Completed the matrix

MARCOS SANCHEZ BAJO
2021-11-10 11:03:36 +01:00
parent 9b3e332bd8
commit 67ad3d7290


@@ -539,8 +539,8 @@
{
"techniqueID": "T1056",
"tactic": "collection",
"color": "#e6d60d",
"comment": "i know there's a way to do it with lkm rootkits",
"color": "#3182bd",
"comment": "i know there's a way to do it with lkm rootkits. Also ebpf https://www.youtube.com/watch?v=q6Q8VfIyUgU",
"enabled": true,
"metadata": [],
"showSubtechniques": false
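Review bot: the new colour "#3182bd" on the T1056/collection entry is not one of the four colours defined in legendItems ("#e60d0d", "#e6550d", "#e6d60d", "#00ffff"), so after this change the layer no longer states what the move away from "#e6d60d" ("Applicable / some hints on how to do it") means; either add a legend item for "#3182bd" or use the existing legend colour that matches the new assessment. The extended comment cites only a bare YouTube URL; noting the talk title and speaker next to it keeps the reference usable if the link goes dead.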
@@ -548,8 +548,8 @@
{
"techniqueID": "T1056",
"tactic": "credential-access",
"color": "#e6d60d",
"comment": "i know there's a way to do it with lkm rootkits",
"color": "#3182bd",
"comment": "i know there's a way to do it with lkm rootkits. Also ebpf https://www.youtube.com/watch?v=q6Q8VfIyUgU",
"enabled": true,
"metadata": [],
"showSubtechniques": false
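Review bot: this entry repeats the T1056/collection colour change and comment verbatim for the credential-access tactic, so the two entries for the same technique now have to be kept in sync by hand. If the assessment genuinely differs by tactic (input capture as collection versus as credential access), the comment should say how; otherwise a short cross-reference such as "see collection entry" avoids carrying the duplicated URL twice.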
@@ -913,6 +913,447 @@
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1071",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "Hiding payload in tcp/ip sections... Idea: build a PoC of a http server and client where our client is the rootkit client and we exfiltrate data within the protocol.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1560",
"tactic": "collection",
"color": "#3182bd",
"comment": "Possible to send encrypted packets, but the host should not process them anyway if we are in a higher layer.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1123",
"tactic": "collection",
"color": "#e6550d",
"comment": "Might be possible, but high effort low reward, easier to do in userspace",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1119",
"tactic": "collection",
"color": "#3182bd",
"comment": "We should define a set of target processes to scan and probe its calls for info.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1115",
"tactic": "collection",
"color": "#e6550d",
"comment": "clipboard data comes from X and not the kernel",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1092",
"tactic": "command-and-control",
"color": "#e6d60d",
"comment": "Rubber ducky which launches an unprivileged ebpf program (?). Need to research how much it can do",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1132",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1001",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1074",
"tactic": "collection",
"color": "#e60d0d",
"comment": "Don't think its needed and also not convenient, we must take advantage of packets being sent since we can't send ours.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1213",
"tactic": "collection",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1005",
"tactic": "collection",
"color": "#e6d60d",
"comment": "We may not be able to search arbitrary files only from ebpf, it may require a process accesing it.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1039",
"tactic": "collection",
"color": "#e6d60d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1025",
"tactic": "collection",
"color": "#e6d60d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1568",
"tactic": "command-and-control",
"color": "#e60d0d",
"comment": "Ebpf cannot send packets by itself so the client always initiates the connection, no dynamic resolution",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1114",
"tactic": "collection",
"color": "#e6550d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1573",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "But in this case our target would be hiding from network-wide protections, instead of the host, which cannot see anything",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1021",
"tactic": "lateral-movement",
"color": "#e6d60d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1113",
"tactic": "collection",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1080",
"tactic": "lateral-movement",
"color": "#e6550d",
"comment": "Requires a separate line of research, but it is interesting",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1531",
"tactic": "impact",
"color": "#3182bd",
"comment": "Maybe no writing to a protected file but rather faking read calls from it",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1020",
"tactic": "exfiltration",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1485",
"tactic": "impact",
"color": "#3182bd",
"comment": "not convenient for a rootkit which should be hidden",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1486",
"tactic": "impact",
"color": "#e6d60d",
"comment": "probably requires userspace helper",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1565",
"tactic": "impact",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1030",
"tactic": "exfiltration",
"color": "#3182bd",
"comment": "Using tcp packet resending, as in the con video",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1491",
"tactic": "impact",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1561",
"tactic": "impact",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1499",
"tactic": "impact",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1048",
"tactic": "exfiltration",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1041",
"tactic": "exfiltration",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1011",
"tactic": "exfiltration",
"color": "#e6550d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1052",
"tactic": "exfiltration",
"color": "#3182bd",
"comment": "Possible to write into removable media",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1567",
"tactic": "exfiltration",
"color": "#e6d60d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1008",
"tactic": "command-and-control",
"color": "#e6d60d",
"comment": "difficult to do given than we cannot start a new connection. But we may hijack an existing one and reroute it where we want, ex: telnet",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1495",
"tactic": "impact",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1105",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1490",
"tactic": "impact",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1104",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "Possible to do but benefits are limited since the host would not see the rootkit client IP in any case",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1498",
"tactic": "impact",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1095",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "Communicating via ICMP..",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1571",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1572",
"tactic": "command-and-control",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1090",
"tactic": "command-and-control",
"color": "#3182bd",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1219",
"tactic": "command-and-control",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1496",
"tactic": "impact",
"color": "#e6550d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1029",
"tactic": "exfiltration",
"color": "#3182bd",
"comment": "But a priori we depend on when our rootkit client sends us packets to respond to, and also on the internal host traffic",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1489",
"tactic": "impact",
"color": "#e6550d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1529",
"tactic": "impact",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1102",
"tactic": "command-and-control",
"color": "#e6550d",
"comment": "might be possible to hook some call and write on a file there, needs research. We might make a process read a php reverse shell from a file of the webpage, for instance",
"enabled": true,
"metadata": [],
"showSubtechniques": false
}
],
"gradient": {
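Review bot: roughly twenty of the added entries (T1071, T1560, T1119, T1132, T1001, T1573, T1531, T1020, T1485, T1565, T1030, T1491, T1499, T1048, T1041, T1052, T1105, T1104, T1498, T1095, T1571, T1090, T1029 and others) use "#3182bd", which no legendItems entry defines, while "#00ffff" ("Applicable and very interesting to do it") is used by none of them; the legend and the matrix have drifted apart and a reader cannot tell what blue means. Many entries also pair a verdict colour with "comment": "" (for example T1213, T1113, T1561, T1495, T1490 and T1529 at "#e60d0d"), so the reason a technique was ruled out is lost; a one-line rationale per coloured entry would make the matrix reviewable later. Minor: "accesing" in the T1005 comment, "given than" in T1008 and "its" for "it's" in T1074.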
@@ -926,20 +1367,20 @@
},
"legendItems": [
{
"label": "Not applicable",
"color": "#e60d0d"
"color": "#e60d0d",
"label": "Not applicable"
},
{
"label": "Needs research / don't know if applicable",
"color": "#e6550d"
"color": "#e6550d",
"label": "Needs research / don't know if applicable"
},
{
"label": "Applicable / some hints on how to do it",
"color": "#e6d60d"
"color": "#e6d60d",
"label": "Applicable / some hints on how to do it"
},
{
"label": "Applicable and very interesting to do it",
"color": "#00ffff"
"color": "#00ffff",
"label": "Applicable and very interesting to do it"
}
],
"metadata": [],
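Review bot: the only change in legendItems is the swapped order of the "label" and "color" keys inside each object, which is a no-op for any JSON consumer and looks like a re-serialisation by the Navigator export rather than an intended edit; it doubles the size of this hunk while the legend content is unchanged. Since the layer now relies on "#3182bd" for a large share of its techniques, this legend is where a fifth item for that colour belongs.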