📓
Red Team Notes 2.0
  • Introduction
  • Red Team
  • Red Team Techniques
    • Initial Access
      • T1659: Content Injection
      • T1190: Exploit Public-Facing Applications
        • Rejetto HTTP File Server (HFS) 2.3
      • T1133: External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1566: Phishing
        • Phishing: Spearphishing via Service
        • Phishing: Spearphishing Link
          • Links: Social Engineering Toolkit
          • Links: Binaries
          • Links: HTA Files
        • Phishing: Spearphishing Attachment
          • Attachments: LNK Files
          • Attachments: SCR Files
          • Attachments: Dynamic Data Exchange
          • Attachments: Macros
          • Attachments: Macros - Linux
          • Attachments: Scripting Files
          • Attachments: Desktop Files
      • T1195: Supply Chain Compromise
        • Compromise Hardware Supply Chain
        • Compromise Software Supply Chain
        • Compromise Software Dependencies and Development Tools
      • T1078: Valid Accounts
        • Local Accounts
        • Domain Accounts
        • Default Accounts
      • T1199: Trusted Relationship
    • Execution
      • T1047:Windows Management Instrumentation
      • T1204: User Execution
        • Malicious File
        • Malicious Link
      • T1569: Service Execution
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
      • T1106: Native API
      • T1559: Inter-Process Communication
        • Dynamic Data Exchange
        • Component Object Model
      • T1203: Exploitation for Client Execution
        • Common Third-Party Applications
        • Office Applications
      • T1059: Command and Scripting Interpreter
        • Network Device CLI
        • JavaScript/JScript
        • Python
        • Visual Basic
        • Unix Shell
        • Windows Command Shell
        • PowerShell
        • AutoHotKey & AutoIT
        • Deploy Container
        • Native API - Linux
    • Persistence
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
        • Dynamic Linker Hijacking
      • T1133:External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1546:Event Triggered Execution
        • Component Object Model Hijacking
        • PowerShell Profile
        • Application Shimming
        • Accessibility Features
        • Netsh Helper DLL
        • Screensaver
        • Default File Association
        • Unix Shell Configuration Modification
        • Trap
        • Installer Packages
      • T1543:Create or Modify System Process
        • Windows Services
        • Systemd Service
      • T1136: Create Account
        • Domain Account
        • Local Account
      • T1554:Compromise Client Software Binary
      • T1547:Boot or Logon AutoStart Execution
        • Shortcut Modification
        • Winlogon Helper DLL
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1037: Boot or Logon Initialization Scripts
        • RC Scripts
      • T1197: BITS Jobs
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
        • Cron
        • Systemd Timers
      • T1098: Account Manipulation
        • SSH Authorized Keys
      • T1556: Modify Authentication Process
        • Pluggable Authentication Modules
      • T1653: Power Settingss
      • T1505: Server Software Component
        • WebShell
    • Privilege Escalation
      • T1546:Event Triggered Execution
        • PowerShell Profile
        • Component Object Model Hijacking
        • Application Shimming
        • Accessibility Features
        • Screensaver
        • Default File Association
      • T1612: Build Image on Host
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1543:Create or Modify System Process
        • Windows Services
      • T1547:Boot or Logon AutoStart Execution
        • Winlogon Helper DLL
        • Shortcut Modification
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
        • Setuid and Setgid
        • Sudo and Sudo Caching
      • T1611: Escape to Host
    • Defense Evasion
      • T1497: Virtualization/Sandbox Evasion
        • Time Based Evasion
        • User Activity Based Checks
        • System Checks
      • T1550: Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
      • T1127: Trusted Developer Utilities Proxy Execution
        • MSBuild
      • T1221: Template Injection
      • T1553: Subvert Trust Controls
        • SIP and Trust Provider Hijacking
        • Code Signing
      • T1216: Signed Script Proxy Execution
      • T1218: Signed Binary Proxy Execution
        • Compiled HTML File
        • Control Panel
        • CMSTP
        • InstallUtil
        • MSHTA
        • MSIEXEC
        • ODBCCONF
        • Regsvcs/Regasm
        • Regsvr32
        • Rundll32
        • Verclsid
      • T1055: Process Injection
        • Dynamic-Link Library Injection
        • Portable Execution Injection
        • Thread Execution Hijacking
        • Asynchronous Procedure Call
        • Thread Local Storage
        • Extra Window Memory Injection
        • Process Hollowing
        • Process Doppelganging
      • T0127: Obfuscated Files or Information
        • Binary Padding
        • Software Packing
        • Steganography
        • Compile After Delivery
        • Indicator Removal from Tools
      • T1036: Masquerading
        • Invalid Code Signature
        • Right-to-Left-Override
        • Rename System Utilities
        • Masquerade Task or Service
        • Match Legitimate Name or location
      • T1202: Indirect Command Execution
      • T1562: Impair Defenses
        • Disable or Modify Tools
        • Disable Windows Event Logging
        • Impair Command History Logging
        • Disable or Modify System Firewall
        • Disable or Modify Linux Audit System
        • Indicator Blocking
      • T1070: Indicator Removal on Host
        • Clear Windows Event Logs
        • Clear Command History
        • File Deletion
        • Network Share Connection Removal
        • TimeStomping
      • T1574: Hijack Execution Flow
        • Path Interception by Unquoted Path
        • Service File permissions Weakness
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1564: Hide Artifacts
        • VBA Stomping
        • Run Virtual Instance
        • NTFS File Attributes
        • Hidden Window
        • Hidden File System
        • Hidden Users
        • Ignore Process Interrupts
        • File/Path Exclusions
        • Hidden Files and Directories
      • T1222: File Directory Permissions Modification
        • Linux and Mac File and Directory Permissions Modification
        • Windows File and Directory Permissions Modification
      • T1480: Execution Guardrails
        • Environmental Keying Linux
        • Environmental Keying
      • T1197: BITS Jobs
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
      • De-obfuscate/Decode Files or Information
    • Credential Access
      • T1552: Unsecured Credentials
        • Group Policy Preferences
        • Private Keys
        • Credentials in Registry
        • Credentials in Files
      • T1558: Steal or Forge Kerberos Tickets
        • AS-REP Roasting
        • Kerberoasting
        • Silver Ticket
        • Golden Ticket
      • T1003: OS Credential Dumping
        • DCSync
        • Cached Domain Credentials
        • LSA Secrets
        • NTDS
        • Security Account Manager
        • LSASS Memory
      • T1040: Network Sniffing
      • T1556: Modify Authentication Process
        • Password Filter DLL
        • Domain Controller Authentication
      • T1557: Man-in-the-Middle
        • Arp Cache Poisoning
        • LLMNR/NBT-NS Poisoning and SMB Relay
      • T1056: Input Capture
        • Web Portal Capture
        • GUI Input Capture
        • Keylogging
      • T1187: Forced Authentication
      • T1555: Credentials from Password Stores
        • Credentials from Web Browsers
      • T1110: Brute Force
        • Credential Stuffing
        • Password Spraying
        • Password Cracking
        • Password Guessing
    • Discovery
      • T1124: System Time Discovery
      • T1007: System Service Disvcovery
      • T1033: System Owner/User Directory
      • T1049: System Network Connections Discovery
      • T1016: System Network Configuration Discovery
      • T1082: System Information Discovery
      • T1518: Software Discovery
        • Security Software Discovery
      • T1018: Remote System Discovery
      • T1012: Query Registry
      • T1057: Process Discovery
      • T1069: Permissions Groups Discovery
        • Local Groups
        • Domain Groups
      • T1120: Peripheral Device Discovery
      • T1201: Password Policy Discovery
      • T1040: Network Sniffing
      • T1135: Network Share Discovery
      • T1046: Network Servie Scanning
      • T1083: File and Directory Discovery
      • T1486: Domain Trust Discovery
      • T1217: Browser Bookmark Discovery
      • T1010: Application Window Discovery
      • T1087: Account Discovery
        • Domain Account
        • Local Account
    • Lateral Movement
      • T1080: Taint Shared Content
      • T1072: Software Deployment Tools
      • T1021: Remote Services
        • Windows Remote Management
        • VNC
        • Distributed Component Object Model
        • SMB/Windows Admin Shares
        • Remote Desktop Protocol
      • T1563: Remote Service Session Hijacking
        • RDP Hijacking
      • T1570: Lateral Tool Transfer
      • T1534: Internal Spearphishing
      • T1210: Exploitation of Remote Services
      • T1550 Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
  • Active Directory
    • Active Directory
      • Lightweight Directory Access Protocol
      • Kerberos
      • Forest, Tress and Domains
    • Active Directory Attacks
      • Kerberoasting
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Golden Tickets
      • Silver Tickets
      • Skeleton Keys
      • Active Directory Certificate Services
      • NTLMRelay
      • AS-REP Roasting
  • Red Team Infrastructure
    • RED TEAM INFRASTRUCTURE
    • Domain Name and Categorization
    • Reconnaissance
      • Passive
      • Active
    • Weaponization
      • Macros
      • HTA
      • ZIP
      • ISO
    • Delivery
      • Gophish
      • EvilGinx
      • PwnDrop
  • Situational Awareness
    • Covenant and C#
    • Empire and PowerShell
  • Credential Dumping
    • Mimikatz
    • Lsass Dumping
    • SharpChromium
  • Persistence
    • Userland Persistence
    • Elevated Persistence
  • Defense Evasion
    • Disable or Modify Tools
    • Obfuscating Files
  • Privilege Escalation
    • PowerUp
    • PrivescCheck
  • Lateral Movement
    • RDP
    • PowerShell Remoting
  • Files
    • Red Team Guide
Powered by GitBook
On this page

