├── .gitattributes ├── .gitignore ├── Dockerfile ├── LICENSE ├── README.md ├── SIEMs └── HELK │ └── README.md ├── datasets ├── day1 │ ├── README.md │ ├── apt29_evals_day1_manual.zip │ ├── pcaps │ │ ├── NASHUA.zip │ │ ├── README.md │ │ └── SCRANTON.zip │ └── zeek │ │ ├── NASHUA-zeek_logs.zip │ │ ├── SCRANTON-zeek_logs.zip │ │ ├── combined_zeek.log │ │ └── individual_zeek_logs │ │ ├── NASHUA_conn.log │ │ ├── NASHUA_dce_rpc.log │ │ ├── NASHUA_dns.log │ │ ├── NASHUA_dpd.log │ │ ├── NASHUA_files.log │ │ ├── NASHUA_kerberos.log │ │ ├── NASHUA_notice.log │ │ ├── NASHUA_smb_files.log │ │ ├── NASHUA_smb_mapping.log │ │ ├── NASHUA_ssl.log │ │ ├── NASHUA_weird.log │ │ ├── NASHUA_x509.log │ │ ├── SCRANTON_conn.log │ │ ├── SCRANTON_dce_rpc.log │ │ ├── SCRANTON_dns.log │ │ ├── SCRANTON_dpd.log │ │ ├── SCRANTON_files.log │ │ ├── SCRANTON_http.log │ │ ├── SCRANTON_kerberos.log │ │ ├── SCRANTON_notice.log │ │ ├── SCRANTON_pe.log │ │ ├── SCRANTON_smb_files.log │ │ ├── SCRANTON_smb_mapping.log │ │ ├── SCRANTON_ssl.log │ │ ├── SCRANTON_weird.log │ │ └── SCRANTON_x509.log └── day2 │ ├── apt29_evals_day2_manual.zip │ ├── pcaps │ ├── NEWYORK.zip │ ├── README.md │ ├── SCRANTON.zip │ ├── UTICA-A.zip │ ├── UTICA-C.zip │ ├── UTICA-D.zip │ └── UTICA-ONE-DRIVE.zip │ └── zeek │ ├── NEWYORK-zeek_logs.zip │ ├── SCRANTON-zeek_logs.zip │ ├── UTICA-A-zeek_logs.zip │ ├── UTICA-C-zeek_logs.zip │ ├── UTICA-D-zeek_logs.zip │ ├── UTICA-ONE-DRIVE-zeek_logs.zip │ ├── combined_zeek.log │ └── individual_zeek_logs │ ├── NEWYORK_capture_loss.log │ ├── NEWYORK_conn.log │ ├── NEWYORK_dce_rpc.log │ ├── NEWYORK_dns.log │ ├── NEWYORK_kerberos.log │ ├── NEWYORK_loaded_scripts.log │ ├── NEWYORK_packet_filter.log │ ├── NEWYORK_reporter.log │ ├── NEWYORK_smb_files.log │ ├── NEWYORK_smb_mapping.log │ ├── NEWYORK_stats.log │ ├── NEWYORK_weird.log │ ├── SCRANTON_capture_loss.log │ ├── SCRANTON_conn.log │ ├── SCRANTON_dce_rpc.log │ ├── SCRANTON_dns.log │ ├── SCRANTON_kerberos.log │ ├── SCRANTON_loaded_scripts.log │ ├── SCRANTON_packet_filter.log │ ├── SCRANTON_reporter.log │ ├── SCRANTON_smb_mapping.log │ ├── SCRANTON_stats.log │ ├── SCRANTON_weird.log │ ├── UTICA-A_capture_loss.log │ ├── UTICA-A_conn.log │ ├── UTICA-A_dce_rpc.log │ ├── UTICA-A_dns.log │ ├── UTICA-A_files.log │ ├── UTICA-A_http.log │ ├── UTICA-A_kerberos.log │ ├── UTICA-A_loaded_scripts.log │ ├── UTICA-A_notice.log │ ├── UTICA-A_packet_filter.log │ ├── UTICA-A_pe.log │ ├── UTICA-A_reporter.log │ ├── UTICA-A_smb_mapping.log │ ├── UTICA-A_ssl.log │ ├── UTICA-A_stats.log │ ├── UTICA-A_weird.log │ ├── UTICA-A_x509.log │ ├── UTICA-C_capture_loss.log │ ├── UTICA-C_conn.log │ ├── UTICA-C_dns.log │ ├── UTICA-C_kerberos.log │ ├── UTICA-C_loaded_scripts.log │ ├── UTICA-C_packet_filter.log │ ├── UTICA-C_reporter.log │ ├── UTICA-C_smb_mapping.log │ ├── UTICA-C_ssl.log │ ├── UTICA-C_stats.log │ ├── UTICA-C_weird.log │ ├── UTICA-D_capture_loss.log │ ├── UTICA-D_conn.log │ ├── UTICA-D_dce_rpc.log │ ├── UTICA-D_dns.log │ ├── UTICA-D_kerberos.log │ ├── UTICA-D_loaded_scripts.log │ ├── UTICA-D_packet_filter.log │ ├── UTICA-D_reporter.log │ ├── UTICA-D_ssl.log │ ├── UTICA-D_stats.log │ ├── UTICA-D_weird.log │ ├── UTICA-ONE-DRIVE_capture_loss.log │ ├── UTICA-ONE-DRIVE_conn.log │ ├── UTICA-ONE-DRIVE_dns.log │ ├── UTICA-ONE-DRIVE_files.log │ ├── UTICA-ONE-DRIVE_loaded_scripts.log │ ├── UTICA-ONE-DRIVE_packet_filter.log │ ├── UTICA-ONE-DRIVE_reporter.log │ ├── UTICA-ONE-DRIVE_ssl.log │ ├── UTICA-ONE-DRIVE_stats.log │ ├── UTICA-ONE-DRIVE_weird.log │ └── UTICA-ONE-DRIVE_x509.log ├── emulation-plans └── apt29.xlsx ├── notebooks ├── APT29-Our_Favorite_Analytics_Platform.ipynb └── APT29_Day1_Initial_Exploratory_Analysis.ipynb └── rules ├── kql └── SecurityEvent │ ├── handle_requested_sam_domain_remotely.yml │ └── new_service_install_remotely.yml └── sigma ├── network └── zeek │ ├── zeek_dce_rpc_domain_user_enumeration.yml │ ├── zeek_http_executable_download_from_webdav.yml │ ├── zeek_http_exfiltration_compressed_files.yml │ ├── zeek_http_exfiltration_compressed_files_filtered.yml │ └── zeek_http_webdav_put_request.yml └── windows ├── powershell ├── powershell_decompress_commands.yml └── powershell_get_clipboard.yml ├── security ├── win_high_integrity_sdclt.yml ├── win_sdclt_child_process.yml ├── win_susp_secondary_logon_service.yml └── win_susp_webdav_client_execution.yml └── sysmon ├── sysmon_high_integrity_sdclt.yml ├── sysmon_new_application_appcompat.yml ├── sysmon_removal_com_hijacking_registry_key.yml ├── sysmon_sdclt_child_process.yml ├── sysmon_startup_folder_file_write.yml ├── sysmon_susp_com_hijacking_delegate_execute.yml ├── sysmon_susp_pfx_file_creation.yml ├── sysmon_susp_python_image_load.yml ├── sysmon_susp_secondary_logon_service.yml ├── sysmon_susp_system_drawing_load.yml ├── sysmon_susp_webdav_client_execution.yml ├── sysmon_sysinternals_sdelete_file_deletion.yml └── sysmon_sysinternals_sdelete_registry_keys.yml /.gitattributes: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/Dockerfile -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/README.md -------------------------------------------------------------------------------- /SIEMs/HELK/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/SIEMs/HELK/README.md -------------------------------------------------------------------------------- /datasets/day1/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/README.md -------------------------------------------------------------------------------- /datasets/day1/apt29_evals_day1_manual.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/apt29_evals_day1_manual.zip -------------------------------------------------------------------------------- /datasets/day1/pcaps/NASHUA.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/pcaps/NASHUA.zip -------------------------------------------------------------------------------- /datasets/day1/pcaps/README.md: -------------------------------------------------------------------------------- 1 | # PCAP PASSWORD: infected -------------------------------------------------------------------------------- /datasets/day1/pcaps/SCRANTON.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/pcaps/SCRANTON.zip -------------------------------------------------------------------------------- /datasets/day1/zeek/NASHUA-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/NASHUA-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day1/zeek/SCRANTON-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/SCRANTON-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day1/zeek/combined_zeek.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/combined_zeek.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_conn.