{
|
|
"name": "layer",
|
|
"versions": {
|
|
"attack": "10",
|
|
"navigator": "4.5.1",
|
|
"layer": "4.2"
|
|
},
|
|
"domain": "enterprise-attack",
|
|
"description": "",
|
|
"filters": {
|
|
"platforms": [
|
|
"Linux"
|
|
]
|
|
},
|
|
"sorting": 0,
|
|
"layout": {
|
|
"layout": "side",
|
|
"aggregateFunction": "average",
|
|
"showID": false,
|
|
"showName": true,
|
|
"showAggregateScores": false,
|
|
"countUnscored": false
|
|
},
|
|
"hideDisabled": false,
|
|
"techniques": [
|
|
{
|
|
"techniqueID": "T1098",
|
|
"tactic": "persistence",
|
|
"color": "#3182bd",
|
|
"comment": "https://github.com/pathtofile/bad-bpf#sudo-add\n\nhttps://www.youtube.com/watch?v=g6SKWT7sROQ",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1547",
|
|
"tactic": "persistence",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1547",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1037",
|
|
"tactic": "persistence",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1037",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1176",
|
|
"tactic": "persistence",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1059",
|
|
"tactic": "execution",
|
|
"color": "#e6d60d",
|
|
"comment": "We should have some kind of program deployer for the rootkit",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1554",
|
|
"tactic": "persistence",
|
|
"color": "#e6d60d",
|
|
"comment": "We can at the very least fake an account, we might be able to overwrite a program too(?)\n\nhttps://www.youtube.com/watch?v=g6SKWT7sROQ",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1136",
|
|
"tactic": "persistence",
|
|
"color": "#3182bd",
|
|
"comment": "We could try to modify an auth file but we would rather 'fake' its contents while being read by a process checking privileges",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1543",
|
|
"tactic": "persistence",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1543",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1189",
|
|
"tactic": "initial-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1546",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e6d60d",
|
|
"comment": "uprobes, kprobes",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1546",
|
|
"tactic": "persistence",
|
|
"color": "#e6d60d",
|
|
"comment": "uprobes, kprobes",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1190",
|
|
"tactic": "initial-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1203",
|
|
"tactic": "execution",
|
|
"color": "#e6d60d",
|
|
"comment": "We might need to load a privileged ebpf without privileges. There exists https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1133",
|
|
"tactic": "persistence",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1133",
|
|
"tactic": "initial-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1200",
|
|
"tactic": "initial-access",
|
|
"color": "#e6550d",
|
|
"comment": "It may be fun to build a quick rubber ducky for deploying the program",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1106",
|
|
"tactic": "execution",
|
|
"color": "#e6550d",
|
|
"comment": "https://attack.mitre.org/techniques/T1106/ The part of dealing with defensive software may be applicable. https://www.youtube.com/watch?v=5zixNDolLrg Contains an example at the end",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1566",
|
|
"tactic": "initial-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1053",
|
|
"tactic": "execution",
|
|
"color": "#3182bd",
|
|
"comment": "Possible to modify data read from crontab or sshd. https://www.youtube.com/watch?v=5zixNDolLrg",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1053",
|
|
"tactic": "persistence",
|
|
"color": "#3182bd",
|
|
"comment": "Possible to modify data read from crontab or sshd. https://www.youtube.com/watch?v=5zixNDolLrg",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1053",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#3182bd",
|
|
"comment": "Possible to modify data read from crontab or sshd. https://www.youtube.com/watch?v=5zixNDolLrg",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1072",
|
|
"tactic": "execution",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1072",
|
|
"tactic": "lateral-movement",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1195",
|
|
"tactic": "initial-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1199",
|
|
"tactic": "initial-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1204",
|
|
"tactic": "execution",
|
|
"color": "#e6d60d",
|
|
"comment": "We may rely on the user to start certain actions so that we can uprobe some function or kprobe syscalls",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "persistence",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "initial-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1548",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#3182bd",
|
|
"comment": "on sudo, we can fake a user having privileges",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1548",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "on sudo, we can fake a user having privileges",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1087",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "we can read user memory when opening the /etc/passwd file",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1557",
|
|
"tactic": "credential-access",
|
|
"color": "#3182bd",
|
|
"comment": "Complete control over the network stack.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1557",
|
|
"tactic": "collection",
|
|
"color": "#3182bd",
|
|
"comment": "Complete control over the network stack.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1217",
|
|
"tactic": "discovery",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1110",
|
|
