Roberto Rodriguez Cyb3rWard0g

🍻
Working from home
View GitHub Profile

Free Telemetry Report

Step Procedure Criteria Technique Detections
{% for s in renderyaml %} {{s['step']}} {{s['procedure']}} {{s['criteria']}} {{s['technique']['name']}}
{% endfor %}
from jinja2 import Template
import copy
import yaml
import glob
from os import path

print("[+] Processing files inside {} directory".format('../docs/evals/apt29/steps'))
# ******** Open every forge yaml file available ****************
print("[+] Opening report yaml files..")


def step_sort_key(file_path):
    # Step files are named like 3.B.2[_...].yaml: sort numerically on the
    # first and third components and alphabetically on the middle letter.
    parts = path.basename(file_path).split(".")
    return (int(parts[0]), str(parts[1]), int(parts[2].split("_")[0]))


yaml_files = sorted(
    glob.glob(path.join(path.dirname(__file__), '../docs/evals/apt29/steps', "*.yaml")),
    key=step_sort_key,
)
vendor: OTR Community
step: 3.B.2
procedure: Executed elevated PowerShell payload
criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
technique:
  name: Bypass User Account Control
  id: T1088
issue: https://github.com/OTRF/detection-hackathon-apt29/issues/6
detections:
  - main_type: Telemetry

Clone Set-Audit Rule Project

git clone https://github.com/OTRF/Set-AuditRule
cd Set-AuditRule

Create Rule

title: Processes Accessing the microphone and webcam
id: 29976992-e6d6-4fce-8f9d-e7b9be4efbb6
status: experimental
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
tags:

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
  • CLRConfig will look for configurations in the following places in the following order:
    • Look at environment variables (prepending COMPlus_ to the name)
    • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework)
    • Look at the framework registry keys (HKLM\Software\Microsoft\.NETFramework)
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
  • Windows
SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')"
SELECT * FROM win32_networkconnection"
Select * from Win32_ComputerSystem"
SELECT * FROM Win32_DeviceGuard"
SELECT * FROM win32_service"
SELECT * FROM AntiVirusProduct"
SELECT * FROM MSFT_DNSClientCache"
SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process"
SELECT * FROM Win32_Process"
SELECT * FROM Win32_Process WHERE SessionID != 0"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Roaming\\gcloud\\credentials.db"
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength"
Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"