├── .github ├── ISSUE_TEMPLATE │ ├── analytic.md │ ├── bug_report.md │ └── schema.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ └── pythonpackage.yml ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── MANIFEST.in ├── Makefile ├── README.md ├── data ├── normalized-T1117-AtomicRed-regsvr32.json ├── normalized-atomic-red-team.json.gz ├── normalized-rta.json.gz ├── sysmon-atomic-red-team.json.gz └── sysmon-rta.json.gz ├── docs ├── Makefile ├── _static │ ├── atomicblue.css │ ├── eql-whoami.jpg │ ├── eql.png │ ├── favicon.png │ └── searchtools.js ├── _templates │ ├── analytic-groups.rst │ ├── analytic.rst │ ├── data-source.rst │ ├── links.rst │ └── matrix.rst ├── analytics.rst ├── atomicblue.rst ├── conf.py ├── docutils.conf ├── guides │ ├── cli.rst │ ├── index.rst │ └── sysmon.rst ├── index.rst ├── licenses.rst ├── make.bat ├── matrices.rst ├── resources.rst ├── schemas.rst └── schemas │ ├── car.rst │ └── sysmon.rst ├── eqllib ├── __init__.py ├── __main__.py ├── analytics │ ├── actors │ │ └── GAMAREDON GROUP │ │ │ ├── G0047-dynamic-dns-non-browser-process.toml │ │ │ ├── G0047-ms-office-template-injection.toml │ │ │ ├── G0047-persistence-startup-folder-execution.toml │ │ │ ├── G0047-persistence-startup-folder-file-write.toml │ │ │ └── G0047-registry-modification-remove-vba-warning-disable.toml │ ├── collection │ │ ├── T1005-txt-files-with-command-line-redirection.toml │ │ ├── T1074-common-archiver-commands.toml │ │ ├── T1114-outlook-archive-access.toml │ │ ├── T1115-clipboard-pbpaste.toml │ │ ├── T1123-powershell-audio-collect.toml │ │ └── T1123-soundrecorder-collect.toml │ ├── credential-access │ │ ├── T1003-credential-dumping-via-credential-vault-dll.toml │ │ ├── T1003-credential-enumeration-via-credential-vault-cli.toml │ │ ├── T1003-lsass-memory-dump.toml │ │ ├── T1003-ntdsutil-dump-ntds.toml │ │ ├── T1003-procdump-dump-lsass.toml │ │ ├── T1003-reg-dump.toml │ │ ├── T1081-linux-creds-in-files.toml │ │ ├── T1081-windows-findstr-password.toml │ │ └── T1174-password-filter-dll.toml │ ├── defense-evasion │ │ ├── T1036-process-unusual-extensions.toml │ │ ├── T1055-code-injection-ld.so.preload.toml │ │ ├── T1070-fsutil-deletejournal.toml │ │ ├── T1070-indicator-removal-on-host.toml │ │ ├── T1070-wevtutil-clear.toml │ │ ├── T1089-unload-sysmon-driver.toml │ │ ├── T1093-parent-child-mismatch.toml │ │ ├── T1096-ads-file-create.toml │ │ ├── T1117-scrobj-load.toml │ │ ├── T1126-disconnecting-from-network-shares-net.toml │ │ ├── T1130-root-cert-install.toml │ │ ├── T1140-certutil-decode.toml │ │ ├── T1144-potential-gatekeeper-bypass.toml │ │ ├── T1151-processes-trailing-space.toml │ │ ├── T1158-hidden-files-attrib.toml │ │ ├── T1191-execution-cmstp.toml │ │ ├── T1191-msft-connection-mgr-uac-bypass.toml │ │ ├── T1196-control-panel-items.toml │ │ ├── T1197-bitsadmin-download.toml │ │ ├── T1197-bitsadmin-ps-download.toml │ │ ├── T1202-indirect-cmd-exec.toml │ │ ├── T1216-proxied-exec-signed-scripts.toml │ │ ├── T1222-windows-file-permissions-modification.toml │ │ └── T1223-compiled-html-file.toml │ ├── discovery │ │ ├── T1016-discovery-of-network-environment-built-in-tools.toml │ │ ├── T1016-windows-discovery-of-network-environment-built-in-tools.toml │ │ ├── T1018-net-view.toml │ │ ├── T1018-remote-system-discovery-commands-windows.toml │ │ ├── T1033-system-owner-and-user-discovery.toml │ │ ├── T1046-network-service-scanning-port.toml │ │ ├── T1049-net-use.toml │ │ ├── T1049-system-network-connections-discovery-nix.toml │ │ ├── T1057-process-discovery-built-in-applications.toml │ │ ├── T1057-process-discovery.toml │ │ ├── T1069-discovery-of-domain-groups.toml │ │ ├── T1082-linux-system-information-discovery.toml │ │ ├── T1082-system-information-discovery.toml │ │ ├── T1082-systeminfo.toml │ │ ├── T1087-account-discovery-built-in-tools.toml │ │ ├── T1087-discovery-commands-rundll32-remote-access-tool.toml │ │ ├── T1124-net-time-remote.toml │ │ ├── T1135-net-share.toml │ │ ├── T1135-net-view-remote.toml │ │ ├── T1201-password-policy-enumeration-linux.toml │ │ ├── T1482-domain-trust-discovery-nltest.toml │ │ └── T1482-domain-trust-discovery.toml │ ├── execution │ │ ├── T1035-execution-of-existing-service-command.toml │ │ ├── T1047-wmi-execution-via-vba-macro.toml │ │ ├── T1047-wmic-remote-process.toml │ │ ├── T1117-regsvr32-scrobj.toml │ │ ├── T1118-installutil-process.toml │ │ ├── T1154-trap-signals.toml │ │ ├── T1168-local-job-scheduling-paths.toml │ │ ├── T1168-local-job-scheduling-process.toml │ │ ├── T1170-mshta-ms-office-descendant.toml │ │ ├── T1170-mshta-network.toml │ │ └── T1173-executable-written-and-executed-via-dde-and-ms-office.toml │ ├── exfiltration │ │ └── T1002-rar-compression.toml │ ├── impact │ │ ├── T1489-stop-services-sc.toml │ │ ├── T1489-stopping-services-net.toml │ │ ├── T1490-bcdedit-modification.toml │ │ ├── T1490-vssadmin-delete.toml │ │ └── T1490-wmic-shadow-delete.toml │ ├── lateral-movement │ │ ├── T1021-remote-terminal-session.toml │ │ ├── T1028-incoming-remote-powershell.toml │ │ ├── T1037-logon-scripts-registry.toml │ │ ├── T1076-remote-desktop-protocol-hijack.toml │ │ ├── T1077-net-use-hidden.toml │ │ └── T1077-windows-hidden-shares-net.toml │ ├── persistence │ │ ├── T1004-winlogon-helper-dll-reg.toml │ │ ├── T1015-accessibility-debugger.toml │ │ ├── T1031-service-path-mod-sc.toml │ │ ├── T1037-reg-logon-script.toml │ │ ├── T1042-file-handler.toml │ │ ├── T1053-scheduled-task-creation-via-vba-macro.toml │ │ ├── T1060-run-keys.toml │ │ ├── T1060-shell-folders.toml │ │ ├── T1101-ssp-registry-modification.toml │ │ ├── T1103-appinit.toml │ │ ├── T1122-com-hijack.toml │ │ ├── T1128-registry-netsh.toml │ │ ├── T1131-lsa-authentication-package.toml │ │ ├── T1136-net-user-add.toml │ │ ├── T1137-office-application-startup-template-file.toml │ │ ├── T1137-office-application-startup-template-reg.toml │ │ ├── T1138-shim-db.toml │ │ ├── T1156-bash-profile-bashrc-mod.toml │ │ ├── T1159-process-launch-agent.toml │ │ ├── T1163-rc-common.toml │ │ ├── T1164-mac-resumed-application.toml │ │ ├── T1176-suspicious-files-browser-extensions.toml │ │ ├── T1180-screensaver-persistence.toml │ │ ├── T1209-persistence-time-providers.toml │ │ ├── T1215-linux-ko-creations.toml │ │ ├── T1215-mac-kernel-modules-kextload.toml │ │ └── T1501-systemd-service.toml │ └── privilege-escalation │ │ ├── T1013-port-monitor.toml │ │ ├── T1038-dll-hijacking-known.toml │ │ ├── T1050-escalation-service-cmd.toml │ │ ├── T1053-interactive-at-job.toml │ │ ├── T1053-schtask-create.toml │ │ ├── T1088-bypassuac-compmgmtlauncher.toml │ │ ├── T1088-bypassuac-eventvwr-exec.toml │ │ ├── T1088-bypassuac-eventvwr-registry.toml │ │ ├── T1088-bypassuac-fodhelper-exec.toml │ │ ├── T1088-bypassuac-wsreset-exec.toml │ │ ├── T1150-plist-modification.toml │ │ ├── T1160-launch-daemon-persistence.toml │ │ └── T1182-appcert-dlls-registry-modification.toml ├── attack.py ├── domains │ └── security.toml ├── enterprise-attack.json.gz ├── functions.py ├── loader.py ├── main.py ├── normalization.py ├── schemas.py ├── sources │ ├── car.toml │ ├── endgame.toml │ └── sysmon.toml └── utils.py ├── requirements_rtd.txt ├── setup.cfg ├── setup.py ├── tests ├── __init__.py ├── test_analytics.py └── test_normalization.py └── utils └── scrape-events.ps1 /.github/ISSUE_TEMPLATE/analytic.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/.github/ISSUE_TEMPLATE/analytic.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/.github/ISSUE_TEMPLATE/bug_report.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/schema.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/.github/ISSUE_TEMPLATE/schema.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/.github/PULL_REQUEST_TEMPLATE.md -------------------------------------------------------------------------------- /.github/workflows/pythonpackage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/.github/workflows/pythonpackage.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/.gitignore -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/CONTRIBUTING.md -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/LICENSE -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/MANIFEST.in -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/README.md -------------------------------------------------------------------------------- /data/normalized-T1117-AtomicRed-regsvr32.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/data/normalized-T1117-AtomicRed-regsvr32.json -------------------------------------------------------------------------------- /data/normalized-atomic-red-team.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/data/normalized-atomic-red-team.json.gz -------------------------------------------------------------------------------- /data/normalized-rta.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/data/normalized-rta.json.gz -------------------------------------------------------------------------------- /data/sysmon-atomic-red-team.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/data/sysmon-atomic-red-team.json.gz -------------------------------------------------------------------------------- /data/sysmon-rta.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/data/sysmon-rta.json.gz -------------------------------------------------------------------------------- /docs/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/Makefile -------------------------------------------------------------------------------- /docs/_static/atomicblue.css: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_static/atomicblue.css -------------------------------------------------------------------------------- /docs/_static/eql-whoami.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_static/eql-whoami.jpg -------------------------------------------------------------------------------- /docs/_static/eql.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_static/eql.png -------------------------------------------------------------------------------- /docs/_static/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_static/favicon.png -------------------------------------------------------------------------------- /docs/_static/searchtools.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_static/searchtools.js -------------------------------------------------------------------------------- /docs/_templates/analytic-groups.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_templates/analytic-groups.rst -------------------------------------------------------------------------------- /docs/_templates/analytic.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_templates/analytic.rst -------------------------------------------------------------------------------- /docs/_templates/data-source.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_templates/data-source.rst -------------------------------------------------------------------------------- /docs/_templates/links.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_templates/links.rst -------------------------------------------------------------------------------- /docs/_templates/matrix.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/_templates/matrix.rst -------------------------------------------------------------------------------- /docs/analytics.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/analytics.rst -------------------------------------------------------------------------------- /docs/atomicblue.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/atomicblue.rst -------------------------------------------------------------------------------- /docs/conf.