| Step | Procedure | Criteria | Technique | Detections |
|---|---|---|---|---|
| {% for s in renderyaml %} | {{s['step']}} | {{s['procedure']}} | {{s['criteria']}} | {{s['technique']['name']}} |
| {% endfor %} |
Roberto Rodriguez Cyb3rWard0g
🍻
Cyb3rWard0g
/ evals_table_jinja.md
Created
June 11, 2020 22:10
Cyb3rWard0g
/ create_table_report.py
Created
June 11, 2020 22:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from jinja2 import Template | |
| import copy | |
| import yaml | |
| import glob | |
| from os import path | |
| print("[+] Processing files inside {} directory".format('../docs/evals/apt29/steps')) | |
| # ******** Open every forge yaml file available **************** | |
| print("[+] Opening report yaml files..") | |
| yaml_files = sorted(glob.glob(path.join(path.dirname(__file__), '../docs/evals/apt29/steps', "*.yaml")), key=lambda x: (int(path.basename(x).split(".")[0]), str(path.basename(x).split(".")[1]), int(path.basename(x).split(".")[2].split("_")[0]))) |
Cyb3rWard0g
/ 3_B_2_Bypass_User_Account_Control.yaml
Last active
June 11, 2020 20:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vendor: OTR Community | |
| step: 3.B.2 | |
| procedure: Executed elevated PowerShell payload | |
| criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe) | |
| technique: | |
| name: Bypass User Account Control | |
| id: T1088 | |
| issue: https://github.com/OTRF/detection-hackathon-apt29/issues/6 | |
| detections: | |
| - main_type: Telemetry |
Cyb3rWard0g
/ audit_rule_microphone_webcam_access.md
Created
June 7, 2020 19:41
Cyb3rWard0g
/ win_camera_microphone_access.yml
Created
June 7, 2020 19:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Processes Accessing the microphone and webcam | |
| id: 29976992-e6d6-4fce-8f9d-e7b9be4efbb6 | |
| status: experimental | |
| description: Potential adversaries accessing the microphone and webcam in an endpoint. | |
| references: | |
| - https://twitter.com/duzvik/status/1269671601852813320 | |
| - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 | |
| author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | |
| date: 2020/06/07 | |
| tags: |
Cyb3rWard0g
/ COMPlus_ETWEnabled_detection_notes.md
Last active
November 23, 2023 20:05
- The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
- CLRConfig will look for configurations in the following places in the following order:
- Look at environment variables (prepending COMPlus_ to the name)
- Look at the framework registry keys (
HKCU\Software\Microsoft\.NETFramework - Look at the framework registry keys
HKLM\Software\Microsoft\.NETFramework)
- These can be set in the following ways:
- Setting the environment variable COMPlus_:
- Windows
Cyb3rWard0g
/ seatbelt_wmi_query_strings_basic_exploration.txt
Created
May 27, 2020 15:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')" | |
| SELECT * FROM win32_networkconnection" | |
| Select * from Win32_ComputerSystem" | |
| SELECT * FROM Win32_DeviceGuard" | |
| SELECT * FROM win32_service" | |
| SELECT * FROM AntiVirusProduct" | |
| SELECT * FROM MSFT_DNSClientCache" | |
| SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process" | |
| SELECT * FROM Win32_Process" | |
| SELECT * FROM Win32_Process WHERE SessionID != 0" |
Cyb3rWard0g
/ seatbelt_appdata_basic_exploration.txt
Created
May 27, 2020 15:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks" | |
| \AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
| \AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
| \AppData\\Roaming\\gcloud\\credentials.db" |
Cyb3rWard0g
/ seatbelt_registry_basic_exploration.txt
Last active
November 2, 2020 20:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer" |
Cyb3rWard0g
/ talk-stream-time.md
Created
May 13, 2020 18:16