Skip to content

Instantly share code, notes, and snippets.

@invictus-ir
invictus-ir / CloudTrail.csv
Last active October 23, 2024 18:21
An overview of CloudTrail events that are interesting from an Incident Response perspective
We can make this file beautiful and searchable if this error is corrected: It looks like row 8 should actually have 10 columns, instead of 9 in line 7.
"Initial Access","Execution","Persistence","Privilege Escalation","Defense Evasion","Credential Access","Discovery","Lateral Movement","Exfiltration","Impact"
ConsoleLogin,StartInstance,CreateAccessKey,CreateGroup,StopLogging,GetSecretValue,ListUsers,AssumeRole,CreateSnapShot,PutBucketVersioning
PasswordRecoveryRequested,StartInstances,CreateUser,CreateRole,DeleteTrail,GetPasswordData,ListRoles,SwitchRole,ModifySnapshotAttributes ,RunInstances
,Invoke,CreateNetworkAclEntry,UpdateAccessKey,UpdateTrail,RequestCertificate,ListIdentities,,ModifyImageAttribute,DeleteAccountPublicAccessBlock
,SendCommand,CreateRoute,PutGroupPolicy,PutEventSelectors,UpdateAssumeRolePolicy,ListAccessKeys,,SharedSnapshotCopyInitiated,
,,CreateLoginProfile,PutRolePolicy,DeleteFlowLogs,,ListServiceQuotas,,SharedSnapshotVolumeCreated,
,,AuthorizeSecurityGroupEgress,PutUserPolicy,DeleteDetector,,ListInstanceProfiles,,ModifyDBSnapshotAttribute,
,,AuthorizeSecurityGroupIngress,AddRoleToInstanceProfile,DeleteMembers,,ListBuckets,,PutBucketP
@invictus-ir
invictus-ir / Royal_TTPs.csv
Last active December 16, 2022 14:53
Royal ransomware TTPs
Tactic Technique Procedure
Initial Access (TA0001) Phishing: Spearphishing Attachment A spearphishing email was sent to employees
Execution (TA0002) Command and Scripting Interpreter: Windows Command Shell Qbot was launched through the Windows Command Shell with cmd.exe.
Execution (TA0001) Command and Scripting Interpreter: PowerShell Cobalt Strike was executed through encoded PowerShell commands.
Persistence (TA0003) Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Qbot DLL was added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Persistence (TA0003) Create or Modify System Process: Windows Service Cobalt Strike was installed as a Windows service on multiple systems.
Privilege Escalation (TA0004) Domain Accounts Royal ransomware operators used (privileged) domain accounts for lateral movement
Privilege Escalation (TA0004) Abuse Elevation Control Mechanism: Bypass User Account Control Royal ransomware operations executed a known UAC bypass that abuses a default sche
Technique File Location Note
T1543.001 /System/Library/LaunchAgents Apple-supplied agents that apply to all users on a per-user basis
/Library/LaunchAgents Third-party agents that apply to all users on a per-user basis
~/Library/LaunchAgents Third-party agents that apply only to the logged-in user
T1543.004 /System/Library/LaunchDaemons Apple-supplied system daemons
/Library/LaunchDaemons Third-party system daemons
T1546.014 /private/var/db/emondClients
/private/etc/emon.d/rules
T1546.004 /etc/zshenv File can also exist in user home directory
/etc/zprofile File can also exist in user home directory
tell application "Google Chrome"
get title of first window
end tell
Part Link Mitre Phase
Part 1 https://invictus-ir.medium.com/responding-to-macos-attacks-33f32332e0c Initial Access & Execution
Part 2 https://invictus-ir.medium.com/responding-to-macos-attacks-part-ii-8a23179cbc3d Persistence
Part 3(todo) https://medium.com Defense Evasion & Credential Access
Part 4(todo) https://medium.com Discovery Lateral Movement & Collection
Part 5(todo) https://medium.com Famous MacOS Malware Samples