├── .gitattributes
├── .github
│   ├── main.yml
│   └── workflows
│       └── main.yml
├── .gitignore
├── README.md
├── docs
│   ├── 0x1_侦察
│   │   ├── T1589-001-收集受害者身份信息-凭证.md
│   │   ├── T1589-002-收集受害者身份信息-邮箱地址.md
│   │   ├── T1589-003-收集受害者身份信息-员工姓名.md
│   │   ├── T1590-001-收集受害者网络信息-域属性.md
│   │   ├── T1590-002-收集受害者网络信息-DNS.md
│   │   ├── T1590-003-收集受害者网络信息-网络信任关系.md
│   │   ├── T1590-004-收集受害者网络信息-网络拓扑.md
│   │   ├── T1590-005-收集受害者网络信息-IP地址.md
│   │   ├── T1590-006-收集受害者网络信息-网络安全设备.md
│   │   ├── T1591-001-收集受害者组织信息-确定物理位置.md
│   │   ├── T1591-002-收集受害者组织信息-业务关系.md
│   │   ├── T1591-003-收集受害者组织信息-确定业务节奏.md
│   │   ├── T1591-004-收集受害者组织信息-确定角色.md
│   │   ├── T1592-001-收集受害者主机信息-硬件信息.md
│   │   ├── T1592-002-收集受害者主机信息-软件信息.md
│   │   ├── T1592-003-收集受害者主机信息-固件信息.md
│   │   ├── T1592-004-收集受害者主机信息-客户端配置.md
│   │   ├── T1593-001-搜索开放的域_网站-社交媒体.md
│   │   ├── T1593-002-搜索开放的域_网站-搜索引擎.md
│   │   ├── T1594-搜索受害者所拥有的网站.md
│   │   ├── T1595-001-主动扫描-IP地址.md
│   │   ├── T1595-002-主动扫-漏洞扫描.md
│   │   ├── T1596-001-搜索开放的技术数据库-DNS_被动DNS.md
│   │   ├── T1596-002-搜索开放的技术数据库-WHOIS.md
│   │   ├── T1596-003-搜索开放的技术数据库-数字证书.md
│   │   ├── T1596-004-搜索开放的技术数据库-CDN.md
│   │   └── T1596-005-搜索开放的技术数据库-扫描数据库.md
│   ├── 0x2_资源开发
│   │   ├── T1583-001-购买基础设施-域名.md
│   │   ├── T1583-002-购买基础设施-DNS服务.md
│   │   ├── T1583-003-购买基础设施-虚拟专用服务器.md
│   │   ├── T1583-004-购买基础设施-服务器.md
│   │   ├── T1583-005-购买基础设施-僵尸网络.md
│   │   ├── T1583-006-购买基础设施-web服务.md
│   │   ├── T1584-001-盗取基础设施-域名.md
│   │   ├── T1584-002-盗取基础设施-DNS服务.md
│   │   ├── T1584-003-盗取基础设施-虚拟专用服务器.md
│   │   ├── T1584-004-盗取基础设施-服务器.md
│   │   ├── T1584-005-盗取基础设施-僵尸网络.md
│   │   ├── T1584-006-盗取基础设施-web服务.md
│   │   ├── T1585-001-创建账户-社交媒体账户.md
│   │   ├── T1585-002-创建账户-电子邮箱账户.md
│   │   ├── T1586-001-盗取账户-社交媒体账户.md
│   │   ├── T1586-002-盗取账户-电子邮箱账户.md
│   │   ├── T1587-001-开发能力-恶意软件.md
│   │   ├── T1587-002-开发能力-代码签名证书.md
│   │   ├── T1587-003-开发能力-数字证书.md
│   │   ├── T1587-004-开发能力-漏洞利用.md
│   │   ├── T1588-001-获取能力-恶意软件.md
│   │   ├── T1588-002-获取能力-工具.md
│   │   ├── T1588-003-获取能力-代码签名证书.md
│   │   ├── T1588-004-获取能力-数字证书.md
│   │   ├── T1588-005-获取能力-漏洞利用.md
│   │   ├── T1588-006-获取能力-漏洞.md
│   │   ├── T1608-001-阶段性能力-上传恶意软件.md
│   │   ├── T1608-002-阶段性能力-上传工具.md
│   │   ├── T1608-003-阶段性能力-安装数字证书.md
│   │   ├── T1608-004-阶段性能力-Drive-by Target.md
│   │   └── T1608-005-阶段性能力-Link Target.md
│   ├── 0x3_初始访问
│   │   ├── T1078-003-win-多账户同时登陆.md
│   │   ├── T1078-003-win-来自公网的登陆失败行为.md
│   │   ├── T1078-003-win-账户登录失败.md
│   │   ├── T1133-外部远程服务.md
│   │   ├── T1190-CVE-2018-2894-Weblogic任意文件上传检测.md
│   │   ├── T1190-CVE-2019-19781-远程代码执行检测.md
│   │   ├── T1190-CVE-2019-3398-Confluence路径穿越漏洞.md
│   │   ├── T1190-CVE-2020-0688-漏洞利用检测.md
│   │   ├── T1190-CVE-2020-14882-Weblogic Console HTTP 协议远程代码执行漏洞.md
│   │   ├── T1190-CVE-2020-1938-漏洞利用检测.md
│   │   ├── T1190-CVE-2020-5902-F5_BIG-IP_远程代码执行漏洞.md
│   │   ├── T1190-CVE-2020-8193-CVE-2020-8195.md
│   │   ├── T1190-CVE-2021-2109_Weblogic_LDAP_远程代码执行漏洞.md
│   │   ├── T1190-CVE-2021-21972 Vmware vcenter未授权任意文件:RCE漏洞.md
│   │   ├── T1190-JumpServer v2.6.1 RCE攻击检测.md
│   │   ├── T1190-SQL server滥用.md
│   │   ├── T1190-Thinkphp 5.x远程命令执行检测.md
│   │   ├── T1190-vBulletin5.X-RCE检测.md
│   │   ├── T1190-可疑的SQL错误消息.md
│   │   ├── T1190-通达V11.6-RCE.md
│   │   ├── T1190-邮箱暴力破解攻击流量分析.md
│   │   ├── T1505-003-Regeorg-HTTP隧道检测.md
│   │   ├── T1505-003-web服务产生的可疑进程.md
│   │   ├── T1505-003-windows下webshell检测.md
│   │   └── T1566-001-win-可疑的MS Office子进程.md
│   ├── 0x4_执行
│   │   ├── T1027-004-win-基于白名单Csc.exe配置payload.md
│   │   ├── T1047-win-基于白名单Wmic执行payload.md
│   │   ├── T1047-win-通过WMIC创建远程进程.md
│   │   ├── T1053-002-win-交互式at计划任务.md
│   │   ├── T1053-002-win-通过GPO计划任务进行大规模的持久性和执行.md
│   │   ├── T1053-005-win-schtasks本地计划任务.md
│   │   ├── T1059-001-win-基于白名单Powershell.exe执行Payload.md
│   │   ├── T1059-001-win-检测PowerShell2.0版本执行.md
│   │   ├── T1059-001-win-检测PowerShell下载文件.md
│   │   ├── T1059-004-linux-脚本.md
│   │   ├── T1059-win-基于白名单Certutil.exe执行Payload.md
│   │   ├── T1059-win-基于白名单Ftp.exe执行Payload.md
│   │   ├── T1059-win-进程生成CMD.md
│   │   ├── T1085-win-基于白名单Zipfldr.dll执行Payload.md
│   │   ├── T1086-win-powershell.md
│   │   ├── T1127-win-基于白名单Msbuild.exe执行payload.md
│   │   ├── T1154-linux-trap.md
│   │   ├── T1218-001-win-基于白名单Compiler.exe执行payload.md
│   │   ├── T1218-003-win-基于白名单Cmstp.exe执行Payload.md
│   │   ├── T1218-004-win-基于白名单Installutil.exe执行payload.md
│   │   ├── T1218-005-win-基于白名单Mshta.exe执行payload.md
│   │   ├── T1218-007-win-基于白名单Msiexec.exe执行Payload.md
│   │   ├── T1218-008-win-基于白名单Odbcconf.exe执行Payload.md
│   │   ├── T1218-009-win-基于白名单Regasm.exe执行payload.md
│   │   ├── T1218-010-win-基于白名单Regsvr32执行payload.md
│   │   ├── T1218-011-win-基于白名单Rundll32.exe执行payload.md
│   │   ├── T1218-011-win-基于白名单url.dll执行payload.md
│   │   └── T1218-011-win-通过Rundll32的异常网络链接.md
│   ├── 0x5_权限维持
│   │   ├── T1078-001-win-DSRM重置密码.md
│   │   ├── T1098-win-AdminSDHolder.md
│   │   ├── T1098-win-万能密码.md
│   │   ├── T1098-win-账户操作.md
│   │   ├── T1133-外部远程服务.md
│   │   ├── T1136-001-linux-创建账户.md
│   │   ├── T1136-001-win-创建本地账户.md
│   │   ├── T1197-win-BITS Jobs权限维持.md
│   │   ├── T1546-004-linux-.bash_profile and .bashrc.md
│   │   ├── T1546-007-win-通过netsh key持久化.md
│   │   ├── T1547-005-win-SSP权限维持.md
│   │   ├── T1548-001-linux-Setuid and Setgid.md
│   │   └── T1550-003-win-黄金票据.md
│   ├── 0x6_权限提升
│   │   ├── T1078-003-win-多账户同时登陆.md
│   │   ├── T1078-003-win-帐户篡改-可疑的失败登录原因.md
│   │   ├── T1078-003-win-添加用户到本地组.md
│   │   ├── T1134-001-win-CVE-2020-1472.md
│   │   ├── T1134-005-win-SID历史记录注入.md
│   │   ├── T1212-win-ms14-068-KEKEO.md
│   │   ├── T1212-win-ms14-068-PYKEK.md
│   │   ├── T1505-003-webshell-冰蝎v2.0.md
│   │   ├── T1505-003-webshell-冰蝎v3.0.md
│   │   ├── T1548-003-linux-CVE-2019-14287.md
│   │   └── T1548-003-linux-Sudo.md
