security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0885032b2cc8ba826c67d92a30e873f300e8a4e7
sigma-rules/rta
T
History
Samirbous ec609d826a [New RTA] Input Capture via Keylog (#3033) 
* [New RTA] Input Capture via Keylog

APIs in scope covered by 2 seperate RTAs  :

SetWindowsHookEx (collection_keylog_hook_keystate)
GetAsyncKeyState (collection_keylog_hook_keystate)
RegisterRawInputDevices (collection_keylog_rawinputdevice)

* Update rta/collection_keylog_hook_keystate.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rta/collection_keylog_rawinputdevice.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-05-24 11:37:42 +01:00
..
bin
[New ER RTA] Potential Linux Rev Shell via Java (#2897)
2023-06-30 14:21:06 +02:00
deprecated
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
src
[New ER RTA] Potential Linux Rev Shell via Java (#2897)
2023-06-30 14:21:06 +02:00
__init__.py
Added unit test (#3038)
2023-09-05 15:27:04 -04:00
__main__.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
adobe_hijack.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
adobe_priv_helper_tool.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
app_bundler_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
app_hijack.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
appcompat_shim.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
at_command.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
at_job.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
atom_init_coffee.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
auth_plugin.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
automator_workflows.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
background_process_from_tmp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
bash_cmdline_history.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
bifrost_attack.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
binary_masquerade.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
bitsadmin_download.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
bitsadmin_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
browser_cred_access.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
browser_debugging.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
brute_force_login.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
builtin_cmd_file_delete.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
c2_dns_from_iso.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
calendar_file_mod.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
certutil_file_obfuscation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
certutil_webrequest.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
child_w3wp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
clr_logs_creation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
cmd_shell_via_word.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
cmstp_image_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
collection_keylog_hook_keystate.py
[New RTA] Input Capture via Keylog (#3033)
2024-05-24 11:37:42 +01:00
collection_keylog_rawinputdevice.py
[New RTA] Input Capture via Keylog (#3033)
2024-05-24 11:37:42 +01:00
common.py
[Bug] Updated os.path calls to pathlib (#3110)
2023-09-28 16:32:55 -04:00
comsvcs_dump.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
crashdump_disabled.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
credaccess_reg_query_privesc_token_manip.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
credaccess_sam_from_vss.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
credential_access_dump_hashes_via_cmd.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
credential_access_known_utilities.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
credential_access_osascript_phishing.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
credman_discovery.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
cron_tab_file_create.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
cscript_suspicious_args.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
curl_data_exfil.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
curl_payload_download.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
curl_sus_payload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
darkradiation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dcom_lateral_movement_with_mmc.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ddns_lolbas.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ddns_unsigned.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
defensive_evasion_reflective_loading.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
defensive_evasion_safari_modification.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
delete_bootconf.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
delete_catalogs.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
delete_quarantine_attrib.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
delete_usnjrnl.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
delete_volume_shadows.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
directory_service_plugin_file.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
disable_os_security_updates.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
disable_windows_fw.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
discovery_virtual_machine_grep.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dmg_create_in_tmp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dock_plist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
double_persist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dscl_hidden_account.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dseditgroup_admin_add.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dsenableroot_account.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dylib_injection.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
dynwrapx_image_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
echo_tmp_file_create.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
edmond_child_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
eggshell_backdoor.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
eicar.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
elevated_osascript_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
emond_child_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
emond_plist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
empire_stager.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
enum_commands.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
enumeration_linpeas.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
env_variable_hijacking.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
evasion_addinproc_certoc_odbc_gfxdwn.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
evasion_loadlib_via_callback.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
evasion_ntdll_from_unusual_path.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
evasion_oversized_dll_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
evasion_patch_etw_amsi.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
evasion_unhook_ldrloaddll.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_adfind.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_appcmd_logging.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_arp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_aspnet_regiis.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_attrib_hidden.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_auditpol.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_clear_history.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_compiled_html.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_endpoint_security_masquerading.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_fltmc_unload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_fsutil_fsinfo.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_hidden_share.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_mklink.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_mpcmdrun_download.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_msdt.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_mssql_xp_cmdshell.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_net_stop.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_net_use.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_netsh_advfirewall_network_discovery.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_netsh_remotedesktop.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_nltest.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_non_executable_file.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_ntdsdit.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_posh_mailbox.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_psexesvc.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_pwd_appcmd.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_rundll32_davsetcookie.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_rundll32.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_set_casmailbox.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_set_mppreference.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_short_name.