eric-forte-elastic
bba8cd3b57
Updated common.requires_os calls ( #3109 )
2023-10-03 10:47:58 -04:00
eric-forte-elastic
16550b7144
[Bug] Updated os.path calls to pathlib ( #3110 )
* Updated os.path calls to pathlib
* fixed typo
* os.join replacement typo
* additional join typo
* updated os directory functions
* exist_ok typo
* cleanup
* Updated for cleanliness
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-09-28 16:32:55 -04:00
Ruben Groenewoud
6f7e419f1e
[New RTA] Privesc via OverlayFS ( #3003 )
* [New RTA] Privesc via OverlayFS
* Update rta/overlayfs_privesc.py
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-09-27 10:45:19 +02:00
eric-forte-elastic
34ebcec679
Added unit test ( #3038 )
* Added unit test
* removed print from unit test
* fixed linting
* Updated to put validation in init
* Updated for cleanliness
* removed Literal import
2023-09-05 15:27:04 -04:00
Mika Ayenson
5bb5994c6f
[Bug] Fix RTA Metadata ( #3036 )
2023-08-24 11:12:16 -05:00
shashank-elastic
d8969f8df1
RTA For Linux DR and ER Rules ( #2904 )
2023-07-04 18:46:28 +05:30
Ruben Groenewoud
cf4bbfbcef
[New ER RTA] Potential Linux Rev Shell via Java ( #2897 )
* [New ER RTA] Potential Linux Rev Shell via Java
* Added execute permissions to the RTA
* Added 10 millisecond sleep to fix sequencing issue
* Update exec_java_revshell_linux.py
* Added source code
2023-06-30 14:21:06 +02:00
Samirbous
0f6ded452b
[New RTA] Endpoint Rules ( #2788 )
* [New RTA] Endpoint Rules
Suspicious Access to LSA Secrets Registry
Security Account Manager (SAM) Registry Access
Privilege Escalation via EXTENDED STARTUPINFO
Potential Privilege Escalation via Token Impersonation
Suspicious Impersonation as Trusted Installer
NTDLL Loaded from an Unusual Path
Sensitive File Access - Unattended Panther
Potential Discovery of Windows Credential Manager Store
Potential Discovery of DPAPI Master Keys
Potential Process Creation via ShellCode
* Update evasion_ntdll_from_unusual_path.py
* Update credaccess_reg_query_privesc_token_manip.py
* Create shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* fix import
* Update credaccess_reg_query_privesc_token_manip.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_winexec_calc.py
* DLL Side Loading via a Copied Microsoft Executable
* Update sideload_msbin_faultrep.py
* DLL SideLoad via a Microsoft Signed Binary
* Update sideload_msbin_faultrep.py
* C2 via ISO file
* ++
* persistence from ISO
* Update exec_persistence_from_iso.py
* replaced win32con with actual static values
* Update sensitive_file_access.py
* Update credaccess_reg_query_privesc_token_manip.py
* Update ExecFromISOFile.ps1
* Suspicious ImageLoad from an ISO Mounted Device
* Update execution_iso_dll_rundll32.py
* Update c2_dns_from_iso.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update impersonate_trusted_installer.py
* Library Loaded via a Callback Function
* Update evasion_loadlib_via_callback.py
* ++
* added ntds.dit access
* Security Account Manager (SAM) File Access
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Suspicious Execution via DotNet Remoting
* Update evasion_addinproc_certoc.py
* Update evasion_addinproc_certoc_odbc.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* ++
* Update evasion_unhook_ldrloaddll.py
* added ETW and AMSI patching
* Update evasion_oversized_dll_load.py
* Update sensitive_file_access.py
added technique ids
* Update c2_dns_from_iso.py
fixed endpoint rule.ids array
* moved getppid to common.py
* moved impersonate_system to common
* moved inject to common.py
* Update credaccess_sam_from_vss.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_loadlib_via_callback.py
* Update evasion_oversized_dll_load.py
* Update evasion_patch_etw_amsi.py
* Update execution_iso_dll_sideload.py
* Update evasion_unhook_ldrloaddll.py
* Update exec_persistence_from_iso.py
* Update execution_iso_dll_rundll32.py
* Update sensitive_file_access.py
* Update shellcode_load_ws2_32_unbacked.py
* ++
