Skip to content

kurogai/100-mitre-attack-projects

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 

Repository files navigation

100 MITRE ATT&CK Programming Projects for RedTeamers

This repo organizes a full list of redteam projects to help everyone into this field gain knownledge and skills in programming aimed to offensive security exercices.

I recommend you to do them on the programming language you are most comfortable with. Implementing these projects will definitely help you gain more experience and, consequently, master the language. They are divided in categories, ranging from super basic to advanced projects.

If you enjoy this list please take the time to recommend it to a friend and follow me! I will be happy with that :) 🇦🇴.

And remember: With great power comes... (we already know).

Parent Project: 100 RedTeam Projects

Contributions

You can make a pull request for the "Projects" directory and name the file in compliance with the following convention:
[ID] PROJECT_NAME - <LANGUAGE> | AUTHOR

Example:

[91] Web Exploitation Framework - <C> | EONRaider

Consider to insert your notes during the development of any of those projects, to help others understand what dificultes might appear during the development. After your commit as been approved, share to your social medias and make a reference of your work so others can learn, help and use as reference.

Reconnaissance

Description

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.
ID Title Reference Example
1 Active Network and Fingerprint Scanner Link
2 Social media profiling and data gathering script Link
3 Dork based OSINT tool Link
4 Website vulnerability scanner Link
5 WHOIS Link
6 DNS subdomain enumeration Link
7 Spearphishing Service Link
8 Victim Link
9 DNS enumeration and reconnaissance tool Link
Notable Projects
  • Project A by X

Resource Development

Description

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.
ID Title Reference Example
10 Dynamic Website Phishing Tool Link
11 Eamil based phishing spread Link
12 Malware sample creation and analysis Link
13 Replicate a public exploit and use to create a backdoor Link
14 Crafting malicious documents for social engineering attacks Link
15 Wordpress C2 Infrastructure Link
Notable Projects
  • Project A by X

Initial Access

Description

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.
ID Title Reference Example
16 Exploiting a vulnerable web application Link
17 Password spraying attack against Active Directory Link
18 Email spear-phishing campaign Link
19 Exploiting misconfigured network services Link
20 USB device-based attack vector development Link
21 Spearphishing Link Link
Notable Projects
  • Project A by X

Execution

Description

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
ID Title Reference Example
22 Remote code execution exploit development Link
23 Creating a backdoor using shellcode Link
24 Building a command-line remote administration tool Link
25 Malicious macro development for document-based attacks Link
26 Remote code execution via memory corruption vulnerability Link
27 Command Line Interpreter for C2 Link
28 Cron based execution Link
Notable Projects
  • Project A by X

Persistence

Description

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
ID Title Reference Example
29 Developing a rootkit for Windows Link
30 Implementing a hidden service in a web server Link
31 Backdooring a legitimate executable Link
32 Creating a scheduled task for persistent access Link
33 Developing a kernel-level rootkit for Linux Link
34 LSASS Driver Link
35 Shortcut modification Link
Notable Projects
  • Project A by X

Privilege Escalation

Description

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
  • SYSTEM/root level
  • local administrator
  • user account with admin-like access
  • user accounts with access to specific system or perform specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.


ID Title Reference Example
36 Exploiting a local privilege escalation vulnerability Link
37 Password cracking using GPU acceleration Link
38 Windows token manipulation for privilege escalation Link
39 Abusing insecure service configurations Link
40 Exploiting misconfigured sudoers file in Linux Link
41 Bypass UAC Link
42 Startup Itens Link
Notable Projects
  • Project A by X

Defense Evasion

Description

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
ID Title Reference Example
43 Developing an anti-virus evasion technique Link
44 Bypassing application whitelisting controls Link
45 Building a fileless malware variant Link
46 Detecting and disabling security products Link
47 Evading network-based intrusion detection systems Link
48 Parent PID spoofing Link
49 Disable Windows Event Logging Link
50 HTML Smuggling Link
51 DLL Injection Link
52 Pass The Hash Link
Notable Projects
  • Project A by X

Credential Access

Descrition

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
ID Title Reference Example
53 Password brute-forcing tool Link
54 Developing a keylogger for capturing credentials Link
55 Creating a phishing page to harvest login credentials Link
56 Exploiting password reuse across different systems Link
57 Implementing a pass-the-hash attack technique Link
58 OS Credential dumping (/etc/passwd and /etc/shadow) Link
Notable Projects
  • Project A by X

Discovery

Description

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
ID Title Reference Example
59 Network service enumeration tool Link
60 Active Directory enumeration script Link
61 Automated OS and software version detection Link
62 File and directory enumeration on a target system Link
63 Extracting sensitive information from memory dumps Link
64 Virtualization/Sandbox detection Link
Notable Projects
  • Project A by X

Lateral Movement

Description

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
ID Title Reference Example
65 Developing a remote desktop protocol (RDP) brute-forcer Link
66 Creating a malicious PowerShell script for lateral movement Link
67 Implementing a pass-the-ticket attack technique Link
68 Exploiting trust relationships between domains Link
69 Developing a tool for lateral movement through SMB Link
Notable Projects
  • Project A by X

Collection

Description

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
ID Title Reference Example
70 Keylogging and screen capturing tool Link
71 Developing a network packet sniffer Link
72 Implementing a clipboard data stealer Link
73 Building a tool for extracting browser history Link
74 Creating a memory scraper for credit card information Link
Notable Projects
  • Project A by X

Command and Control

Description

Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
ID Title Reference Example
75 Building a custom command and control (C2) server Link
76 Developing a DNS-based covert channel for C2 communication Link
77 Implementing a reverse shell payload for C2 Link
78 Creating a botnet for command and control purposes Link
79 Developing a convert communication channel using social media platforms Link
80 C2 with multi-stage channels Link
Notable Projects
  • Project A by X

Exfiltration

Description

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
ID Title Reference Example
82 Building a file transfer tool using various protocols (HTTP, FTP, etc.) Link
83 Developing a steganography tool for hiding data within images Link
84 Implementing a DNS tunneling technique for data exfiltration Link
85 Creating a convert channel for exfiltrating data through email Link
86 Building a custom exfiltration tool using ICMP or DNS Link
87 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Link
Notable Projects
  • Project A by X

Impact

Description

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.
ID Title Reference Example
88 Developing a ransomware variant Link
89 Building a destructive wiper malware Link
90 Creating a denial-of-service (DoS) attack tool Link
91 Implementing a privilege-escalation-based destructive attack Link
92 Internal defacement Link
93 Account Access Manipulation or Removal Link
94 Data encryption Link
95 Resource Hijack Link
96 DNS Traffic Analysis for Malicious Activity Detection Link
97 Endpoint Detection and Response (EDR) for Ransomware Link
99 Network Segmentation for Critical Systems Link
99 Memory Protection Mechanisms Implementation Link
100 SCADA Security Assessment and Improvement Link
Notable Projects
  • Project A by X

Guidelines

  • If you need to test webtools, use any public vulnerable app like DVWA or DVAA
  • All critical tools should be able to rollback the actions (like ransomwares)
  • Make a checklist of features of any tool you developed and the resources you used to make it

Disclaimer

All of those projects should be used inside controled enviorements, do not attemp to use any of those projects to hack, steal, destroy, evade, or any other illegal activities.

Want to support my work?

Buy Me A Coffee

Find me

Linkedin

About

Projects for security students and professionals

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published