│   ├── 0x7_逃避追踪
│   │   ├── T1027-003-win-Ping Hex IP.md
│   │   ├── T1027-005-linux-主机上的监测组件删除.md
│   │   ├── T1027-005-win-SDelete删除文件.md
│   │   ├── T1036-win-隐藏用户账户带$符号.md
│   │   ├── T1070-001-win-使用wevtutil命令删除日志.md
│   │   ├── T1070-001-win-检测cipher.exe删除数据.md
│   │   ├── T1070-001-win-清除事件日志.md
│   │   ├── T1070-003-linux-清除历史记录.md
│   │   ├── T1070-004-linux-文件删除.md
│   │   ├── T1070-004-win-使用Fsutil删除卷USN日志.md
│   │   ├── T1070-004-win-文件删除.md
│   │   ├── T1140-win-去混淆解码文件或信息.md
│   │   ├── T1202-win-基于白名单Forfiles执行payload.md
│   │   ├── T1202-win-基于白名单Pcalua执行payload.md
│   │   ├── T1218-002-win-签名的二进制代理执行:控制面板.md
│   │   ├── T1218-007-win-签名的二进制代理执行-Msiexec.md
│   │   ├── T1222-001-win-文件权限修改md.md
│   │   ├── T1222-002-linux-文件权限修改.md
│   │   ├── T1562-001-win-停止sysmon服务.md
│   │   ├── T1562-001-win-停止windows防御服务.md
│   │   ├── T1562-003-linux-Histcontrol.md
│   │   ├── T1562-006-win-停止日志采集.md
│   │   ├── T1564-001-linux-隐藏文件和目录.md
│   │   ├── T1564-001-win-发现攻击者在回收站中隐藏恶意软件.md
│   │   ├── T1564-001-win-隐藏的文件和目录.md
│   │   └── T1564-003-win-隐藏窗口.md
│   ├── 0x8_凭证获取
│   │   ├── T1003-002-win-SAM-reg凭证转储.md
│   │   ├── T1003-003-win-NTDS.dit-凭证转储.md
│   │   ├── T1003-003-win-ntds凭证获取.md
│   │   ├── T1003-003-win-vssown.vbs获取NTDS.dit.md
│   │   ├── T1003-003-win-使用ntdsutil获得NTDS.dit文件.md
│   │   ├── T1003-003-win-基于应用日志检测Ntdsutil获取凭证.md
│   │   ├── T1003-004-win-LSA-mimikatz凭证转储.md
│   │   ├── T1003-005-win-DCC2-mimikatz凭证转储.md
│   │   ├── T1003-006-win-DCsysnc-凭证转储.md
│   │   ├── T1003-win-Procdump凭证转储.md
│   │   ├── T1003-win-vaultcmd获取系统凭证基本信息.md
│   │   ├── T1040-linux-网络嗅探.md
│   │   ├── T1098-win-万能密码.md
│   │   ├── T1098-win-账户操作.md
│   │   ├── T1110-003-linux-ssh爆破.md
│   │   ├── T1110-003-win-密码喷射.md
│   │   ├── T1110-暴力破解.md
│   │   ├── T1503-win-来自web浏览器的凭证.md
│   │   ├── T1552-001-linux-文件中的凭据.md
│   │   ├── T1552-001-win-文件中的凭证.md
│   │   ├── T1552-002-win-注册表中的凭证.md
│   │   ├── T1552-003-linux-Bash历史.md
│   │   ├── T1552-004-linux-私钥.md
│   │   ├── T1552-006-win-GPP-凭证转储.md
│   │   ├── T1558-003-win-SPN-凭证转储.md
│   │   └── T1558-003-win-kerberosing.md
│   ├── 0x9_发现
│   │   ├── T1007-win-系统服务发现.md
│   │   ├── T1010-win-应用程序窗口发现.md
│   │   ├── T1012-win-查询注册表.md
│   │   ├── T1016-win-系统网络配置发现.md
│   │   ├── T1018-win-检测nbtscan活动.md
│   │   ├── T1018-win-远程系统发现.md
│   │   ├── T1033-win-系统所有者及用户发现.md
│   │   ├── T1040-linux-网络嗅探.md
│   │   ├── T1049-win-bloodhound使用.md
│   │   ├── T1049-win-系统网络连接发现.md
│   │   ├── T1057-win-进程发现.md
│   │   ├── T1069-001-win-本地特权组用户枚举.md
│   │   ├── T1069-002-win-AD特权组用户枚举.md
│   │   ├── T1082-win-系统信息发现.md
│   │   ├── T1083-win-文件和目录发现.md
│   │   ├── T1087-001-linux-本地账户发现.md
│   │   ├── T1114-001-win-本地电子邮件收集.md
│   │   ├── T1119-win-自动收集.md
│   │   ├── T1123-win-音频收集.md
│   │   ├── T1124-win-系统时间发现.md
│   │   ├── T1135-win-网络共享发现.md
│   │   ├── T1201-win-密码策略发现.md
│   │   ├── T1482-win-活动目录信息获取检测.md
│   │   ├── T1518-001-win-安全软件发现.md
│   │   ├── T1518-001-win-软件发现.md
│   │   └── T1590-win-DNS记录获取.md
│   ├── 0xA_横向移动
│   │   ├── T1021-002-win-基于白名单PsExec执行payload.md
│   │   ├── T1021-002-win-管理员共享.md
│   │   ├── T1021-006-win-远程powershell会话.md
│   │   ├── T1210-win-异常的SMB链接行为.md
│   │   ├── T1210-win-检测到匿名计算机账户更改的使用.md
│   │   └── T1550-002-win-哈希传递.md
│   ├── 0xB_命令与控制
│   │   ├── T1071.002-win-内网FTP链接到公网行为.md
│   │   ├── T1071.004-win-内网主机向公网DNS发起可疑请求行为.md
│   │   ├── T1090-001-win-端口转发代理.md
│   │   ├── T1105-Windows Update可滥用于执行恶意程序行为检测.md
│   │   └── T1105-win-命令提示符网络链接.md
│   ├── 0xC_渗出
│   │   └── README.md
│   ├── 0xD_影响
│   │   └── T1489-win-停止服务.md
│   ├── CNAME
│   ├── assets
│   │   ├── favicon.ico
│   │   └── logo_white.png
│   └── index.md
└── mkdocs.yml

/.gitattributes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/.gitattributes
--------------------------------------------------------------------------------

/.github/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/.github/main.yml
--------------------------------------------------------------------------------

/.github/workflows/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/.github/workflows/main.yml
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/README.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1589-001-收集受害者身份信息-凭证.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1589-001-收集受害者身份信息-凭证.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1589-002-收集受害者身份信息-邮箱地址.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1589-002-收集受害者身份信息-邮箱地址.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1589-003-收集受害者身份信息-员工姓名.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1589-003-收集受害者身份信息-员工姓名.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1590-001-收集受害者网络信息-域属性.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1590-001-收集受害者网络信息-域属性.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1590-002-收集受害者网络信息-DNS.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1590-002-收集受害者网络信息-DNS.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1590-003-收集受害者网络信息-网络信任关系.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1590-003-收集受害者网络信息-网络信任关系.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1590-004-收集受害者网络信息-网络拓扑.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1590-004-收集受害者网络信息-网络拓扑.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1590-005-收集受害者网络信息-IP地址.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1590-005-收集受害者网络信息-IP地址.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1590-006-收集受害者网络信息-网络安全设备.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1590-006-收集受害者网络信息-网络安全设备.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1591-001-收集受害者组织信息-确定物理位置.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1591-001-收集受害者组织信息-确定物理位置.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1591-002-收集受害者组织信息-业务关系.