BankSecurity/Red_Team

Red_Team

Some scripts useful for red team activities

Covered MITRE ATT&CK Tactics & Techniques (https://attack.mitre.org/):

Initial Access:

T1192 - Spearphishing Link - https://attack.mitre.org/techniques/T1192/

T1193 - Spearphishing Attachment - https://attack.mitre.org/techniques/T1193/

Execution:

T1047 - Windows Management Instrumentation - https://attack.mitre.org/techniques/T1047/

T1059 - Command-Line Interface - https://attack.mitre.org/techniques/T1059/

T1061 - Graphical User Interface - https://attack.mitre.org/techniques/T1061/

T1064 - Scripting - https://attack.mitre.org/techniques/T1064/

T1085 - Rundll32 - https://attack.mitre.org/techniques/T1085/

T1086 - PowerShell - https://attack.mitre.org/techniques/T1086/

T1127 - Trusted Developer Utilities - https://attack.mitre.org/techniques/T1127/

T1170 - Mshta (TBD) - https://attack.mitre.org/techniques/T1170/

Persistence:

T1060 - Registry Run Keys / Startup Folder - https://attack.mitre.org/techniques/T1060/

Defense Evasion:

T1027 - Obfuscated Files or Information - https://attack.mitre.org/techniques/T1027/

T1107 - File Deletion - https://attack.mitre.org/techniques/T1107/

T1140 - Deobfuscate/Decode Files or Information - https://attack.mitre.org/techniques/T1140/

T1143 - Hidden Window - https://attack.mitre.org/techniques/T1143/

Credential Access:

T1003 - Credential Dumping - https://attack.mitre.org/techniques/T1003/

T1081 - Credentials in Files - https://attack.mitre.org/techniques/T1081/

T1214 - Credentials in Registry (TBD) - https://attack.mitre.org/techniques/T1214/

T1503 - Credentials from Web Browsers - https://attack.mitre.org/techniques/T1503/

Discovery:

T1007 - System Service Discovery - https://attack.mitre.org/techniques/T1007/

T1010 - Application Window Discovery - https://attack.mitre.org/techniques/T1010/

T1016 - System Network Configuration Discovery - https://attack.mitre.org/techniques/T1016/

T1018 - Remote System Discovery - https://attack.mitre.org/techniques/T1018/

T1033 - System Owner/User Discovery - https://attack.mitre.org/techniques/T1033/

T1049 - System Network Connections Discovery - https://attack.mitre.org/techniques/T1049/

T1057 - Process Discovery - https://attack.mitre.org/techniques/T1057/

T1063 - Security Software Discovery - https://attack.mitre.org/techniques/T1063/

T1069 - Permission Groups Discovery - https://attack.mitre.org/techniques/T1069/

T1082 - System Information Discovery - https://attack.mitre.org/techniques/T1082/

T1083 - File and Directory Discovery - https://attack.mitre.org/techniques/T1083/

T1087 - Account Discovery - https://attack.mitre.org/techniques/T1087/

T1135 - Network Share Discovery - https://attack.mitre.org/techniques/T1135/

T1217 - Browser Bookmark Discovery - https://attack.mitre.org/techniques/T1217/

T1201 - Password Policy Discovery - https://attack.mitre.org/techniques/T1201/

T1518 - Software Discovery - https://attack.mitre.org/techniques/T1518/

Collection:

T1005 - Data from Local System - https://attack.mitre.org/techniques/T1005/

T1056 - Input Capture - https://attack.mitre.org/techniques/T1056/

T1074 - Data Staged - https://attack.mitre.org/techniques/T1074/

T1113 - Screen Capture - https://attack.mitre.org/techniques/T1113/

T1119 - Automated Collection - https://attack.mitre.org/techniques/T1119/

T1123 - Audio Capture - https://attack.mitre.org/techniques/T1123/

T1125 - Video Capture (TBD) - https://attack.mitre.org/techniques/T1125/

Command and Control & Exfiltration:

T1020 - Automated Exfiltration - https://attack.mitre.org/techniques/T1020/

T1043 - Commonly Used Port - https://attack.mitre.org/techniques/T1043/

T1537 - Transfer Data to Cloud Account - https://attack.mitre.org/techniques/T1537/