Commit 269c983
Patrick Bareiss
renaming data yml files
1 parent f8fac8e commit 269c983
File tree
1,417 files changed
+7088
-16277
lines changed- bin
- datasets
- attack_techniques
- T1003.001/atomic_red_team
- T1003.002
- atomic_red_team
- serioussam
- T1003.003/atomic_red_team
- T1003.004/NoLMHash
- T1003.006
- impacket
- mimikatz
- T1003.008
- copy_file_stdoutpipe
- linux_auditd_access_credential
- T1003
- credential_extraction
- wdigest_enable
- T1014
- T1016
- atomic_red_team/linux_net_discovery
- discovery_commands
- linux_auditd_net_tool_new
- linux_auditd_net_tool
- T1018
- AD_discovery
- atomic_red_team
- T1020
- T1021.001
- mstsc_rdp_cmd
- remote_desktop_connection
- T1021.002
- atomic_red_team
- impacket_smbexec
- impacket_wmiexec
- T1021.003
- impacket
- lateral_movement_lolbas
- lateral_movement
- T1021.006
- lateral_movement_lolbas
- lateral_movement_psh
- lateral_movement_pssession
- lateral_movement
- T1027
- FuckThatPacker
- atomic_red_team
- T1030
- linux_auditd_split_b_exec
- linux_auditd_split_syscall_new
- linux_auditd_split_syscall
- T1033
- AD_discovery
- atomic_red_team
- linux_auditd_whoami_new
- linux_auditd_whoami
- qakbot_discovery_cmdline
- whoami_priv
- T1036.003
- atomic_red_team
- copy_sysmon
- mpcmdrun
- samsam_extension
- T1036
- msdtc_process_param
- suspicious_process_path
- write_to_recycle_bin
- T1037.001/logonscript_reg
- T1046/kubernetes_scanning
- T1047
- atomic_red_team
- execution_scrcons
- lateral_movement_lolbas
- lateral_movement
- wmi_impersonate
- T1048.003
- cve-2023-23397
- long_dns_queries
- mass_file_creation
- nslookup_exfil
- T1048/ftp_connection
- T1049/AD_discovery
- T1053.002
- at_execution
- lateral_movement
- linux_auditd_at
- linux_auditd_chown_root
- linux_new_auditd_at
- T1053.003
- cronjobs_entry
- crontab_edit_parameter
- crontab_list_parameter
- linux_auditd_cron_file_audited
- linux_auditd_crontab_edit_new
- linux_auditd_crontab_edit
- T1053.005
- asyncrat_highest_priv_schtasks
- atomic_red_team
- lateral_movement_lolbas
- lateral_movement
- schtask_shutdown
- schtask_system
- schtasks
- taskschedule
- windows_taskschedule
- winevent_scheduled_task_with_suspect_name
- T1053.006
- linux_services_restart
- service_systemd
- T1053.007/kubernetes_audit_cron_job_creation
- T1055.001/rasautou
- T1055
- cobalt_strike
- msra
- sliver
- T1057/process_commandline_discovery
- T1059.001
- asyncrat_crypto_pwh_namespace
- atomic_red_team
- encoded_powershell
- exchange
- import_applocker_policy
- malicious_cmd_line_samples
- obfuscated_powershell
- powershell_execution_policy
- powershell_remotesigned
- powershell_script_block_logging
- powershell_testing
- powershell_xml_requests
- sharphound
- soaphound
- unmanaged_powershell_execution
- T1059.003
- atomic_red_team
- cmd_spawns_cscript
- powershell_spawn_cmd
- ryuk
- T1059.004/linux_discovery_tools
- T1059.005
- discord_dnsquery
- vbs_wscript
- T1059
- autoit
- metasploit
- path_traversal
- suspiciously_named_executables
- T1068
- drivers
- windows_escalation_behavior
- zoom_child_process
- T1069.001/atomic_red_team
- T1069.002/AD_discovery
- T1070.001/atomic_red_team
- T1070.005/atomic_red_team
- T1070
- atomic_red_team
- fsutil_file_zero
- remove_windows_security_event_log
- T1071.002/outbound_smb_traffic
- T1078.002
- account_lockout
- powerview_acl_enumeration
- T1078.004
- azure_ad_service_principal_authentication
- azure_automation_runbook
- azure_runbook_webhook
- azuread_pws
- azuread
- gcp_single_factor_auth
- o365_security_and_compliance_alert_triggered
- okta_single_factor_auth
- okta_threatinsight_threat_detected
- T1078
- aws_create_policy_version