* Update rta/c2_dns_from_iso.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/credaccess_reg_query_privesc_token_manip.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update shellcode_winexec_calc.py
* Update shellcode_load_ws2_32_unbacked.py
* Update c2_dns_from_iso.py
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update credaccess_sam_from_vss.py
* Update c2_dns_from_iso.py
* ++
* ++
* ++
* Update impersonate_trusted_installer.py
* Update evasion_patch_etw_amsi.py
* Update credaccess_reg_query_privesc_token_manip.py
* ++
* Update evasion_ntdll_from_unusual_path.py
* Update evasion_oversized_dll_load.py
* ++
* Update common.py
* Update ExecFromISOFile.ps1
* Update evasion_ntdll_from_unusual_path.py
* add cpp source files
* Update rta/common.py
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rta/src/LoadLib-Callback64.cpp
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rta/src/rta_unhook_ldrload.cpp
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rta/impersonate_trusted_installer.py
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 16:58:30 +01:00
Charlie Pichette
9713384888
Add Rule Id and Rule Name to the RTA Test List Function ( #2680 )
2023-03-31 16:08:42 -04:00
Mika Ayenson
11d79912f1
[FR] Add new macOS RTAs for Endpoint Rules - 2 ( #2661 )
2023-03-24 17:29:22 -04:00
Mika Ayenson
62ec0ae086
[FR] Add new macOS RTAs for Endpoint Rules ( #2632 )
2023-03-24 16:53:37 -04:00
Jonhnathan
fd0d7a1d00
[RTA] Adds RTAs to Windows Rules - 2 ( #2628 )
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-03-24 10:13:12 -03:00
Jonhnathan
95b8b1688b
[RTA] Add RTAs for Endpoint Rules - 2 ( #2633 )
* [RTA] Add RTAs for Endpoint Rules - 2
* Update exec_conhost_indirect.py
* Update msoffice_file_dll_sideload.py
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-03-24 09:55:32 -03:00
Jonhnathan
5c792b86d7
[RTA] Adds RTAs for endpoint rules ( #2621 )
* [RTA] Adds RTAs for endpoint rules
* Update exec_cscript_archive_args.py
* Review RTAs 1/2
* Update suspicious_msiexec_child.py
* Update rta/exec_cscript_archive_args.py
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-03-23 18:14:06 -03:00
Jonhnathan
f41c5288cc
[RTA] New RTAs for Windows Rules ( #2426 )
* Part 1
* Part 2
* Part3
* Part4
* Final Part
* Dedup RTA where Office app loads wmiutils
* Add techniques
* Remove helper
* Update exec_cmd_set_mppreference.py
2023-03-20 07:56:51 -03:00
Jonhnathan
0273d118a6
[Rule Tuning] Add endgame support for Windows Rules ( #2428 )
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* 1/2
* bump updated_date
* 2/3
* Finale
* Update persistence_evasion_registry_ifeo_injection.toml
* .
* Multiple fixes
* Missing index
* Missing AND
2023-03-06 12:47:11 -03:00
shashank-elastic
273c589bd4
RTA Deprecation ( #2303 )
2022-09-15 23:00:02 +05:30
Mika Ayenson
0358ec9d9a
Release ER Production RTAs to DR ( #2270 )
2022-09-08 12:50:39 -04:00
Justin Ibarra
0fc8006e7a
Update RTA common.py for py3 ( #2287 )
* add run-all argument and initial p2 conversion
* remove unicode
* format with black
2022-09-01 09:16:39 -06:00
Christian Clauss
ddec37b731
Fix typos discovered by codespell ( #1430 )
2021-08-14 20:29:10 -08:00
Justin Ibarra
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
Justin Ibarra
e2c860693c
Repaired merge from PR 876 - RTA docs ( #935 )
2021-02-04 08:34:54 -09:00
Andrew Pease
d68e4ac7f0
[New Rule] Hosts File Modified ( #25 )
2020-09-30 15:24:07 -08:00
Ross Wolf
e2d97b0a74
Remove unreachable and legacy code
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-30 10:12:23 -06:00
Ross Wolf
fac5473aca
Rename PsRunner_License to PsRunner_LICENSE
2020-06-30 10:04:11 -06:00
Ross Wolf
ba50b6dd20
Create PsRunner_License
2020-06-30 10:03:41 -06:00
Ross Wolf
a0d3b4bd23
Populate RTA directory.
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Daniel Stepanic <57736958+dstepanic17@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Joe Desimone <56411054+joe-desimone@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 23:07:18 -06:00