Was this helpful?

  1. Red Team Techniques
  2. Initial Access
  3. T1566: Phishing
  4. Phishing: Spearphishing Attachment

Attachments: Scripting Files

PreviousAttachments: Macros - LinuxNextAttachments: Desktop Files

Last updated 6 months ago

Was this helpful?

Scripting files are used commonly in Linux distributions with the files doing things such as, setting up an Operating System to the Company policies, Automate Tasks, Development, Monitoring and Logging, Managing User Permissions and much more, a sample script on a SH Script file just running the calculator:

#!/bin/bash
 
# Print welcome message
echo "========================="
echo "Hello to my first script!!"
echo "========================="
# Launch GNOME Calculator
gnome-calculator

The previous script would Print out a message and then finally proceed into executing the calculator app, but we can also call a simple reverse shell, we can utilize pentestmonkey one-liners for this

Our Shell

As seen here, we gain a reverse shell connection back to our attacking host, but do realize this requires extra social engineering steps as Linux considers everything a file until you tell it that it's something else like a scripting language or an executable so the user needs to run a setup to this before executing.

Now in my testing I've noticed that if files come inside a container their execution feature isn't removed just as working with a Windows OS, take a notice in the image below an SH script that has execution properties from another Linux machine

Execution properties have been removed, these applies to files downloaded from browsers or using LOLBINs, but if the file is placed inside a container lets say a ZIP container the execution properties aren't removed