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_dce_rpc.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_dce_rpc.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_dns.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_dpd.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_dpd.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_files.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_files.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_kerberos.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_kerberos.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_notice.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_notice.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_smb_files.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_smb_files.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_smb_mapping.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_smb_mapping.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_ssl.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_ssl.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_weird.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/NASHUA_x509.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/NASHUA_x509.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_conn.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_dce_rpc.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_dce_rpc.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_dns.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_dpd.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_dpd.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_files.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_files.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_http.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_http.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_kerberos.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_kerberos.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_notice.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_notice.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_pe.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_pe.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_smb_files.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_smb_files.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_smb_mapping.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_smb_mapping.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_ssl.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_ssl.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_weird.log -------------------------------------------------------------------------------- /datasets/day1/zeek/individual_zeek_logs/SCRANTON_x509.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day1/zeek/individual_zeek_logs/SCRANTON_x509.log -------------------------------------------------------------------------------- /datasets/day2/apt29_evals_day2_manual.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/apt29_evals_day2_manual.zip -------------------------------------------------------------------------------- /datasets/day2/pcaps/NEWYORK.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/pcaps/NEWYORK.zip -------------------------------------------------------------------------------- /datasets/day2/pcaps/README.md: -------------------------------------------------------------------------------- 1 | # PCAP PASSWORD: infected -------------------------------------------------------------------------------- /datasets/day2/pcaps/SCRANTON.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/pcaps/SCRANTON.zip -------------------------------------------------------------------------------- /datasets/day2/pcaps/UTICA-A.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/pcaps/UTICA-A.zip -------------------------------------------------------------------------------- /datasets/day2/pcaps/UTICA-C.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/pcaps/UTICA-C.zip -------------------------------------------------------------------------------- /datasets/day2/pcaps/UTICA-D.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/pcaps/UTICA-D.zip -------------------------------------------------------------------------------- /datasets/day2/pcaps/UTICA-ONE-DRIVE.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/pcaps/UTICA-ONE-DRIVE.zip -------------------------------------------------------------------------------- /datasets/day2/zeek/NEWYORK-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/NEWYORK-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day2/zeek/SCRANTON-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/SCRANTON-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day2/zeek/UTICA-A-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/UTICA-A-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day2/zeek/UTICA-C-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/UTICA-C-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day2/zeek/UTICA-D-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/UTICA-D-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day2/zeek/UTICA-ONE-DRIVE-zeek_logs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/UTICA-ONE-DRIVE-zeek_logs.zip -------------------------------------------------------------------------------- /datasets/day2/zeek/combined_zeek.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/combined_zeek.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_capture_loss.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_capture_loss.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_conn.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_dce_rpc.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_dce_rpc.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_dns.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_kerberos.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_kerberos.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_loaded_scripts.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_loaded_scripts.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_packet_filter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_packet_filter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_reporter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_reporter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_smb_files.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_smb_files.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_smb_mapping.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_smb_mapping.