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/conf.py -------------------------------------------------------------------------------- /docs/docutils.conf: -------------------------------------------------------------------------------- 1 | [html4css1 writer] 2 | field_name_limit: 40 -------------------------------------------------------------------------------- /docs/guides/cli.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/guides/cli.rst -------------------------------------------------------------------------------- /docs/guides/index.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/guides/index.rst -------------------------------------------------------------------------------- /docs/guides/sysmon.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/guides/sysmon.rst -------------------------------------------------------------------------------- /docs/index.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/index.rst -------------------------------------------------------------------------------- /docs/licenses.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/licenses.rst -------------------------------------------------------------------------------- /docs/make.bat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/make.bat -------------------------------------------------------------------------------- /docs/matrices.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/matrices.rst -------------------------------------------------------------------------------- /docs/resources.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/resources.rst -------------------------------------------------------------------------------- /docs/schemas.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/schemas.rst -------------------------------------------------------------------------------- /docs/schemas/car.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/schemas/car.rst -------------------------------------------------------------------------------- /docs/schemas/sysmon.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/docs/schemas/sysmon.rst -------------------------------------------------------------------------------- /eqllib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/__init__.py -------------------------------------------------------------------------------- /eqllib/__main__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/__main__.py -------------------------------------------------------------------------------- /eqllib/analytics/actors/GAMAREDON GROUP/G0047-dynamic-dns-non-browser-process.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/actors/GAMAREDON GROUP/G0047-dynamic-dns-non-browser-process.toml -------------------------------------------------------------------------------- /eqllib/analytics/actors/GAMAREDON GROUP/G0047-ms-office-template-injection.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/actors/GAMAREDON GROUP/G0047-ms-office-template-injection.toml -------------------------------------------------------------------------------- /eqllib/analytics/actors/GAMAREDON GROUP/G0047-persistence-startup-folder-execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/actors/GAMAREDON GROUP/G0047-persistence-startup-folder-execution.toml -------------------------------------------------------------------------------- /eqllib/analytics/actors/GAMAREDON GROUP/G0047-persistence-startup-folder-file-write.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/actors/GAMAREDON GROUP/G0047-persistence-startup-folder-file-write.toml -------------------------------------------------------------------------------- /eqllib/analytics/actors/GAMAREDON GROUP/G0047-registry-modification-remove-vba-warning-disable.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/actors/GAMAREDON GROUP/G0047-registry-modification-remove-vba-warning-disable.toml -------------------------------------------------------------------------------- /eqllib/analytics/collection/T1005-txt-files-with-command-line-redirection.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/collection/T1005-txt-files-with-command-line-redirection.toml -------------------------------------------------------------------------------- /eqllib/analytics/collection/T1074-common-archiver-commands.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/collection/T1074-common-archiver-commands.toml -------------------------------------------------------------------------------- /eqllib/analytics/collection/T1114-outlook-archive-access.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/collection/T1114-outlook-archive-access.toml -------------------------------------------------------------------------------- /eqllib/analytics/collection/T1115-clipboard-pbpaste.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/collection/T1115-clipboard-pbpaste.toml -------------------------------------------------------------------------------- /eqllib/analytics/collection/T1123-powershell-audio-collect.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/collection/T1123-powershell-audio-collect.toml -------------------------------------------------------------------------------- /eqllib/analytics/collection/T1123-soundrecorder-collect.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/collection/T1123-soundrecorder-collect.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1003-credential-dumping-via-credential-vault-dll.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1003-credential-dumping-via-credential-vault-dll.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1003-credential-enumeration-via-credential-vault-cli.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1003-credential-enumeration-via-credential-vault-cli.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1003-lsass-memory-dump.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1003-lsass-memory-dump.