"tactic": "credential-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1555",
|
|
"tactic": "credential-access",
|
|
"color": "#e6d60d",
|
|
"comment": "Not stealing them, but hooking the user functions in charge of doing that and changing it by another fake additional user",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1140",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e6550d",
|
|
"comment": "Difficult to say. Don't think it should be our focus either",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1611",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1480",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "When dealing with hooked functions and syscalls we should always check that the process we are hooking is the one we want, or otherwise we might break things (and be noisy about it)",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1212",
|
|
"tactic": "credential-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1211",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1068",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e6d60d",
|
|
"comment": "https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490\nBut this shouldn't be our main focus",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1210",
|
|
"tactic": "lateral-movement",
|
|
"color": "#e6d60d",
|
|
"comment": "technically possible if we can first scan a host for a given vuln by sending packets crafted for that and then simulate a connection sending the payload. As seen in defcon this requires an external client which sends packets so that we can modify them (we cannot just craft them with ebpf)",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1083",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1222",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e6d60d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1606",
|
|
"tactic": "credential-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1564",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "We can hide a directory with the binaries we want via hooking getdents64\nhttps://embracethered.com/blog/posts/2021/offensive-bpf-libbpf-bpf_probe_write_user/",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1574",
|
|
"tactic": "persistence",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1574",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1574",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1562",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "We can study a specific defense (eg in the defcon rootkit they used a RASP) and see if we can reproduce that somehow",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1070",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "We must fake the kernel buffer when someone reads it so that the warning messages shown during the bpf helper of writing to user space are not shown. ",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1056",
|
|
"tactic": "collection",
|
|
"color": "#3182bd",
|
|
"comment": "I know there's a way to do it with lkm rootkits. Also ebpf https://www.youtube.com/watch?v=q6Q8VfIyUgU",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1056",
|
|
"tactic": "credential-access",
|
|
"color": "#3182bd",
|
|
"comment": "I know there's a way to do it with lkm rootkits. Also ebpf https://www.youtube.com/watch?v=q6Q8VfIyUgU",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1534",
|
|
"tactic": "lateral-movement",
|
|
"color": "#e60d0d",
|
|
"comment": "not really something we should focus on",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1570",
|
|
"tactic": "lateral-movement",
|
|
"color": "#e6d60d",
|
|
"comment": "We can try this if we find some host in the network with an open known service ",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1036",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "although the techniques specified for this one on the webpage require research",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1556",
|
|
"tactic": "credential-access",
|
|
"color": "#e6d60d",
|
|
"comment": "we can hook some function of the process via uprobes and modify user space in a favourable way, but requires some research.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1556",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e6d60d",
|
|
"comment": "we can hook some function of the process via uprobes and modify user space in a favourable way, but requires some research.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1556",
|
|
"tactic": "persistence",
|
|
"color": "#e6d60d",
|
|
"comment": "we can hook some function of the process via uprobes and modify user space in a favourable way, but requires some research.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1046",
|
|
"tactic": "discovery",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1135",
|
|
"tactic": "discovery",
|
|
"color": "#e6d60d",
|
|
"comment": "the majority of discovery is just hooking open calls and seeing what is going on in the system",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1040",
|
|
"tactic": "credential-access",
|
|
"color": "#3182bd",
|
|
"comment": "At least for a given host we can, but we might not be able to set promiscuous mode",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1040",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "At least for a given host we can, but we might not be able to set promiscuous mode",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1003",
|
|
"tactic": "credential-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1027",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e60d0d",
|
|
"comment": "at least not just with ebpf; if we use a userspace program additionally then we could",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1201",