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1591-002-收集受害者组织信息-业务关系.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1591-003-收集受害者组织信息-确定业务节奏.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1591-003-收集受害者组织信息-确定业务节奏.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1591-004-收集受害者组织信息-确定角色.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1591-004-收集受害者组织信息-确定角色.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1592-001-收集受害者主机信息-硬件信息.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1592-001-收集受害者主机信息-硬件信息.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1592-002-收集受害者主机信息-软件信息.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1592-002-收集受害者主机信息-软件信息.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1592-003-收集受害者主机信息-固件信息.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1592-003-收集受害者主机信息-固件信息.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1592-004-收集受害者主机信息-客户端配置.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1592-004-收集受害者主机信息-客户端配置.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1593-001-搜索开放的域_网站-社交媒体.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1593-001-搜索开放的域_网站-社交媒体.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1593-002-搜索开放的域_网站-搜索引擎.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1593-002-搜索开放的域_网站-搜索引擎.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1594-搜索受害者所拥有的网站.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1594-搜索受害者所拥有的网站.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1595-001-主动扫描-IP地址.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1595-001-主动扫描-IP地址.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1595-002-主动扫-漏洞扫描.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1595-002-主动扫-漏洞扫描.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1596-001-搜索开放的技术数据库-DNS_被动DNS.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1596-001-搜索开放的技术数据库-DNS_被动DNS.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1596-002-搜索开放的技术数据库-WHOIS.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1596-002-搜索开放的技术数据库-WHOIS.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1596-003-搜索开放的技术数据库-数字证书.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1596-003-搜索开放的技术数据库-数字证书.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1596-004-搜索开放的技术数据库-CDN.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1596-004-搜索开放的技术数据库-CDN.md
--------------------------------------------------------------------------------

/docs/0x1_侦察/T1596-005-搜索开放的技术数据库-扫描数据库.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x1_侦察/T1596-005-搜索开放的技术数据库-扫描数据库.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1583-001-购买基础设施-域名.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1583-001-购买基础设施-域名.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1583-002-购买基础设施-DNS服务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1583-002-购买基础设施-DNS服务.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1583-003-购买基础设施-虚拟专用服务器.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1583-003-购买基础设施-虚拟专用服务器.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1583-004-购买基础设施-服务器.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1583-004-购买基础设施-服务器.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1583-005-购买基础设施-僵尸网络.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1583-005-购买基础设施-僵尸网络.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1583-006-购买基础设施-web服务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1583-006-购买基础设施-web服务.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1584-001-盗取基础设施-域名.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1584-001-盗取基础设施-域名.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1584-002-盗取基础设施-DNS服务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1584-002-盗取基础设施-DNS服务.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1584-003-盗取基础设施-虚拟专用服务器.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1584-003-盗取基础设施-虚拟专用服务器.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1584-004-盗取基础设施-服务器.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1584-004-盗取基础设施-服务器.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1584-005-盗取基础设施-僵尸网络.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1584-005-盗取基础设施-僵尸网络.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1584-006-盗取基础设施-web服务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1584-006-盗取基础设施-web服务.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1585-001-创建账户-社交媒体账户.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1585-001-创建账户-社交媒体账户.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1585-002-创建账户-电子邮箱账户.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1585-002-创建账户-电子邮箱账户.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1586-001-盗取账户-社交媒体账户.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1586-001-盗取账户-社交媒体账户.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1586-002-盗取账户-电子邮箱账户.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1586-002-盗取账户-电子邮箱账户.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1587-001-开发能力-恶意软件.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1587-001-开发能力-恶意软件.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1587-002-开发能力-代码签名证书.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1587-002-开发能力-代码签名证书.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1587-003-开发能力-数字证书.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1587-003-开发能力-数字证书.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1587-004-开发能力-漏洞利用.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1587-004-开发能力-漏洞利用.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1588-001-获取能力-恶意软件.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1588-001-获取能力-恶意软件.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1588-002-获取能力-工具.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1588-002-获取能力-工具.