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1003-ntdsutil-dump-ntds.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1003-ntdsutil-dump-ntds.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1003-procdump-dump-lsass.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1003-procdump-dump-lsass.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1003-reg-dump.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1003-reg-dump.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1081-linux-creds-in-files.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1081-linux-creds-in-files.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1081-windows-findstr-password.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1081-windows-findstr-password.toml -------------------------------------------------------------------------------- /eqllib/analytics/credential-access/T1174-password-filter-dll.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/credential-access/T1174-password-filter-dll.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1036-process-unusual-extensions.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1036-process-unusual-extensions.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1055-code-injection-ld.so.preload.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1055-code-injection-ld.so.preload.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1070-fsutil-deletejournal.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1070-fsutil-deletejournal.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1070-indicator-removal-on-host.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1070-indicator-removal-on-host.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1070-wevtutil-clear.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1070-wevtutil-clear.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1089-unload-sysmon-driver.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1089-unload-sysmon-driver.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1093-parent-child-mismatch.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1093-parent-child-mismatch.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1096-ads-file-create.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1096-ads-file-create.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1117-scrobj-load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1117-scrobj-load.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1126-disconnecting-from-network-shares-net.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1126-disconnecting-from-network-shares-net.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1130-root-cert-install.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1130-root-cert-install.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1140-certutil-decode.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1140-certutil-decode.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1144-potential-gatekeeper-bypass.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1144-potential-gatekeeper-bypass.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1151-processes-trailing-space.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1151-processes-trailing-space.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1158-hidden-files-attrib.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1158-hidden-files-attrib.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1191-execution-cmstp.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1191-execution-cmstp.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1191-msft-connection-mgr-uac-bypass.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1191-msft-connection-mgr-uac-bypass.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1196-control-panel-items.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1196-control-panel-items.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1197-bitsadmin-download.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1197-bitsadmin-download.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1197-bitsadmin-ps-download.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1197-bitsadmin-ps-download.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1202-indirect-cmd-exec.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1202-indirect-cmd-exec.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1216-proxied-exec-signed-scripts.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1216-proxied-exec-signed-scripts.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1222-windows-file-permissions-modification.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1222-windows-file-permissions-modification.toml -------------------------------------------------------------------------------- /eqllib/analytics/defense-evasion/T1223-compiled-html-file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/defense-evasion/T1223-compiled-html-file.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1016-discovery-of-network-environment-built-in-tools.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1016-discovery-of-network-environment-built-in-tools.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1016-windows-discovery-of-network-environment-built-in-tools.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1016-windows-discovery-of-network-environment-built-in-tools.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1018-net-view.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1018-net-view.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1018-remote-system-discovery-commands-windows.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1018-remote-system-discovery-commands-windows.