12 essentials in APT with most common tools
\textbf{Obfuscation.} To hide weaponized exploitation signatures and anomalies. {\footnotesize Tools: Invoke-Obfuscation, demiguise, Veil-evasion, Invoke-DOSfuscation, morphHTA, Unicorn, Ruler.}
\textbf{Encryption.} To encrypt victims' files. {\footnotesize Tools: zip, gzip, rar, winzip32, 7z.}
\textbf{Exploitation for Privilege Escalation.} To exploit Microsoft CVEs. {\footnotesize Tools: getsystem, bitsadmin, msbuild, privesc.}
\textbf{File Deletion.} To wipe victims' machines. {\footnotesize Tools: rm, shred, del, rmdir, Remove-Item, vssadmin, wmic, bcdedit, wbadmin.}
\textbf{Rundll32 Tricks.} To bypass things like whitelisting. {\footnotesize Tools: rundll32, {\textbar}javascript{\textbar}vbscript{\textbar}http{\textbar}https{\textbar}.dll.}
\textbf{Network Configuration Discovery.} To recon victims' configurations. {\footnotesize Tools: ipconfig, shell, enum{\_}domains, arp, route, nbtstat, net, nltest, powerview, get{\_}subnet.}
\textbf{Web Shell.} To exploit victims with a web shell. {\footnotesize Tools: xcopy, ieexec.}
\textbf{Windows Management Instrumentation.} To exfiltrate from (exploit) victims' machines. {\footnotesize Tools: wmic, elevated{\_}wmi, invoke{\_}wmi.}
\textbf{Bypass User Account Control.} To escape from User Account Control on victims' machines. {\footnotesize Tools: uacbypass, reg, New-Item, Set-ItemProperty, Start-Process, fodhelper, mklink, eventvwr, mshta, verclsid, winword, cmmgr32, privesc, bypassuac{\_}tokenmanipulation.}
\textbf{Credential Dumping.} To steal credentials, even for cloud platforms. {\footnotesize Tools: hashdump, mimikatz, smart{\_}hashdump, logonpasswords, domain{\_}hashdump, wdigest, msv, gsecdump, IEX, reg, wce, vsadmin, ntdsutil, Get-GPPPassword, copy, kerberos{\_}inject, ChromeDump, FoxDump, ninjacopy, vaults, enum{\_}cred{\_}store, powerdump, silver{\_}ticket, trust{\_}keys, privesc, downgrade{\_}account, wdigest{\_}downgrade, etcd{\_}crawler.}
\textbf{Exfiltration Over Alternative Protocol.} To steal from victims and hide traces. {\footnotesize Tools: ssh, tar, ping, exfil{\_}dropbox, Invoke{\_}ExfilDataToGithub.}
\textbf{Powershell Tricks.} The most dangerous: used to generate massive damage while remaining persistent remotely, through multiple pipelines. {\footnotesize Tools: powershell, IEX .DownloadString, New-Object, ::ReadAllBytes, ForEach-Object, Set-Variable, Set-Item, .PsObject, .Invoke, .InvokeCommand, Shell, Get-ItemProperty, SandKeys, New-LocalUser, reg, Add-Content, Invoke-Expression, excel, cmd, invoke{\_}psremoting, spawn, Invoke-Mimikatz, SharpHound, Invoke-BloodHound.}