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1588-003-获取能力-代码签名证书.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1588-003-获取能力-代码签名证书.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1588-004-获取能力-数字证书.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1588-004-获取能力-数字证书.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1588-005-获取能力-漏洞利用.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1588-005-获取能力-漏洞利用.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1588-006-获取能力-漏洞.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1588-006-获取能力-漏洞.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1608-001-阶段性能力-上传恶意软件.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1608-001-阶段性能力-上传恶意软件.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1608-002-阶段性能力-上传工具.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1608-002-阶段性能力-上传工具.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1608-003-阶段性能力-安装数字证书.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1608-003-阶段性能力-安装数字证书.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1608-004-阶段性能力-Drive-by Target.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1608-004-阶段性能力-Drive-by Target.md
--------------------------------------------------------------------------------

/docs/0x2_资源开发/T1608-005-阶段性能力-Link Target.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x2_资源开发/T1608-005-阶段性能力-Link Target.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1078-003-win-多账户同时登陆.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1078-003-win-多账户同时登陆.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1078-003-win-来自公网的登陆失败行为.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1078-003-win-来自公网的登陆失败行为.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1078-003-win-账户登录失败.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1078-003-win-账户登录失败.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1133-外部远程服务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1133-外部远程服务.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2018-2894-Weblogic任意文件上传检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2018-2894-Weblogic任意文件上传检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2019-19781-远程代码执行检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2019-19781-远程代码执行检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2019-3398-Confluence路径穿越漏洞.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2019-3398-Confluence路径穿越漏洞.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2020-0688-漏洞利用检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2020-0688-漏洞利用检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2020-14882-Weblogic Console HTTP 协议远程代码执行漏洞.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2020-14882-Weblogic Console HTTP 协议远程代码执行漏洞.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2020-1938-漏洞利用检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2020-1938-漏洞利用检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2020-5902-F5_BIG-IP_远程代码执行漏洞.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2020-5902-F5_BIG-IP_远程代码执行漏洞.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2020-8193-CVE-2020-8195.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2020-8193-CVE-2020-8195.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2021-2109_Weblogic_LDAP_远程代码执行漏洞.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2021-2109_Weblogic_LDAP_远程代码执行漏洞.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-CVE-2021-21972 Vmware vcenter未授权任意文件:RCE漏洞.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-CVE-2021-21972 Vmware vcenter未授权任意文件:RCE漏洞.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-JumpServer v2.6.1 RCE攻击检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-JumpServer v2.6.1 RCE攻击检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-SQL server滥用.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-SQL server滥用.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-Thinkphp 5.x远程命令执行检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-Thinkphp 5.x远程命令执行检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-vBulletin5.X-RCE检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-vBulletin5.X-RCE检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-可疑的SQL错误消息.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-可疑的SQL错误消息.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-通达V11.6-RCE.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-通达V11.6-RCE.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1190-邮箱暴力破解攻击流量分析.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1190-邮箱暴力破解攻击流量分析.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1505-003-Regeorg-HTTP隧道检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1505-003-Regeorg-HTTP隧道检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1505-003-web服务产生的可疑进程.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1505-003-web服务产生的可疑进程.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1505-003-windows下webshell检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1505-003-windows下webshell检测.md
--------------------------------------------------------------------------------

/docs/0x3_初始访问/T1566-001-win-可疑的MS Office子进程.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x3_初始访问/T1566-001-win-可疑的MS Office子进程.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1027-004-win-基于白名单Csc.exe配置payload.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1027-004-win-基于白名单Csc.exe配置payload.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1047-win-基于白名单Wmic执行payload.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1047-win-基于白名单Wmic执行payload.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1047-win-通过WMIC创建远程进程.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1047-win-通过WMIC创建远程进程.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1053-002-win-交互式at计划任务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1053-002-win-交互式at计划任务.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1053-002-win-通过GPO计划任务进行大规模的持久性和执行.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1053-002-win-通过GPO计划任务进行大规模的持久性和执行.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1053-005-win-schtasks本地计划任务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1053-005-win-schtasks本地计划任务.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1059-001-win-基于白名单Powershell.exe执行Payload.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1059-001-win-基于白名单Powershell.exe执行Payload.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1059-001-win-检测PowerShell2.0版本执行.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1059-001-win-检测PowerShell2.0版本执行.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1059-001-win-检测PowerShell下载文件.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1059-001-win-检测PowerShell下载文件.md
--------------------------------------------------------------------------------

/docs/0x4_执行/T1059-004-linux-脚本.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1059-004-linux-脚本.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1059-win-基于白名单Certutil.exe执行Payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1059-win-基于白名单Certutil.exe执行Payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1059-win-基于白名单Ftp.exe执行Payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1059-win-基于白名单Ftp.exe执行Payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1059-win-进程生成CMD.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1059-win-进程生成CMD.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1085-win-基于白名单Zipfldr.dll执行Payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1085-win-基于白名单Zipfldr.dll执行Payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1086-win-powershell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1086-win-powershell.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1127-win-基于白名单Msbuild.exe执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1127-win-基于白名单Msbuild.exe执行payload.md 
-------------------------------------------------------------------------------- /docs/0x4_执行/T1154-linux-trap.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1154-linux-trap.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-001-win-基于白名单Compiler.exe执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-001-win-基于白名单Compiler.exe执行payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-003-win-基于白名单Cmstp.exe执行Payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-003-win-基于白名单Cmstp.exe执行Payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-004-win-基于白名单Installutil.exe执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-004-win-基于白名单Installutil.exe执行payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-005-win-基于白名单Mshta.exe执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-005-win-基于白名单Mshta.exe执行payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-007-win-基于白名单Msiexec.exe执行Payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-007-win-基于白名单Msiexec.exe执行Payload.md 
-------------------------------------------------------------------------------- /docs/0x4_执行/T1218-008-win-基于白名单Odbcconf.exe执行Payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-008-win-基于白名单Odbcconf.exe执行Payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-009-win-基于白名单Regasm.exe执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-009-win-基于白名单Regasm.exe执行payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-010-win-基于白名单Regsvr32执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-010-win-基于白名单Regsvr32执行payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-011-win-基于白名单Rundll32.exe执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-011-win-基于白名单Rundll32.exe执行payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-011-win-基于白名单url.dll执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-011-win-基于白名单url.dll执行payload.md -------------------------------------------------------------------------------- /docs/0x4_执行/T1218-011-win-通过Rundll32的异常网络链接.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x4_执行/T1218-011-win-通过Rundll32的异常网络链接.md 
-------------------------------------------------------------------------------- /docs/0x5_权限维持/T1078-001-win-DSRM重置密码.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1078-001-win-DSRM重置密码.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1098-win-AdminSDHolder.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1098-win-AdminSDHolder.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1098-win-万能密码.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1098-win-万能密码.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1098-win-账户操作.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1098-win-账户操作.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1133-外部远程服务.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1133-外部远程服务.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1136-001-linux-创建账户.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1136-001-linux-创建账户.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1136-001-win-创建本地账户.md: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1136-001-win-创建本地账户.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1197-win-BITS Jobs权限维持.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1197-win-BITS Jobs权限维持.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1546-004-linux-.bash_profile and .bashrc.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1546-004-linux-.bash_profile and .bashrc.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1546-007-win-通过netsh key持久化.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1546-007-win-通过netsh key持久化.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1547-005-win-SSP权限维持.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1547-005-win-SSP权限维持.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1548-001-linux-Setuid and Setgid.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1548-001-linux-Setuid and Setgid.md -------------------------------------------------------------------------------- /docs/0x5_权限维持/T1550-003-win-黄金票据.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x5_权限维持/T1550-003-win-黄金票据.md 