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1033-system-owner-and-user-discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1033-system-owner-and-user-discovery.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1046-network-service-scanning-port.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1046-network-service-scanning-port.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1049-net-use.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1049-net-use.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1049-system-network-connections-discovery-nix.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1049-system-network-connections-discovery-nix.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1057-process-discovery-built-in-applications.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1057-process-discovery-built-in-applications.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1057-process-discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1057-process-discovery.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1069-discovery-of-domain-groups.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1069-discovery-of-domain-groups.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1082-linux-system-information-discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1082-linux-system-information-discovery.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1082-system-information-discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1082-system-information-discovery.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1082-systeminfo.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1082-systeminfo.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1087-account-discovery-built-in-tools.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1087-account-discovery-built-in-tools.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1087-discovery-commands-rundll32-remote-access-tool.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1087-discovery-commands-rundll32-remote-access-tool.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1124-net-time-remote.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1124-net-time-remote.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1135-net-share.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1135-net-share.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1135-net-view-remote.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1135-net-view-remote.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1201-password-policy-enumeration-linux.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1201-password-policy-enumeration-linux.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1482-domain-trust-discovery-nltest.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1482-domain-trust-discovery-nltest.toml -------------------------------------------------------------------------------- /eqllib/analytics/discovery/T1482-domain-trust-discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/discovery/T1482-domain-trust-discovery.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1035-execution-of-existing-service-command.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1035-execution-of-existing-service-command.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1047-wmi-execution-via-vba-macro.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1047-wmi-execution-via-vba-macro.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1047-wmic-remote-process.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1047-wmic-remote-process.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1117-regsvr32-scrobj.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1117-regsvr32-scrobj.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1118-installutil-process.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1118-installutil-process.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1154-trap-signals.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1154-trap-signals.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1168-local-job-scheduling-paths.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1168-local-job-scheduling-paths.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1168-local-job-scheduling-process.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1168-local-job-scheduling-process.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1170-mshta-ms-office-descendant.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1170-mshta-ms-office-descendant.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1170-mshta-network.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1170-mshta-network.toml -------------------------------------------------------------------------------- /eqllib/analytics/execution/T1173-executable-written-and-executed-via-dde-and-ms-office.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/execution/T1173-executable-written-and-executed-via-dde-and-ms-office.toml -------------------------------------------------------------------------------- /eqllib/analytics/exfiltration/T1002-rar-compression.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/exfiltration/T1002-rar-compression.toml -------------------------------------------------------------------------------- /eqllib/analytics/impact/T1489-stop-services-sc.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/impact/T1489-stop-services-sc.toml -------------------------------------------------------------------------------- /eqllib/analytics/impact/T1489-stopping-services-net.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/impact/T1489-stopping-services-net.toml -------------------------------------------------------------------------------- /eqllib/analytics/impact/T1490-bcdedit-modification.