- aws_createaccesskey
- aws_createloginprofile
- aws_saml_access_by_provider_user_and_principal
- aws_saml_update_identity_provider
- aws_setdefaultpolicyversion
- aws_updateloginprofile
- azure_ad_multiple_appids_and_useragents_auth
- defaultaccount
- o365_excessive_sso_logon_errors
- o365_multiple_appids_and_useragents_auth
- okta_suspicious_activity_reported_by_user
- special_logon_on_mulitple_hosts
- update_saml_provider
- T1082
- atomic_red_team
- linux_auditd_lsmod_new
- linux_auditd_lsmod
- T1083
- linux_auditd_find_db
- linux_auditd_find_document
- linux_auditd_find_virtual_disk
- T1087.001/AD_discovery
- T1087.002
- AD_discovery
- adsi_discovery
- blackmatter_schcache
- T1087.004
- azurehound
- okta_unauth_access
- T1090.001/netsh_portproxy
- T1098.001
- azure_ad_service_principal_credentials
- o365_service_principal_credentials
- okta_new_api_token_created
- T1098.002
- full_access_as_app_permission_assigned
- o365_full_access_as_app_permission_assigned
- o365_mailbox_folder_read_granted
- T1098.003
- azure_ad_admin_consent
- azure_ad_assign_global_administrator
- azure_ad_assign_privileged_role
- azure_ad_bypass_admin_consent
- azure_ad_pim_role_activated
- azure_ad_privileged_graph_perm_assigned
- azure_ad_privileged_role_serviceprincipal
- azure_ad_spn_privesc
- o365_admin_consent
- o365_bypass_admin_consent
- o365_grant_mail_read
- o365_high_priv_role_assigned
- o365_privileged_graph_perm_assigned
- o365_spn_privesc
- T1098.004
- linux_auditd_nopasswd
- ssh_authorized_keys
- T1098.005
- azure_ad_register_new_mfa_method
- o365_register_new_mfa_method
- okta_new_device_enrolled
- T1098
- account_manipulation
- azure_ad_add_serviceprincipal_owner
- azure_ad_enable_and_reset
- azure_ad_set_immutableid
- dnsadmins_member_added
- dsrm_account
- o365_add_app_registration_owner
- o365_azure_workload_events
- service_principal_name_added
- short_lived_service_principal_name
- windows_multiple_accounts_deleted
- windows_multiple_accounts_disabled
- windows_multiple_passwords_changed
- T1105/atomic_red_team
- T1110.001
- aws_login_failure
- azure_ad_high_number_of_failed_authentications_for_user
- azure_ad_successful_authentication_from_different_ips
- o365_high_number_authentications_for_user
- rdp_brute_sysmon
- T1110.002/aws_rds_password_reset
- T1110.003
- aws_mulitple_failed_console_login
- azure_ad_distributed_spray
- azuread_highrisk
- gcp_gws_multiple_login_failure
- o365_distributed_spray
- o365_multiple_users_from_ip
- okta_multiple_users_from_ip
- password_spraying_azuread
- purplesharp_explicit_credential_spray_xml
- purplesharp_invalid_users_kerberos_xml
- purplesharp_invalid_users_ntlm_xml
- purplesharp_multiple_users_from_process_xml
- purplesharp_remote_spray_xml
- purplesharp_valid_users_kerberos_xml
- purplesharp_valid_users_ntlm_xml
- T1110.004/local_administrator_cred_stuffing
- T1110
- azure_mfasweep_events
- o365_brute_force_login
- okta_multiple_accounts_lockout
- T1112
- AuthenticationLevelOverride
- atomic_red_team
- blackbyte
- enablelinkedconnections
- longpathsenabled
- disable_notif_center
- firewall_modify_delete
- minint_reg
- ransomware_disable_reg
- shimcache_flush
- T1114.002
- o365_compliance_content_search_exported
- o365_compliance_content_search_started
- o365_multiple_mailboxes_accessed_via_api
- o365_oauth_app_ews_mailbox_access
- o365_oauth_app_graph_mailbox_access
- T1114.003
- o365_email_forwarding_rule_created
- o365_mailbox_forwarding_enabled
- T1114
- o365_export_pst_file
- o365_new_forwarding_mailflow_rule_created
- o365_suspect_email_actions
- T1115/linux_auditd_xclip
- T1127.001
- regsvr32_silent
- T1127
- atomic_red_team
