0f6ded452b
* [New RTA] Endpoint Rules Suspicious Access to LSA Secrets Registry Security Account Manager (SAM) Registry Access Privilege Escalation via EXTENDED STARTUPINFO Potential Privilege Escalation via Token Impersonation Suspicious Impersonation as Trusted Installer NTDLL Loaded from an Unusual Path Sensitive File Access - Unattended Panther Potential Discovery of Windows Credential Manager Store Potential Discovery of DPAPI Master Keys Potential Process Creation via ShellCode
* Update evasion_ntdll_from_unusual_path.py
* Update credaccess_reg_query_privesc_token_manip.py
* Create shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* fix import
* Update credaccess_reg_query_privesc_token_manip.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_winexec_calc.py
* DLL Side Loading via a Copied Microsoft Executable
* Update sideload_msbin_faultrep.py
* DLL SideLoad via a Microsoft Signed Binary
* Update sideload_msbin_faultrep.py
* C2 via ISO file
* ++
* persistence from ISO
* Update exec_persistence_from_iso.py
* replaced win32con with actual static values
* Update sensitive_file_access.py
* Update credaccess_reg_query_privesc_token_manip.py
* Update ExecFromISOFile.ps1
* Suspicious ImageLoad from an ISO Mounted Device
* Update execution_iso_dll_rundll32.py
* Update c2_dns_from_iso.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update impersonate_trusted_installer.py
* Library Loaded via a Callback Function
* Update evasion_loadlib_via_callback.py
* ++
* added ntds.dit access
* Security Account Manager (SAM) File Access
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Suspicious Execution via DotNet Remoting
* Update evasion_addinproc_certoc.py
* Update evasion_addinproc_certoc_odbc.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* ++
* Update evasion_unhook_ldrloaddll.py
* added ETW and AMSI patching
* Update evasion_oversized_dll_load.py
* Update sensitive_file_access.py added technique ids
* Update c2_dns_from_iso.py fixed endpoint rule.ids array
* moved getppid to common.py
* moved impersonate_system to common
* moved inject to common.py
* Update credaccess_sam_from_vss.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_loadlib_via_callback.py
* Update evasion_oversized_dll_load.py
* Update evasion_patch_etw_amsi.py
* Update execution_iso_dll_sideload.py
* Update evasion_unhook_ldrloaddll.py
* Update exec_persistence_from_iso.py
* Update execution_iso_dll_rundll32.py
* Update sensitive_file_access.py
* Update shellcode_load_ws2_32_unbacked.py
* ++
* Update rta/c2_dns_from_iso.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/common.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/common.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/credaccess_reg_query_privesc_token_manip.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/credaccess_sam_from_vss.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/common.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rta/credaccess_sam_from_vss.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update shellcode_winexec_calc.py
* Update shellcode_load_ws2_32_unbacked.py
* Update c2_dns_from_iso.py
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
  Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update credaccess_sam_from_vss.py
* Update c2_dns_from_iso.py
* ++
* ++
* ++
* Update impersonate_trusted_installer.py
* Update evasion_patch_etw_amsi.py
* Update credaccess_reg_query_privesc_token_manip.py
* ++
* Update evasion_ntdll_from_unusual_path.py
* Update evasion_oversized_dll_load.py
* ++
* Update common.py
* Update ExecFromISOFile.ps1
* Update evasion_ntdll_from_unusual_path.py
* add cpp source files
* Update rta/common.py
  Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rta/src/LoadLib-Callback64.cpp
  Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rta/src/rta_unhook_ldrload.cpp
  Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rta/impersonate_trusted_installer.py
  Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
110 KiB