-------------------------------------------------------------------------------- /docs/0x6_权限提升/T1078-003-win-多账户同时登陆.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1078-003-win-多账户同时登陆.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1078-003-win-帐户篡改-可疑的失败登录原因.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1078-003-win-帐户篡改-可疑的失败登录原因.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1078-003-win-添加用户到本地组.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1078-003-win-添加用户到本地组.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1134-001-win-CVE-2020-1472.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1134-001-win-CVE-2020-1472.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1134-005-win-SID历史记录注入.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1134-005-win-SID历史记录注入.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1212-win-ms14-068-KEKEO.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1212-win-ms14-068-KEKEO.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1212-win-ms14-068-PYKEK.md: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1212-win-ms14-068-PYKEK.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1505-003-webshell-冰蝎v2.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1505-003-webshell-冰蝎v2.0.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1505-003-webshell-冰蝎v3.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1505-003-webshell-冰蝎v3.0.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1548-003-linux-CVE-2019-14287.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1548-003-linux-CVE-2019-14287.md -------------------------------------------------------------------------------- /docs/0x6_权限提升/T1548-003-linux-Sudo.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x6_权限提升/T1548-003-linux-Sudo.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1027-003-win-Ping Hex IP.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1027-003-win-Ping Hex IP.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1027-005-linux-主机上的监测组件删除.md: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1027-005-linux-主机上的监测组件删除.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1027-005-win-SDelete删除文件.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1027-005-win-SDelete删除文件.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1036-win-隐藏用户账户带$符号.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1036-win-隐藏用户账户带$符号.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1070-001-win-使用wevtutil命令删除日志.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1070-001-win-使用wevtutil命令删除日志.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1070-001-win-检测cipher.exe删除数据.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1070-001-win-检测cipher.exe删除数据.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1070-001-win-清除事件日志.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1070-001-win-清除事件日志.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1070-003-linux-清除历史记录.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1070-003-linux-清除历史记录.md 
-------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1070-004-linux-文件删除.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1070-004-linux-文件删除.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1070-004-win-使用Fsutil删除卷USN日志.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1070-004-win-使用Fsutil删除卷USN日志.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1070-004-win-文件删除.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1070-004-win-文件删除.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1140-win-去混淆解码文件或信息.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1140-win-去混淆解码文件或信息.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1202-win-基于白名单Forfiles执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1202-win-基于白名单Forfiles执行payload.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1202-win-基于白名单Pcalua执行payload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1202-win-基于白名单Pcalua执行payload.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1218-002-win-签名的二进制代理执行:控制面板.md: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1218-002-win-签名的二进制代理执行:控制面板.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1218-007-win-签名的二进制代理执行-Msiexec.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1218-007-win-签名的二进制代理执行-Msiexec.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1222-001-win-文件权限修改md.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1222-001-win-文件权限修改md.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1222-002-linux-文件权限修改.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1222-002-linux-文件权限修改.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1562-001-win-停止sysmon服务.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1562-001-win-停止sysmon服务.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1562-001-win-停止windows防御服务.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1562-001-win-停止windows防御服务.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1562-003-linux-Histcontrol.md: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1562-003-linux-Histcontrol.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1562-006-win-停止日志采集.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1562-006-win-停止日志采集.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1564-001-linux-隐藏文件和目录.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1564-001-linux-隐藏文件和目录.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1564-001-win-发现攻击者在回收站中隐藏恶意软件.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1564-001-win-发现攻击者在回收站中隐藏恶意软件.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1564-001-win-隐藏的文件和目录.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1564-001-win-隐藏的文件和目录.md -------------------------------------------------------------------------------- /docs/0x7_逃避追踪/T1564-003-win-隐藏窗口.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x7_逃避追踪/T1564-003-win-隐藏窗口.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-002-win-SAM-reg凭证转储.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-002-win-SAM-reg凭证转储.md -------------------------------------------------------------------------------- 
