to Hacking in Car Systems - Craig Smith - Troopers15](https://www.youtube.com/watch?v=WHDkf6kpE58)
11 | * [Intro to Automotive Security - Ariel Zentner](https://www.youtube.com/watch?v=yAzqFhq06_E)
12 | * **Blogposts/How-To's/Writeups**
13 | * [Broadcasting Your Attack: Security Testing DAB Radio In Cars](https://www.youtube.com/watch?v=ryNtz1nxmO4)
14 | * [Tesla Model S JSON API (unofficial RE post)](http://docs.timdorr.apiary.io/#reference/vehicles)
16 | * [Cyber-attacks on vehicles P-I!](http://dn5.ljuska.org/napadi-na-auto-sistem-1.html)
17 | * [Cyber-attacks on vehicles P-II!](http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html)
18 | * [An Introduction to the CAN Bus: How to Programmatically Control a Car: Hacking the Voyage Ford Fusion to Change A/C Temperature](https://news.voyage.auto/an-introduction-to-the-can-bus-how-to-programmatically-control-a-car-f1b18be4f377)
19 | * [CC1101-FSK](https://github.com/trishmapow/CC1101-FSK)
20 | * Jam and replay attack on vehicle keyless entry systems.
21 | * [rf-jam-replay](https://github.com/trishmapow/rf-jam-replay)
22 | * Jam and Replay Attack on Vehicular Keyless Entry Systems
23 | * **DMV**
24 | * [Report of Traffic Collision Involving an Autonomous Vehicle (OL 316) - dmv.ca.gov](https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/autonomousveh_ol316+)
25 | * **Papers**
26 | * [Remote Exploitation of an Unaltered Passenger Vehicle](http://illmatics.com/Remote%20Car%20Hacking.pdf)
27 | * **Talks & Presentations**
28 | * [Hacking Cars with Python -Eric Evenchick PyCon 2017](https://www.youtube.com/watch?v=3bZNhMcv4Y8&app=desktop)
29 | * Modern cars are networks of computers, and a high end vehicle could have nearly 100 different computers inside. These devices control everything from the engine to the airbags. By understanding how these systems work, we can interface with vehicles to read data, perform diagnostics, and even modify operation. In this talk, we'll discuss pyvit, the Python Vehicle Interface Toolkit. This library, combined with some open source hardware, allows developers to talk to automotive controllers from Python. We will begin with an introduction to automotive networks, to provide a basis for understanding the tools. Next, we will look at the tools and show the basics of using them. Finally, we'll discuss real world applications of these tools, and how they're being used in the automotive world today.
30 | * [Adventures in Automotive Networks and Control Units](https://www.youtube.com/watch?v=MEYCU62yeYk&app=desktop)
31 | * Charlie Miller & Chris Valasek
32 | * [Broadcasting your attack: Security testing DAB radio in cars - Andy Davis](http://2015.ruxcon.org.au/assets/2015/slides/Broadcasting-your-attack-Security-testing-DAB-radio-in-cars.pdf)
33 | * [A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014](https://www.youtube.com/watch?v=mNhFGJVq2HE)
35 | * [A Vulnerability in Modern Automotive Standards and How We Exploited It](https://documents.trendmicro.com/assets/A-Vulnerability-in-Modern-Automotive-Standards-and-How-We-Exploited-It.pdf)
36 | * [Car hacking: getting from A to B with Eve (SHA2017)](https://www.youtube.com/watch?v=l9760bzUN3E)
37 | * Car security is, not surprisingly, a hot topic; after all they are fast and heavy computer controlled machinery that nowadays come with all kinds of internet connectivity. So we decided to have a look at it. In our presentation, we’ll first cover some theory behind the IT-part of car architecture. We’ll discuss attack vectors and their likelihood of success, and then discuss the various vulnerabilities we found. Finally, we will combine these vulnerabilities into a remote attack. Depending on the disclosure process with the vendor, which is pending, we might be able to demonstrate the attack.