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_stats.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_stats.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/NEWYORK_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/NEWYORK_weird.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_capture_loss.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_capture_loss.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_conn.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_dce_rpc.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_dce_rpc.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_dns.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_kerberos.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_kerberos.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_loaded_scripts.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_loaded_scripts.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_packet_filter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_packet_filter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_reporter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_reporter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_smb_mapping.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_smb_mapping.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_stats.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_stats.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/SCRANTON_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/SCRANTON_weird.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_capture_loss.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_capture_loss.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_conn.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_dce_rpc.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_dce_rpc.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_dns.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_files.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_files.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_http.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_http.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_kerberos.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_kerberos.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_loaded_scripts.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_loaded_scripts.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_notice.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_notice.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_packet_filter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_packet_filter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_pe.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_pe.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_reporter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_reporter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_smb_mapping.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_smb_mapping.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_ssl.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_ssl.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_stats.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_stats.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_weird.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-A_x509.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-A_x509.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_capture_loss.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_capture_loss.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_conn.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_dns.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_kerberos.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_kerberos.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_loaded_scripts.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_loaded_scripts.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_packet_filter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_packet_filter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_reporter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_reporter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_smb_mapping.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_smb_mapping.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_ssl.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_ssl.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_stats.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_stats.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-C_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-C_weird.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_capture_loss.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_capture_loss.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_conn.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_dce_rpc.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_dce_rpc.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_dns.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_kerberos.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_kerberos.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_loaded_scripts.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_loaded_scripts.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_packet_filter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_packet_filter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_reporter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_reporter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_ssl.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_ssl.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_stats.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_stats.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-D_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-D_weird.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_capture_loss.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_capture_loss.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_conn.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_conn.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_dns.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_dns.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_files.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_files.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_loaded_scripts.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_loaded_scripts.