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/impact/T1490-bcdedit-modification.toml -------------------------------------------------------------------------------- /eqllib/analytics/impact/T1490-vssadmin-delete.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/impact/T1490-vssadmin-delete.toml -------------------------------------------------------------------------------- /eqllib/analytics/impact/T1490-wmic-shadow-delete.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/impact/T1490-wmic-shadow-delete.toml -------------------------------------------------------------------------------- /eqllib/analytics/lateral-movement/T1021-remote-terminal-session.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/lateral-movement/T1021-remote-terminal-session.toml -------------------------------------------------------------------------------- /eqllib/analytics/lateral-movement/T1028-incoming-remote-powershell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/lateral-movement/T1028-incoming-remote-powershell.toml -------------------------------------------------------------------------------- /eqllib/analytics/lateral-movement/T1037-logon-scripts-registry.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/lateral-movement/T1037-logon-scripts-registry.toml -------------------------------------------------------------------------------- /eqllib/analytics/lateral-movement/T1076-remote-desktop-protocol-hijack.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/lateral-movement/T1076-remote-desktop-protocol-hijack.toml -------------------------------------------------------------------------------- /eqllib/analytics/lateral-movement/T1077-net-use-hidden.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/lateral-movement/T1077-net-use-hidden.toml -------------------------------------------------------------------------------- /eqllib/analytics/lateral-movement/T1077-windows-hidden-shares-net.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/lateral-movement/T1077-windows-hidden-shares-net.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1004-winlogon-helper-dll-reg.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1004-winlogon-helper-dll-reg.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1015-accessibility-debugger.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1015-accessibility-debugger.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1031-service-path-mod-sc.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1031-service-path-mod-sc.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1037-reg-logon-script.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1037-reg-logon-script.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1042-file-handler.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1042-file-handler.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1053-scheduled-task-creation-via-vba-macro.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1053-scheduled-task-creation-via-vba-macro.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1060-run-keys.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1060-run-keys.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1060-shell-folders.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1060-shell-folders.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1101-ssp-registry-modification.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1101-ssp-registry-modification.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1103-appinit.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1103-appinit.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1122-com-hijack.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1122-com-hijack.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1128-registry-netsh.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1128-registry-netsh.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1131-lsa-authentication-package.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1131-lsa-authentication-package.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1136-net-user-add.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1136-net-user-add.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1137-office-application-startup-template-file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1137-office-application-startup-template-file.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1137-office-application-startup-template-reg.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1137-office-application-startup-template-reg.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1138-shim-db.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1138-shim-db.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1156-bash-profile-bashrc-mod.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1156-bash-profile-bashrc-mod.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1159-process-launch-agent.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1159-process-launch-agent.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1163-rc-common.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1163-rc-common.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1164-mac-resumed-application.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1164-mac-resumed-application.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1176-suspicious-files-browser-extensions.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1176-suspicious-files-browser-extensions.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1180-screensaver-persistence.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1180-screensaver-persistence.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1209-persistence-time-providers.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1209-persistence-time-providers.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1215-linux-ko-creations.