- etw_disable
- T1134.005
- mimikatz
- sid_history2
- T1135
- large_number_computer_service_tickets
- rapid_authentication_multiple_hosts
- T1136.001
- atomic_red_team
- linux_auditd_add_user_type
- linux_auditd_add_user
- T1136.003
- azure_ad_add_service_principal
- azure_ad_external_guest_user_invited
- azure_ad_multiple_service_principals_created
- azure_automation_account
- o365_add_app_role_assignment_grant_user
- o365_add_service_principal
- o365_added_service_principal
- o365_multiple_service_principals_created
- o365_new_federated_domain_added
- o365_new_federated_domain
- o365_new_federation
- T1140
- atomic_red_team
- linux_auditd_base64
- T1185
- aws_concurrent_sessions_from_different_ips
- azure_ad_concurrent_sessions_from_different_ips
- o365_concurrent_sessions_from_different_ips
- T1187/petitpotam
- T1189
- dyn_dns_site
- splunk
- xss
- T1190
- citrix
- confluence
- crushftp
- ivanti
- java
- jenkins
- juniper
- magento
- outbound_java
- papercut
- proxyshell
- pswa
- sap
- screenconnect
- splunk
- spring4shell
- text4shell
- tomcat
- T1195.002/3CX
- T1197/atomic_red_team
- T1200
- linux_auditd_swapoff
- sysmon_usb_use_execution
- T1201/pwd_policy_discovery
- T1202/atomic_red_team
- T1204.002
- atomic_red_team
- batch_file_in_system32
- single_letter_exe
- T1204.003
- aws_ecr_container_upload
- aws_ecr_image_scanning
- risk_dataset
- T1204
- aws_updatelambdafunctioncode
- failed_login_service_account_ad
- kubernetes_audit_daemonset_created
- kubernetes_falco_shell_spawned
- kubernetes_privileged_pod
- kubernetes_unauthorized_access
- rare_executables
- T1207
- dc_promo
- mimikatz
- short_lived_server_object
- T1212
- kubernetes_nginx_lfi_attack
- kuberntest_nginx_rfi_attack
- T1216/atomic_red_team
- T1218.001/atomic_red_team
- T1218.002/atomic_red_team
- T1218.004/atomic_red_team
- T1218.005
- atomic_red_team
- mshta_in_registry
- T1218.007/atomic_red_team
- T1218.008/atomic_red_team
- T1218.009/atomic_red_team
- T1218.010/atomic_red_team
- T1218.011/atomic_red_team
- T1218.012/verclsid_exec
- T1218.013/atomic_red_team
- T1218
- bitlockertogo
- diskshadow
- eviltwin
- T1219
- atomic_red_team
- screenconnect
- teamviewer
- T1220/atomic_red_team
- T1222.001
- atomic_red_team
- dacl_abuse
- subinacl
- T1222.002
- linux_auditd_chattr_i
- linux_auditd_chmod_exec_attrib
- T1482
- atomic_red_team
- discovery
- T1484.001
- default_domain_policy_modified
- gpo_modification
- group_policy_created
- group_policy_deleted
- group_policy_disabled
- group_policy_new_cse
- T1484.002/new_federated_domain
- T1484
- DCShadowPermissions
- aclmodification
- T1485
- atomic_red_team
- decommissioned_buckets
- excessive_file_del_in_windefender_dir
- excessive_file_deletions
- linux_auditd_dd_overwrite
- linux_auditd_no_preserve_root
- linux_auditd_shred
- linux_dd_file_overwrite
- ransomware_extensions
- ransomware_notes
- rm_boot_dir
- rm_shred_critical_dir
- sdelete
- T1486
- aws_kms_key
- dcrypt
- s3_file_encryption
- sam_sam_note
- T1489
- linux_auditd_auditd_service_stop
- linux_auditd_osquerd_service_stop
- linux_auditd_service_stop
- linux_auditd_sysmon_service_stop
- linux_service_stop_disable
- T1490
- atomic_red_team
- aws_bucket_version
- ransomware_notes
- shadowcopy_del
- T1497.003/ping_sleep
- T1505.001/simulation
- T1505.003
- T1505.004
- T1526
- aws_security_scanner
- kubernetes_audit_pull_image
- kubernetes_kube_hunter
- T1528
- azure_ad_user_consent_blocked
- azure_ad_user_consent_declined
- azure_ad_user_consent_granted
- device_code_authentication
- o365_user_consent_blocked
- o365_user_consent_declined
- o365_user_consent_file_permissions
