Repaired merge from PR 876 - RTA docs (#935)

Justin Ibarra
2021-02-04 08:34:54 -09:00
committed by GitHub
parent 4900c9a018
commit e2c860693c
26 changed files with 65 additions and 0 deletions
+2
View File
@@ -12,8 +12,10 @@ This repository was first announced on Elastic's blog post, [Elastic Security op
## Table of Contents
- [Overview of this repository](#overview-of-this-repository)
- [Getting started](#getting-started)
- [Red Team Automation](rta)
- [How to contribute](#how-to-contribute)
- [Licensing](#licensing)
- [Questions? Problems? Suggestions?](#questions-problems-suggestions)
## Overview of this repository
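Review bot: the new `- [Red Team Automation](rta)` entry is the only table-of-contents item that links to a path instead of an in-page anchor, so it reads inconsistently beside `#getting-started` and the other entries. If the intent is to send readers to the RTA README, link it explicitly as `rta/README.md`, or add a short `## Red Team Automation` section to this README and anchor to that like the other items.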
+25
View File
@@ -0,0 +1,25 @@
## Red Team Automation
[![Supported Python versions](https://img.shields.io/badge/python-3.7+-yellow.svg)](https://www.python.org/downloads/)
[![Chat](https://img.shields.io/badge/chat-%23security--detection--rules-blueviolet)](https://ela.st/slack)
The repo comes with some red team automation ([RTA](./)) python scripts that run on Windows, Mac OS, and \*nix.
RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.
```console
$ python -m rta -h
usage: rta [-h] ttp_name
positional arguments:
ttp_name
optional arguments:
-h, --help show this help message and exit
```
`ttp_name` can be found in the [rta](.) directory. For example to execute `./rta/wevtutil_log_clear.py` script, run command:
```console
$ python -m rta wevtutil_log_clear
```
Most of the RTA scripts contain a comment with the rule name, in `signal.rule.name`, that maps to the Kibana Detection Signals.
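Review bot: typo in the second sentence, `an easy way too verify` should be `an easy way to verify`; `Mac OS` is normally written `macOS`. The two links to the same directory use different relative forms, `[RTA](./)` and `[rta](.)`; pick one. The last sentence says the rule mapping lives in a `signal.rule.name` comment, but several headers in this PR use `Elastic detection:` or `Elastic Detection:` instead, so either normalise those headers or state here that both forms occur.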
+1
View File
@@ -5,6 +5,7 @@
# Name: Certutil Encode / Decode
# RTA: certutil_file_obfuscation.py
# ATT&CK: T1140
# signal.rule.name: Encoding or Decoding Files via CertUtil
# Description: Uses certutil to create an encoded copy of cmd.exe. Then uses certutil to decode that copy.
import os
+1
View File
@@ -5,6 +5,7 @@
# Name: Boot Config Deletion With bcdedit
# RTA: delete_bootconf.py
# ATT&CK: T1107
# signal.rule.name: Modification of Boot Configuration
# Description: Uses bcdedit.exe to backup the current boot configuration, and then to delete the current boot
# configuration, finally restoring the original.
+1
View File
@@ -5,6 +5,7 @@
# Name: USN Journal Deletion with fsutil.exe
# RTA: delete_usnjrnl.py
# ATT&CK: T1107
# signal.rule.name: Delete Volume USN Journal with Fsutil
# Description: Uses fsutil to delete the USN journal.
import time
+2
View File
@@ -4,6 +4,8 @@
# Name: Volume Shadow Copy Deletion with vssadmin and wmic
# RTA: delete_volume_shadow.py
# signal.rule.name: Volume Shadow Copy Deletion via VssAdmin
# ELastic Detection: Volume Shadow Copy Deletion via WMIC
# ATT&CK: T1107
# Description: Uses both vssadmin.exe and wmic.exe to delete volumne shadow copies.
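Review bot: the two added rule-name lines use different keys, `# signal.rule.name: Volume Shadow Copy Deletion via VssAdmin` and `# ELastic Detection: Volume Shadow Copy Deletion via WMIC`. The README added in this PR says the mapping is carried in `signal.rule.name`, so the second line should use that key as well (and `ELastic` has a stray capital). Separately, `volumne` in the description line is a typo for `volume`.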
+1
View File
@@ -5,6 +5,7 @@
# Name: Disable Windows Firewall
# RTA: disable_windows_fw.py
# ATT&CK: T1089
# signal.rule.name: Disable Windows Firewall Rules via Netsh
# Description: Uses netsh.exe to backup, disable and restore firewall rules.
import os
+2
View File
@@ -5,6 +5,8 @@
# Name: Network Traffic from InstallUtil
# RTA: installutil_network.py
# ATT&CK: T1118
# Elastic detection: InstallUtil Process Making Network Connections
# Elastic detection: Unusual Network Activity from a Windows System Binary
# Description: Uses mock .NET malware and InstallUtil to create network activity from InstallUtil.
import os
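Review bot: both added lines use `# Elastic detection:` rather than the `# signal.rule.name:` key used by the other headers in this PR and documented in the new README, so anything that greps for `signal.rule.name` to build a script-to-rule map will miss these two. Suggest `# signal.rule.name: InstallUtil Process Making Network Connections` and `# signal.rule.name: Unusual Network Activity from a Windows System Binary`.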
+3
View File
@@ -4,6 +4,9 @@
# Name: Lateral Movement Commands
# RTA: lateral_commands.py
# Elatic Detection: Local Service Commands
# signal.rule.name: Local Scheduled Task Commands
# signal.rule.name: Whoami Process Activity
# ATT&CK: T1021, T1047, T1077, T1124, T1126
# Description: Runs various Windows commands typically used by attackers to move laterally from the local machine.
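Review bot: `# Elatic Detection: Local Service Commands` misspells Elastic and uses a different key from the two `# signal.rule.name:` lines directly below it; make all three `# signal.rule.name:` so the header is consistent and machine-readable.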
+2
View File
@@ -5,6 +5,8 @@
# Name: MsBuild with Network Activity
# RTA: msbuild_network.py
# ATT&CK: T1127
# signal.rule.name: Microsoft Build Engine Started an Unusual Process
# signal.rule.name: Trusted Developer Application Usage
# Description: Generates network traffic from msbuild.exe
from . import common
+1
View File
@@ -5,6 +5,7 @@
# Name: Create User with net.exe
# RTA: net_user_add.py
# ATT&CK: T1136
# signal.rule.name: User Account Creation
# Description: Adds an account to the local host using the net.exe command
from . import common
+1
View File
@@ -4,6 +4,7 @@
# Name: PowerShell Launched from Script
# RTA: powershell_from_script.py
# signal.rule.name: Windows Script Executing PowerShell
# ATT&CK: T1064, T1192, T1193
# Description: Creates a javascript file that will launch powershell.
+1
View File
@@ -4,6 +4,7 @@
# Name: Windows Core Process Masquerade
# RTA: process_name_masquerade.py
# signal.rule.name: Unusual Parent-Child Relationship
# ATT&CK: T1036
# Description: Creates several processes which mimic core Windows process names but that are not those executables.
+2
View File
@@ -4,6 +4,8 @@
# Name: Registry persistence creation
# RTA: registry_persistence_create.py
# signal.rule.name: Local Service Commands
# signal.rule.name: Potential Modification of Accessibility Binaries
# ATT&CK: T1015, T1103
# Description: Creates registry persistence for mock malware in Run and RunOnce keys, Services, NetSH and debuggers.
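Review bot: the two added mappings, `Local Service Commands` and `Potential Modification of Accessibility Binaries`, do not obviously follow from the description (Run/RunOnce keys, Services, NetSH and debuggers), and the same pair is added to several unrelated scripts in this PR, which suggests a copy-paste. Please confirm these are the rules that actually fire when the script runs and drop any that do not; if the debugger portion is what triggers the accessibility-binaries rule, a short comment saying so would help the next reader.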
+1
View File
@@ -4,6 +4,7 @@
# Name: Enable RDP Through Registry
# RTA: registry_rdp_enable.py
# signal.rule.name: Potential Modification of Accessibility Binaries
# ATT&CK: T1076
# Description: Identifies registry write modification to enable RDP access.
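Review bot: the added `# signal.rule.name: Potential Modification of Accessibility Binaries` does not match a script whose purpose is enabling RDP through the registry, and it is the same rule name added to several unrelated headers in this PR; confirm which rule this registry write actually triggers. Also, `Identifies registry write modification to enable RDP access` reads like a detection rule's description rather than what the RTA does; describe the emulation (for example, that the script modifies the registry to enable RDP).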
+2
View File
@@ -4,6 +4,8 @@
# Name: RunDll32 with .inf Callback
# RTA: rundll32_inf_callback.py
# signal.rule.name: Local Service Commands
# signal.rule.name: Potential Modification of Accessibility Binaries
# ATT&CK: T1105
# Description: Loads RunDll32 with a suspicious .inf file that makes a local http GET
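Review bot: `Local Service Commands` and `Potential Modification of Accessibility Binaries` look out of place for a script described as loading RunDll32 with an .inf file that makes a local HTTP GET; neither rule name mentions rundll32, .inf files or network activity. Please verify against the rules that fire when the script runs, since the same pair appears in several unrelated headers in this PR, and replace them with the rule(s) that actually match.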
+2
View File
@@ -4,6 +4,8 @@
# Name: RunDLL32 Javascript Callback
# RTA: rundll32_javascript_callback.py
# signal.rule.name: Local Service Commands
# signal.rule.name: Potential Modification of Accessibility Binaries
# ATT&CK: T1085
# Description: Executes javascript code with an AJAX call via RunDll32.exe
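Review bot: the two added rule names, `Local Service Commands` and `Potential Modification of Accessibility Binaries`, do not relate to executing JavaScript through RunDll32.exe as described, and they duplicate the pair added to other unrelated scripts in this PR. Confirm the rules this script really triggers and list those instead.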
+4
View File
@@ -4,6 +4,10 @@
# Name: Scheduled Task Privilege Escalation
# RTA: schtask_escalation.py
# signal.rule.name: Local Scheduled Task Commands
# signal.rule.name: Whoami Process Activity
# signal.rule.name: Svchost spawning Cmd
# signal.rule.name: Net command via SYSTEM account
# ATT&CK: T1053
import os
+2
View File
@@ -4,6 +4,8 @@
# Name: Abusing SettingContent-ms Files
# RTA: settingcontentms_files.py
# signal.rule.name: Potential Modification of Accessibility Binaries
# signal.rule.name: Local Service Commands
# ATT&CK: T1193, T1204, T1064
# Description: SettingContent-ms file written to specific path or by risky process
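Review bot: the added pair `Potential Modification of Accessibility Binaries` / `Local Service Commands` does not fit a SettingContent-ms script; neither rule name concerns .SettingContent-ms files, so please confirm the mapping against the rules that fire. The description `SettingContent-ms file written to specific path or by risky process` is phrased as a rule description; state what the RTA itself does.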
+3
View File
@@ -4,6 +4,9 @@
# Name: Overwrite Accessibiity Binaries
# RTA: sticky_keys_write_execute.py
# signal.rule.name: Potential Modification of Accessibility Binaries
# signal.rule.name: Local Service Commands
# signal.rule.name: Persistence via TelemetryController Scheduled Task Hijack
# ATT&CK: T1015
# Description: Writes different binaries into various accessibility locations.
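Review bot: `Accessibiity` in the Name line is a typo for `Accessibility`. Of the three added rules, `Potential Modification of Accessibility Binaries` matches the description, but `Local Service Commands` and `Persistence via TelemetryController Scheduled Task Hijack` do not relate to writing binaries into accessibility locations; confirm they actually fire for this script or remove them.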
+1
View File
@@ -4,6 +4,7 @@
# Name: Emulate Suspect MS Office Child Processes
# RTA: suspect_office_children.py
# signal.rule.name: Suspicious MS Office Child Process
# ATT&CK: T1064
# Description: Generates network traffic various children processes from emulated Office processes.
+1
View File
@@ -4,6 +4,7 @@
# Name: Suspicious PowerShell Download
# RTA: suspicious_powershell_download.py
# signal.rule.name: Suspicious MS Office Child Process
# ATT&CK: T1086
# Description: PowerShell using DownloadString or DownloadFile in suspicious context
+1
View File
@@ -4,6 +4,7 @@
# Name: Suspicious WScript parent
# RTA: suspicious_wscript_parent.py
# signal.rule.name: Suspicious MS Outlook Child Process
# ATT&CK: T1064, T1192, T1193
# Description: WScript run with suspicious parent processes
+1
View File
@@ -4,6 +4,7 @@
# Name: Invalid Process Trees in Windows
# RTA: unusual_parent_child.py
# signal.rule.name: Unusual Parent-Child Relationship
# ATT&CK: T1093
# Description: Runs several Windows core processes directly, instead of from the proper parent in Windows.
+1
View File
@@ -4,6 +4,7 @@
# Name: WerFault.exe Persistence
# RTA: werfault_persistence.py
# signal.rule.name: Process Potentially Masquerading as WerFault
# ATT&CK: T1112
# Description: Sets an executable to run when WerFault is run with -rp flags and runs it
+1
View File
@@ -4,6 +4,7 @@
# Name: Clearing Windows Event Logs
# RTA: wevutil_log_clear.py
# signal.rule.name: Clearing Windows Event Logs
# ATT&CK: T1070
# Description: Uses the native Windows Event utility to clear the Security, Application and System event logs.
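Review bot: the `# RTA: wevutil_log_clear.py` line does not match the filename the new README uses in its example, `./rta/wevtutil_log_clear.py` run as `python -m rta wevtutil_log_clear`; one of the two is missing the `t`. Since the README says `ttp_name` is looked up in the rta directory, fix whichever side is wrong so the documented example actually runs.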