detection-rules/rta at main · joepeeples/detection-rules

Name	Name	Last commit message	Last commit date
parent directory ..
bin	bin	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
README.md	README.md	Repaired merge from PR 876 - RTA docs (elastic#935 )	Feb 4, 2021
__init__.py	__init__.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
__main__.py	__main__.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
adobe_hijack.py	adobe_hijack.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
appcompat_shim.py	appcompat_shim.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
at_command.py	at_command.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
bitsadmin_download.py	bitsadmin_download.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
brute_force_login.py	brute_force_login.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
certutil_file_obfuscation.py	certutil_file_obfuscation.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
certutil_webrequest.py	certutil_webrequest.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
common.py	common.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
comsvcs_dump.py	comsvcs_dump.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
dcom_lateral_movement_with_mmc.py	dcom_lateral_movement_with_mmc.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
delete_bootconf.py	delete_bootconf.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
delete_catalogs.py	delete_catalogs.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
delete_usnjrnl.py	delete_usnjrnl.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
delete_volume_shadows.py	delete_volume_shadows.py	Fix typos discovered by codespell (elastic#1430 )	Aug 15, 2021
disable_windows_fw.py	disable_windows_fw.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
enum_commands.py	enum_commands.py	Fix typos discovered by codespell (elastic#1430 )	Aug 15, 2021
findstr_pw_search.py	findstr_pw_search.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
globalflags.py	globalflags.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
hosts_file_modify.py	hosts_file_modify.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
installutil_network.py	installutil_network.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
iqy_file_writes.py	iqy_file_writes.py	Fix typos discovered by codespell (elastic#1430 )	Aug 15, 2021
lateral_command_psexec.py	lateral_command_psexec.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
lateral_commands.py	lateral_commands.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
linux_compress_sensitive_files.py	linux_compress_sensitive_files.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
linux_discovery_sensitive_files.py	linux_discovery_sensitive_files.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
mac_office_descendant.py	mac_office_descendant.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
modification_of_wdigest_security_provider.py	modification_of_wdigest_security_provider.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
ms_office_drop_exe.py	ms_office_drop_exe.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
msbuild_network.py	msbuild_network.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
mshta_network.py	mshta_network.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
msiexec_http_installer.py	msiexec_http_installer.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
msxsl_network.py	msxsl_network.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
net_user_add.py	net_user_add.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
obfuscated_cmd_commands.py	obfuscated_cmd_commands.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
obfuscated_powershell.py	obfuscated_powershell.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
office_application_startup.py	office_application_startup.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
persistent_scripts.py	persistent_scripts.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
port_monitor.py	port_monitor.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
powershell_args.py	powershell_args.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
powershell_base64_gzip.py	powershell_base64_gzip.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
powershell_from_script.py	powershell_from_script.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
process_double_extension.py	process_double_extension.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
process_extension_anomalies.py	process_extension_anomalies.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
process_name_masquerade.py	process_name_masquerade.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
recycle_bin_process.py	recycle_bin_process.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
registry_hive_export.py	registry_hive_export.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
registry_persistence_create.py	registry_persistence_create.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
registry_rdp_enable.py	registry_rdp_enable.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
regsvr32_scrobj.py	regsvr32_scrobj.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
rundll32_inf_callback.py	rundll32_inf_callback.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
rundll32_javascript_callback.py	rundll32_javascript_callback.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
schtask_escalation.py	schtask_escalation.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
scrobj_com_hijack.py	scrobj_com_hijack.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
secure_file_deletion.py	secure_file_deletion.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
settingcontentms_files.py	settingcontentms_files.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
sevenzip_encrypted.py	sevenzip_encrypted.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
shortcut_file_suspicious_process.py	shortcut_file_suspicious_process.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
sip_provider.py	sip_provider.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
smb_connection.py	smb_connection.py	Fix typos discovered by codespell (elastic#1430 )	Aug 15, 2021
sticky_keys_write_execute.py	sticky_keys_write_execute.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
suspicious_dll_registration_regsvr32.py	suspicious_dll_registration_regsvr32.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
suspicious_office_children.py	suspicious_office_children.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
suspicious_office_descendant_fp.py	suspicious_office_descendant_fp.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
suspicious_powershell_download.py	suspicious_powershell_download.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
suspicious_wmic_script.py	suspicious_wmic_script.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
suspicious_wscript_parent.py	suspicious_wscript_parent.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
system_restore_process.py	system_restore_process.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
trust_provider.py	trust_provider.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
uac_eventviewer.py	uac_eventviewer.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
uac_sdclt.py	uac_sdclt.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
uac_sysprep.py	uac_sysprep.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
uncommon_persistence.py	uncommon_persistence.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
unusual_ms_tool_network.py	unusual_ms_tool_network.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
unusual_parent_child.py	unusual_parent_child.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
user_dir_escalation.py	user_dir_escalation.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
vaultcmd_commands.py	vaultcmd_commands.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
werfault_persistence.py	werfault_persistence.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
wevtutil_log_clear.py	wevtutil_log_clear.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
winrar_encrypted.py	winrar_encrypted.py	Fix typos discovered by codespell (elastic#1430 )	Aug 15, 2021
winrar_startup_folder.py	winrar_startup_folder.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021
wmi_incoming_logon.py	wmi_incoming_logon.py	Update License to Elastic v2 (elastic#944 )	Mar 4, 2021