- o365_user_consent_mail_permissions
- T1530/aws_s3_public_bucket
- T1531/atomic_red_team
- T1537
- aws_exfil_risk_events
- aws_snapshot_exfil
- T1539/okta_web_session_multiple_ip
- T1542.003/bootkits
- T1543.003
- atomic_red_team
- lateral_movement_lolbas
- lateral_movement_powershell
- lateral_movement
- services_lolbas_execution
- T1546.001/txtfile_reg
- T1546.002/scrnsave_reg
- T1546.003
- atomic_red_team
- wmi_event_subscription
- T1546.004
- linux_auditd_unix_shell_mod_config
- linux_init_profile
- T1546.008/atomic_red_team
- T1546.011/atomic_red_team
- T1546.012/atomic_red_team
- T1546.015
- atomic_red_team
- pwh_com_object
- uac_colorui
- T1546/adminsdholder_modified
- T1547.001/atomic_red_team
- T1547.003/timeprovider_reg
- T1547.005/malicious_ssp
- T1547.006
- linux_auditd_insmod_new
- linux_auditd_insmod
- linux_auditd_modprobe_new
- linux_auditd_modprobe_unload_module
- linux_auditd_modprobe
- linux_auditd_rmmod_new
- linux_auditd_rmmod
- loading_linux_kernel_module
- T1547.008/atomic_red_team
- T1547.010/atomic_red_team
- T1547.012
- print_reg
- printnightmare
- T1548.001
- chmod_uid
- linux_auditd_setuid
- linux_setcap
- T1548.002
- LocalAccountTokenFilterPolicy
- atomic_red_team
- slui
- ssa_eventvwr
- uac_behavior
- T1548.003
- doas_exec
- doas
- linux_adduser
- linux_auditd_doas_new
- linux_auditd_doas
- linux_auditd_nopasswd
- linux_auditd_sudo_su
- linux_auditd_sudoers_access
- nopasswd_sudoers
- sudo_su
- sudoers_temp
- visudo
- T1548
- apt_get
- apt
- awk
- busybox
- c89
- c99
- composer
- cpulimit
- csvtool
- docker
- emacs
- find
- gawk
- gdb
- gem
- make
- mysql
- node
- octave
- openvpn
- php
- puppet
- rpm
- ruby
- sqlite3
- uac_bypass
- T1550.002/atomic_red_team
- T1550.003
- mimikatz
- rubeus
- T1550/rubeus
- T1552.001/password_in_username
- T1552.002/autoadminlogon
- T1552.004
- linux_auditd_find_gpg
- linux_auditd_find_ssh_files
- T1552.006/findstr_gpp_discovery
- T1552/aws_getpassworddata
- T1553.003/sip
- T1553.004/atomic_red_team
- T1555.005
- linux_auditd_find_credentials
- linux_auditd_find_password_db
- T1555/web_browser_pass_view
- T1556.001/atomic_red_team
- T1556.006
- aws_new_mfa_method_registered_for_user
- azure_ad_new_mfa_method_registered_for_user
- okta_mfa_method_disabled
- T1556
- azuread
- cisco_duo_bulk_policy_deletion
- cisco_duo_bypass_2FA
- cisco_duo_bypass_code
- cisco_duo_policy_allow_devices_without_screen_lock
- cisco_duo_policy_allow_network_bypass_2fa
- cisco_duo_policy_allow_old_flash_and_java
- cisco_duo_policy_allow_tampered_devices
- cisco_duo_policy_bypass_2FA_other_countries
- cisco_duo_policy_bypass_2FA
- cisco_duo_policy_deny_access
- cisco_duo_unusual_admin_login
- disable_credential_guard
- disable_lsa_protection
- gcp_disable_mfa
- o365_disable_mfa
- o365_sso_logon_errors
- okta_idp
- T1558.003
- atomic_red_team
- powerview-2
- powerview
- rubeus
- T1558.004/powershell
- T1558/diamond_ticket
- T1560.001/archive_utility
- T1561.002/mbr_raw_access
- T1562.001
- atomic_red_team
- defender_exclusion_sysmon
- disable-windows-security-defender-features
- disable_defender_logging
- disable_gpo
- pwh_defender_disabling
- sc_service_start_disabled
- unload_sysmon
- win_defend_service_stop
- T1562.002
- auditpol_tampering
- eventlog_sddl_tampering
- T1562.004
- atomic_red_team
- linux_auditd_disable_firewall
- njrat_add_firewall_rule
- njrat_delete_firewall
- T1562.007
- aws_create_acl
- aws_delete_acl
- o365_bypass_mfa_via_trusted_ip
- T1562.008
- aws_delete_security_services
- delete_cloudwatch_log_group
- o365_advanced_audit_disabled
- put_bucketlifecycle
- stop_delete_cloudtrail
- update_cloudtrail
- T1562.012/auditd_daemon_type
