OTRF/detection-hackathon-apt29
Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
Jupyter Notebook, GPL-3.0
Issues
16.A) Remote System Discovery
#37 opened by Cyb3rWard0g - 18
How do I know which Sysmon events are involved in each step?Can the dataset annotate the malicious logs?
#54 opened by xiaodupi-zyq - 1
Logstash doesn't filter kafkacat input
#53 opened - 25
7.B) Data from Local System, Data Compressed, Data Encrypted, Exfiltration Over Alternative Protocol
#17 opened by Cyb3rWard0g - 3
10.B) Registry Run Keys / Startup Folder
#25 opened by Cyb3rWard0g - 7
3.B) Component Object Model Hijacking, Bypass User Account Control, Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol
#6 opened by Cyb3rWard0g - 2
10.A) Service Execution
#24 opened by Cyb3rWard0g - 3
9.C) File Deletion
#23 opened by Cyb3rWard0g - 12
9.B) PowerShell, File and Directory Discovery, Automated Collection, Data from Local System, Data Encrypted, Data Compressed, Data Staged, Exfiltration Over Command and Control Channel
#22 opened by Cyb3rWard0g - 3
9.A) Remote File Copy
#21 opened by Cyb3rWard0g - 9
8.B) Software Packing
#19 opened by Cyb3rWard0g - 8
4.C) File and Directory Discovery, System Owner/User Discovery, System Information Discovery, System Network Configuration Discovery, Process Discovery, Security Software Discovery, Permission Groups Discovery, Execution through API
#10 opened by Cyb3rWard0g - 6
6.C) Credential Dumping
#15 opened by Cyb3rWard0g - 2
6.B) Private Keys
#14 opened by Cyb3rWard0g - 6
5.B) Registry Run Keys / Startup Folder
#12 opened by Cyb3rWard0g - 5
5.A) New Service
#11 opened by Cyb3rWard0g - 12
4.B) Process Discovery, File Deletion
#9 opened by Cyb3rWard0g - 7
3.C) Modify Registry
#7 opened by Cyb3rWard0g - 3
2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged
#3 opened by Cyb3rWard0g - 3
1.B) Command-Line Interface, PowerShell
#2 opened by Cyb3rWard0g - 16
20.A) Rundll32, Windows Management Instrumentation Event Subscription, PowerShell
#47 opened by Cyb3rWard0g - 0
19.C) File Deletion, Process Injection
#46 opened by Cyb3rWard0g - 0
19.B) File Deletion, Process Injection
#45 opened by Cyb3rWard0g - 0
19.A) File Deletion, Process Injection
#44 opened by Cyb3rWard0g - 0
17.B) Data from Local System, Data Staged
#41 opened by Cyb3rWard0g - 0
16.D) Remote File Copy, Credential Dumping
#40 opened by Cyb3rWard0g - 0
16.C) Next, the attacker uses the previously dumped credentials (T1078) to create a remote PowerShell session to the domain controller (T1028).
#39 opened by Cyb3rWard0g - 0
15.A) Windows Management Instrumentation Event Subscription, System Owner/User Discovery
#36 opened by Cyb3rWard0g - 0
14.B) Windows Management Instrumentation, Remote File Copy, Credential Dumping, Obfuscated Files or Information, Process Discovery, Deobfuscate/Decode Files or Information
#35 opened by Cyb3rWard0g - 0
13.D) Process Discovery
#33 opened by Cyb3rWard0g - 0
13.C) System Owner/User Discovery
#32 opened by Cyb3rWard0g - 0
13.B) Domain Name Enumeration
#31 opened by Cyb3rWard0g - 0
13.A) System Information Discovery
#30 opened by Cyb3rWard0g - 0
12.C) Query Registry
#29 opened by Cyb3rWard0g - 0
12.B) Security Software Discovery
#28 opened by Cyb3rWard0g - 0
12.A) Timestomp, File and Directory Discovery
#27 opened by Cyb3rWard0g - 0
11.A) Initial Breach
#26 opened by Cyb3rWard0g