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_windows_firewall_disabled.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_wmi_cmdexe.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_wmi_subscription.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_wmic_antivirus_enum.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_workfolders.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cmd_xwizard.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_conhost_indirect.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_control_panel_cpl.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cscript_archive_args.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_cscript_suspicious_powershell.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_dll_file_compressed.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_dnguard_program.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_echo_named_pipe.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_explorer_trampoline.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_from_mount.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_from_python.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_from_terminal.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_gfxdownloadwrapper.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_ingress_tool_posh.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_java_revshell_linux.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_java_via_scripting.py
[Bug] Updated os.path calls to pathlib (#3110)
2023-09-28 16:32:55 -04:00
exec_ms_dotnet_clickonce.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_msdt_diagcab.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_msiexec_dllregisterserver.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_nohup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_persistence_from_iso.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_privhelper_tool.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_renamed_msbuild.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_renamed_winword.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_scripting_persistence_locations.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_scripting_unusual_extension.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_scripting_via_html_app.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_shortcut_embedded_obj.py
[RTA] Adds RTAs for endpoint rules (#2621)
2023-03-23 18:14:06 -03:00
exec_sliver_posh.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_sqlserver_suspicious_child.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_susp_explorer.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_susp_msiexec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_susp_parent_child.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_svchost_child_schedule.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_tclsh.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_unusual_directory.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_unusual_path_msmpeng.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_vs_prebuildevent.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_vsls_agent.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
exec_winword_susp_parent.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
execution_iso_dll_rundll32.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
execution_iso_dll_sideload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
execution_node_child_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
execution_pubprn.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
extexport_sideload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_ads_creation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_dpapi_key.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_exchange_um.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_exec_pdf_reader.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_lsass_dump.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_mimilsa_log.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_ms_addins.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_mstsc_startup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_outlook_vba.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_powershell_profile.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_scripting_startup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_smss_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_task_file.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_create_vbs_startup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_creation_teamviewer.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_delete_spool_driver.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_delete_vbk.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_exe_ususual_extension.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_html_smuggling.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_mod_via_chmod.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_ms_template_macros.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_script_startup_folder.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
file_susp_browser_extension.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
finder_sync_plugin.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
findstr_pw_search.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
firewall_allowlist_modif_unsigned.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
fltmc_unload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
git_creds_access.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
globalflags.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
grep_software_discovery.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
hidden_file_mount.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
hidden_plist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
hosts_file_modify.py
[Bug] Updated os.path calls to pathlib (#3110)
2023-09-28 16:32:55 -04:00
html_help_file_written_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
image_load_dnguard.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
image_load_msbuild_vaultcli.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
image_load_phantomdll.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
image_load_rdp_client_dll.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
image_load_script_interpreter_wmiutils.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
image_load_taskhost.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
image_load_vaultcli.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
impersonate_trusted_installer.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
inhibit_system_recovery_and_rename.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
inhibit_system_recovery_cmd.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
inhibit_system_recovery_lolbas_child.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
inhibit_system_recovery_office.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
inhibit_system_recovery_renamed.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
inhibit_system_recovery.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
installutil_network.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ip_discovery_unsigned.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
iqy_file_writes.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
javascript_payload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
kcc_kerberos_dump.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
kerberos_netconn_file_creation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
kernel_module_removal_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
kernelext_agent_unload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
kext_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
keychain_cred_access.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
keychain_dump.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
keychain_pwd_cmdline.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
lateral_command_psexec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
lateral_commands.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
launchagent_plist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
launchd_load_plist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
launchdaemon_persistence.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ldapsearch_group_enumeration.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
link_to_tmp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
linux_compress_sensitive_files.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
login_hook.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
login_window_plist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
lua_image_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
mac_office_descendant.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
macos_installer_curl.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
mimikatz_cmdline.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
mimipenguin_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
modification_of_wdigest_security_provider.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
modify_bootconf.py