- T1562
- azuread_disable_blockconsent_for_riskapps
- o365_disable_blockconsent_for_riskapps
- T1563.002/rdphijack
- T1564.004/ads_abuse
- T1564.008/o365
- T1564/sc_sdset_tampering
- T1566.001
- gsuite_outbound_email_to_external
- gsuite_susp_attachment_ext
- gsuite_susp_subj
- gsuite_susp_url
- office_doc_abuses_rels
- onenote_spear_phishing
- phishing_pdf_uri
- T1566.002
- atomic_red_team
- lnk_file_temp_folder
- T1566
- cve-2024-21378
- o365_various_alerts
- zscalar_web_proxy
- T1567
- o365_sus_file_activity
- web_upload_nginx
- T1569.002
- atomic_red_team
- linux_service_start
- remcom
- scmanager_sddl_tamper
- T1570/remcom
- T1572
- cobalt_strike
- ngrok
- plink
- ssh_proxy_command
- T1574.001
- atomic_red_team
- iscsicpl
- T1574.002
- hijacklibs
- msi_module_load
- wineloader
- T1574.006
- lib_hijack
- linux_auditd_ldpreload
- linux_auditd_preload_file
- T1574.009/atomic_red_team
- T1574.011/change_registry_path_service
- T1578.005/aws_authorize_security_group
- T1586.003/okta_multiple_city
- T1587.002/atomic_red_team
- T1588.002/atomic_red_team
- T1590.002/enum_dns_record
- T1595
- attacker_scan_tools
- sysmon_scanning_events
- T1598.002/rdp
- T1620/common_language_runtim_loaded
- T1621
- aws_mfa_disabled
- azure_ad_multiple_denied_mfa_requests
- azuread
- gcp_failed_mfa
- multiple_failed_mfa_gws
- multiple_failed_mfa_requests
- o365_multiple_failed_mfa_requests
- okta_mfa_login_failed
- okta_mismatch
- okta_multiple_failed_mfa_pushes
- okta_multiple_failed_mfa_requests
- pingid
- T1649
- atomic_red_team
- certify_abuse
- t1547.014/active_setup_stubpath
- t1592
- host_info_dxdiag
- pwh_av_recon
- malware
- acidrain
- agent_tesla
- agent_tesla_ftp
- agent_tesla_smtp
- agent_tesla_tor_dns_query
- chm_powershell
- amadey/access_permission
- awfulshred
- test1
- test2
- test3
- azorult
- brute_ratel
- brute_duplicate_token
- create_remote_thread
- iso_version_dll_campaign
- loading_samlib
- service_deletion
- wallpaper_via_transcodedwallpaper
- chaos_ransomware
- spread_in_root_drives
- clop
- clop_a
- clop_b
- conti/conti_leak
- cyclopsblink
- dcrat
- dcrat_delay_execution
- dcrat_enum_camera
- dcrat_explorer_url
- dcrat_forkbomb
- reboot_logoff_commandline
- shutdown_commandline
- doublezero_wiper
- fin7
- fin7_js_2
- fin7_macro_js_1
- jssloader
- gootloader/partial_ttps
- hermetic_wiper
- globalfolderoptions_reg
- icedid
- cmd_carry_str_param
- disable_av
- disable_schtask
- inf_icedid
- phish_icedid
- simulated_icedid
- industroyer2
- lockbit_ransomware
- olympic_destroyer
- prestige_ransomware
- qakbot
- qbot2
- qbot_3
- qbot_wermgr2
- qbot_wermgr
- remote_thread
- redline/modify_registry
- remcos
- remcos_agent
- remcos_dynwrapx
- remcos_pastebin_download
- remcos_registry
- remcos
- revil/msmpeng_side
- ryuk
- snakemalware
- swift_slicer
- trickbot/spear_phish
- vilsel
- winpeas
- powershell
- winpeas_cmdkeylist
- winpeas_fsutil
- winpeas_search_private_key
- winpeas_search_pwd_db
- winpeas_search_pwd
- winter-vivern
- pwh_exfiltration
- pwh_uploadstring
- scheduledtask
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
1,417 files changed
+7088
-16277
lines changedThis file was deleted.
Lines changed: 24 additions & 19 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
12 | | - | |
13 | | - | |
14 | | - | |
15 | | - | |
16 | | - | |
17 | | - | |
18 | | - | |
19 | | - | |
20 | | - | |
21 | | - | |
22 | | - | |
23 | | - | |
24 | | - | |
25 | | - | |
26 | | - | |
27 | | - | |
28 | | - | |
29 | | - | |
30 | | - | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
Lines changed: 0 additions & 29 deletions
This file was deleted.
0 commit comments