38 | * **Tools**
39 | * **Hardware**
40 | * [CBM - The Bicho](https://github.com/UnaPibaGeek/CBM)
41 | * For the first time, a hardware backdoor tool is presented having several advanced features, such as: remote control via SMS commands, automated launch of attack payloads at a GPS location or when a specific car status is reached; and a configuration interface that allows users to create attack payloads in an easy manner. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Now it's possible :-)
42 | * [The OpenXC Platform](http://openxcplatform.com/)
43 | * OpenXC™ is a combination of open source hardware and software that lets you extend your vehicle with custom applications and pluggable modules.
44 | * **Software**
45 | * [CANBus Triple](https://canb.us/)
46 | * General purpose Controller Area Network swiss army knife / development platform.
47 | * [Yet Another Car Hacking Tool](https://asintsov.blogspot.ro/2016/03/yet-another-car-hacking-tool.html?m=1)
48 | * [CANToolz](https://github.com/eik00d/CANToolz)
49 | * CANToolz is a framework for analysing CAN networks and devices. This tool based on different modules which can be assembled in pipe together and can be used by security researchers and automotive/OEM security testers for black-box analysis and etc. You can use this software for ECU discovery, MITM testing, fuzzing, bruteforcing, scanning or R&D testing and validation
50 | * [canspy](https://github.com/manux81/canspy)
51 | * Very simple tool for users who need to interface with a device based on CAN (CAN/CANopen/J1939/NMEA2000/DeviceNet) such as motors, sensors and many other devices.
54 | * **QNX**
55 | * [QNX Security Tools - Alex Plaskett & Georgi Geshev](https://github.com/alexplaskett/QNXSecurity)
56 | * Random scripts produced as part of the research into QNX security. For more information please see the following publications:
57 | * [QNX: 99 Problems but a Microkernel ain’t one!](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-qnx-troopers-99-problems-but-a-microkernel-aint-one.pdf)
58 | * [QNX Security Architecture - Alex Plaskett](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-qnx-security-whitepaper-2016-03-14.pdf)
59 |
60 |
61 |
62 | #### Sort
63 | * [Jailbreaking Subaru StarLink](https://github.com/sgayou/subaru-starlink-research/blob/master/doc/README.md)
64 |
65 | * [Vehicle Telematics Security; getting it right - Andrew Tierney](https://www.pentestpartners.com/security-blog/vehicle-telematics-security-getting-it-right/)
66 | * [Hacking All the Cars - Part 2 - ConsoleCowboys](https://console-cowboys.blogspot.com/2019/04/hacking-all-cars-part-2.html)
67 | * [Want to become an autonomous vehicle engineer? - Kyle Martin](https://becomeautonomous.com/)
68 | * [FREE-FALL: TESLA HACKING 2016: Hacking Tesla from Wireless to CAN Bus - Keenlab](https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus.pdf)
69 | * [Getting your head under the hood and out of the sand: Automotive security testing - Andrew Tierney](https://www.pentestpartners.com/security-blog/getting-your-head-under-the-hood-and-out-of-the-sand-automotive-security-testing/)
70 | * [Lojack’d: Pwning Smart vehicle trackers - Vangelis Stykas](https://www.pentestpartners.com/security-blog/lojackd-pwning-smart-vehicle-trackers/)
--------------------------------------------------------------------------------
/Draft/Cheat sheets reference pages Checklists -/Linux/Post Exploitation on Linux.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rmusser01/Infosec_Reference/4bdf90b0b98b7641140f9bf3950addc42d1861db/Draft/Cheat sheets reference pages Checklists -/Linux/Post Exploitation on Linux.txt
--------------------------------------------------------------------------------
/Draft/Cheat sheets reference pages Checklists -/Linux/QuickRef-Enum.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rmusser01/Infosec_Reference/4bdf90b0b98b7641140f9bf3950addc42d1861db/Draft/Cheat sheets reference pages Checklists -/Linux/QuickRef-Enum.txt
--------------------------------------------------------------------------------
/Draft/Cheat sheets reference pages Checklists -/Meterpreter Scripts and Description.txt:
--------------------------------------------------------------------------------
1 |
2 | Script Commands with Brief Descriptions
3 |
4 | arp_scanner.rb - Script for performing an ARP's Scan Discovery.