Name

Last commit message

Last commit date

bin

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

README.md

Repaired merge from PR 876 - RTA docs (elastic#935 )

Feb 4, 2021

__init__.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

__main__.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

adobe_hijack.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

appcompat_shim.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

at_command.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

bitsadmin_download.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

brute_force_login.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

certutil_file_obfuscation.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

certutil_webrequest.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

common.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

comsvcs_dump.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

dcom_lateral_movement_with_mmc.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

delete_bootconf.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

delete_catalogs.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

delete_usnjrnl.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

delete_volume_shadows.py

Fix typos discovered by codespell (elastic#1430 )

Aug 15, 2021

disable_windows_fw.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

enum_commands.py

Fix typos discovered by codespell (elastic#1430 )

Aug 15, 2021

findstr_pw_search.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

globalflags.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

hosts_file_modify.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

installutil_network.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

iqy_file_writes.py

Fix typos discovered by codespell (elastic#1430 )

Aug 15, 2021

lateral_command_psexec.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

lateral_commands.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

linux_compress_sensitive_files.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

linux_discovery_sensitive_files.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

mac_office_descendant.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

modification_of_wdigest_security_provider.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

ms_office_drop_exe.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

msbuild_network.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

mshta_network.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

msiexec_http_installer.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

msxsl_network.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

net_user_add.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

obfuscated_cmd_commands.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

obfuscated_powershell.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

office_application_startup.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

persistent_scripts.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

port_monitor.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

powershell_args.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

powershell_base64_gzip.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

powershell_from_script.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

process_double_extension.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

process_extension_anomalies.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

process_name_masquerade.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

recycle_bin_process.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

registry_hive_export.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

registry_persistence_create.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

registry_rdp_enable.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

regsvr32_scrobj.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

rundll32_inf_callback.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

rundll32_javascript_callback.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

schtask_escalation.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

scrobj_com_hijack.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

secure_file_deletion.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

settingcontentms_files.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

sevenzip_encrypted.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

shortcut_file_suspicious_process.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

sip_provider.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

smb_connection.py

Fix typos discovered by codespell (elastic#1430 )

Aug 15, 2021

sticky_keys_write_execute.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

suspicious_dll_registration_regsvr32.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

suspicious_office_children.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

suspicious_office_descendant_fp.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

suspicious_powershell_download.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

suspicious_wmic_script.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

suspicious_wscript_parent.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

system_restore_process.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

trust_provider.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

uac_eventviewer.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

uac_sdclt.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

uac_sysprep.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

uncommon_persistence.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

unusual_ms_tool_network.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

unusual_parent_child.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

user_dir_escalation.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

vaultcmd_commands.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

werfault_persistence.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

wevtutil_log_clear.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

winrar_encrypted.py

Fix typos discovered by codespell (elastic#1430 )

Aug 15, 2021

winrar_startup_folder.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

wmi_incoming_logon.py

Update License to Elastic v2 (elastic#944 )

Mar 4, 2021

Red Team Automation

The repo comes with some red team automation (RTA) python scripts that run on Windows, Mac OS, and *nix. RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.

$   python -m rta -h
usage: rta [-h] ttp_name

positional arguments:
  ttp_name

optional arguments:
  -h, --help  show this help message and exit

ttp_name can be found in the rta directory. For example to execute ./rta/wevtutil_log_clear.py script, run command:

$ python -m rta wevtutil_log_clear

Most of the RTA scripts contain a comment with the rule name, in signal.rule.name, that maps to the Kibana Detection Signals.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

rta

rta

README.md

Red Team Automation

Files

rta

Directory actions

More options

Directory actions

More options

Latest commit

History

rta

Folders and files

parent directory

README.md

Red Team Automation