[Bug] Updated os.path calls to pathlib (#3110)
2023-09-28 16:32:55 -04:00
modify_sublime_app.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
mount_smbfs.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ms_office_drop_exe.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ms_office_task_creation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msbuild_network.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msbuild_unusual_args.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msequationeditor_file_written_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msequationeditor_net_conn.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
mshta_network.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msiexec_http_installer.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msiexec_remote_msi_install.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msiexec_remote_msi.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_addins_file.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_dcom_accessvbom.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_descendant_reg_mod_persistence.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_dll_image_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_file_dll_sideload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_file_drop_exec_wmi.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_file_exec_script_interpreter.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_potential_proc_inj.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_reg_mod.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_signed_binary_spawn.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_startup_persistence.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_untrusted_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msoffice_wmi_imageload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msxsl_image_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
msxsl_network.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
net_user_add.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_desktopimgdownldr.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_download_powershell.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_download_script_interpreter.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_external_ip_lookup_non_browser.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_freesslcert.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_iexplore_rundll32.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_kerberos_port.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_nslookup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_process_unusual_args.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_rdp_tunneling.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
network_connection_unusual_rundll32.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
networksetup_vpn.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
obfuscated_cmd_commands.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
obfuscated_powershell.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
office_app_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
office_application_startup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
office_child_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
openssl_decode_payload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
openssl_file_drop.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
opera_child_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
osascript_hidden_login_item.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
osascript_net_conn.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
osascript_sh_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
osascript_suspicious_cmdline.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
outlook_suspicious_child.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
overlayfs_privesc.py
[New RTA] Privesc via OverlayFS (#3003)
2023-09-27 10:45:19 +02:00
path_passed_to_system.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
payload_decode_bash_cmds.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
periodic_task_creation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
persistence_chrome_extension.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
persistence_mail_plist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
persistence_plist_masquerade.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
persistence_startup_item.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
persistence_startup_unusual_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
persistent_scripts.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ping_delayed_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
pkexec_shell.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
pkg_install_chmod.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
plist_creation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
plistbuddy_file_modification.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
port_monitor.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
powershell_args.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
powershell_base64_gzip.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
powershell_delete_shadow_copy.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
powershell_from_script.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
powershell_unsigned_defender_exclusion.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
powershell_vault_access.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
privilege_escalation_remote_thread.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
privilege_escalation_tcc_bypass.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
process_double_extension.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
process_extension_anomalies.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
process_name_masquerade.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ransomnote_delete_shadows.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
README.md
Repaired merge from PR 876 - RTA docs (#935)
2021-02-04 08:34:54 -09:00
recycle_bin_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_creation_servicedll.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_amsienable.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_appcertdlls.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_appinitdlls.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_autodialdll.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_base64_executable.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_builtindnsclientenabled.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_disable_uac.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_disableantispyware.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_driver_blocklist.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_enableat.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_enablescriptblocklogging.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_ifeo.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_lsa_ssp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_netwire.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_networkprovider.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_nullsessionpipes.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_plugx.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_point_and_print_dll.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_port_forwarding.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_print_processors.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_remcos.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_run_key_unusual_proc.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_shadow_rdp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_shim_sb.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_startup_shell_folder.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_suspicious_service.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_systemcertificates.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_time_provider.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_unusual_startup_folder.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_mod_windir.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_run_key_asterisk.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reg_vss_service_disable.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
registry_hive_export.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
registry_persistence_create.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
registry_rdp_enable.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
regsvr32_scrobj.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
regsvr32_unusual_args.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
renamed_autoit.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
renamed_automaton_interpreter.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
reverse_shell.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
root_cert_install.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
root_crontab_file_modification.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