5 | autoroute.rb - Meterpreter session without having to background the current session.
6 | checkvm.rb - Script for detecting if target host is a virtual machine.
7 | credcollect.rb - Script to harvest credentials found on the host and store them in the database.
8 | domain_list_gen.rb - Script for extracting domain admin account list for use.
9 | dumplinks.rb - Dumplinks parses .lnk files from a user's recent documents folder and Microsoft Office's Recent documents folder, if present. The .lnk files contain time stamps, file locations, including share names, volume serial #s and more. This info may help you target additional systems.
10 | duplicate.rb - Uses a meterpreter session to spawn a new meterpreter session in a different process. A new process allows the session to take "risky" actions that might get the process killed by A/V, giving a meterpreter session to another controller, or start a keylogger on another process.
11 | enum_chrome.rb - Script to extract data from a chrome installation.
12 | enum_firefox.rb - Script for extracting data from Firefox.
enum_logged_on_users.rb - Script for enumerating current logged users and users that have logged in to the system.
enum_powershell_env.rb - Enumerates PowerShell and WSH configurations.
13 | enum_putty.rb - Enumerates Putty connections.
14 | enum_shares.rb - Script for Enumerating shares offered and history of mounted shares.
15 | enum_vmware.rb - Enumerates VMware configurations for VMware products.
16 | event_manager.rb - Show information about Event Logs on the target system and their configuration.
17 | file_collector.rb - Script for searching and downloading files that match a specific pattern.
18 | get_application_list.rb - Script for extracting a list of installed applications and their version.
19 | getcountermeasure.rb - Script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration. Provides also the option to kill the processes of detected products and disable the built-in firewall.
20 | get_env.rb - Script for extracting a list of all System and User environment variables.
21 | getfilezillacreds.rb - Script for extracting servers and credentials from Filezilla.
22 | getgui.rb - Script to enable Windows RDP.
23 | get_local_subnets.rb - Get a list of local subnets based on the host's routes.
24 | get_pidgen_creds.rb - Script for extracting configured services with username and passwords.
25 | gettelnet.rb - Checks to see whether telnet is installed.
26 | get_valid_community.rb - Gets a valid community string from SNMP.
27 | getvncpw.rb - Gets the VNC password.
28 | hashdump.rb - Grabs password hashes from the SAM.
29 | hostedit.rb - Script for adding entries in to the Windows Hosts file.
30 | keylogrecorder.rb - Script for running keylogger and saving all the keystrokes.
31 | killav.rb - Terminates nearly every antivirus software on victim.
32 | metsvc.rb - Delete one meterpreter service and start another.
33 | migrate - Moves the meterpreter service to another process.
34 | multicommand.rb - Script for running multiple commands on Windows 2003, Windows Vista, Windows XP and Windows 2008 targets.
35 | multi_console_command.rb - Script for running multiple console commands on a meterpreter session.
36 | multi_meter_inject.rb - Script for injecting a reverse TCP Meterpreter payload into the memory of multiple PIDs; if none is provided, a notepad process will be created and a Meterpreter payload will be injected into each.
37 | multiscript.rb - Script for running multiple scripts on a Meterpreter session.
38 | netenum.rb - Script for ping sweeps on Windows 2003, Windows Vista, Windows 2008 and Windows XP targets using native Windows commands.
39 | packetrecorder.rb - Script for capturing packets in to a PCAP file.
40 | panda2007pavsrv51.rb - This module exploits a privilege escalation vulnerability in Panda Antivirus 2007. Due to insecure permission issues, a local attacker can gain elevated privileges.
41 | persistence.rb - Script for creating a persistent backdoor on a target host.
42 | pml_driver_config.rb - Exploits a privilege escalation vulnerability in Hewlett-Packard's PML Driver HPZ12. Due to an insecure SERVICE_CHANGE_CONFIG DACL permission, a local attacker can gain elevated privileges.
43 | powerdump.rb - Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry keys. This script requires you to be running as SYSTEM in order to work properly. This has currently been tested on Server 2008 and Windows 7, which install PowerShell by default.
44 | prefetchtool.rb - Script for extracting information from windows prefetch folder.
