detection-rules/rta at main · elastic/detection-rules

History

Name		Name	Last commit message	Last commit date
parent directory ..
bin		bin
deprecated		deprecated
src		src
README.md		README.md
__init__.py		__init__.py
__main__.py		__main__.py
adobe_hijack.py		adobe_hijack.py
adobe_priv_helper_tool.py		adobe_priv_helper_tool.py
app_bundler_execution.py		app_bundler_execution.py
app_hijack.py		app_hijack.py
appcompat_shim.py		appcompat_shim.py
at_command.py		at_command.py
at_job.py		at_job.py
atom_init_coffee.py		atom_init_coffee.py
attempt_to_establish_vscode.py		attempt_to_establish_vscode.py
auth_plugin.py		auth_plugin.py
automator_workflows.py		automator_workflows.py
background_process_from_tmp.py		background_process_from_tmp.py
bash_cmdline_history.py		bash_cmdline_history.py
bifrost_attack.py		bifrost_attack.py
binary_execution_from_shared_memory.py		binary_execution_from_shared_memory.py
binary_masquerade.py		binary_masquerade.py
bitsadmin_download.py		bitsadmin_download.py
bitsadmin_execution.py		bitsadmin_execution.py
browser_cred_access.py		browser_cred_access.py
browser_debugging.py		browser_debugging.py
brute_force_login.py		brute_force_login.py
builtin_cmd_file_delete.py		builtin_cmd_file_delete.py
c2_dns_from_iso.py		c2_dns_from_iso.py
calendar_file_mod.py		calendar_file_mod.py
cat_network_activity.py		cat_network_activity.py
certutil_file_obfuscation.py		certutil_file_obfuscation.py
certutil_webrequest.py		certutil_webrequest.py
child_w3wp.py		child_w3wp.py
cloud_eicar.py		cloud_eicar.py
clr_logs_creation.py		clr_logs_creation.py
cmd_shell_via_word.py		cmd_shell_via_word.py
cmstp_image_load.py		cmstp_image_load.py
collection_keylog_hook_keystate.py		collection_keylog_hook_keystate.py
collection_keylog_rawinputdevice.py		collection_keylog_rawinputdevice.py
common.py		common.py
comsvcs_dump.py		comsvcs_dump.py
crashdump_disabled.py		crashdump_disabled.py
credaccess_reg_query_privesc_token_manip.py		credaccess_reg_query_privesc_token_manip.py
credaccess_sam_from_vss.py		credaccess_sam_from_vss.py
credential_access_dump_hashes_via_cmd.py		credential_access_dump_hashes_via_cmd.py
credential_access_known_utilities.py		credential_access_known_utilities.py
credential_access_osascript_phishing.py		credential_access_osascript_phishing.py
credential_dumping.py		credential_dumping.py
credential_dumping_via_proc.py		credential_dumping_via_proc.py
credman_discovery.py		credman_discovery.py
cron_tab_file_create.py		cron_tab_file_create.py
cscript_suspicious_args.py		cscript_suspicious_args.py
curl_data_exfil.py		curl_data_exfil.py
curl_payload_download.py		curl_payload_download.py
curl_sus_payload.py		curl_sus_payload.py
cve_2019_14287.py		cve_2019_14287.py
cve_2023_0386.py		cve_2023_0386.py
darkradiation.py		darkradiation.py
dcom_lateral_movement_with_mmc.py		dcom_lateral_movement_with_mmc.py
ddns_lolbas.py		ddns_lolbas.py
ddns_unsigned.py		ddns_unsigned.py
defensive_evasion_reflective_loading.py		defensive_evasion_reflective_loading.py
defensive_evasion_safari_modification.py		defensive_evasion_safari_modification.py
delete_bootconf.py		delete_bootconf.py
delete_catalogs.py		delete_catalogs.py
delete_quarantine_attrib.py		delete_quarantine_attrib.py
delete_usnjrnl.py		delete_usnjrnl.py
delete_volume_shadows.py		delete_volume_shadows.py
directory_service_plugin_file.py		directory_service_plugin_file.py
disable_os_security_updates.py		disable_os_security_updates.py
disable_security_controls.py		disable_security_controls.py
disable_windows_fw.py		disable_windows_fw.py
discovery_virtual_machine_grep.py		discovery_virtual_machine_grep.py
dmg_create_in_tmp.py		dmg_create_in_tmp.py
dock_plist.py		dock_plist.py
double_persist.py		double_persist.py
dscl_hidden_account.py		dscl_hidden_account.py
dseditgroup_admin_add.py		dseditgroup_admin_add.py
dsenableroot_account.py		dsenableroot_account.py
dylib_injection.py		dylib_injection.py
dynwrapx_image_load.py		dynwrapx_image_load.py
echo_tmp_file_create.py		echo_tmp_file_create.py
edmond_child_process.py		edmond_child_process.py
eggshell_backdoor.py		eggshell_backdoor.py
eicar.py		eicar.py
elevated_osascript_execution.py		elevated_osascript_execution.py
emond_child_process.py		emond_child_process.py
emond_plist.py		emond_plist.py
empire_stager.py		empire_stager.py
enum_commands.py		enum_commands.py
enumeration_linpeas.py		enumeration_linpeas.py
env_variable_hijacking.py		env_variable_hijacking.py
evasion_addinproc_certoc_odbc_gfxdwn.py		evasion_addinproc_certoc_odbc_gfxdwn.py
evasion_loadlib_via_callback.py		evasion_loadlib_via_callback.py
evasion_ntdll_from_unusual_path.py		evasion_ntdll_from_unusual_path.py
evasion_oversized_dll_load.py		evasion_oversized_dll_load.py
evasion_patch_etw_amsi.py		evasion_patch_etw_amsi.py
evasion_unhook_ldrloaddll.py		evasion_unhook_ldrloaddll.py
exec_cmd_adfind.py		exec_cmd_adfind.py

README.md

Red Team Automation

The repo comes with some red team automation (RTA) python scripts that run on Windows, Mac OS, and *nix. RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.

$   python -m rta -h
usage: rta [-h] ttp_name

positional arguments:
  ttp_name

optional arguments:
  -h, --help  show this help message and exit

ttp_name can be found in the rta directory. For example to execute ./rta/wevtutil_log_clear.py script, run command:

$ python -m rta wevtutil_log_clear

Most of the RTA scripts contain a comment with the rule name, in signal.rule.name, that maps to the Kibana Detection Signals.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rta

rta

README.md

Red Team Automation

Files

rta

Directory actions

More options

Directory actions

More options

Latest commit

History

rta

Folders and files

parent directory

README.md

Red Team Automation