Free Telemetry Report
| Step | Procedure | Criteria | Technique | Detections |
|---|---|---|---|---|
| {% for s in renderyaml %} | {{s['step']}} | {{s['procedure']}} | {{s['criteria']}} | {{s['technique']['name']}} |
| {% endfor %} |
Cyb3rWard0g
/ evals_table_jinja.md
Created Jun 11, 2020
View evals_table_jinja.md
Cyb3rWard0g
/ create_table_report.py
Created Jun 11, 2020
View create_table_report.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from jinja2 import Template | |
| import copy | |
| import yaml | |
| import glob | |
| from os import path | |
| print("[+] Processing files inside {} directory".format('../docs/evals/apt29/steps')) | |
| # ******** Open every forge yaml file available **************** | |
| print("[+] Opening report yaml files..") | |
| yaml_files = sorted(glob.glob(path.join(path.dirname(__file__), '../docs/evals/apt29/steps', "*.yaml")), key=lambda x: (int(path.basename(x).split(".")[0]), str(path.basename(x).split(".")[1]), int(path.basename(x).split(".")[2].split("_")[0]))) |
Cyb3rWard0g
/ 3_B_2_Bypass_User_Account_Control.yaml
Last active Jun 11, 2020
View 3_B_2_Bypass_User_Account_Control.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vendor: OTR Community | |
| step: 3.B.2 | |
| procedure: Executed elevated PowerShell payload | |
| criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe) | |
| technique: | |
| name: Bypass User Account Control | |
| id: T1088 | |
| issue: https://github.com/OTRF/detection-hackathon-apt29/issues/6 | |
| detections: | |
| - main_type: Telemetry |
Cyb3rWard0g
/ audit_rule_microphone_webcam_access.md
Created Jun 7, 2020
View audit_rule_microphone_webcam_access.md
Clone Set-Audit Rule Project
git clone https://github.com/OTRF/Set-AuditRule
cd Set-AuditRule
Create Rule
Cyb3rWard0g
/ win_camera_microphone_access.yml
Created Jun 7, 2020
View win_camera_microphone_access.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Processes Accessing the microphone and webcam | |
| id: 29976992-e6d6-4fce-8f9d-e7b9be4efbb6 | |
| status: experimental | |
| description: Potential adversaries accessing the microphone and webcam in an endpoint. | |
| references: | |
| - https://twitter.com/duzvik/status/1269671601852813320 | |
| - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 | |
| author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | |
| date: 2020/06/07 | |
| tags: |
Cyb3rWard0g
/ COMPlus_ETWEnabled_detection_notes.md
Last active Aug 27, 2021
View COMPlus_ETWEnabled_detection_notes.md
Initial Notes:
- The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
- CLRConfig will look for configurations in the following places in the following order:
- Look at environment variables (prepending COMPlus_ to the name)
- Look at the framework registry keys (
HKCU\Software\Microsoft\.NETFramework - Look at the framework registry keys
HKLM\Software\Microsoft\.NETFramework)
- These can be set in the following ways:
- Setting the environment variable COMPlus_:
- Windows
Cyb3rWard0g
/ seatbelt_wmi_query_strings_basic_exploration.txt
Created May 27, 2020
View seatbelt_wmi_query_strings_basic_exploration.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')" | |
| SELECT * FROM win32_networkconnection" | |
| Select * from Win32_ComputerSystem" | |
| SELECT * FROM Win32_DeviceGuard" | |
| SELECT * FROM win32_service" | |
| SELECT * FROM AntiVirusProduct" | |
| SELECT * FROM MSFT_DNSClientCache" | |
| SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process" | |
| SELECT * FROM Win32_Process" | |
| SELECT * FROM Win32_Process WHERE SessionID != 0" |
Cyb3rWard0g
/ seatbelt_appdata_basic_exploration.txt
Created May 27, 2020
View seatbelt_appdata_basic_exploration.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks" | |
| \AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
| \AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
| \AppData\\Roaming\\gcloud\\credentials.db" |
Cyb3rWard0g
/ seatbelt_registry_basic_exploration.txt
Last active Nov 2, 2020
View seatbelt_registry_basic_exploration.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer" |
Cyb3rWard0g
/ talk-stream-time.md
Created May 13, 2020