45 | process_memdump.rb - Script is based on the paper Neurosurgery With Meterpreter.
46 | remotewinenum.rb - This script will enumerate Windows hosts in the target environment given a username and password, or using the credential under which Meterpreter is running, using the WMI wmic Windows native tool.
47 | scheduleme.rb - Script for automating the most common scheduling tasks during a pentest. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
48 | schelevator.rb - Exploit for Windows Vista/7/2008 Task Scheduler 2.0 Privilege Escalation. This script exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
49 | schtasksabuse.rb - Meterpreter script for abusing the scheduler service in Windows by scheduling and running a list of command against one or more targets. Using schtasks command to run them as system. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
50 | scraper.rb - The goal of this script is to obtain system information from a victim through an existing Meterpreter session.
51 | screenspy.rb - This script will open an interactive view of remote hosts. You will need Firefox installed on your machine.
52 | screen_unlock.rb - Script to unlock a Windows screen. Needs SYSTEM privileges to run and known signatures for the target system.
53 | screen_dwld.rb - Script that recursively searches for and downloads files matching a given pattern.
54 | service_manager.rb - Script for managing Windows services.
55 | service_permissions_escalate.rb - This script attempts to create a service, then searches through a list of existing services to look for insecure file or configuration permissions that will let it replace the executable with a payload. It will then attempt to restart the replaced service to run the payload. If that fails, the next time the service is started (such as on reboot) the attacker will gain elevated privileges.
56 | sound_recorder.rb - Script for recording, at intervals, the sound captured by the target host's microphone.
57 | srt_webdrive_priv.rb - Exploits a privilege escalation vulnerability in South River Technologies WebDrive.
58 | uploadexec.rb - Script to upload executable file to host.
59 | virtualbox_sysenter_dos - Script to DoS VirtualBox.
60 | virusscan_bypass.rb - Script that kills McAfee VirusScan Enterprise v8.7.0i+ processes.
61 | vnc.rb - Meterpreter script for obtaining a quick VNC session.
62 | webcam.rb - Script to enable and capture images from the host webcam.
63 | win32-sshclient.rb - Script to deploy & run the "plink" command-line SSH client. Supports only MS Windows 2000/XP/Vista hosts.
64 | win32-sshserver.rb - Script to deploy and run OpenSSH on the target machine.
65 | winbf.rb - Function for checking the password policy of current system. This policy may resemble the policy of other servers in the target environment.
66 | winenum.rb - Enumerates a Windows system, including environment variables, network interfaces, routing, user accounts, etc.
67 | wmic.rb - Script for running WMIC commands on Windows 2003, Windows Vista, Windows XP and Windows 2008 targets.
68 |
--------------------------------------------------------------------------------
/Draft/Cheat sheets reference pages Checklists -/Ncat_Cheat_Sheet.txt:
--------------------------------------------------------------------------------
1 | Ncat
2 |
3 | Ncat is a piece of software created by the same person who made Nmap, Fyodor, as an upgrade to netcat.
4 |
5 | http://alexcreek.com/ncat-cheatsheet.html
6 |
7 | https://bitrot.sh/cheatsheet/19-12-2017-ncat/
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 | Ncat command output (from: http://nmap.org/book/ncat-man-options-summary.html):
16 | Ncat 6.46 ( http://nmap.org/ncat )
17 | Usage: ncat [options] [hostname] [port]
18 |
19 | Options taking a time assume seconds. Append 'ms' for milliseconds,
20 | 's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
21 | -4 Use IPv4 only
22 | -6 Use IPv6 only
23 | -U, --unixsock Use Unix domain sockets only
24 | -C, --crlf Use CRLF for EOL sequence
25 | -c, --sh-exec Executes the given command via /bin/sh
26 | -e, --exec Executes the given command
27 | --lua-exec Executes the given Lua script
28 | -g hop1[,hop2,...] Loose source routing hop points (8 max)
29 | -G Loose source routing hop pointer (4, 8, 12, ...)
30 | -m, --max-conns Maximum simultaneous connections
31 | -h, --help Display this help screen
32 | -d, --delay