|
|
"tactic": "discovery",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1069",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1542",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e60d0d",
|
|
"comment": "requires additional non ebpf program",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1542",
|
|
"tactic": "persistence",
|
|
"color": "#e60d0d",
|
|
"comment": "requires additional non ebpf program",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1057",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1055",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1055",
|
|
"tactic": "privilege-escalation",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1620",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1563",
|
|
"tactic": "lateral-movement",
|
|
"color": "#3182bd",
|
|
"comment": "This is very interesting. If we have a running telnet connection for example, we may be able to modify the sent contents ",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1018",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "Passive scanning as seen in defcon, or research some other way",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1014",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1505",
|
|
"tactic": "persistence",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1518",
|
|
"tactic": "discovery",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1539",
|
|
"tactic": "credential-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1558",
|
|
"tactic": "credential-access",
|
|
"color": "#e6550d",
|
|
"comment": "looks possible but needs research",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1553",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1082",
|
|
"tactic": "discovery",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1614",
|
|
"tactic": "discovery",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1016",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "we can control the network stack and infer data from there",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1049",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1033",
|
|
"tactic": "discovery",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1205",
|
|
"tactic": "defense-evasion",
|
|
"color": "#3182bd",
|
|
"comment": "The rootkit can filter packets and check if a specific magic string has been received, to which we react. We need to build a remote client for communication. C&C",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1205",
|
|
"tactic": "persistence",
|
|
"color": "#3182bd",
|
|
"comment": "The rootkit can filter packets and check if a specific magic string has been received, to which we react. We need to build a remote client for communication. C&C",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1205",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "The rootkit can filter packets and check if a specific magic string has been received, to which we react. We need to build a remote client for communication. C&C",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1111",
|
|
"tactic": "credential-access",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1552",
|
|
"tactic": "credential-access",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1497",
|
|
"tactic": "defense-evasion",
|
|
"color": "#e6d60d",
|
|
"comment": "Escaping the eBPF virtual machine and going to the kernel: CVE-2021-3490, CVE-2021-3489",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1497",
|
|
"tactic": "discovery",
|
|
"color": "#e6d60d",
|
|
"comment": "Escaping the eBPF virtual machine and going to the kernel: CVE-2021-3490, CVE-2021-3489",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1071",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "Hiding payload in tcp/ip sections... Idea: build a PoC of a http server and client where our client is the rootkit client and we exfiltrate data within the protocol.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1560",
|
|
"tactic": "collection",
|
|
"color": "#3182bd",
|
|
"comment": "Possible to send encrypted packets, but the host should not process them anyway if we are in a higher layer.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1123",
|
|
"tactic": "collection",
|
|
"color": "#e6550d",
|
|
"comment": "Might be possible, but high effort low reward, easier to do in userspace",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1119",
|
|
"tactic": "collection",
|
|
"color": "#3182bd",
|
|
"comment": "We should define a set of target processes to scan and probe its calls for info.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1115",
|
|
"tactic": "collection",
|
|
"color": "#e6550d",
|
|
"comment": "clipboard data comes from X and not the kernel",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1092",
|
|
"tactic": "command-and-control",
|
|
"color": "#e6d60d",
|
|
"comment": "Rubber ducky which launches an unprivileged ebpf program (?). Need to research how much it can do",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1132",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1001",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1074",
|
|
"tactic": "collection",
|
|
"color": "#e60d0d",
|
|
"comment": "Don't think it's needed and also not convenient; we must take advantage of packets being sent since we can't send ours.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1213",
|
|
"tactic": "collection",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1005",
|
|
"tactic": "collection",
|
|
"color": "#e6d60d",
|
|
"comment": "We may not be able to search arbitrary files only from ebpf, it may require a process accessing it.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1039",
|
|
