Skip to content

Latest commit

 

History

History
 
 

rta

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
bin
bin
 
 
README.md
README.md
 
 
__init__.py
__init__.py
 
 
__main__.py
__main__.py
 
 
adobe_hijack.py
adobe_hijack.py
 
 
appcompat_shim.py
appcompat_shim.py
 
 
at_command.py
at_command.py
 
 
bitsadmin_download.py
bitsadmin_download.py
 
 
brute_force_login.py
brute_force_login.py
 
 
certutil_file_obfuscation.py
certutil_file_obfuscation.py
 
 
certutil_webrequest.py
certutil_webrequest.py
 
 
common.py
common.py
 
 
comsvcs_dump.py
comsvcs_dump.py
 
 
dcom_lateral_movement_with_mmc.py
dcom_lateral_movement_with_mmc.py
 
 
delete_bootconf.py
delete_bootconf.py
 
 
delete_catalogs.py
delete_catalogs.py
 
 
delete_usnjrnl.py
delete_usnjrnl.py
 
 
delete_volume_shadows.py
delete_volume_shadows.py
 
 
disable_windows_fw.py
disable_windows_fw.py
 
 
enum_commands.py
enum_commands.py
 
 
findstr_pw_search.py
findstr_pw_search.py
 
 
globalflags.py
globalflags.py
 
 
hosts_file_modify.py
hosts_file_modify.py
 
 
installutil_network.py
installutil_network.py
 
 
iqy_file_writes.py
iqy_file_writes.py
 
 
lateral_command_psexec.py
lateral_command_psexec.py
 
 
lateral_commands.py
lateral_commands.py
 
 
linux_compress_sensitive_files.py
linux_compress_sensitive_files.py
 
 
linux_discovery_sensitive_files.py
linux_discovery_sensitive_files.py
 
 
mac_office_descendant.py
mac_office_descendant.py
 
 
modification_of_wdigest_security_provider.py
modification_of_wdigest_security_provider.py
 
 
ms_office_drop_exe.py
ms_office_drop_exe.py
 
 
msbuild_network.py
msbuild_network.py
 
 
mshta_network.py
mshta_network.py
 
 
msiexec_http_installer.py
msiexec_http_installer.py
 
 
msxsl_network.py
msxsl_network.py
 
 
net_user_add.py
net_user_add.py
 
 
obfuscated_cmd_commands.py
obfuscated_cmd_commands.py
 
 
obfuscated_powershell.py
obfuscated_powershell.py
 
 
office_application_startup.py
office_application_startup.py
 
 
persistent_scripts.py
persistent_scripts.py
 
 
port_monitor.py
port_monitor.py
 
 
powershell_args.py
powershell_args.py
 
 
powershell_base64_gzip.py
powershell_base64_gzip.py
 
 
powershell_from_script.py
powershell_from_script.py
 
 
process_double_extension.py
process_double_extension.py
 
 
process_extension_anomalies.py
process_extension_anomalies.py
 
 
process_name_masquerade.py
process_name_masquerade.py
 
 
recycle_bin_process.py
recycle_bin_process.py
 
 
registry_hive_export.py
registry_hive_export.py
 
 
registry_persistence_create.py
registry_persistence_create.py
 
 
registry_rdp_enable.py
registry_rdp_enable.py
 
 
regsvr32_scrobj.py
regsvr32_scrobj.py
 
 
rundll32_inf_callback.py
rundll32_inf_callback.py
 
 
rundll32_javascript_callback.py
rundll32_javascript_callback.py
 
 
schtask_escalation.py
schtask_escalation.py
 
 
scrobj_com_hijack.py
scrobj_com_hijack.py
 
 
secure_file_deletion.py
secure_file_deletion.py
 
 
settingcontentms_files.py
settingcontentms_files.py
 
 
sevenzip_encrypted.py
sevenzip_encrypted.py
 
 
shortcut_file_suspicious_process.py
shortcut_file_suspicious_process.py
 
 
sip_provider.py
sip_provider.py
 
 
smb_connection.py
smb_connection.py
 
 
sticky_keys_write_execute.py
sticky_keys_write_execute.py
 
 
suspicious_dll_registration_regsvr32.py
suspicious_dll_registration_regsvr32.py
 
 
suspicious_office_children.py
suspicious_office_children.py
 
 
suspicious_office_descendant_fp.py
suspicious_office_descendant_fp.py
 
 
suspicious_powershell_download.py
suspicious_powershell_download.py
 
 
suspicious_wmic_script.py
suspicious_wmic_script.py
 
 
suspicious_wscript_parent.py
suspicious_wscript_parent.py
 
 
system_restore_process.py
system_restore_process.py
 
 
trust_provider.py
trust_provider.py
 
 
uac_eventviewer.py
uac_eventviewer.py
 
 
uac_sdclt.py
uac_sdclt.py
 
 
uac_sysprep.py
uac_sysprep.py
 
 
uncommon_persistence.py
uncommon_persistence.py
 
 
unusual_ms_tool_network.py
unusual_ms_tool_network.py
 
 
unusual_parent_child.py
unusual_parent_child.py
 
 
user_dir_escalation.py
user_dir_escalation.py
 
 
vaultcmd_commands.py
vaultcmd_commands.py
 
 
werfault_persistence.py
werfault_persistence.py
 
 
wevtutil_log_clear.py
wevtutil_log_clear.py
 
 
winrar_encrypted.py
winrar_encrypted.py
 
 
winrar_startup_folder.py
winrar_startup_folder.py
 
 
wmi_incoming_logon.py
wmi_incoming_logon.py
 
 

README.md

Red Team Automation

Supported Python versions Chat

The repo comes with some red team automation (RTA) python scripts that run on Windows, Mac OS, and *nix. RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.

$   python -m rta -h
usage: rta [-h] ttp_name

positional arguments:
  ttp_name

optional arguments:
  -h, --help  show this help message and exit

ttp_name can be found in the rta directory. For example to execute ./rta/wevtutil_log_clear.py script, run command:

$ python -m rta wevtutil_log_clear

Most of the RTA scripts contain a comment with the rule name, in signal.rule.name, that maps to the Kibana Detection Signals.