OTRF / detection-hackathon-apt29
Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0
132 stars, 41 forks
Issues
Number | Title | Author | State | Comments
#54 | How do I know which Sysmon events are involved in each step? Can the dataset annotate the malicious logs? | xiaodupi-zyq | opened 3 years ago | 0 comments
#53 | Logstash doesn't filter kafkacat input | ghost | closed 4 years ago | 1 comment
#52 | Patch 1 | DarthRaki | closed 4 years ago | 8 comments
#51 | nate can't spell :) | neu5ron | closed 4 years ago | 1 comment
#50 | make zeek log viewing/ingesting easier | neu5ron | closed 4 years ago | 3 comments
#49 | 8.B Sigma Rule - Py2Exe | patrickstjohn | closed 4 years ago | 1 comment
#48 | 20.B) Pass the Ticket, Windows Remote Management, Create Account | Cyb3rWard0g | opened 4 years ago | 18 comments
#47 | 20.A) Rundll32, Windows Management Instrumentation Event Subscription, PowerShell | Cyb3rWard0g | opened 4 years ago | 0 comments
#46 | 19.C) File Deletion, Process Injection | Cyb3rWard0g | opened 4 years ago | 0 comments
#45 | 19.B) File Deletion, Process Injection | Cyb3rWard0g | opened 4 years ago | 0 comments
#44 | 19.A) File Deletion, Process Injection | Cyb3rWard0g | opened 4 years ago | 0 comments
#43 | 18.A) Web Service, Exfiltration Over Alternative Protocol | Cyb3rWard0g | opened 4 years ago | 0 comments
#42 | 17.C) Data Compressed, Obfuscated Files or Information | Cyb3rWard0g | opened 4 years ago | 0 comments
#41 | 17.B) Data from Local System, Data Staged | Cyb3rWard0g | opened 4 years ago | 0 comments
#40 | 16.D) Remote File Copy, Credential Dumping | Cyb3rWard0g | opened 4 years ago | 0 comments
#39 | 16.C) Next, the attacker uses the previously dumped credentials (T1078) to create a remote PowerShell session to the domain controller (T1028). | Cyb3rWard0g | opened 4 years ago | 0 comments
#38 | 16.B) System Owner/User Discovery, Execution through API | Cyb3rWard0g | opened 4 years ago | 0 comments
#37 | 16.A) Remote System Discovery | Cyb3rWard0g | opened 4 years ago | 11 comments
#36 | 15.A) Windows Management Instrumentation Event Subscription, System Owner/User Discovery | Cyb3rWard0g | opened 4 years ago | 0 comments
#35 | 14.B) Windows Management Instrumentation, Remote File Copy, Credential Dumping, Obfuscated Files or Information, Process Discovery, Deobfuscate/Decode Files or Information | Cyb3rWard0g | opened 4 years ago | 0 comments
#34 | 14.A) Component Object Model Hijacking, Bypass User Account Control | Cyb3rWard0g | opened 4 years ago | 0 comments
#33 | 13.D) Process Discovery | Cyb3rWard0g | opened 4 years ago | 0 comments
#32 | 13.C) System Owner/User Discovery | Cyb3rWard0g | opened 4 years ago | 0 comments
#31 | 13.B) Domain Name Enumeration | Cyb3rWard0g | opened 4 years ago | 0 comments
#30 | 13.A) System Information Discovery | Cyb3rWard0g | opened 4 years ago | 0 comments
#29 | 12.C) Query Registry | Cyb3rWard0g | opened 4 years ago | 0 comments
#28 | 12.B) Security Software Discovery | Cyb3rWard0g | opened 4 years ago | 0 comments
#27 | 12.A) Timestomp, File and Directory Discovery | Cyb3rWard0g | opened 4 years ago | 0 comments
#26 | 11.A) Initial Breach | Cyb3rWard0g | opened 4 years ago | 0 comments
#25 | 10.B) Registry Run Keys / Startup Folder | Cyb3rWard0g | opened 4 years ago | 3 comments
#24 | 10.A) Service Execution | Cyb3rWard0g | opened 4 years ago | 2 comments
#23 | 9.C) File Deletion | Cyb3rWard0g | opened 4 years ago | 3 comments
#22 | 9.B) PowerShell, File and Directory Discovery, Automated Collection, Data from Local System, Data Encrypted, Data Compressed, Data Staged, Exfiltration Over Command and Control Channel | Cyb3rWard0g | opened 4 years ago | 12 comments
#21 | 9.A) Remote File Copy | Cyb3rWard0g | opened 4 years ago | 3 comments
#20 | 8.C) Windows Admin Shares, Service Execution, Valid Accounts | Cyb3rWard0g | opened 4 years ago | 9 comments
#19 | 8.B) Software Packing | Cyb3rWard0g | opened 4 years ago | 6 comments
#18 | 8.A) Remote System Discovery, Windows Remote Management, Process Discovery | Cyb3rWard0g | opened 4 years ago | 8 comments
#17 | 7.B) Data from Local System, Data Compressed, Data Encrypted, Exfiltration Over Alternative Protocol | Cyb3rWard0g | opened 4 years ago | 25 comments
#16 | 7.A) Screen Capture, Clipboard Data, Input Capture | Cyb3rWard0g | opened 4 years ago | 6 comments
#15 | 6.C) Credential Dumping | Cyb3rWard0g | opened 4 years ago | 2 comments
#14 | 6.B) Private Keys | Cyb3rWard0g | opened 4 years ago | 2 comments
#13 | 6.A) Credentials in Files, Credential Dumping, Masquerading | Cyb3rWard0g | opened 4 years ago | 6 comments
#12 | 5.B) Registry Run Keys / Startup Folder | Cyb3rWard0g | opened 4 years ago | 2 comments
#11 | 5.A) New Service | Cyb3rWard0g | opened 4 years ago | 5 comments
#10 | 4.C) File and Directory Discovery, System Owner/User Discovery, System Information Discovery, System Network Configuration Discovery, Process Discovery, Security Software Discovery, Permission Groups Discovery, Execution through API | Cyb3rWard0g | opened 4 years ago | 16 comments
#9 | 4.B) Process Discovery, File Deletion | Cyb3rWard0g | opened 4 years ago | 12 comments
#8 | 4.A) PowerShell, Deobfuscate/Decode Files or Information | Cyb3rWard0g | opened 4 years ago | 7 comments
#7 | 3.C) Modify Registry | Cyb3rWard0g | opened 4 years ago | 1 comment
#6 | 3.B) Component Object Model Hijacking, Bypass User Account Control, Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol | Cyb3rWard0g | opened 4 years ago | 7 comments
#5 | 3.A) Remote File Copy, Obfuscated Files or Information | Cyb3rWard0g | opened 4 years ago | 3 comments