LSASS Memory

The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions.

Obfuscated Files or Information

This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters). Reference: https://wietze.github.io/blog/windows-command-line-obfuscation

Space after Filename

Space After Filename

Login Hook

Mac logon script

Exfiltration Over Unencrypted Non-C2 Protocol

A firewall rule (ipfw,pf,iptables or firewalld) will be needed to allow exfiltration on port 1337. Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.

Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration of specified file over DNS protocol.

PowerShell

Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.

Non-Application Layer Protocol

ICMP C2 (Command and Control) utilizes the Internet Control Message Protocol (ICMP), traditionally used for network diagnostics, as a covert communication channel for attackers. By using ICMP, adversaries can send commands, exfiltrate data, or maintain access to compromised systems without triggering network detection systems. This method allows attackers to communicate and control compromised devices while remaining undetected. For more details, check this blog: [ICMP Reverse Shell Blog](https://cryptsus.com/blog/icmp-reverse-shell.html) Important Notes: - Use [icmp-cnc] for the C2 server (Attacker) and [icmpdoor] for the C2 client (Victim). - Binaries work on Ubuntu 22.04.5 LTS; for CentOS Stream or other, use the Python file from the GitHub link [https://github.com/krabelize/icmpdoor]. - Root access is required.

Software Extensions

Turn on Chrome/Chromium developer mode and Load Extension found in the src directory

Software Extensions

Create a file called test.wma, with the duration of 30 seconds

Software Extensions

Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.

Dynamic Data Exchange

Executes commands via DDE using Microsfot Word

Dynamic Data Exchange

TrustedSec - Unicorn - https://github.com/trustedsec/unicorn SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ Word VBA Macro [Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)

Plist File Modification

Modify MacOS plist file in one of two directories

Prevent Command History Logging

The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile so that it will apply to all future settings as well. https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol