security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
41ca459532cf4e8f57948fb4f03d4e418f220929
sigma-rules/rta
T
History
Jonhnathan 0273d118a6 [Rule Tuning] Add endgame support for Windows Rules (#2428) 
* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* 1/2

* bump updated_date

* 2/3

* Finale

* Update persistence_evasion_registry_ifeo_injection.toml

* .

* Multiple fixes

* Missing index

* Missing AND
2023-03-06 12:47:11 -03:00
..
bin
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
deprecated
RTA Deprecation (#2303)
2022-09-15 23:00:02 +05:30
__init__.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
__main__.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
adobe_hijack.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
adobe_priv_helper_tool.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
app_bundler_execution.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
appcompat_shim.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
at_command.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
atom_init_coffee.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
auth_plugin.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
automator_workflows.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
bifrost_attack.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
binary_masquerade.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
bitsadmin_download.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
bitsadmin_execution.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
browser_cred_access.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
browser_debugging.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
brute_force_login.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
calendar_file_mod.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
certutil_file_obfuscation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
certutil_webrequest.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
child_w3wp.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
clr_logs_creation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
cmd_shell_via_word.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
cmstp_image_load.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
common.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
comsvcs_dump.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
crashdump_disabled.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
credential_access_dump_hashes_via_cmd.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
credential_access_known_utilities.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
credential_access_osascript_phishing.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
credman_discovery.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
cscript_suspicious_args.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
curl_payload_download.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
darkradiation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
dcom_lateral_movement_with_mmc.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ddns_lolbas.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ddns_unsigned.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
defensive_evasion_reflective_loading.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
defensive_evasion_safari_modification.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
delete_bootconf.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
delete_catalogs.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
delete_usnjrnl.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
delete_volume_shadows.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
directory_service_plugin_file.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
disable_os_security_updates.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
disable_windows_fw.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
discovery_virtual_machine_grep.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
dock_plist.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
double_persist.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
dscl_hidden_account.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
dseditgroup_admin_add.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
dynwrapx_image_load.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
edmond_child_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
eggshell_backdoor.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
elevated_osascript_execution.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
emond_child_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
emond_plist.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
empire_stager.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
enum_commands.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
enumeration_linpeas.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
env_variable_hijacking.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_control_panel_cpl.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_cscript_suspicious_powershell.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_echo_named_pipe.py
[Rule Tuning] Add endgame support for Windows Rules (#2428)
2023-03-06 12:47:11 -03:00
exec_explorer_trampoline.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_ms_dotnet_clickonce.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_msdt_diagcab.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_scripting_persistence_locations.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_scripting_unusual_extension.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_scripting_via_html_app.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_sqlserver_suspicious_child.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_susp_explorer.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_susp_msiexec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_susp_parent_child.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_svchost_child_schedule.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_unusual_directory.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
exec_winword_susp_parent.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
execution_node_child_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
execution_pubprn.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
extexport_sideload.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
file_exe_ususual_extension.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
file_html_smuggling.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
finder_sync_plugin.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
findstr_pw_search.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
firewall_allowlist_modif_unsigned.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
fltmc_unload.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
git_creds_access.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
globalflags.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
grep_software_discovery.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
hosts_file_modify.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
html_help_file_written_exec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
inhibit_system_recovery_and_rename.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
inhibit_system_recovery_cmd.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
inhibit_system_recovery_lolbas_child.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
inhibit_system_recovery_office.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
inhibit_system_recovery_renamed.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
inhibit_system_recovery.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
installutil_network.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ip_discovery_unsigned.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
iqy_file_writes.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
javascript_payload.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
kcc_kerberos_dump.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
kerberos_netconn_file_creation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
kernelext_agent_unload.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
keychain_cred_access.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
keychain_dump.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
keychain_pwd_cmdline.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
lateral_command_psexec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
lateral_commands.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
launchagent_plist.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
launchdaemon_persistence.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ldapsearch_group_enumeration.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
linux_compress_sensitive_files.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
login_hook.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
login_window_plist.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
lua_image_load.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
mac_office_descendant.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
macos_installer_curl.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
mimikatz_cmdline.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
modification_of_wdigest_security_provider.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
modify_bootconf.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
modify_sublime_app.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
mount_smbfs.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ms_office_drop_exe.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ms_office_task_creation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msbuild_network.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msbuild_unusual_args.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msequationeditor_file_written_exec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msequationeditor_net_conn.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
mshta_network.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msiexec_http_installer.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msiexec_remote_msi_install.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msiexec_remote_msi.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_dcom_accessvbom.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_descendant_reg_mod_persistence.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_dll_image_load.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_file_drop_exec_wmi.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_file_exec_script_interpreter.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_reg_mod.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_signed_binary_spawn.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_startup_persistence.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_untrusted_exec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msoffice_wmi_imageload.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msxsl_image_load.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
msxsl_network.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
net_user_add.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
network_connection_process_unusual_args.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
network_connection_unusual_rundll32.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
networksetup_vpn.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
obfuscated_cmd_commands.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
obfuscated_powershell.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
office_app_execution.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
office_application_startup.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
office_child_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
opera_child_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
osascript_hidden_login_item.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
osascript_net_conn.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
osascript_sh_execution.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
osascript_suspicious_cmdline.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
outlook_suspicious_child.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
periodic_task_creation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
persistence_chrome_extension.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
persistence_startup_unusual_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
persistent_scripts.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ping_delayed_exec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
pkexec_shell.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
plist_creation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
plistbuddy_file_modification.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
port_monitor.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
powershell_args.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
powershell_base64_gzip.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
powershell_from_script.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
powershell_unsigned_defender_exclusion.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
powershell_vault_access.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
privilege_escalation_remote_thread.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
privilege_escalation_tcc_bypass.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
process_double_extension.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
process_extension_anomalies.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
process_name_masquerade.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ransomnote_delete_shadows.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
README.md
Repaired merge from PR 876 - RTA docs (#935)
2021-02-04 08:34:54 -09:00
recycle_bin_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_creation_servicedll.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_mod_netwire.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_mod_nullsessionpipes.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_mod_plugx.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_mod_remcos.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_mod_run_key_unusual_proc.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_mod_windir.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_run_key_asterisk.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reg_vss_service_disable.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
registry_hive_export.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
registry_persistence_create.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
registry_rdp_enable.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
regsvr32_scrobj.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
regsvr32_unusual_args.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
renamed_autoit.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
renamed_automaton_interpreter.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
reverse_shell.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
root_cert_install.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
root_crontab_file_modification.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
rubeus_alike_commandline.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
rundll32_inf_callback.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
rundll32_inf.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
rundll32_javascript_callback.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
rundll32_unusual_args.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
rundll32_unusual_dll_extension.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
schtask_escalation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
schtasks_xml_masqueraded.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
scp_privacy_bypass.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
screensaver_child_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
screensaver_plist_mod.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
scrobj_com_hijack.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
secure_file_deletion.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
security_authtrampoline.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
settingcontentms_files.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
sevenzip_encrypted.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
shlayer_payload.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
shortcut_file_suspicious_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
signed_proxy_file_written_exec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
silentprocessexit_lsass.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
sip_provider.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
smb_connection.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
solarmaker_backdoor.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
spctl_gatekeeper_bypass.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
special_chars_zip_file.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
sqlite_db_evasion.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
ssh_bruteforce.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
sticky_keys_write_execute.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
sudo_exploit.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
susp_scheduled_task_creation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
susp_script_file_name.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
suspicious_dll_registration_regsvr32.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
suspicious_office_child.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
suspicious_office_children.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
suspicious_office_descendant_fp.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
suspicious_powershell_download.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
suspicious_wmic_script.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
suspicious_wscript_parent.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
system_restore_process.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
systemkey_credential_access.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
systemsetup_ssh_enable.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
tcc_bypass_mounted_apfs.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
tcc_modification.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
trust_provider.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_cdssync.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_computerdefaults.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_dccw.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_diskcleanup.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_dism_dll_side_loading.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_eventviewer.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_eventvwr.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_fodhelper.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_icmluautil.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_mmc_deserialization.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_mmc_hijack.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_mmc_net_core_profiler.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_sdclt.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_sysprep.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_windows_activation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_winfw_mmc.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_wow64log.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uac_wsreset.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
uncommon_persistence.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
unsigned_startup_item_netconn.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
unusual_kerberos_client.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
unusual_ms_tool_network.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
unusual_parent_child.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
unusual_powershell_engine_image_load.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
unusual_rdp_client.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
user_action_script.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
user_dir_escalation.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
user_mode_smb_connection.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
vaultcmd_commands.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
webproxy_modification.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
webservice_lolbas.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
webservice_unsigned.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
werfault_masquerading.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
werfault_persistence.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
wevtutil_log_clear.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
windefend_svc_stop.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
windows_script_host_file_written_exec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
winrar_encrypted.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
winrar_startup_folder.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
wmi_incoming_logon.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
wmic_xsl_exec.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
wuauclt_image_load.py
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00

README.md

Red Team Automation

Supported Python versions Chat

The repo comes with some red team automation (RTA) python scripts that run on Windows, Mac OS, and *nix. RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.

$   python -m rta -h
usage: rta [-h] ttp_name

positional arguments:
  ttp_name

optional arguments:
  -h, --help  show this help message and exit

ttp_name can be found in the rta directory. For example to execute ./rta/wevtutil_log_clear.py script, run command:

$ python -m rta wevtutil_log_clear

Most of the RTA scripts contain a comment with the rule name, in signal.rule.name, that maps to the Kibana Detection Signals.

Reference in New Issue View Git Blame Copy Permalink