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1215-linux-ko-creations.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1215-mac-kernel-modules-kextload.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1215-mac-kernel-modules-kextload.toml -------------------------------------------------------------------------------- /eqllib/analytics/persistence/T1501-systemd-service.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/persistence/T1501-systemd-service.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1013-port-monitor.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1013-port-monitor.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1038-dll-hijacking-known.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1038-dll-hijacking-known.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1050-escalation-service-cmd.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1050-escalation-service-cmd.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1053-interactive-at-job.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1053-interactive-at-job.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1053-schtask-create.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1053-schtask-create.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1088-bypassuac-compmgmtlauncher.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1088-bypassuac-compmgmtlauncher.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1088-bypassuac-eventvwr-exec.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1088-bypassuac-eventvwr-exec.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1088-bypassuac-eventvwr-registry.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1088-bypassuac-eventvwr-registry.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1088-bypassuac-fodhelper-exec.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1088-bypassuac-fodhelper-exec.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1088-bypassuac-wsreset-exec.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1088-bypassuac-wsreset-exec.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1150-plist-modification.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1150-plist-modification.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1160-launch-daemon-persistence.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1160-launch-daemon-persistence.toml -------------------------------------------------------------------------------- /eqllib/analytics/privilege-escalation/T1182-appcert-dlls-registry-modification.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/analytics/privilege-escalation/T1182-appcert-dlls-registry-modification.toml -------------------------------------------------------------------------------- /eqllib/attack.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/attack.py -------------------------------------------------------------------------------- /eqllib/domains/security.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/domains/security.toml -------------------------------------------------------------------------------- /eqllib/enterprise-attack.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/enterprise-attack.json.gz -------------------------------------------------------------------------------- /eqllib/functions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/functions.py -------------------------------------------------------------------------------- /eqllib/loader.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/loader.py -------------------------------------------------------------------------------- /eqllib/main.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/main.py -------------------------------------------------------------------------------- /eqllib/normalization.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/normalization.py -------------------------------------------------------------------------------- /eqllib/schemas.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/schemas.py -------------------------------------------------------------------------------- /eqllib/sources/car.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/sources/car.toml -------------------------------------------------------------------------------- /eqllib/sources/endgame.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/sources/endgame.toml -------------------------------------------------------------------------------- /eqllib/sources/sysmon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/sources/sysmon.toml -------------------------------------------------------------------------------- /eqllib/utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/eqllib/utils.py -------------------------------------------------------------------------------- /requirements_rtd.txt: -------------------------------------------------------------------------------- 1 | sphinx==1.7.9 2 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/setup.cfg -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/setup.py -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- 1 | """Unit tests for the EQL analytics library.""" 2 | -------------------------------------------------------------------------------- /tests/test_analytics.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/tests/test_analytics.py -------------------------------------------------------------------------------- /tests/test_normalization.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/tests/test_normalization.py -------------------------------------------------------------------------------- /utils/scrape-events.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endgameinc/eqllib/HEAD/utils/scrape-events.ps1 --------------------------------------------------------------------------------