/docs/0x8_凭证获取/T1003-003-win-NTDS.dit-凭证转储.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-003-win-NTDS.dit-凭证转储.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-003-win-ntds凭证获取.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-003-win-ntds凭证获取.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-003-win-vssown.vbs获取NTDS.dit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-003-win-vssown.vbs获取NTDS.dit.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-003-win-使用ntdsutil获得NTDS.dit文件.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-003-win-使用ntdsutil获得NTDS.dit文件.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-003-win-基于应用日志检测Ntdsutil获取凭证.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-003-win-基于应用日志检测Ntdsutil获取凭证.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-004-win-LSA-mimikatz凭证转储.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-004-win-LSA-mimikatz凭证转储.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-005-win-DCC2-mimikatz凭证转储.md: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-005-win-DCC2-mimikatz凭证转储.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-006-win-DCsysnc-凭证转储.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-006-win-DCsysnc-凭证转储.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-win-Procdump凭证转储.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-win-Procdump凭证转储.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1003-win-vaultcmd获取系统凭证基本信息.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1003-win-vaultcmd获取系统凭证基本信息.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1040-linux-网络嗅探.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1040-linux-网络嗅探.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1098-win-万能密码.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1098-win-万能密码.md -------------------------------------------------------------------------------- /docs/0x8_凭证获取/T1098-win-账户操作.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1098-win-账户操作.md 
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1110-003-linux-ssh爆破.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1110-003-linux-ssh爆破.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1110-003-win-密码喷射.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1110-003-win-密码喷射.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1110-暴力破解.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1110-暴力破解.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1503-win-来自web浏览器的凭证.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1503-win-来自web浏览器的凭证.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1552-001-linux-文件中的凭据.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1552-001-linux-文件中的凭据.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1552-001-win-文件中的凭证.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1552-001-win-文件中的凭证.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1552-002-win-注册表中的凭证.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1552-002-win-注册表中的凭证.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1552-003-linux-Bash历史.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1552-003-linux-Bash历史.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1552-004-linux-私钥.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1552-004-linux-私钥.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1552-006-win-GPP-凭证转储.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1552-006-win-GPP-凭证转储.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1558-003-win-SPN-凭证转储.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1558-003-win-SPN-凭证转储.md
--------------------------------------------------------------------------------
/docs/0x8_凭证获取/T1558-003-win-kerberosing.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x8_凭证获取/T1558-003-win-kerberosing.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1007-win-系统服务发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1007-win-系统服务发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1010-win-应用程序窗口发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1010-win-应用程序窗口发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1012-win-查询注册表.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1012-win-查询注册表.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1016-win-系统网络配置发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1016-win-系统网络配置发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1018-win-检测nbtscan活动.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1018-win-检测nbtscan活动.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1018-win-远程系统发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1018-win-远程系统发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1033-win-系统所有者及用户发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1033-win-系统所有者及用户发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1040-linux-网络嗅探.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1040-linux-网络嗅探.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1049-win-bloodhound使用.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1049-win-bloodhound使用.