rubeus_alike_commandline.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
rundll32_inf_callback.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
rundll32_inf.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
rundll32_javascript_callback.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
rundll32_unusual_args.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
rundll32_unusual_dll_extension.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
schtask_escalation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
schtasks_xml_masqueraded.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
scp_privacy_bypass.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
screensaver_child_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
screensaver_plist_mod.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
scrobj_com_hijack.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
secure_file_deletion.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
security_authtrampoline.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
sensitive_file_access.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
settingcontentms_files.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
sevenzip_encrypted.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
shellcode_load_ws2_32_unbacked.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
shellcode_winexec_calc.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
shlayer_payload.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
shortcut_file_suspicious_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
shove_sip_bypass.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
signed_proxy_file_written_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
silentprocessexit_lsass.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
sip_provider.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
smb_connection.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
solarmaker_backdoor.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
spctl_gatekeeper_bypass.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
special_chars_zip_file.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
sqlite_db_evasion.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
ssh_bruteforce.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
sticky_keys_write_execute.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
sudo_exploit.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
susp_scheduled_task_creation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
susp_script_file_name.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_bits_job_notify.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_acrobat.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_childless_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_compattelrunner.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_dns.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_exchange_um.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_explorer.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_services.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_solarwinds_businesslayerhost.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_solarwindsdiagnostics.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_svchost_sch.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_wmiprvse.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_child_zoom.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_dll_registration_regsvr32.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_lineage_script.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_msiexec_child.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_office_child.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_office_children.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_office_descendant_fp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_parent_cmd.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_parent_csc.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_parent_msbuild_explorer.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_parent_msbuild_office.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_parent_msbuild_script.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_parent_sc.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_parent_smss.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_powershell_download.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_wmic_script.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
suspicious_wscript_parent.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
system_restore_process.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
systemkey_credential_access.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
systemsetup_ssh_enable.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
tar_dylib.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
tcc_bypass_mounted_apfs.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
tcc_modification.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
trust_provider.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_cdssync.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_clipup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_computerdefaults.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_dccw.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_diskcleanup.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_dism_dll_side_loading.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_eventviewer.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_eventvwr.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_fodhelper.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_icmluautil.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_mmc_deserialization.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_mmc_hijack.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_mmc_net_core_profiler.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_sdclt.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_sysprep.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_windir_masq.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_windows_activation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_winfw_mmc.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_wow64log.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uac_wsreset.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
uncommon_persistence.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unshadow_execution.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unsigned_startup_item_netconn.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unusual_kerberos_client.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unusual_ms_tool_network.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unusual_parent_child.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unusual_parent_chrome_extension.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unusual_powershell_engine_image_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unusual_rdp_client.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
unzip_to_tmp.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
user_action_script.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
user_dir_escalation.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
user_mode_smb_connection.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
vaultcmd_commands.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
webproxy_modification.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
webservice_lolbas.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
webservice_unsigned.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
werfault_masquerading.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
werfault_persistence.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
wevtutil_log_clear.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
windefend_svc_stop.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
windows_script_host_file_written_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
winrar_encrypted.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
winrar_startup_folder.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
wizardupdate_infection.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
wmi_incoming_logon.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
wmic_xsl_exec.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
wuauclt_image_load.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00
xcsset_infection.py
Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00

README.md

Red Team Automation

Supported Python versions Chat

The repo comes with some red team automation (RTA) python scripts that run on Windows, Mac OS, and *nix. RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.

$   python -m rta -h
usage: rta [-h] ttp_name

positional arguments:
  ttp_name

optional arguments:
  -h, --help  show this help message and exit

ttp_name can be found in the rta directory. For example to execute ./rta/wevtutil_log_clear.py script, run command:

$ python -m rta wevtutil_log_clear

Most of the RTA scripts contain a comment with the rule name, in signal.rule.name, that maps to the Kibana Detection Signals.

Reference in New Issue View Git Blame Copy Permalink