Search For Content
Search Result
9 item(s) found so far for this keyword.
Event Triggered Execution: Linux Inotify
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.
Read moreRemoving Commands from SELinux Audit Logs
SELinux audit logs record all executed commands and policy enforcement actions, including commands like /bin/web, setenforce, mount, and /bin/rm. Using sed -i, attackers delete specific entries from these logs that could reveal the commands they executed. This manipulation ensures that traces of their activity, such as disabling security policies or deleting evidence, are erased from …
LOLbins
A lolbin (short for "Living Off the Land Binaries") is a legitimate Windows utility that can be used by adversaries to execute arbitrary commands. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, the Program Compatibility Assistant (pcalua.exe) and components of the Windows Subsystem for Linux (WSL) are examples of lolbins that can be …
Read moreClearing Kernel Message
The dmesg -C command clears the kernel message buffer, which stores diagnostic messages generated by the kernel. These messages include logs about hardware interactions, system events, kernel module loads, and errors such as segmentation faults. The attacker can run this command to make sure that no trace of kernel-related activity, including any anomalies caused by exploitation, remains in the message …
Manipulating Debug Logs
Using the sed -i command, specific entries in debug logs, such as errors (segfault, SystemError) or trace information (e.g., filenames like main.cc), are surgically removed. This allows attackers to target only incriminating evidence without erasing the entire log file. The process preserves the structure and authenticity of the log while removing key evidence of exploitation or system errors.
…
Read moreImpair Defenses: Impair Command History Logging
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
--windows-- The PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default).
Adversaries may …
Read moreProcess Argument Spoofing
Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started.
--windows-- This is done by tampering with the Process Environment Block (PEB).
The PEB is a structure in Windows that holds various information about a running process. Within the PEB, there's …
Read moreXBEL Recently Opened Files Check
The recently-used.xbel XML file documents recent files on a Linux system that were accessed by applications. By parsing the file & checking how many files were recently accessed, we can determine whether or not a system is likely a sandbox or virtual machine. If a system has a low amount of files being accessed, it's likely a sandbox/VM.
Deleting Troubleshoot Information and Core Dumps
Commands like rm -rf /data/var/statedumps/* and rm -rf /data/var/cores/* delete state dumps and core dumps, which are generated when processes crash. These files contain memory snapshots, stack traces, and runtime states of processes at the time of failure. They are often used to debug and understand the causes of crashes or application malfunctions.
Attackers use this technique to eliminate …
Read more