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_packet_filter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_packet_filter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_reporter.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_reporter.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_ssl.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_ssl.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_stats.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_stats.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_weird.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_weird.log -------------------------------------------------------------------------------- /datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_x509.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/datasets/day2/zeek/individual_zeek_logs/UTICA-ONE-DRIVE_x509.log -------------------------------------------------------------------------------- /emulation-plans/apt29.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/emulation-plans/apt29.xlsx -------------------------------------------------------------------------------- /notebooks/APT29-Our_Favorite_Analytics_Platform.ipynb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/notebooks/APT29-Our_Favorite_Analytics_Platform.ipynb -------------------------------------------------------------------------------- /notebooks/APT29_Day1_Initial_Exploratory_Analysis.ipynb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/notebooks/APT29_Day1_Initial_Exploratory_Analysis.ipynb -------------------------------------------------------------------------------- /rules/kql/SecurityEvent/handle_requested_sam_domain_remotely.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/kql/SecurityEvent/handle_requested_sam_domain_remotely.yml -------------------------------------------------------------------------------- /rules/kql/SecurityEvent/new_service_install_remotely.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/kql/SecurityEvent/new_service_install_remotely.yml -------------------------------------------------------------------------------- /rules/sigma/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml -------------------------------------------------------------------------------- /rules/sigma/network/zeek/zeek_http_executable_download_from_webdav.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/network/zeek/zeek_http_executable_download_from_webdav.yml -------------------------------------------------------------------------------- /rules/sigma/network/zeek/zeek_http_exfiltration_compressed_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/network/zeek/zeek_http_exfiltration_compressed_files.yml -------------------------------------------------------------------------------- /rules/sigma/network/zeek/zeek_http_exfiltration_compressed_files_filtered.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/network/zeek/zeek_http_exfiltration_compressed_files_filtered.yml -------------------------------------------------------------------------------- /rules/sigma/network/zeek/zeek_http_webdav_put_request.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/network/zeek/zeek_http_webdav_put_request.yml -------------------------------------------------------------------------------- /rules/sigma/windows/powershell/powershell_decompress_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/powershell/powershell_decompress_commands.yml -------------------------------------------------------------------------------- /rules/sigma/windows/powershell/powershell_get_clipboard.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/powershell/powershell_get_clipboard.yml -------------------------------------------------------------------------------- /rules/sigma/windows/security/win_high_integrity_sdclt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/security/win_high_integrity_sdclt.yml -------------------------------------------------------------------------------- /rules/sigma/windows/security/win_sdclt_child_process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/security/win_sdclt_child_process.yml -------------------------------------------------------------------------------- /rules/sigma/windows/security/win_susp_secondary_logon_service.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/security/win_susp_secondary_logon_service.yml -------------------------------------------------------------------------------- /rules/sigma/windows/security/win_susp_webdav_client_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/security/win_susp_webdav_client_execution.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_high_integrity_sdclt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_high_integrity_sdclt.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_new_application_appcompat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_new_application_appcompat.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_sdclt_child_process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_sdclt_child_process.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_startup_folder_file_write.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_startup_folder_file_write.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_susp_com_hijacking_delegate_execute.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_susp_com_hijacking_delegate_execute.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_susp_pfx_file_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_susp_pfx_file_creation.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_susp_python_image_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_susp_python_image_load.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_susp_secondary_logon_service.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_susp_secondary_logon_service.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_susp_system_drawing_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_susp_system_drawing_load.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_susp_webdav_client_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_susp_webdav_client_execution.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_sysinternals_sdelete_file_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_sysinternals_sdelete_file_deletion.yml -------------------------------------------------------------------------------- /rules/sigma/windows/sysmon/sysmon_sysinternals_sdelete_registry_keys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/detection-hackathon-apt29/HEAD/rules/sigma/windows/sysmon/sysmon_sysinternals_sdelete_registry_keys.yml --------------------------------------------------------------------------------