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1049-win-系统网络连接发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1049-win-系统网络连接发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1057-win-进程发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1057-win-进程发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1069-001-win-本地特权组用户枚举.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1069-001-win-本地特权组用户枚举.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1069-002-win-AD特权组用户枚举.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1069-002-win-AD特权组用户枚举.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1082-win-系统信息发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1082-win-系统信息发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1083-win-文件和目录发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1083-win-文件和目录发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1087-001-linux-本地账户发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1087-001-linux-本地账户发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1114-001-win-本地电子邮件收集.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1114-001-win-本地电子邮件收集.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1119-win-自动收集.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1119-win-自动收集.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1123-win-音频收集.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1123-win-音频收集.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1124-win-系统时间发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1124-win-系统时间发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1135-win-网络共享发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1135-win-网络共享发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1201-win-密码策略发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1201-win-密码策略发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1482-win-活动目录信息获取检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1482-win-活动目录信息获取检测.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1518-001-win-安全软件发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1518-001-win-安全软件发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1518-001-win-软件发现.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1518-001-win-软件发现.md
--------------------------------------------------------------------------------
/docs/0x9_发现/T1590-win-DNS记录获取.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0x9_发现/T1590-win-DNS记录获取.md
--------------------------------------------------------------------------------
/docs/0xA_横向移动/T1021-002-win-基于白名单PsExec执行payload.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xA_横向移动/T1021-002-win-基于白名单PsExec执行payload.md
--------------------------------------------------------------------------------
/docs/0xA_横向移动/T1021-002-win-管理员共享.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xA_横向移动/T1021-002-win-管理员共享.md
--------------------------------------------------------------------------------
/docs/0xA_横向移动/T1021-006-win-远程powershell会话.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xA_横向移动/T1021-006-win-远程powershell会话.md
--------------------------------------------------------------------------------
/docs/0xA_横向移动/T1210-win-异常的SMB链接行为.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xA_横向移动/T1210-win-异常的SMB链接行为.md
--------------------------------------------------------------------------------
/docs/0xA_横向移动/T1210-win-检测到匿名计算机账户更改的使用.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xA_横向移动/T1210-win-检测到匿名计算机账户更改的使用.md
--------------------------------------------------------------------------------
/docs/0xA_横向移动/T1550-002-win-哈希传递.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xA_横向移动/T1550-002-win-哈希传递.md
--------------------------------------------------------------------------------
/docs/0xB_命令与控制/T1071.002-win-内网FTP链接到公网行为.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xB_命令与控制/T1071.002-win-内网FTP链接到公网行为.md
--------------------------------------------------------------------------------
/docs/0xB_命令与控制/T1071.004-win-内网主机向公网DNS发起可疑请求行为.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xB_命令与控制/T1071.004-win-内网主机向公网DNS发起可疑请求行为.md
--------------------------------------------------------------------------------
/docs/0xB_命令与控制/T1090-001-win-端口转发代理.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xB_命令与控制/T1090-001-win-端口转发代理.md
--------------------------------------------------------------------------------
/docs/0xB_命令与控制/T1105-Windows Update可滥用于执行恶意程序行为检测.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xB_命令与控制/T1105-Windows Update可滥用于执行恶意程序行为检测.md
--------------------------------------------------------------------------------
/docs/0xB_命令与控制/T1105-win-命令提示符网络链接.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xB_命令与控制/T1105-win-命令提示符网络链接.md
--------------------------------------------------------------------------------
/docs/0xC_渗出/README.md:
--------------------------------------------------------------------------------
None yet
--------------------------------------------------------------------------------
/docs/0xD_影响/T1489-win-停止服务.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/0xD_影响/T1489-win-停止服务.md
--------------------------------------------------------------------------------
/docs/CNAME:
--------------------------------------------------------------------------------
red.y1ng.org
--------------------------------------------------------------------------------
/docs/assets/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/assets/favicon.ico
--------------------------------------------------------------------------------
/docs/assets/logo_white.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/assets/logo_white.png
--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/docs/index.md
--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/satan1a/RedBook/HEAD/mkdocs.yml
--------------------------------------------------------------------------------