"tactic": "collection",
|
|
"color": "#e6d60d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1025",
|
|
"tactic": "collection",
|
|
"color": "#e6d60d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1568",
|
|
"tactic": "command-and-control",
|
|
"color": "#e60d0d",
|
|
"comment": "Ebpf cannot send packets by itself so the client always initiates the connection, no dynamic resolution",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1114",
|
|
"tactic": "collection",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1573",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "But in this case our target would be hiding from network-wide protections, instead of the host, which cannot see anything",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1021",
|
|
"tactic": "lateral-movement",
|
|
"color": "#e6d60d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1113",
|
|
"tactic": "collection",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1080",
|
|
"tactic": "lateral-movement",
|
|
"color": "#e6550d",
|
|
"comment": "Requires a separate line of research, but it is interesting",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1531",
|
|
"tactic": "impact",
|
|
"color": "#3182bd",
|
|
"comment": "Maybe no writing to a protected file but rather faking read calls from it",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1020",
|
|
"tactic": "exfiltration",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1485",
|
|
"tactic": "impact",
|
|
"color": "#3182bd",
|
|
"comment": "not convenient for a rootkit which should be hidden",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1486",
|
|
"tactic": "impact",
|
|
"color": "#e6d60d",
|
|
"comment": "probably requires userspace helper",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1565",
|
|
"tactic": "impact",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1030",
|
|
"tactic": "exfiltration",
|
|
"color": "#3182bd",
|
|
"comment": "Using tcp packet resending, as in the con video",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1491",
|
|
"tactic": "impact",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1561",
|
|
"tactic": "impact",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1499",
|
|
"tactic": "impact",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1048",
|
|
"tactic": "exfiltration",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1041",
|
|
"tactic": "exfiltration",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1011",
|
|
"tactic": "exfiltration",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1052",
|
|
"tactic": "exfiltration",
|
|
"color": "#3182bd",
|
|
"comment": "Possible to write into removable media",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1567",
|
|
"tactic": "exfiltration",
|
|
"color": "#e6d60d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1008",
|
|
"tactic": "command-and-control",
|
|
"color": "#e6d60d",
|
|
"comment": "difficult to do given that we cannot start a new connection. But we may hijack an existing one and reroute it where we want, ex: telnet",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1495",
|
|
"tactic": "impact",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1105",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1490",
|
|
"tactic": "impact",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1104",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "Possible to do but benefits are limited since the host would not see the rootkit client IP in any case",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1498",
|
|
"tactic": "impact",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1095",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "Communicating via ICMP.",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1571",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1572",
|
|
"tactic": "command-and-control",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1090",
|
|
"tactic": "command-and-control",
|
|
"color": "#3182bd",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1219",
|
|
"tactic": "command-and-control",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1496",
|
|
"tactic": "impact",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1029",
|
|
"tactic": "exfiltration",
|
|
"color": "#3182bd",
|
|
"comment": "But a priori we depend on when our rootkit client sends us packets to respond to, and also on the internal host traffic",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1489",
|
|
"tactic": "impact",
|
|
"color": "#e6550d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1529",
|
|
"tactic": "impact",
|
|
"color": "#e60d0d",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
},
|
|
{
|
|
"techniqueID": "T1102",
|
|
"tactic": "command-and-control",
|
|
"color": "#e6550d",
|
|
"comment": "might be possible to hook some call and write on a file there, needs research. We might make a process read a php reverse shell from a file of the webpage, for instance",
|
|
"enabled": true,
|
|
"metadata": [],
|
|
"showSubtechniques": false
|
|
}
|
|
],
|
|
"gradient": {
|
|
"colors": [
|
|
"#ff6666",
|
|
"#ffe766",
|
|
"#8ec843"
|
|
],
|
|
"minValue": 0,
|
|
"maxValue": 100
|
|
},
|
|
"legendItems": [
|
|
{
|
|
"color": "#e60d0d",
|
|
"label": "Not applicable"
|
|
},
|
|
{
|
|
"color": "#e6550d",
|
|
"label": "Needs research / don't know if applicable"
|
|
},
|
|
{
|
|
"color": "#e6d60d",
|
|
"label": "Applicable / some hints on how to do it"
|
|
},
|
|
{
|
|
"color": "#00ffff",
|
|
"label": "Applicable and very interesting to do it"
|
|
}
|
|
],
|
|
"metadata": [],
|
|
"showTacticRowBackground": false,
|
|
"tacticRowBackground": "#dddddd",
|
|
"selectTechniquesAcrossTactics": true,
|
|
"selectSubtechniquesWithParent": false
|
|
} |