diff --git a/figures/layer.json b/figures/layer.json
index eb9efdf..59d158f 100644
--- a/figures/layer.json
+++ b/figures/layer.json
@@ -539,8 +539,8 @@
 {
 "techniqueID": "T1056",
 "tactic": "collection",
- "color": "#e6d60d",
- "comment": "i know there's a way to do it with lkm rootkits",
+ "color": "#3182bd",
+ "comment": "i know there's a way to do it with lkm rootkits. Also ebpf https://www.youtube.com/watch?v=q6Q8VfIyUgU",
 "enabled": true,
 "metadata": [],
 "showSubtechniques": false
@@ -548,8 +548,8 @@
 {
 "techniqueID": "T1056",
 "tactic": "credential-access",
- "color": "#e6d60d",
- "comment": "i know there's a way to do it with lkm rootkits",
+ "color": "#3182bd",
+ "comment": "i know there's a way to do it with lkm rootkits. Also ebpf https://www.youtube.com/watch?v=q6Q8VfIyUgU",
 "enabled": true,
 "metadata": [],
 "showSubtechniques": false
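Review bot: The new `"color": "#3182bd"` on both T1056 entries matches no legendItems entry: the legend (only reordered in the third hunk of this diff) maps `#e60d0d`, `#e6550d`, `#e6d60d` and `#00ffff`, so Navigator will render these cells in a colour the legend cannot explain, and the same unlabelled colour is used on most of the entries added in the second hunk. Either change the fourth legend item to `"color": "#3182bd"` or use `#00ffff` on the techniques, so the colour-coded assessment stays readable to anyone opening the layer. The comment is also now duplicated verbatim across the collection and credential-access entries of T1056; if both tactic entries are meant to share one assessment, a short note such as `"comment": "(same assessment as the T1056 collection entry) ..."` on one of them would keep later edits from drifting apart. The bare video link would survive link rot better if the comment named the talk it points to.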
@@ -913,6 +913,447 @@
 "enabled": true,
 "metadata": [],
 "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1071",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "Hiding payload in tcp/ip sections... Idea: build a PoC of a http server and client where our client is the rootkit client and we exfiltrate data within the protocol.",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1560",
+ "tactic": "collection",
+ "color": "#3182bd",
+ "comment": "Possible to send encrypted packets, but the host should not process them anyway if we are in a higher layer.",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1123",
+ "tactic": "collection",
+ "color": "#e6550d",
+ "comment": "Might be possible, but high effort low reward, easier to do in userspace",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1119",
+ "tactic": "collection",
+ "color": "#3182bd",
+ "comment": "We should define a set of target processes to scan and probe its calls for info.",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1115",
+ "tactic": "collection",
+ "color": "#e6550d",
+ "comment": "clipboard data comes from X and not the kernel",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1092",
+ "tactic": "command-and-control",
+ "color": "#e6d60d",
+ "comment": "Rubber ducky which launches an unprivileged ebpf program (?). 
Need to research how much it can do",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1132",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1001",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1074",
+ "tactic": "collection",
+ "color": "#e60d0d",
+ "comment": "Don't think its needed and also not convenient, we must take advantage of packets being sent since we can't send ours.",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1213",
+ "tactic": "collection",
+ "color": "#e60d0d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1005",
+ "tactic": "collection",
+ "color": "#e6d60d",
+ "comment": "We may not be able to search arbitrary files only from ebpf, it may require a process accesing it.",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1039",
+ "tactic": "collection",
+ "color": "#e6d60d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1025",
+ "tactic": "collection",
+ "color": "#e6d60d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1568",
+ "tactic": "command-and-control",
+ "color": "#e60d0d",
+ "comment": "Ebpf cannot send packets by itself so the client always initiates the connection, no dynamic resolution",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1114",
+ "tactic": "collection",
+ "color": "#e6550d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1573",
+ "tactic": 
"command-and-control", + "color": "#3182bd", + "comment": "But in this case our target would be hiding from network-wide protections, instead of the host, which cannot see anything", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1021", + "tactic": "lateral-movement", + "color": "#e6d60d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1113", + "tactic": "collection", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1080", + "tactic": "lateral-movement", + "color": "#e6550d", + "comment": "Requires a separate line of research, but it is interesting", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1531", + "tactic": "impact", + "color": "#3182bd", + "comment": "Maybe no writing to a protected file but rather faking read calls from it", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1020", + "tactic": "exfiltration", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1485", + "tactic": "impact", + "color": "#3182bd", + "comment": "not convenient for a rootkit which should be hidden", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1486", + "tactic": "impact", + "color": "#e6d60d", + "comment": "probably requires userspace helper", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1565", + "tactic": "impact", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1030", + "tactic": "exfiltration", + "color": "#3182bd", + "comment": "Using tcp packet resending, as in the con video", + "enabled": true, + "metadata": [], + 
"showSubtechniques": false + }, + { + "techniqueID": "T1491", + "tactic": "impact", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1561", + "tactic": "impact", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1499", + "tactic": "impact", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1048", + "tactic": "exfiltration", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1041", + "tactic": "exfiltration", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1011", + "tactic": "exfiltration", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1052", + "tactic": "exfiltration", + "color": "#3182bd", + "comment": "Possible to write into removable media", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1567", + "tactic": "exfiltration", + "color": "#e6d60d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1008", + "tactic": "command-and-control", + "color": "#e6d60d", + "comment": "difficult to do given than we cannot start a new connection. 
But we may hijack an existing one and reroute it where we want, ex: telnet",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1495",
+ "tactic": "impact",
+ "color": "#e60d0d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1105",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1490",
+ "tactic": "impact",
+ "color": "#e60d0d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1104",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "Possible to do but benefits are limited since the host would not see the rootkit client IP in any case",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1498",
+ "tactic": "impact",
+ "color": "#3182bd",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1095",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "Communicating via ICMP..",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1571",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1572",
+ "tactic": "command-and-control",
+ "color": "#e60d0d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1090",
+ "tactic": "command-and-control",
+ "color": "#3182bd",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ "techniqueID": "T1219",
+ "tactic": "command-and-control",
+ "color": "#e60d0d",
+ "comment": "",
+ "enabled": true,
+ "metadata": [],
+ "showSubtechniques": false
+ },
+ {
+ 
"techniqueID": "T1496", + "tactic": "impact", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1029", + "tactic": "exfiltration", + "color": "#3182bd", + "comment": "But a priori we depend on when our rootkit client sends us packets to respond to, and also on the internal host traffic", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1489", + "tactic": "impact", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1529", + "tactic": "impact", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1102", + "tactic": "command-and-control", + "color": "#e6550d", + "comment": "might be possible to hook some call and write on a file there, needs research. We might make a process read a php reverse shell from a file of the webpage, for instance", + "enabled": true, + "metadata": [], + "showSubtechniques": false } ], "gradient": { @@ -926,20 +1367,20 @@ }, "legendItems": [ { - "label": "Not applicable", - "color": "#e60d0d" + "color": "#e60d0d", + "label": "Not applicable" }, { - "label": "Needs research / don't know if applicable", - "color": "#e6550d" + "color": "#e6550d", + "label": "Needs research / don't know if applicable" }, { - "label": "Applicable / some hints on how to do it", - "color": "#e6d60d" + "color": "#e6d60d", + "label": "Applicable / some hints on how to do it" }, { - "label": "Applicable and very interesting to do it", - "color": "#00ffff" + "color": "#00ffff", + "label": "Applicable and very interesting to do it" } ], "metadata": [],