├── .github ├── pull_request_template.md └── workflows │ └── github-actions-secure.yml ├── .gitignore ├── EDR_telem_linux.json ├── EDR_telem_windows.json ├── LICENSE ├── README.md ├── Tools ├── Telemetry-Generator │ ├── Linux │ │ ├── LINUX_TELEMETRY_GENERATOR_GUIDE.md │ │ ├── complex │ │ │ ├── driver_load.py │ │ │ ├── eBPF_exec.py │ │ │ ├── process_hijack_demo.py │ │ │ ├── process_tampering.py │ │ │ └── scheduled_task.py │ │ ├── lnx_telem_gen.py │ │ └── requirements.txt │ └── Windows │ │ ├── README.md │ │ ├── ServiceCreator │ │ ├── Program.cs │ │ └── ServiceCreator.csproj │ │ ├── VSSDelete │ │ ├── Program.cs │ │ └── README.md │ │ ├── config.json │ │ ├── telemetry-generator.ps1 │ │ └── telemetry-mappings.csv ├── compare-requirements.txt ├── compare.py ├── convert.py └── fetch_contributors.py ├── images ├── edr-telemetry_website_screenshot.png └── logo_new.png ├── mitre_att&ck_mappings.json ├── partially_value_explanations_linux.json └── partially_value_explanations_windows.json /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | # EDR Telemetry Pull Request 2 | 3 | 10 | 11 | ## Contribution Details 12 | 13 | 14 | 15 | ### Telemetry Validation 16 | 17 | 18 | 19 | Documentation or Evidence: 20 | - [ ] Official documentation (link: ) 21 | - [ ] Screenshots attached 22 | - [ ] Sanitized logs provided 23 | - [ ] Private documentation (will share confidentially) 24 | 25 | ## Type of Contribution 26 | 27 | 28 | - [ ] Adding telemetry information for an existing EDR product 29 | - [ ] Adding a new EDR product that meets eligibility criteria 30 | - [ ] Proposing new event categories/sub-categories 31 | - [ ] Documentation improvement 32 | - [ ] Tool enhancement 33 | 34 | ## Validation Details 35 | 36 | ### EDR Product Information 37 | - EDR Product Name: 38 | - EDR Version: 39 | - Operating System(s) Tested: 40 | 41 | ### Testing Methodology 42 | 43 | 44 | ## Additional Notes 45 | 46 | 47 | 48 | 
-------------------------------------------------------------------------------- /.github/workflows/github-actions-secure.yml: -------------------------------------------------------------------------------- 1 | # Secure GitHub Actions Workflow with Webhook Secret 2 | # Place this file in your EDR-Telemetry repository at: 3 | # .github/workflows/update-database.yml 4 | 5 | name: Update EDR Telemetry Database (Secure) 6 | 7 | on: 8 | push: 9 | branches: [ main ] 10 | paths: 11 | - 'EDR_telem_windows.json' 12 | - 'EDR_telem_linux.json' 13 | - 'partially_value_explanations_windows.json' 14 | 15 | # Allow manual triggering 16 | workflow_dispatch: 17 | inputs: 18 | platform: 19 | description: 'Platform to update (windows, linux, both)' 20 | required: false 21 | default: 'both' 22 | type: choice 23 | options: 24 | - both 25 | - windows 26 | - linux 27 | 28 | jobs: 29 | update-database: 30 | runs-on: ubuntu-latest 31 | name: Update Database via Cloud Function 32 | 33 | steps: 34 | - name: Generate Webhook Signature 35 | id: signature 36 | run: | 37 | echo "🔐 Generating webhook signature for secure authentication" 38 | 39 | # Prepare the payload 40 | PAYLOAD=$(cat <> $GITHUB_OUTPUT 59 | echo "$PAYLOAD" >> $GITHUB_OUTPUT 60 | echo "EOF" >> $GITHUB_OUTPUT 61 | echo "signature=sha256=$SIGNATURE" >> $GITHUB_OUTPUT 62 | env: 63 | # This secret must be set in GitHub repository settings 64 | WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }} 65 | 66 | - name: Trigger Database Update 67 | run: | 68 | echo "🚀 Triggering secure database update for platform: ${{ github.event.inputs.platform || 'both' }}" 69 | 70 | # Make the authenticated request 71 | RESPONSE=$(curl -s -w "\n%{http_code}" -X POST \ 72 | "${{ secrets.CLOUD_FUNCTION_URL }}?platform=${{ github.event.inputs.platform || 'both' }}" \ 73 | -H "Content-Type: application/json" \ 74 | -H "X-GitHub-Event: ${{ github.event_name }}" \ 75 | -H "X-Hub-Signature-256: ${{ steps.signature.outputs.signature }}" \ 76 | -d '${{ 
steps.signature.outputs.payload }}') 77 | 78 | # Extract HTTP status code and response body 79 | HTTP_CODE=$(echo "$RESPONSE" | tail -n1) 80 | RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d') 81 | 82 | echo "📊 Response Status: $HTTP_CODE" 83 | echo "📄 Response Body:" 84 | echo "$RESPONSE_BODY" | jq '.' 2>/dev/null || echo "$RESPONSE_BODY" 85 | 86 | # Check if request was successful 87 | if [ "$HTTP_CODE" -eq 200 ]; then 88 | echo "✅ Database update completed successfully" 89 | 90 | # Parse and display statistics if available 91 | WINDOWS_UPDATED=$(echo "$RESPONSE_BODY" | jq -r '.windows_stats.scores_updated // 0' 2>/dev/null || echo "0") 92 | LINUX_UPDATED=$(echo "$RESPONSE_BODY" | jq -r '.linux_stats.scores_updated // 0' 2>/dev/null || echo "0") 93 | DURATION=$(echo "$RESPONSE_BODY" | jq -r '.duration_seconds // 0' 2>/dev/null || echo "0") 94 | 95 | echo "📈 Update Statistics:" 96 | echo " Windows scores updated: $WINDOWS_UPDATED" 97 | echo " Linux scores updated: $LINUX_UPDATED" 98 | echo " Duration: ${DURATION}s" 99 | 100 | elif [ "$HTTP_CODE" -eq 401 ]; then 101 | echo "❌ Authentication failed - check WEBHOOK_SECRET" 102 | echo "💡 Make sure the WEBHOOK_SECRET in GitHub matches your Cloud Function" 103 | exit 1 104 | else 105 | echo "❌ Database update failed with status code: $HTTP_CODE" 106 | exit 1 107 | fi 108 | env: 109 | # These secrets must be set in GitHub repository settings: 110 | # Settings → Secrets and variables → Actions → New repository secret 111 | CLOUD_FUNCTION_URL: ${{ secrets.CLOUD_FUNCTION_URL }} 112 | 113 | - name: Notify on Success 114 | if: success() 115 | run: | 116 | echo "🎉 Database update completed successfully!" 
117 | echo "📋 Summary:" 118 | echo " Repository: ${{ github.repository }}" 119 | echo " Branch: ${{ github.ref_name }}" 120 | echo " Commit: ${{ github.sha }}" 121 | echo " Actor: ${{ github.actor }}" 122 | echo " Platform: ${{ github.event.inputs.platform || 'both' }}" 123 | 124 | - name: Notify on Failure 125 | if: failure() 126 | run: | 127 | echo "💥 Database update failed!" 128 | echo "🔍 Troubleshooting steps:" 129 | echo " 1. Verify CLOUD_FUNCTION_URL is correct in repository secrets" 130 | echo " 2. Check WEBHOOK_SECRET matches between GitHub and Cloud Function" 131 | echo " 3. Ensure Cloud Function is deployed and accessible" 132 | echo " 4. Verify Supabase database is operational" 133 | echo " 5. Review Cloud Function logs in GCP Console:" 134 | echo " gcloud functions logs read edr-telemetry-updater --region=us-central1" 135 | 136 | # Optional: Add Slack notification job 137 | # uncomment and configure if you want Slack notifications 138 | # notify-slack: 139 | # needs: update-database 140 | # runs-on: ubuntu-latest 141 | # if: always() 142 | # steps: 143 | # - name: Notify Slack 144 | # uses: 8398a7/action-slack@v3 145 | # with: 146 | # status: ${{ needs.update-database.result }} 147 | # text: | 148 | # EDR Telemetry Database Update: ${{ needs.update-database.result }} 149 | # Repository: ${{ github.repository }} 150 | # Commit: ${{ github.sha }} 151 | # Actor: ${{ github.actor }} 152 | # env: 153 | # SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .replit 2 | replit.nix -------------------------------------------------------------------------------- /EDR_telem_linux.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Telemetry Feature Category":"Process Activity", 4 | "Sub-Category":"Process Creation", 5 | "Auditd":"Yes", 6 
| "BitDefender":"Yes", 7 | "Carbon Black Cloud":"Yes", 8 | "CrowdStrike":"Yes", 9 | "ESET Inspect":"Yes", 10 | "Elastic":"Yes", 11 | "Harfanglab":"Yes", 12 | "LimaCharlie":"Yes", 13 | "MDE":"Yes", 14 | "Qualys":"Yes", 15 | "SentinelOne":"Yes", 16 | "Sysmon":"Yes", 17 | "Uptycs":"Yes" 18 | }, 19 | { 20 | "Telemetry Feature Category":null, 21 | "Sub-Category":"Process Termination", 22 | "Auditd":"No", 23 | "BitDefender":"Yes", 24 | "Carbon Black Cloud":"No", 25 | "CrowdStrike":"Yes", 26 | "ESET Inspect":"Yes", 27 | "Elastic":"Yes", 28 | "Harfanglab":"No", 29 | "LimaCharlie":"Yes", 30 | "MDE":"No", 31 | "Qualys":"Yes", 32 | "SentinelOne":"No", 33 | "Sysmon":"Yes", 34 | "Uptycs":"Yes" 35 | }, 36 | { 37 | "Telemetry Feature Category":"File Manipulation", 38 | "Sub-Category":"File Creation", 39 | "Auditd":"Yes", 40 | "BitDefender":"Yes", 41 | "Carbon Black Cloud":"Yes", 42 | "CrowdStrike":"Yes", 43 | "ESET Inspect":"Yes", 44 | "Elastic":"Yes", 45 | "Harfanglab":"No", 46 | "LimaCharlie":"Yes", 47 | "MDE":"Yes", 48 | "Qualys":"Yes", 49 | "SentinelOne":"Yes", 50 | "Sysmon":"Yes", 51 | "Uptycs":"Yes" 52 | }, 53 | { 54 | "Telemetry Feature Category":null, 55 | "Sub-Category":"File Modification", 56 | "Auditd":"Yes", 57 | "BitDefender":"Yes", 58 | "Carbon Black Cloud":"Yes", 59 | "CrowdStrike":"Yes", 60 | "ESET Inspect":"Yes", 61 | "Elastic":"Yes", 62 | "Harfanglab":"Yes", 63 | "LimaCharlie":"Yes", 64 | "MDE":"Partially", 65 | "Qualys":"Yes", 66 | "SentinelOne":"Yes", 67 | "Sysmon":"No", 68 | "Uptycs":"Yes" 69 | }, 70 | { 71 | "Telemetry Feature Category":null, 72 | "Sub-Category":"File Deletion", 73 | "Auditd":"Yes", 74 | "BitDefender":"Yes", 75 | "Carbon Black Cloud":"Yes", 76 | "CrowdStrike":"No", 77 | "ESET Inspect":"Yes", 78 | "Elastic":"Yes", 79 | "Harfanglab":"Yes", 80 | "LimaCharlie":"Yes", 81 | "MDE":"Yes", 82 | "Qualys":"Yes", 83 | "SentinelOne":"Yes", 84 | "Sysmon":"Yes", 85 | "Uptycs":"Yes" 86 | }, 87 | { 88 | "Telemetry Feature Category":"User Activity", 89 | 
"Sub-Category":"User Logon", 90 | "Auditd":"No", 91 | "BitDefender":"Yes", 92 | "Carbon Black Cloud":"No", 93 | "CrowdStrike":"Yes", 94 | "ESET Inspect":"No", 95 | "Elastic":"No", 96 | "Harfanglab":"Yes", 97 | "LimaCharlie":"No", 98 | "MDE":"Yes", 99 | "Qualys":"No", 100 | "SentinelOne":"Yes", 101 | "Sysmon":"No", 102 | "Uptycs":"Yes" 103 | }, 104 | { 105 | "Telemetry Feature Category":null, 106 | "Sub-Category":"User Logoff", 107 | "Auditd":"No", 108 | "BitDefender":"Yes", 109 | "Carbon Black Cloud":"No", 110 | "CrowdStrike":"Yes", 111 | "ESET Inspect":"No", 112 | "Elastic":"No", 113 | "Harfanglab":"No", 114 | "LimaCharlie":"No", 115 | "MDE":"No", 116 | "Qualys":"No", 117 | "SentinelOne":"No", 118 | "Sysmon":"No", 119 | "Uptycs":"Yes" 120 | }, 121 | { 122 | "Telemetry Feature Category":null, 123 | "Sub-Category":"Logon Failed", 124 | "Auditd":"No", 125 | "BitDefender":"No", 126 | "Carbon Black Cloud":"No", 127 | "CrowdStrike":"Yes", 128 | "ESET Inspect":"No", 129 | "Elastic":"No", 130 | "Harfanglab":"Yes", 131 | "LimaCharlie":"No", 132 | "MDE":"Yes", 133 | "Qualys":"No", 134 | "SentinelOne":"Yes", 135 | "Sysmon":"No", 136 | "Uptycs":"Yes" 137 | }, 138 | { 139 | "Telemetry Feature Category":"Script Activity", 140 | "Sub-Category":"Script Content", 141 | "Auditd":"No", 142 | "BitDefender":"No", 143 | "Carbon Black Cloud":"No", 144 | "CrowdStrike":"Yes", 145 | "ESET Inspect":"No", 146 | "Elastic":"No", 147 | "Harfanglab":"No", 148 | "LimaCharlie":"No", 149 | "MDE":"Yes", 150 | "Qualys":"No", 151 | "SentinelOne":"No", 152 | "Sysmon":"No", 153 | "Uptycs":"No" 154 | }, 155 | { 156 | "Telemetry Feature Category":"Network Activity", 157 | "Sub-Category":"Network Connection", 158 | "Auditd":"Yes", 159 | "BitDefender":"Yes", 160 | "Carbon Black Cloud":"Yes", 161 | "CrowdStrike":"Yes", 162 | "ESET Inspect":"Yes", 163 | "Elastic":"Yes", 164 | "Harfanglab":"Yes", 165 | "LimaCharlie":"Yes", 166 | "MDE":"Yes", 167 | "Qualys":"Yes", 168 | "SentinelOne":"Yes", 169 | 
"Sysmon":"Yes", 170 | "Uptycs":"Yes" 171 | }, 172 | { 173 | "Telemetry Feature Category":null, 174 | "Sub-Category":"Network Socket Listen", 175 | "Auditd":"Yes", 176 | "BitDefender":"Yes", 177 | "Carbon Black Cloud":"No", 178 | "CrowdStrike":"Yes", 179 | "ESET Inspect":"No", 180 | "Elastic":"Yes", 181 | "Harfanglab":"Yes", 182 | "LimaCharlie":"Partially", 183 | "MDE":"Yes", 184 | "Qualys":"Partially", 185 | "SentinelOne":"No", 186 | "Sysmon":"No", 187 | "Uptycs":"No" 188 | }, 189 | { 190 | "Telemetry Feature Category":null, 191 | "Sub-Category":"DNS Query", 192 | "Auditd":"No", 193 | "BitDefender":"No", 194 | "Carbon Black Cloud":"No", 195 | "CrowdStrike":"Yes", 196 | "ESET Inspect":"No", 197 | "Elastic":"No", 198 | "Harfanglab":"Yes", 199 | "LimaCharlie":"Yes", 200 | "MDE":"No", 201 | "Qualys":"Via EnablingTelemetry", 202 | "SentinelOne":"Yes", 203 | "Sysmon":"No", 204 | "Uptycs":"Yes" 205 | }, 206 | { 207 | "Telemetry Feature Category":"Scheduled Task Activity", 208 | "Sub-Category":"Scheduled Task", 209 | "Auditd":"No", 210 | "BitDefender":"No", 211 | "Carbon Black Cloud":"No", 212 | "CrowdStrike":"No", 213 | "ESET Inspect":"No", 214 | "Elastic":"No", 215 | "Harfanglab":"No", 216 | "LimaCharlie":"No", 217 | "MDE":"No", 218 | "Qualys":"No", 219 | "SentinelOne":"Yes", 220 | "Sysmon":"No", 221 | "Uptycs":"No" 222 | }, 223 | { 224 | "Telemetry Feature Category":"User Account Activity", 225 | "Sub-Category":"User Account Created", 226 | "Auditd":"No", 227 | "BitDefender":"Yes", 228 | "Carbon Black Cloud":"No", 229 | "CrowdStrike":"Yes", 230 | "ESET Inspect":"No", 231 | "Elastic":"No", 232 | "Harfanglab":"No", 233 | "LimaCharlie":"No", 234 | "MDE":"No", 235 | "Qualys":"No", 236 | "SentinelOne":"Yes", 237 | "Sysmon":"No", 238 | "Uptycs":"No" 239 | }, 240 | { 241 | "Telemetry Feature Category":null, 242 | "Sub-Category":"User Account Modified", 243 | "Auditd":"No", 244 | "BitDefender":"No", 245 | "Carbon Black Cloud":"No", 246 | "CrowdStrike":"No", 247 | "ESET 
Inspect":"No", 248 | "Elastic":"No", 249 | "Harfanglab":"No", 250 | "LimaCharlie":"No", 251 | "MDE":"No", 252 | "Qualys":"No", 253 | "SentinelOne":"No", 254 | "Sysmon":"No", 255 | "Uptycs":"No" 256 | }, 257 | { 258 | "Telemetry Feature Category":null, 259 | "Sub-Category":"User Account Deleted", 260 | "Auditd":"No", 261 | "BitDefender":"No", 262 | "Carbon Black Cloud":"No", 263 | "CrowdStrike":"Yes", 264 | "ESET Inspect":"No", 265 | "Elastic":"No", 266 | "Harfanglab":"No", 267 | "LimaCharlie":"No", 268 | "MDE":"No", 269 | "Qualys":"No", 270 | "SentinelOne":"Yes", 271 | "Sysmon":"No", 272 | "Uptycs":"No" 273 | }, 274 | { 275 | "Telemetry Feature Category":"Driver\/Module Activity", 276 | "Sub-Category":"Driver Load", 277 | "Auditd":"Yes", 278 | "BitDefender":"No", 279 | "Carbon Black Cloud":"No", 280 | "CrowdStrike":"Yes", 281 | "ESET Inspect":"Yes", 282 | "Elastic":"No", 283 | "Harfanglab":"No", 284 | "LimaCharlie":"No", 285 | "MDE":"Via EnablingTelemetry", 286 | "Qualys":"No", 287 | "SentinelOne":"No", 288 | "Sysmon":"No", 289 | "Uptycs":"No" 290 | }, 291 | { 292 | "Telemetry Feature Category":null, 293 | "Sub-Category":"Image Load", 294 | "Auditd":"Yes", 295 | "BitDefender":"Yes", 296 | "Carbon Black Cloud":"No", 297 | "CrowdStrike":"No", 298 | "ESET Inspect":"No", 299 | "Elastic":"No", 300 | "Harfanglab":"No", 301 | "LimaCharlie":"No", 302 | "MDE":"No", 303 | "Qualys":"No", 304 | "SentinelOne":"No", 305 | "Sysmon":"No", 306 | "Uptycs":"No" 307 | }, 308 | { 309 | "Telemetry Feature Category":null, 310 | "Sub-Category":"eBPF Event", 311 | "Auditd":"Yes", 312 | "BitDefender":"No", 313 | "Carbon Black Cloud":"No", 314 | "CrowdStrike":"Yes", 315 | "ESET Inspect":"No", 316 | "Elastic":"No", 317 | "Harfanglab":"No", 318 | "LimaCharlie":"No", 319 | "MDE":"Via EnablingTelemetry", 320 | "Qualys":"No", 321 | "SentinelOne":"No", 322 | "Sysmon":"No", 323 | "Uptycs":"Via EnablingTelemetry" 324 | }, 325 | { 326 | "Telemetry Feature Category":"Access Activity", 327 | 
"Sub-Category":"Raw Access Read", 328 | "Auditd":"Yes", 329 | "BitDefender":"No", 330 | "Carbon Black Cloud":"No", 331 | "CrowdStrike":"No", 332 | "ESET Inspect":"No", 333 | "Elastic":"No", 334 | "Harfanglab":"No", 335 | "LimaCharlie":"No", 336 | "MDE":"No", 337 | "Qualys":"No", 338 | "SentinelOne":"No", 339 | "Sysmon":"Yes", 340 | "Uptycs":"Via EnablingTelemetry" 341 | }, 342 | { 343 | "Telemetry Feature Category":null, 344 | "Sub-Category":"Process Access", 345 | "Auditd":"Yes", 346 | "BitDefender":"Yes", 347 | "Carbon Black Cloud":"No", 348 | "CrowdStrike":"No", 349 | "ESET Inspect":"No", 350 | "Elastic":"No", 351 | "Harfanglab":"No", 352 | "LimaCharlie":"No", 353 | "MDE":"No", 354 | "Qualys":"No", 355 | "SentinelOne":"No", 356 | "Sysmon":"No", 357 | "Uptycs":"Via EnablingTelemetry" 358 | }, 359 | { 360 | "Telemetry Feature Category":"Process Tampering Activity", 361 | "Sub-Category":"Process Tampering", 362 | "Auditd":"Yes", 363 | "BitDefender":"Yes", 364 | "Carbon Black Cloud":"No", 365 | "CrowdStrike":"No", 366 | "ESET Inspect":"No", 367 | "Elastic":"No", 368 | "Harfanglab":"No", 369 | "LimaCharlie":"No", 370 | "MDE":"No", 371 | "Qualys":"No", 372 | "SentinelOne":"Yes", 373 | "Sysmon":"No", 374 | "Uptycs":"Via EnablingTelemetry" 375 | }, 376 | { 377 | "Telemetry Feature Category":"Service Activity", 378 | "Sub-Category":"Service Creation", 379 | "Auditd":"No", 380 | "BitDefender":"No", 381 | "Carbon Black Cloud":"No", 382 | "CrowdStrike":"Partially", 383 | "ESET Inspect":"No", 384 | "Elastic":"No", 385 | "Harfanglab":"No", 386 | "LimaCharlie":"Yes", 387 | "MDE":"Partially", 388 | "Qualys":"No", 389 | "SentinelOne":"Yes", 390 | "Sysmon":"No", 391 | "Uptycs":"No" 392 | }, 393 | { 394 | "Telemetry Feature Category":null, 395 | "Sub-Category":"Service Modification", 396 | "Auditd":"No", 397 | "BitDefender":"No", 398 | "Carbon Black Cloud":"No", 399 | "CrowdStrike":"Partially", 400 | "ESET Inspect":"No", 401 | "Elastic":"No", 402 | "Harfanglab":"No", 403 | 
"LimaCharlie":"Yes", 404 | "MDE":"No", 405 | "Qualys":"No", 406 | "SentinelOne":"Yes", 407 | "Sysmon":"Yes", 408 | "Uptycs":"No" 409 | }, 410 | { 411 | "Telemetry Feature Category":null, 412 | "Sub-Category":"Service Deletion", 413 | "Auditd":"No", 414 | "BitDefender":"No", 415 | "Carbon Black Cloud":"No", 416 | "CrowdStrike":"No", 417 | "ESET Inspect":"No", 418 | "Elastic":"No", 419 | "Harfanglab":"No", 420 | "LimaCharlie":"No", 421 | "MDE":"No", 422 | "Qualys":"No", 423 | "SentinelOne":"No", 424 | "Sysmon":"No", 425 | "Uptycs":"No" 426 | }, 427 | { 428 | "Telemetry Feature Category":"EDR SysOps", 429 | "Sub-Category":"Agent Start", 430 | "Auditd":"No", 431 | "BitDefender":"Yes", 432 | "Carbon Black Cloud":"Yes", 433 | "CrowdStrike":"Yes", 434 | "ESET Inspect":"No", 435 | "Elastic":"Yes", 436 | "Harfanglab":"Yes", 437 | "LimaCharlie":"Yes", 438 | "MDE":"Yes", 439 | "Qualys":"Yes", 440 | "SentinelOne":"Yes", 441 | "Sysmon":"No", 442 | "Uptycs":"Yes" 443 | }, 444 | { 445 | "Telemetry Feature Category":null, 446 | "Sub-Category":"Agent Stop", 447 | "Auditd":"No", 448 | "BitDefender":"Yes", 449 | "Carbon Black Cloud":"Yes", 450 | "CrowdStrike":"Yes", 451 | "ESET Inspect":"Yes", 452 | "Elastic":"Yes", 453 | "Harfanglab":"No", 454 | "LimaCharlie":"Yes", 455 | "MDE":"Yes", 456 | "Qualys":"Yes", 457 | "SentinelOne":"Yes", 458 | "Sysmon":"No", 459 | "Uptycs":"Yes" 460 | }, 461 | { 462 | "Telemetry Feature Category":"Hash Algorithms", 463 | "Sub-Category":"MD5", 464 | "Auditd":"No", 465 | "BitDefender":"Yes", 466 | "Carbon Black Cloud":"Yes", 467 | "CrowdStrike":"Yes", 468 | "ESET Inspect":"Yes", 469 | "Elastic":"Yes", 470 | "Harfanglab":"Yes", 471 | "LimaCharlie":"Yes", 472 | "MDE":"Yes", 473 | "Qualys":"Yes", 474 | "SentinelOne":"No", 475 | "Sysmon":"Yes", 476 | "Uptycs":"Yes" 477 | }, 478 | { 479 | "Telemetry Feature Category":null, 480 | "Sub-Category":"SHA", 481 | "Auditd":"No", 482 | "BitDefender":"Yes", 483 | "Carbon Black Cloud":"Yes", 484 | "CrowdStrike":"Yes", 485 
| "ESET Inspect":"Yes", 486 | "Elastic":"Yes", 487 | "Harfanglab":"Yes", 488 | "LimaCharlie":"Yes", 489 | "MDE":"Yes", 490 | "Qualys":"Yes", 491 | "SentinelOne":"Yes", 492 | "Sysmon":"Yes", 493 | "Uptycs":"Yes" 494 | }, 495 | { 496 | "Telemetry Feature Category":null, 497 | "Sub-Category":"Fuzzy Hash", 498 | "Auditd":"No", 499 | "BitDefender":"No", 500 | "Carbon Black Cloud":"No", 501 | "CrowdStrike":"No", 502 | "ESET Inspect":"No", 503 | "Elastic":"No", 504 | "Harfanglab":"No", 505 | "LimaCharlie":"Yes", 506 | "MDE":"No", 507 | "Qualys":"No", 508 | "SentinelOne":"No", 509 | "Sysmon":"Yes", 510 | "Uptycs":"No" 511 | } 512 | ] -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Attribution-NonCommercial 4.0 International License 2 | 3 | Copyright (c) 2024 EDR Telemetry Project 4 | 5 | This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License. 6 | 7 | To view a copy of this license, visit: 8 | http://creativecommons.org/licenses/by-nc/4.0/ 9 | 10 | or send a letter to: 11 | Creative Commons 12 | PO Box 1866 13 | Mountain View, CA 94042 14 | USA 15 | 16 | The full license text can be found at: 17 | https://creativecommons.org/licenses/by-nc/4.0/legalcode 18 | 19 | Attribution-NonCommercial 4.0 International 20 | 21 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 
22 | 23 | You are free to: 24 | - Share — copy and redistribute the material in any medium or format 25 | - Adapt — remix, transform, and build upon the material 26 | 27 | Under the following terms: 28 | - Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. 29 | - NonCommercial — You may not use the material for commercial purposes. 30 | 31 | No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # EDR Telemetry 2 | 3 |

4 | EDR Telemetry Logo 5 |

6 | 7 |
8 | 9 | [![Website](https://img.shields.io/badge/Website-EDR--Telemetry.com-blue)](https://www.edr-telemetry.com) 10 | [![FAQ](https://img.shields.io/badge/Wiki-FAQ-green)](https://github.com/tsale/EDR-Telemetry/wiki/FAQ) 11 | [![License: CC BY-NC 4.0](https://img.shields.io/badge/License-CC%20BY--NC%204.0-lightgrey.svg)](http://creativecommons.org/licenses/by-nc/4.0/) 12 | [![Stars](https://img.shields.io/github/stars/tsale/EDR-Telemetry)](https://github.com/tsale/EDR-Telemetry/stargazers) 13 | 14 |
15 | 16 | ## 📖 About 17 | 18 | A comprehensive comparison of telemetry features from EDR products and endpoint agents like [Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon). This project enables security practitioners to evaluate telemetry capabilities while promoting vendor transparency. 19 | 20 | 🌐 **[Visit our Website](https://www.edr-telemetry.com)** for the complete comparison and analysis. 21 | 22 | 📝 Read more about this project in our [initial release blog post](https://detect.fyi/edr-telemetry-project-a-comprehensive-comparison-d5ed1745384b?sk=b5aade1de1afbabf687620a12aa7a581). 23 | 24 | ## 🎯 Key Features 25 | 26 | - Comprehensive telemetry comparison across multiple EDR solutions 27 | - Detailed scoring system for feature evaluation 28 | - Regular updates to reflect the latest capabilities 29 | - Community-driven contributions and verification 30 | 31 | ## 📊 Telemetry Comparison 32 | 33 | Visit our [EDR Telemetry Comparison Table](https://www.edr-telemetry.com) to see: 34 | - Feature-by-feature comparison 35 | - Detailed scoring metrics 36 | - Implementation status 37 | - Latest updates 38 | 39 | ## 🤝 Contributing 40 | 41 | We welcome contributions! Please check our [Contribution Guidelines](https://www.edr-telemetry.com/contribute) for details on how to get involved. 42 | 43 | ## ⚖️ Scoring System 44 | 45 | Our evaluation script assigns scores based on feature implementation: 46 | - ✅ Yes: 1.0 47 | - ⚠️ Partially: 0.5 48 | - 🎚️ Via EnablingTelemetry: 1.0 49 | - 🪵 Via EventLogs: 0.5 50 | - ❌ No: 0.0 51 | - ❓ Pending Response: 0.0 52 | 53 | View the complete [scoring breakdown](https://www.edr-telemetry.com/scores) on our website. 54 | 55 | ## ⚠️ Disclaimer 56 | 57 | The data presented reflects only the telemetry capabilities of each product, not their detection or prevention capabilities. For more details, please visit our [FAQ page](https://www.edr-telemetry.com/faq). 
58 | 59 | ## 📜 License 60 | 61 | This work is licensed under a [Creative Commons Attribution-NonCommercial 4.0 International License](http://creativecommons.org/licenses/by-nc/4.0/). 62 | 63 | This means you are free to: 64 | - Share — copy and redistribute the material in any medium or format 65 | - Adapt — remix, transform, and build upon the material 66 | 67 | Under the following terms: 68 | - **Attribution** — You must give appropriate credit, provide a link to the license, and indicate if changes were made. 69 | - **NonCommercial** — You may not use the material for commercial purposes without explicit permission from the author. 70 | 71 | For commercial use, please [contact us](https://www.edr-telemetry.com/contact). 72 | 73 | ## ✨ Contributors Wall 74 | 75 | Thanks to these amazing contributors: 76 | 77 |

78 |

79 | 80 | 81 | tsale 82 | 83 | 84 | jdu2600 85 | 86 | 87 | j91321 88 | 89 | 90 | mthcht 91 | 92 | 93 | thiboog 94 | 95 | 96 | thomaspatzke 97 | 98 | 99 | xC0uNt3r7hr34t 100 | 101 | 102 | inodee 103 | 104 | 105 | alwashali 106 | 107 | 108 | Guzzy711 109 | 110 | 111 | joshlemon-uptycs 112 | 113 | 114 | LuKePicci 115 | 116 | 117 | maximelb 118 | 119 | 120 | MyPeaches 121 | 122 | 123 | nasbench 124 | 125 | 126 | NicolasSchn 127 | 128 | 129 | QueenSquishy 130 | 131 | 132 | Robert-HarfangLab 133 | 134 | 135 | SecurityAura 136 | 137 | 138 | alextrender 139 | 140 | 141 | idev 142 | 143 | 144 | johnk3r 145 | 146 | 147 | pep-un 148 | 149 | 150 | zbeastofburden 151 | 152 |
153 |

154 | 155 | ## Current Primary Maintainers 156 | Kostas - [@kostastsale](https://twitter.com/Kostastsale) -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Linux/LINUX_TELEMETRY_GENERATOR_GUIDE.md: -------------------------------------------------------------------------------- 1 | # Linux Telemetry Generator 2 | 3 | ## Overview 4 | 5 | This script, `lnx_telem_gen.py`, is designed to generate various telemetry events for the EDR (Endpoint Detection and Response) telemetry project. The script performs a wide range of activities that are typically monitored by EDR solutions, such as file operations, network connections, process manipulation, and more. The goal is to help validate that the EDR solution is correctly capturing and reporting these events. 6 | 7 | ## Features 8 | 9 | The script includes the following functionalities: 10 | 11 | 1. **Service Management**: Create, modify, and delete systemd services using D-Bus system calls 12 | 2. **DNS Query**: Perform a DNS query 13 | 3. **Process Termination**: Create and terminate a process 14 | 4. **Image Load**: Load a shared library 15 | 5. **Process Access**: Hijack a process and manipulate its memory and registers 16 | 6. **Network Operations**: 17 | - Establish TCP connections 18 | - Create raw sockets 19 | - Create listening sockets for incoming connections 20 | 7. **Raw Access Read**: Perform raw read access on a device 21 | 8. **Driver Load**: Write, compile, and load a Linux kernel module 22 | 9. **Process Tampering**: Tamper with the memory of a running process 23 | 10. **Scheduled Task**: Create and remove scheduled tasks using cron 24 | 11. **User Account Events**: Create, modify, and delete user accounts using libuser 25 | 12. **eBPF Events**: Utilize pamspy for credential dumping using eBPF 26 | 13. **File Operations**: Create, modify, and delete files. 
27 | 28 | 29 | ## Usage 30 | 31 | To run the script, use the following command: 32 | 33 | ```bash 34 | python3 lnx_telem_gen.py [Event1 Event2 ...] 35 | ``` 36 | If no events are specified, the script will run all available events. You can specify one or more events to run only those specific tests. 37 | 38 | **Example** 39 | 40 | ```bash 41 | python3 lnx_telem_gen.py FileCreated DnsQuery NetworkConnect 42 | ``` 43 | 44 | This command will run the `FileCreated`, `DnsQuery`, and `NetworkConnect` events. 45 | 46 | ## Event List 47 | 48 | - `FileCreated` 49 | - `FileModified` 50 | - `FileDelete` 51 | - `DnsQuery` 52 | - `ProcessTerminate` 53 | - `ImageLoad` 54 | - `ProcessAccess` 55 | - `NetworkConnect` 56 | - `ServiceStartStop` 57 | - `RawAccessRead` 58 | - `LoadDriver` 59 | - `TamperProcess` 60 | - `ScheduledTask` 61 | - `UserAccountEvents` 62 | - `NetworkListen` 63 | - `NetworkRawSocket` 64 | - `eBPFProgram` 65 | 66 | ## Disclaimers 67 | 68 | - **Best Effort**: This script is provided on a best-effort basis. If you do not see telemetry events for a specific category, please refer to the official documentation for your EDR vendor. 69 | - **System Calls**: These tests are designed to avoid reliance on system binaries, which could allow the EDR to infer activity based on command line arguments or binaries executed on the host. Instead, this script uses system calls to perform the actions. 70 | 71 | ## Logging 72 | The script logs the output of each function to a CSV file named `function_output_log.csv`. This file includes the function name, output, and any errors encountered during execution. 
73 | 74 | ## Requirements 75 | - Python 3.x 76 | - Required Python packages: `dbus-python`, `libuser`, `ctypes` 77 | 78 | ## Installation 79 | To install the required packages on a Debian host, run: 80 | 81 | ```bash 82 | sudo apt-get install -y python3-dbus python3-libuser git linux-headers-$(uname -r) 83 | pip install prettytable 84 | ``` 85 | 86 | ## License 87 | This project is licensed under the MIT License. -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Linux/complex/driver_load.py: -------------------------------------------------------------------------------- 1 | import os 2 | import ctypes 3 | import subprocess 4 | 5 | 6 | ### 7 | # This script writes, compiles, and loads a simple Linux kernel module. 8 | # It performs the following steps: 9 | # 1. Writes a C source file for a test kernel module. 10 | # 2. Writes a Makefile to compile the kernel module. 11 | # 3. Compiles the kernel module using the Makefile. 12 | # 4. Loads the compiled kernel module into the kernel using the finit_module system call. 
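###

# Constants for system call numbers (Linux-specific).
# __NR_finit_module is 313 on x86_64 and 273 on the asm-generic table used by
# aarch64. Other architectures are not covered here and fall back to the x86_64
# value, which at best fails and at worst invokes an unrelated syscall - extend
# the table before running on another arch.
_FINIT_MODULE_BY_ARCH = {
    "x86_64": 313,
    "aarch64": 273,
}
SYS_finit_module = _FINIT_MODULE_BY_ARCH.get(os.uname().machine, 313)

# Load the C library (libc) which contains the generic syscall() entry point.
# use_errno=True is required: without it ctypes.get_errno() below always
# returns 0 and every failure is reported as "Success".
libc = ctypes.CDLL("libc.so.6", use_errno=True)

# Define finit_module prototype and parameters in ctypes
# int finit_module(int fd, const char *param_values, int flags);
libc.syscall.argtypes = [ctypes.c_long, ctypes.c_int, ctypes.c_char_p, ctypes.c_int]
libc.syscall.restype = ctypes.c_int


def write_test_driver():
    """Write the C source of a minimal test kernel module to ./test_driver.c.

    The module only logs a message on load and on unload. It is unsigned, so
    kernels that enforce module signatures (Secure Boot / lockdown) will
    refuse to load it; see load_kernel_module().
    """
    driver_code = """
#include <linux/module.h>   // Needed by all kernel modules
#include <linux/kernel.h>   // Needed for KERN_INFO
#include <linux/init.h>     // Needed for __init and __exit macros

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Your Name");
MODULE_DESCRIPTION("A Simple Test Kernel Module");

// Function that runs when the module is loaded
static int __init test_driver_init(void) {
    printk(KERN_INFO "Test Driver Loaded: Hello, Kernel!\\n");
    return 0; // Return 0 means successful loading
}

// Function that runs when the module is unloaded
static void __exit test_driver_exit(void) {
    printk(KERN_INFO "Test Driver Unloaded: Goodbye, Kernel!\\n");
}

// Macros that specify the initialization and cleanup functions
module_init(test_driver_init);
module_exit(test_driver_exit);
"""

    # Write to a file in the current working directory
    with open("test_driver.c", "w") as f:
        f.write(driver_code)
    print("Test driver code written to 'test_driver.c'.")


def write_makefile():
    """Write a kbuild Makefile for test_driver.c to ./Makefile.

    The Makefile builds against the headers of the running kernel
    (/lib/modules/$(uname -r)/build), which must be installed.
    """
    makefile_content = """
obj-m += test_driver.o

all:
\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
"""
    # Write the Makefile to the current directory
    with open("Makefile", "w") as f:
        f.write(makefile_content)
    print("Makefile written.")


def compile_driver():
    """Run `make` in the current directory to build test_driver.ko.

    Raises:
        Exception: when make exits non-zero (the original CalledProcessError
            is printed and then replaced by this generic exception).
    """
    try:
        subprocess.run(["make"], check=True)
        print("Kernel module compiled successfully.")
    except subprocess.CalledProcessError:
        print("Failed to compile the kernel module.")
        raise Exception("Kernel module compilation failed")


def load_kernel_module(module_path, params=""):
    """Load a compiled kernel module with the finit_module(2) system call.

    Args:
        module_path: Path to the .ko file to load.
        params: Module parameter string passed as finit_module's
            ``param_values`` argument (empty by default).

    Returns:
        True if the kernel accepted the module, False otherwise. On failure
        the errno text is printed; typical causes are EPERM (not root / no
        CAP_SYS_MODULE, or kernel lockdown), EKEYREJECTED (unsigned module
        refused when signature enforcement is on) and EEXIST (already loaded).

    Raises:
        OSError: if ``module_path`` cannot be opened (os.open raises rather
            than returning a negative fd, so there is no fd < 0 branch).
    """
    try:
        fd = os.open(module_path, os.O_RDONLY)
    except OSError:
        print(f"Failed to open module file: {module_path}")
        raise

    try:
        # int finit_module(int fd, const char *param_values, int flags)
        ret = libc.syscall(SYS_finit_module, fd, params.encode("utf-8"), 0)
        if ret == 0:
            print(f"Module {module_path} loaded successfully.")
            return True
        # Read errno straight away, before any other libc call can clobber it.
        err = ctypes.get_errno()
        print(f"Failed to load module: {os.strerror(err)}")
        return False
    finally:
        # The kernel holds its own reference to the module; the fd is not
        # needed any more, whether or not the load succeeded.
        os.close(fd)


def loadit():
    """Entry point used by the telemetry generator: build and load the module.

    Writes test_driver.c and a Makefile into the current directory, builds
    test_driver.ko against the running kernel and loads it. The module is
    NOT unloaded afterwards; remove it with `rmmod test_driver` when done.

    Returns:
        The literal status string "Driver loaded successfully.".

    Raises:
        Exception: from compile_driver() when the build fails.
        RuntimeError: when the kernel refuses the module. Previously the
            refusal was only printed and the success string was still
            returned, so the generator's log recorded a load that never
            happened.
        OSError: if test_driver.ko cannot be opened after the build.
    """
    # Write the driver C code and Makefile
    write_test_driver()
    write_makefile()

    # Compile the kernel module
    compile_driver()

    # Load the kernel module using the finit_module system call
    module_path = "./test_driver.ko"  # Output of the Makefile above
    if not load_kernel_module(module_path):
        raise RuntimeError(
            f"finit_module rejected {module_path}; see the errno message above"
        )

    return "Driver loaded successfully."
--------------------------------------------------------------------------------
/Tools/Telemetry-Generator/Linux/complex/eBPF_exec.py:
--------------------------------------------------------------------------------
import hashlib
import os
import subprocess
import urllib.request

# Pinned release asset; only the path below is executed.
PAMSPY_URL = "https://github.com/citronneur/pamspy/releases/download/v0.3/pamspy"
PAMSPY_PATH = "./pamspy"


def _sha256_of_file(path):
    """Return the lowercase hex SHA-256 of the file at ``path``."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def download_pamspy(expected_sha256=None):
    """Download the pamspy release binary to ./pamspy and mark it executable.

    Args:
        expected_sha256: Optional hex SHA-256 the downloaded file must match.
            When given, a mismatch deletes the file and raises RuntimeError.
            When omitted (the default, which matches the previous behaviour)
            the binary is executed - as root, see execute_pamspy() - without
            any integrity check. That is a supply-chain risk: anyone able to
            replace the release asset gets code execution on the test host.
            Pin the hash of the v0.3 asset here before relying on this.

    Raises:
        Exception: whatever urllib/os raised during download or chmod, or
            RuntimeError on SHA-256 mismatch; each is printed and re-raised.
    """
    try:
        print(f"Downloading pamspy from {PAMSPY_URL}...")
        urllib.request.urlretrieve(PAMSPY_URL, PAMSPY_PATH)

        if expected_sha256 is None:
            print("WARNING: pamspy integrity not verified (no expected_sha256 given).")
        else:
            actual = _sha256_of_file(PAMSPY_PATH)
            if actual.lower() != expected_sha256.lower():
                os.remove(PAMSPY_PATH)
                raise RuntimeError(
                    f"pamspy SHA-256 mismatch: expected {expected_sha256}, got {actual}"
                )

        os.chmod(PAMSPY_PATH, 0o755)  # Make the downloaded file executable
        print("Download complete.")
    except Exception as e:
        print(f"Failed to download pamspy: {e}")
        raise


def _find_libpam():
    """Return the path of the first libpam.so* entry listed by `ldconfig -p`.

    Replaces the former shell pipeline
    ``/usr/sbin/ldconfig -p | grep libpam.so | cut -d ' ' -f4``
    with a shell-free equivalent. One difference: only the first match is
    returned. With several matching entries (e.g. libpam.so and libpam.so.0)
    the pipeline produced a multi-line string that was handed to pamspy as a
    single ``-p`` argument.

    Returns:
        The library path, or an empty string when nothing matched.

    Raises:
        subprocess.CalledProcessError: if ldconfig exits non-zero.
    """
    listing = subprocess.check_output(["/usr/sbin/ldconfig", "-p"]).decode()
    for line in listing.splitlines():
        if "libpam.so" not in line:
            continue
        fields = line.split(" ")  # "\tlibpam.so.0 (libc6,x86-64) => /path"
        if len(fields) > 3 and fields[3].strip():
            return fields[3].strip()
    return ""


def execute_pamspy():
    """Run ./pamspy against the system libpam, logging to /var/log/trace.0.

    pamspy uses eBPF to capture credentials passing through libpam while it
    runs (see the generator guide), so /var/log/trace.0 will hold real
    passwords of anyone who authenticates on the host during the test. Use a
    disposable test machine and delete that file afterwards.

    Returns:
        int: pamspy's exit status, or -1 when libpam could not be located or
        pamspy could not be started.
    """
    try:
        # Get the path to libpam.so
        pam_path = _find_libpam()
        if not pam_path:
            raise Exception("libpam.so not found.")

        # Construct the command to run pamspy
        command = ["./pamspy", "-p", pam_path, "-d", "/var/log/trace.0"]
        print(f"Executing pamspy with command: {' '.join(command)}")
        # NOTE(review): no timeout is applied; pamspy appears to run until it
        # is stopped, so confirm how lnx_telem_gen.py terminates it.
        result = subprocess.run(command)
        return result.returncode
    except subprocess.CalledProcessError as e:
        print(f"Error executing command to get libpam path: {e}")
        return -1
    except Exception as e:
        print(f"Failed to execute pamspy: {e}")
        return -1


def run_pamspy(expected_sha256=None):
    """Download and run pamspy; entry point used by the telemetry generator.

    Args:
        expected_sha256: forwarded to download_pamspy(); None (the default)
            skips the integrity check, as before.

    Returns:
        int: pamspy's return code, or -1 on any failure.
    """
    try:
        download_pamspy(expected_sha256)
        return execute_pamspy()
    except Exception as e:
        print(f"Error in run_pamspy: {e}")
        return -1
--------------------------------------------------------------------------------
/Tools/Telemetry-Generator/Linux/complex/process_hijack_demo.py:
--------------------------------------------------------------------------------
"""
This script is used to attach to a process, modify its memory and registers, and optionally execute shellcode using the ptrace system call.

The script provides functionality to:
1. 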
Attach to a process by its PID. 6 | 2. Peek into the memory of the attached process. 7 | 3. Poke new values into the process memory. 8 | 4. Retrieve and modify the general-purpose registers of the process. 9 | 5. Write and execute shellcode within the context of the attached process. 10 | 6. Restore the original state and detach from the process. 11 | 12 | It is primarily designed for educational purposes to demonstrate how process memory and registers can be manipulated using ptrace in Linux. 13 | """ 14 | 15 | import ctypes 16 | import struct 17 | import sys 18 | import os 19 | import random 20 | import time 21 | 22 | libc = ctypes.CDLL('libc.so.6') 23 | 24 | PTRACE_ATTACH = 16 25 | PTRACE_DETACH = 17 26 | PTRACE_PEEKTEXT = 3 27 | PTRACE_POKETEXT = 4 28 | PTRACE_GETREGS = 12 29 | PTRACE_SETREGS = 13 30 | 31 | def attach_process(pid): 32 | return libc.ptrace(PTRACE_ATTACH, pid, 0, 0) 33 | 34 | def detach_process(pid): 35 | return libc.ptrace(PTRACE_DETACH, pid, 0, 0) 36 | 37 | def peek_text(pid, addr): 38 | word = ctypes.c_uint32() 39 | libc.ptrace(PTRACE_PEEKTEXT, pid, addr, ctypes.byref(word)) 40 | return word.value 41 | 42 | def poke_text(pid, addr, word): 43 | libc.ptrace(PTRACE_POKETEXT, pid, addr, word) 44 | 45 | def get_regs(pid): 46 | class regs_struct(ctypes.Structure): 47 | _fields_ = [('eax', ctypes.c_uint32), ('ecx', ctypes.c_uint32), ('edx', ctypes.c_uint32), 48 | ('ebx', ctypes.c_uint32), ('esp', ctypes.c_uint32), ('ebp', ctypes.c_uint32), 49 | ('esi', ctypes.c_uint32), ('edi', ctypes.c_uint32), ('eip', ctypes.c_uint32), 50 | ('eflags', ctypes.c_uint32), ('cs', ctypes.c_uint32), ('ss', ctypes.c_uint32), 51 | ('ds', ctypes.c_uint32), ('es', ctypes.c_uint32), ('fs', ctypes.c_uint32), 52 | ('gs', ctypes.c_uint32)] 53 | 54 | regs = regs_struct() 55 | libc.ptrace(PTRACE_GETREGS, pid, 0, ctypes.byref(regs)) 56 | return regs 57 | 58 | def set_regs(pid, regs): 59 | # Pack the fields in the correct order according to the regs_struct 60 | regs_packed = 
struct.pack('16I', regs.eax, regs.ecx, regs.edx, regs.ebx, regs.esp, regs.ebp, 61 | regs.esi, regs.edi, regs.eip, regs.eflags, regs.cs, regs.ss, 62 | regs.ds, regs.es, regs.fs, regs.gs) 63 | libc.ptrace(PTRACE_SETREGS, pid, 0, ctypes.byref(ctypes.create_string_buffer(regs_packed))) 64 | 65 | def pick_user_process(): 66 | """ 67 | Pick a suitable user process that is safe to hijack, avoiding critical system processes or SSH processes. 68 | Returns: 69 | int: The PID of the selected user process. 70 | """ 71 | user_uid = os.getuid() 72 | processes = [] 73 | 74 | for proc in os.listdir('/proc'): 75 | if proc.isdigit(): 76 | try: 77 | with open(f'/proc/{proc}/status', 'r') as f: 78 | lines = f.readlines() 79 | uid_line = [line for line in lines if line.startswith('Uid:')][0] 80 | uid = int(uid_line.split()[1]) 81 | if uid == user_uid: 82 | with open(f'/proc/{proc}/cmdline', 'r') as cmd_file: 83 | cmdline = cmd_file.read() 84 | if 'ssh' not in cmdline and 'systemd' not in cmdline and 'dbus' not in cmdline and 'su' not in cmdline and 'bash' not in cmdline: 85 | processes.append(int(proc)) 86 | except (FileNotFoundError, IndexError, PermissionError): 87 | continue 88 | 89 | if not processes: 90 | raise Exception("No suitable user processes found.") 91 | 92 | # Select a less critical process by filtering out common system services 93 | safe_processes = [pid for pid in processes if pid > 1000] 94 | if not safe_processes: 95 | raise Exception("No suitable non-critical user processes found.") 96 | 97 | return random.choice(safe_processes) 98 | 99 | def start_hijacking(): 100 | try: 101 | while True: 102 | try: 103 | # Pick a suitable user process PID, avoiding critical system processes and SSH processes 104 | pid = pick_user_process() 105 | print(f"Selected PID: {pid}") 106 | 107 | # Attach to the process 108 | attach_process(pid) 109 | 110 | # Read the process' memory 111 | addr = 0x10000000 112 | word = peek_text(pid, addr) 113 | print(f"Original word at 0x{addr:08x}: 
0x{word:08x}") 114 | 115 | # Patch the process' memory 116 | new_word = 0xDEADBEEF 117 | poke_text(pid, addr, new_word) 118 | print(f"Patched word at 0x{addr:08x}: 0x{peek_text(pid, addr):08x}") 119 | 120 | # Get the thread's registers 121 | regs = get_regs(pid) 122 | print(f"Original registers: {regs}") 123 | 124 | # Modify the thread's registers 125 | regs.eip = 0x12345678 # Modify the EIP register 126 | set_regs(pid, regs) 127 | print(f"Modified registers: {get_regs(pid)}") 128 | 129 | # Run the shellcode 130 | shellcode = b'\x90' * 100 # NOP sled 131 | for i in range(0, len(shellcode), 4): 132 | chunk = shellcode[i:i+4] 133 | chunk = chunk.ljust(4, b'\x00') # Ensure the chunk is 4 bytes 134 | poke_text(pid, addr + i, int.from_bytes(chunk, 'little')) 135 | 136 | set_regs(pid, regs) # Restore the original registers 137 | 138 | # Detach from the process 139 | detach_process(pid) 140 | 141 | print("Shellcode executed. Check the process' output.") 142 | return "Process hijacking completed successfully." 143 | except (ctypes.ArgumentError, OSError, Exception) as e: 144 | print(f"Error occurred: {e}. Retrying with a different PID...") 145 | time.sleep(1) # Give it some time before retrying 146 | continue 147 | except KeyboardInterrupt: 148 | print("Process hijacking interrupted by user.") 149 | break 150 | except Exception as e: 151 | print(f"Error occurred: {e}.") 152 | raise Exception("Process hijacking failed") # Raise an exception -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Linux/complex/process_tampering.py: -------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | import time 4 | import struct 5 | 6 | # C code for the test program 7 | C_CODE = """ 8 | #include 9 | #include 10 | 11 | int target_value = 0x12345678; 12 | 13 | int main() { 14 | printf("Test process started. 
PID: %d\\n", getpid()); 15 | fflush(stdout); // Ensure the output is immediately flushed 16 | printf("Target value is initially: 0x%x\\n", target_value); 17 | fflush(stdout); // Ensure the output is immediately flushed 18 | 19 | // Infinite loop to keep the process running 20 | while (1) { 21 | sleep(1); // Sleep to avoid high CPU usage 22 | } 23 | 24 | return 0; 25 | } 26 | """ 27 | 28 | def compile_and_run_test_program(): 29 | """Write, compile, and run the C test program.""" 30 | c_file = "test_program.c" 31 | executable = "./test_program" 32 | 33 | try: 34 | # Write the C code to a file 35 | with open(c_file, "w") as f: 36 | f.write(C_CODE) 37 | 38 | # Compile the C program 39 | compile_cmd = ["gcc", "-o", executable, c_file] 40 | subprocess.run(compile_cmd, check=True) 41 | print("C test program compiled successfully.") 42 | 43 | # Run the compiled test program asynchronously 44 | process = subprocess.Popen([executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True) 45 | except subprocess.CalledProcessError as e: 46 | print(f"Compilation failed: {e}") 47 | raise Exception("Failed to compile the test program") # Raise an exception instead 48 | 49 | # Capture the PID from the test program's output 50 | pid = None 51 | while True: 52 | line = process.stdout.readline().strip() 53 | print(line) # Print output for debugging 54 | if "PID" in line: 55 | pid = int(line.split("PID: ")[1]) 56 | break 57 | 58 | if not pid: 59 | raise Exception("Failed to get PID from the test program.") 60 | 61 | return pid, process 62 | 63 | def read_memory_from_proc(pid, address, size=4): 64 | """Read memory directly from /proc//mem.""" 65 | mem_path = f"/proc/{pid}/mem" 66 | try: 67 | with open(mem_path, 'rb') as mem_file: 68 | mem_file.seek(address) 69 | return mem_file.read(size) 70 | except Exception as e: 71 | print(f"Error reading memory from {hex(address)}: {e}") 72 | return None 73 | 74 | def write_memory_to_proc(pid, address, value): 75 | """Write memory directly 
to /proc//mem.""" 76 | mem_path = f"/proc/{pid}/mem" 77 | value_bytes = struct.pack("I", value) # Convert integer value to bytes 78 | try: 79 | with open(mem_path, 'wb') as mem_file: 80 | mem_file.seek(address) 81 | mem_file.write(value_bytes) 82 | print(f"Successfully wrote {hex(value)} to {hex(address)}") 83 | except Exception as e: 84 | print(f"Error writing memory to {hex(address)}: {e}") 85 | 86 | def find_variable_address(pid, target_value): 87 | """Search for the target value in the process's memory.""" 88 | maps_path = f"/proc/{pid}/maps" 89 | mem_path = f"/proc/{pid}/mem" 90 | target_value_bytes = struct.pack("I", target_value) # Pack target_value as bytes 91 | 92 | try: 93 | with open(maps_path, 'r') as maps_file, open(mem_path, 'rb', 0) as mem_file: 94 | for line in maps_file: 95 | if 'rw-p' in line: # Look for writable memory segment 96 | address_range = line.split(' ')[0] 97 | start_address, end_address = [int(addr, 16) for addr in address_range.split('-')] 98 | print(f"Checking memory segment: {hex(start_address)} - {hex(end_address)}") 99 | 100 | # Search for the target value in the memory segment 101 | mem_file.seek(start_address) 102 | memory = mem_file.read(end_address - start_address) 103 | address_offset = memory.find(target_value_bytes) 104 | if address_offset != -1: 105 | return start_address + address_offset # Return the address where target_value is found 106 | except FileNotFoundError: 107 | raise Exception(f"Could not open memory maps or memory file for process {pid}") 108 | return None 109 | 110 | def tamper_process(pid, target_value): 111 | """Tamper with process memory using /proc//mem.""" 112 | try: 113 | # Step 1: Find the memory address of the target variable 114 | address = find_variable_address(pid, target_value) 115 | if address is None: 116 | raise Exception("Could not find the target value in memory.") 117 | print(f"Found target value at address: {hex(address)}") 118 | 119 | # Step 2: Read the original value from memory 120 | 
original_value = read_memory_from_proc(pid, address) 121 | if original_value is not None: 122 | original_value = struct.unpack("I", original_value)[0] # Convert bytes to integer 123 | print(f"Original value at {hex(address)}: {hex(original_value)}") 124 | 125 | # Step 3: Write a new value to the memory 126 | new_value = 0xDEADBEEF 127 | write_memory_to_proc(pid, address, new_value) 128 | 129 | # Step 4: Verify the tampering 130 | tampered_value = read_memory_from_proc(pid, address) 131 | if tampered_value is not None: 132 | tampered_value = struct.unpack("I", tampered_value)[0] 133 | print(f"New value at {hex(address)}: {hex(tampered_value)}") 134 | 135 | except Exception as e: 136 | print(f"Error: {e}") 137 | 138 | def cleanup(process): 139 | """Terminate the test program and clean up.""" 140 | process.terminate() # Kill the running test process 141 | process.wait() # Wait for process termination 142 | print("Test process terminated.") 143 | 144 | def begin_tamper(): 145 | """Main function to demonstrate process tampering.""" 146 | try: 147 | # Step 1: Compile and run the C test program asynchronously 148 | pid, process = compile_and_run_test_program() 149 | print(f"Test program running with PID: {pid}") 150 | 151 | # Step 2: Tamper with the process's memory 152 | target_value = 0x12345678 # The known value we want to tamper with 153 | tamper_process(pid, target_value) 154 | 155 | # Step 3: Clean up and terminate the test program 156 | cleanup(process) 157 | 158 | return "Process tampering completed successfully." 
159 | except Exception as e: 160 | print(f"Error during process tampering: {e}") 161 | raise 162 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Linux/complex/scheduled_task.py: -------------------------------------------------------------------------------- 1 | import os 2 | import pwd 3 | import time 4 | import subprocess 5 | 6 | CRON_PATH = '/var/spool/cron/crontabs' 7 | 8 | def get_username(): 9 | """Get the current username.""" 10 | return pwd.getpwuid(os.getuid()).pw_name 11 | 12 | def create_cron_job(command, schedule="* * * * *"): 13 | """Create a cron job for the current user.""" 14 | try: 15 | username = get_username() 16 | cron_file_path = os.path.join(CRON_PATH, username) 17 | 18 | # Ensure the cron directory exists 19 | if not os.path.exists(CRON_PATH): 20 | raise Exception(f"Cron path {CRON_PATH} does not exist.") 21 | 22 | # Build the cron job entry 23 | cron_job = f"{schedule} {command}\n" 24 | 25 | # Write the cron job directly into the user's crontab file 26 | with open(cron_file_path, 'a') as cron_file: 27 | cron_file.write(cron_job) 28 | print(f"Cron job added: {cron_job.strip()}") 29 | 30 | # Change permissions of the crontab file to ensure it is correct 31 | os.chmod(cron_file_path, 0o600) # User read-write, no other permissions 32 | 33 | # Reload cron daemon to apply the changes 34 | subprocess.run(['service', 'cron', 'reload'], check=True) 35 | print(f"Cron daemon reloaded successfully.") 36 | 37 | except Exception as e: 38 | print(f"Error creating cron job: {e}") 39 | raise Exception("Failed to create cron job") # Raise an exception 40 | 41 | def remove_cron_job(command): 42 | """Remove the specified cron job for the current user.""" 43 | try: 44 | username = get_username() 45 | cron_file_path = os.path.join(CRON_PATH, username) 46 | 47 | if not os.path.exists(cron_file_path): 48 | raise Exception(f"Cron file {cron_file_path} does not exist.") 49 | 50 | # Read the current cron 
file and filter out the specific job 51 | with open(cron_file_path, 'r') as cron_file: 52 | lines = cron_file.readlines() 53 | 54 | # Filter out the line containing the command 55 | new_lines = [line for line in lines if command not in line] 56 | 57 | # Write the modified cron file back 58 | with open(cron_file_path, 'w') as cron_file: 59 | cron_file.writelines(new_lines) 60 | print(f"Removed cron job: {command}") 61 | 62 | # Reload cron daemon to apply the changes 63 | subprocess.run(['service', 'cron', 'reload'], check=True) 64 | print(f"Cron daemon reloaded after cleanup.") 65 | 66 | except Exception as e: 67 | print(f"Error removing cron job: {e}") 68 | raise Exception("Failed to remove cron job") # Raise an exception 69 | 70 | def run_task(): 71 | """Main function to create a scheduled task using cron, and then clean it up.""" 72 | # Define the command to be scheduled and the schedule (every minute by default) 73 | command = '/usr/bin/echo "Hello from cron task!"' 74 | schedule = "* * * * *" # Runs every minute; modify as needed 75 | 76 | # Step 1: Create the cron job 77 | create_cron_job(command, schedule) 78 | 79 | # Step 2: Wait for a short while (e.g., 1 minute) to allow the job to run once 80 | print("Waiting for the cron job to run once...") 81 | time.sleep(10) # Sleep for 10 seconds to allow the cron job to run 82 | 83 | # Step 3: Remove the cron job 84 | remove_cron_job(command) 85 | 86 | return "Scheduled task created and removed successfully." 
87 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Linux/lnx_telem_gen.py: -------------------------------------------------------------------------------- 1 | import dbus 2 | import os 3 | import libuser 4 | import sched 5 | import sys 6 | import time 7 | import socket 8 | import signal 9 | import socket 10 | import csv 11 | import traceback 12 | from ctypes import CDLL 13 | from complex.driver_load import loadit 14 | from complex.process_tampering import begin_tamper 15 | from complex.scheduled_task import run_task 16 | from complex.process_hijack_demo import start_hijacking 17 | from complex.eBPF_exec import run_pamspy 18 | from prettytable import PrettyTable 19 | 20 | scheduler = sched.scheduler(time.time, time.sleep) 21 | 22 | class NetworkSocketManager: 23 | """ 24 | The `network_listen` method is intended to create a standard listening socket for handling incoming TCP 25 | connections, while the `network_raw_socket` method creates a raw socket bound to a network interface. 26 | """ 27 | 28 | @staticmethod 29 | def network_listen(): 30 | """ 31 | Creates a listening socket that binds to a specified IP and port. 32 | """ 33 | try: 34 | listen_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 35 | listen_socket.bind(('0.0.0.0', 12345)) # Bind to all interfaces on port 12345 36 | listen_socket.listen(5) 37 | print("Listening on 0.0.0.0:12345...") 38 | except socket.error as e: 39 | print(f"Error in NetworkListen: {e}") 40 | finally: 41 | listen_socket.close() 42 | 43 | @staticmethod 44 | def network_raw_socket(): 45 | """ 46 | Creates a raw socket that binds to an existing network interface. 
47 | """ 48 | try: 49 | # Automatically find an available network interface 50 | def get_interface(): 51 | interfaces = os.listdir('/sys/class/net/') 52 | for interface in interfaces: 53 | if interface != 'lo': # Skip the loopback interface 54 | return interface 55 | raise Exception("No valid network interfaces found.") 56 | 57 | interface = get_interface() 58 | raw_socket = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003)) 59 | raw_socket.bind((interface, 0)) # Bind to the automatically found network interface 60 | print(f"Raw socket bound to {interface}...") 61 | except socket.error as e: 62 | print(f"Error in NetworkRawSocket: {e}") 63 | except Exception as e: 64 | print(f"Error finding network interface: {e}") 65 | finally: 66 | raw_socket.close() 67 | 68 | @staticmethod 69 | def network_connect(): 70 | # Function to trigger a network connection 71 | try: 72 | # Create a TCP/IP socket 73 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 74 | # Google's IP address and port 80 (HTTP) 75 | server_address = ('google.com', 80) 76 | print(f"Attempting to connect to {server_address[0]} on port {server_address[1]}...") 77 | sock.connect(server_address) 78 | print("Network connection established.") 79 | # Close the socket 80 | sock.close() 81 | except socket.error as e: 82 | print(f"Network connection failed: {e}") 83 | 84 | class UserAccountManager: 85 | """ 86 | UserAccountManager is a class responsible for managing user accounts on a Linux system. 87 | It provides methods to create, modify, and delete user accounts using the libuser library. 88 | Additionally, it sets up the necessary libuser configuration and installs the required packages. 
89 | """ 90 | def __init__(self): 91 | self.username = "testuser" 92 | self.password = "password123" 93 | self.new_password = "newpassword123" 94 | self.setup_libuser() 95 | 96 | def setup_libuser(self): 97 | try: 98 | # Create the libuser configuration file 99 | libuser_conf = "/etc/libuser.conf" 100 | if not os.path.exists(libuser_conf): 101 | with open(libuser_conf, "w") as f: 102 | f.write("[defaults]\n") 103 | f.write("LU_DEFAULT_USERGROUPS = true\n") 104 | f.write("LU_DEFAULT_HOME = /home\n") 105 | f.write("LU_DEFAULT_SHELL = /bin/bash\n") 106 | print("libuser setup completed successfully.") 107 | except Exception as e: 108 | print(f"Failed to set up libuser: {e}") 109 | 110 | def create_user(self): 111 | try: 112 | # Initialize the libuser context 113 | ctx = libuser.admin() 114 | 115 | # Create a new user 116 | user = ctx.initUser(self.username) 117 | user.set("password", self.password) 118 | user.set("home", f"/home/{self.username}") 119 | user.set("shell", "/bin/bash") 120 | 121 | # Add the user to the system 122 | if not ctx.addUser(user): 123 | raise Exception("Failed to create user") 124 | 125 | print(f"User '{self.username}' created successfully.") 126 | except Exception as e: 127 | print(f"Failed to create user '{self.username}': {e}") 128 | 129 | def modify_user(self): 130 | try: 131 | # Initialize the libuser context 132 | ctx = libuser.admin() 133 | 134 | # Get the existing user 135 | user = ctx.lookupUserByName(self.username) 136 | if not user: 137 | raise Exception(f"User '{self.username}' does not exist") 138 | 139 | # Modify the user's password 140 | user.set("password", self.new_password) 141 | 142 | # Update the user in the system 143 | if not ctx.modifyUser(user): 144 | raise Exception("Failed to modify user") 145 | 146 | print(f"User '{self.username}' modified successfully.") 147 | except Exception as e: 148 | print(f"Failed to modify user '{self.username}': {e}") 149 | 150 | def delete_user(self): 151 | try: 152 | # Initialize the libuser 
context 153 | ctx = libuser.admin() 154 | 155 | # Get the existing user 156 | user = ctx.lookupUserByName(self.username) 157 | if not user: 158 | raise Exception(f"User '{self.username}' does not exist") 159 | 160 | # Delete the user from the system 161 | if not ctx.deleteUser(user): 162 | raise Exception("Failed to delete user") 163 | 164 | print(f"User '{self.username}' deleted successfully.") 165 | except Exception as e: 166 | print(f"Failed to delete user '{self.username}': {e}") 167 | 168 | def run(self): 169 | self.create_user() 170 | time.sleep(2) 171 | self.modify_user() 172 | time.sleep(2) 173 | self.delete_user() 174 | 175 | def manage_test_service(): 176 | """ 177 | Creates, modifies, and deletes a systemd service using D-Bus system calls. 178 | """ 179 | service_name = "test_telemetry_service" 180 | unit_name = f"{service_name}.service" 181 | service_file_path = f"/etc/systemd/system/{unit_name}" 182 | 183 | try: 184 | # Create service unit file on disk 185 | service_content = """[Unit] 186 | Description=Test Telemetry Service 187 | After=network.target 188 | 189 | [Service] 190 | Type=oneshot 191 | ExecStart=/bin/sleep 5 192 | RemainAfterExit=yes 193 | 194 | [Install] 195 | WantedBy=multi-user.target 196 | """ 197 | 198 | # Write the service file 199 | with open(service_file_path, 'w') as f: 200 | f.write(service_content) 201 | print(f"Service file created at {service_file_path}") 202 | 203 | # Connect to system bus 204 | bus = dbus.SystemBus() 205 | systemd = bus.get_object('org.freedesktop.systemd1', '/org/freedesktop/systemd1') 206 | manager = dbus.Interface(systemd, 'org.freedesktop.systemd1.Manager') 207 | 208 | # Reload systemd to recognize the new service 209 | manager.Reload() 210 | print(f"Systemd daemon reloaded") 211 | 212 | time.sleep(1) 213 | 214 | # Enable the service 215 | manager.EnableUnitFiles([unit_name], False, True) 216 | print(f"Service '{service_name}' enabled successfully") 217 | 218 | time.sleep(1) 219 | 220 | # Start the 
service 221 | manager.StartUnit(unit_name, 'replace') 222 | print(f"Service '{service_name}' started successfully") 223 | 224 | time.sleep(2) 225 | 226 | # Modify the service by updating the file 227 | modified_content = """[Unit] 228 | Description=Modified Test Telemetry Service 229 | After=network.target 230 | 231 | [Service] 232 | Type=oneshot 233 | ExecStart=/bin/sleep 3 234 | RemainAfterExit=yes 235 | 236 | [Install] 237 | WantedBy=multi-user.target 238 | """ 239 | with open(service_file_path, 'w') as f: 240 | f.write(modified_content) 241 | 242 | # Reload systemd to apply changes 243 | manager.Reload() 244 | print(f"Service '{service_name}' modified successfully") 245 | 246 | time.sleep(1) 247 | 248 | # Stop the service 249 | manager.StopUnit(unit_name, 'replace') 250 | print(f"Service '{service_name}' stopped successfully") 251 | 252 | time.sleep(1) 253 | 254 | # Disable and remove the service 255 | manager.DisableUnitFiles([unit_name], False) 256 | print(f"Service '{service_name}' disabled successfully") 257 | 258 | # Remove the service file 259 | if os.path.exists(service_file_path): 260 | os.remove(service_file_path) 261 | print(f"Service file removed from {service_file_path}") 262 | 263 | # Final reload to clean up 264 | manager.Reload() 265 | print(f"Service '{service_name}' deleted successfully") 266 | 267 | except dbus.exceptions.DBusException as e: 268 | print(f"D-Bus error: {e}") 269 | # Cleanup on error 270 | if os.path.exists(service_file_path): 271 | os.remove(service_file_path) 272 | except Exception as e: 273 | print(f"Error managing service: {e}") 274 | # Cleanup on error 275 | if os.path.exists(service_file_path): 276 | os.remove(service_file_path) 277 | 278 | # Function to perform a DNS query 279 | def dns_query(): 280 | domain = 'www.google.com' 281 | try: 282 | ip = socket.gethostbyname(domain) 283 | print(f"DNS query for {domain} returned IP: {ip}") 284 | except socket.error as e: 285 | print(f"DNS query failed: {e}") 286 | 287 | # 
Function to create and terminate a process 288 | def process_terminate(): 289 | pid = os.fork() 290 | if pid == 0: 291 | # Child process 292 | time.sleep(30) # Simulate work 293 | os._exit(0) 294 | else: 295 | # Parent process 296 | print(f"Started child process with PID: {pid}") 297 | time.sleep(5) 298 | os.kill(pid, signal.SIGTERM) 299 | print(f"Terminated child process with PID: {pid}") 300 | 301 | # Function to load a shared library (image) 302 | def image_load(): 303 | libc = CDLL('libc.so.6') 304 | print("Loaded shared library 'libc.so.6' into process.") 305 | 306 | # Function to trigger a network connection 307 | def network_connect(): 308 | try: 309 | # Create a TCP/IP socket 310 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 311 | # Google's IP address and port 80 (HTTP) 312 | server_address = ('google.com', 80) 313 | print(f"Attempting to connect to {server_address[0]} on port {server_address[1]}...") 314 | sock.connect(server_address) 315 | print("Network connection established.") 316 | # Close the socket 317 | sock.close() 318 | except socket.error as e: 319 | print(f"Network connection failed: {e}") 320 | 321 | # Function to perform raw access read 322 | def raw_access_read(): 323 | # Replace with a safer device for testing 324 | device = '/dev/sda' # Using '/dev/sda' as the main hard drive device 325 | num_bytes = 512 # Number of bytes to read 326 | offset = 0 # Offset from the beginning of the device 327 | 328 | try: 329 | with open(device, 'rb') as f: # Open the device in read-only mode 330 | data = f.read(1024) # Read the first 1024 bytes for demonstration 331 | print(data) 332 | except PermissionError: 333 | print("Permission denied: You need to run this script with elevated privileges.") 334 | except FileNotFoundError: 335 | print(f"Device {device} not found.") 336 | except Exception as e: 337 | print(f"An error occurred: {e}") 338 | 339 | # Dictionary mapping event names to functions 340 | event_functions = { 341 | 
'ServiceManagement': manage_test_service, 342 | 'DnsQuery': dns_query, 343 | 'ProcessTerminate': process_terminate, 344 | 'ImageLoad': image_load, 345 | 'NetworkConnect': network_connect, 346 | 'RawAccessRead': raw_access_read, 347 | 'LoadDriver': loadit, 348 | 'TamperProcess': begin_tamper, 349 | 'ScheduledTask': run_task, 350 | 'UserAccountEvents': UserAccountManager().run, 351 | 'NetworkListen': NetworkSocketManager.network_listen, 352 | 'NetworkRawSocket': NetworkSocketManager.network_raw_socket, 353 | 'eBPFProgram': run_pamspy, 354 | 'ProcessAccess': start_hijacking 355 | } 356 | 357 | def log_to_csv(function_name, output, error=None): 358 | with open('function_output_log.csv', mode='a', newline='') as file: 359 | writer = csv.writer(file) 360 | writer.writerow([function_name, output, error]) 361 | 362 | def main(): 363 | # Initialize CSV file with headers 364 | with open('function_output_log.csv', mode='w', newline='') as file: 365 | writer = csv.writer(file) 366 | writer.writerow(["Function", "Output", "Error"]) 367 | 368 | # Initialize script counters 369 | total_scripts = len(event_functions) 370 | current_script = 0 371 | successful_scripts = 0 372 | failed_scripts = 0 373 | failed_script_names = [] 374 | 375 | # Check for command-line arguments 376 | if len(sys.argv) > 1: 377 | # User has specified which events to run 378 | selected_events = sys.argv[1:] 379 | else: 380 | # No arguments provided; run all events 381 | selected_events = list(event_functions.keys()) 382 | 383 | # Remove duplicates and invalid event names 384 | selected_events = set(selected_events).intersection(event_functions.keys()) 385 | 386 | if not selected_events: 387 | print("No valid events specified.") 388 | print("Available events:", ', '.join(event_functions.keys())) 389 | sys.exit(1) 390 | 391 | for event in selected_events: 392 | current_script += 1 393 | print(f"\n\n--- Running {event} ({current_script}/{total_scripts}) ---") 394 | try: 395 | event_functions[event]() 396 | 
log_to_csv("[+] ", event, "Success") 397 | successful_scripts += 1 398 | time.sleep(1) # Add a delay between events 399 | except Exception as e: 400 | error_message = traceback.format_exc() 401 | log_to_csv(event, "", error_message) 402 | print(f"[-] Error running {event}: {e}") 403 | failed_scripts += 1 404 | failed_script_names.append(event) 405 | continue # Continue to the next function even if there is an error 406 | 407 | # Print summary table 408 | table = PrettyTable() 409 | table.field_names = ["Total Scripts", "Successful Scripts", "Failed Scripts"] 410 | table.add_row([total_scripts, successful_scripts, failed_scripts]) 411 | print("\n\n--- Summary ---") 412 | print(table, "\n") 413 | 414 | if failed_script_names: 415 | print("\nFailed Scripts:") 416 | for script in failed_script_names: 417 | print(f"- {script}") 418 | 419 | if __name__ == "__main__": 420 | try: 421 | main() 422 | except Exception as e: 423 | print(f"An unexpected error occurred: {e}") 424 | traceback.print_exc() 425 | finally: 426 | print("Script execution completed.") 427 | 428 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Linux/requirements.txt: -------------------------------------------------------------------------------- 1 | # EDR-Telemetry Project Requirements 2 | # This file lists all Python dependencies needed for the EDR-Telemetry project 3 | 4 | # Core table formatting library used across multiple scripts 5 | prettytable>=3.0.0 6 | 7 | # Data manipulation and analysis (used in convert.py) 8 | pandas>=1.5.0 9 | 10 | # HTTP requests library (used in fetch_contributors.py) 11 | requests>=2.28.0 12 | 13 | # Linux-specific dependencies for telemetry generation 14 | # D-Bus Python bindings for system service management (Linux telemetry generator) 15 | dbus-python>=1.2.18 16 | 17 | # User account management library for Linux (Linux telemetry generator) 18 | # NOTE: libuser is NOT available via pip and must be installed 
as a system package: 19 | # On Ubuntu/Debian: sudo apt-get install python3-libuser libuser 20 | # On RHEL/CentOS/Fedora: sudo yum install python3-libuser libuser 21 | # The Python bindings (python3-libuser) are installed system-wide; a virtual environment only 22 | # sees them if it was created with --system-site-packages (otherwise run the generator with the system interpreter). 23 | 24 | # Additional system dependencies notes: 25 | # The Linux telemetry generator also requires: 26 | # - gcc compiler for kernel module compilation 27 | # - kernel headers for driver loading functionality 28 | # - sudo privileges for certain system-level operations (driver loading, raw disk reads, service and user-account management) 29 | # - systemd for service management operations 30 | 31 | # Development dependencies (optional) 32 | # Add these if you need development/testing tools: 33 | # pytest>=7.0.0 34 | # black>=22.0.0 35 | # flake8>=5.0.0 -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/README.md: -------------------------------------------------------------------------------- 1 | # Telemetry Generator 2 | 3 | The telemetry generation tool is an early version (v0.1) software designed to help generate and test telemetry data. It utilizes the Invoke-AtomicRedTeam framework: each sub-category is mapped in config.json to an Atomic Red Team test (technique ID plus test GUID), and the tool reads that mapping and runs the corresponding tests to generate the telemetry. Be aware that on every run the script first downloads and executes the Invoke-AtomicRedTeam installer from GitHub, and that the tests themselves make real changes to the host (local accounts, services, registry run keys, scheduled tasks, WMI event subscriptions, and so on), so run it only on an isolated, snapshotted test machine; AV/EDR may also block some of the tests. 4 | 5 | Users can run either a single top-level category from config.json (for example -Name "Process Activity", which executes all of that category's sub-categories) or every category by leaving the -Name parameter at its default (All). This makes it easy to generate telemetry and test it against the comparison table of the project, ensuring alignment and accuracy. 6 | 7 | However, it is important to note that some sub-categories cannot be tested using this tool, such as USB Mount/Unmount and everything from the EDR-SysOps category.
Despite these limitations, the telemetry generation tool serves as a valuable resource for generating and testing telemetry data in accordance with the Invoke-AtomicRedTeam framework. 8 | 9 | ## Future Proofing 10 | 11 | As the project expands and evolves, the telemetry generation tool will continue to improve and incorporate new features and capabilities. This ongoing development will ensure that the tool remains relevant and effective in generating and testing telemetry data in line with the Invoke-AtomicRedTeam framework and the project's goals. 12 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/ServiceCreator/Program.cs: -------------------------------------------------------------------------------- 1 | // Build & Run Instructions 2 | // ------------------------ 3 | // 1. Create a new project: 4 | // dotnet new console -n ServiceCreator 5 | // 2. Install the Visual C++ Redistributable (x64): 6 | // https://aka.ms/vs/17/release/vc_redist.x64.exe 7 | // 3. Replace the Program.cs file with this one. 8 | // 4. Publish the executable (64-bit). Note: `--self-contained false` produces a framework-dependent build that needs the matching .NET runtime installed on the target host; pass `--self-contained true` (as the VSSDelete README does) if you actually want a self-contained executable: 9 | // dotnet publish -c Release -r win-x64 --self-contained false 10 | // 5. Run the generated .exe from the publish folder (Administrator privileges required; the program creates, starts, reconfigures and deletes a real Windows service named TestCmdNotepadService, so use a disposable test host).
11 | 12 | using System; 13 | using System.ComponentModel; 14 | using System.Runtime.InteropServices; 15 | using System.Security.Principal; 16 | 17 | class Program 18 | { 19 | // SCM + service access flags 20 | const uint SC_MANAGER_ALL_ACCESS = 0xF003F; 21 | const uint SERVICE_WIN32_OWN_PROCESS = 0x00000010; 22 | const uint SERVICE_DEMAND_START = 0x00000003; 23 | const uint SERVICE_ERROR_NORMAL = 0x00000001; 24 | const uint SERVICE_ALL_ACCESS = 0xF01FF; 25 | const uint SERVICE_QUERY_STATUS = 0x0004; 26 | const uint SERVICE_START = 0x0010; 27 | const uint DELETE = 0x00010000; 28 | const uint SERVICE_NO_CHANGE = 0xFFFFFFFF; 29 | 30 | [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] 31 | static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwAccess); 32 | 33 | [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] 34 | static extern IntPtr CreateService( 35 | IntPtr hSCManager, 36 | string lpServiceName, 37 | string lpDisplayName, 38 | uint dwDesiredAccess, 39 | uint dwServiceType, 40 | uint dwStartType, 41 | uint dwErrorControl, 42 | string lpBinaryPathName, 43 | string lpLoadOrderGroup, 44 | IntPtr lpdwTagId, 45 | string lpDependencies, 46 | string lpServiceStartName, 47 | string lpPassword); 48 | 49 | [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] 50 | static extern IntPtr OpenService( 51 | IntPtr hSCManager, 52 | string lpServiceName, 53 | uint dwDesiredAccess); 54 | 55 | [DllImport("advapi32.dll", SetLastError = true)] 56 | static extern bool DeleteService(IntPtr hService); 57 | 58 | [DllImport("advapi32.dll", SetLastError = true)] 59 | static extern bool StartService(IntPtr hService, int dwNumServiceArgs, IntPtr lpServiceArgVectors); 60 | 61 | [DllImport("advapi32.dll", SetLastError = true)] 62 | static extern bool CloseServiceHandle(IntPtr hSCObject); 63 | 64 | [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] 65 | static extern 
bool ChangeServiceConfig( 66 | IntPtr hService, 67 | uint dwServiceType, 68 | uint dwStartType, 69 | uint dwErrorControl, 70 | string lpBinaryPathName, 71 | string lpLoadOrderGroup, 72 | IntPtr lpdwTagId, 73 | string lpDependencies, 74 | string lpServiceStartName, 75 | string lpPassword, 76 | string lpDisplayName); 77 | 78 | static void Main(string[] args) 79 | { 80 | if (!IsAdministrator()) 81 | { 82 | Console.WriteLine("You must run this program as Administrator to manage services."); 83 | return; 84 | } 85 | 86 | if (args.Length == 0) 87 | { 88 | Console.WriteLine("Usage: ServiceCreator install|start|modify|uninstall"); 89 | return; 90 | } 91 | 92 | string serviceName = "TestCmdNotepadService"; 93 | string displayName = "Test Cmd Notepad Service"; 94 | 95 | switch (args[0].ToLowerInvariant()) 96 | { 97 | case "install": 98 | Install(serviceName, displayName); 99 | break; 100 | case "start": 101 | Start(serviceName); 102 | break; 103 | case "modify": 104 | Modify(serviceName); 105 | break; 106 | case "uninstall": 107 | Uninstall(serviceName); 108 | break; 109 | default: 110 | Console.WriteLine("Usage: ServiceCreator install|start|modify|uninstall"); 111 | break; 112 | } 113 | } 114 | 115 | static bool IsAdministrator() 116 | { 117 | using var identity = WindowsIdentity.GetCurrent(); 118 | var principal = new WindowsPrincipal(identity); 119 | return principal.IsInRole(WindowsBuiltInRole.Administrator); 120 | } 121 | 122 | static void Install(string serviceName, string displayName) 123 | { 124 | // Initial test binary: cmd.exe /c notepad.exe 125 | string binPath = "\"C:\\Windows\\System32\\cmd.exe\" /c notepad.exe"; 126 | 127 | IntPtr scm = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS); 128 | if (scm == IntPtr.Zero) 129 | throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenSCManager failed"); 130 | 131 | try 132 | { 133 | IntPtr svc = CreateService( 134 | scm, 135 | serviceName, 136 | displayName, 137 | SERVICE_ALL_ACCESS, 138 | SERVICE_WIN32_OWN_PROCESS, 
139 | SERVICE_DEMAND_START, 140 | SERVICE_ERROR_NORMAL, 141 | binPath, 142 | null, 143 | IntPtr.Zero, 144 | null, 145 | null, 146 | null); 147 | 148 | if (svc == IntPtr.Zero) 149 | throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateService failed"); 150 | 151 | CloseServiceHandle(svc); 152 | Console.WriteLine("Service installed."); 153 | } 154 | finally 155 | { 156 | CloseServiceHandle(scm); 157 | } 158 | } 159 | 160 | static void Start(string serviceName) 161 | { 162 | IntPtr scm = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS); 163 | if (scm == IntPtr.Zero) 164 | throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenSCManager failed"); 165 | 166 | try 167 | { 168 | IntPtr svc = OpenService(scm, serviceName, SERVICE_START | SERVICE_QUERY_STATUS); 169 | if (svc == IntPtr.Zero) 170 | throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenService failed"); 171 | 172 | try 173 | { 174 | if (!StartService(svc, 0, IntPtr.Zero)) 175 | throw new Win32Exception(Marshal.GetLastWin32Error(), "StartService failed"); 176 | 177 | Console.WriteLine("Service start requested."); 178 | } 179 | finally 180 | { 181 | CloseServiceHandle(svc); 182 | } 183 | } 184 | finally 185 | { 186 | CloseServiceHandle(scm); 187 | } 188 | } 189 | 190 | static void Modify(string serviceName) 191 | { 192 | // New test binary after modification: cmd.exe /c calc.exe 193 | string newBinPath = "\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe"; 194 | 195 | IntPtr scm = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS); 196 | if (scm == IntPtr.Zero) 197 | throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenSCManager failed"); 198 | 199 | try 200 | { 201 | IntPtr svc = OpenService(scm, serviceName, SERVICE_ALL_ACCESS); 202 | if (svc == IntPtr.Zero) 203 | throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenService failed"); 204 | 205 | try 206 | { 207 | bool ok = ChangeServiceConfig( 208 | svc, 209 | SERVICE_NO_CHANGE, // keep type 210 | SERVICE_NO_CHANGE, // keep start type 
211 | SERVICE_NO_CHANGE, // keep error control 212 | newBinPath, // update binary path 213 | null, 214 | IntPtr.Zero, 215 | null, 216 | null, 217 | null, 218 | null); 219 | 220 | if (!ok) 221 | throw new Win32Exception(Marshal.GetLastWin32Error(), "ChangeServiceConfig failed"); 222 | 223 | Console.WriteLine("Service modified successfully."); 224 | } 225 | finally 226 | { 227 | CloseServiceHandle(svc); 228 | } 229 | } 230 | finally 231 | { 232 | CloseServiceHandle(scm); 233 | } 234 | } 235 | 236 | static void Uninstall(string serviceName) 237 | { 238 | IntPtr scm = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS); 239 | if (scm == IntPtr.Zero) 240 | throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenSCManager failed"); 241 | 242 | try 243 | { 244 | IntPtr svc = OpenService(scm, serviceName, DELETE); 245 | if (svc == IntPtr.Zero) 246 | throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenService failed"); 247 | 248 | try 249 | { 250 | if (!DeleteService(svc)) 251 | throw new Win32Exception(Marshal.GetLastWin32Error(), "DeleteService failed"); 252 | 253 | Console.WriteLine("Service uninstalled."); 254 | } 255 | finally 256 | { 257 | CloseServiceHandle(svc); 258 | } 259 | } 260 | finally 261 | { 262 | CloseServiceHandle(scm); 263 | } 264 | } 265 | } -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/ServiceCreator/ServiceCreator.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | net7.0 6 | win-x64 7 | true 8 | true 9 | true 10 | link 11 | false 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/VSSDelete/Program.cs: -------------------------------------------------------------------------------- 1 | // Program.cs 2 | // 3 | // Before you begin compiling, follow the steps below: 4 | // ------------------------ 5 | // 1. 
// Create a new project:
//    dotnet new console -n VssDeletePOC
//
// 2. Navigate to that directory:
//    cd VssDeletePOC
//
// 3. Add the dependency:
//    dotnet add package AlphaVSS
//    -- If you get an error for no versions available for package AlphaVSS, run this:
//    dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org
//
// 4. Run the program:
//    dotnet run
// _____________________________________________
//
// Build & Run Instructions
// ------------------------
// 1. Install the Visual C++ Redistributable (x64):
//    https://aka.ms/vs/17/release/vc_redist.x64.exe
//
// 2. Publish the executable (64-bit). `--self-contained false` gives a
//    framework-dependent build that needs the .NET runtime on the target;
//    use `--self-contained true` (as README.md does) for a build that
//    carries its own runtime:
//    dotnet publish -c Release -r win-x64 --self-contained true
//
// 3. Run the generated .exe from the publish folder (Administrator privileges required).
//
// WARNING: this program DELETES a real Volume Shadow Copy - the first one
// returned by the VSS query, with no confirmation. It exists to generate
// shadow-copy-deletion telemetry for EDR testing (a common ransomware
// precursor); run it only on a disposable test host.

using System;
using System.Linq;
using Alphaleonis.Win32.Vss;

class DeleteFirstSnapshot
{
    /// <summary>
    /// Enumerates VSS snapshots and deletes the first one found, if any.
    /// Requires Administrator privileges. Any failure is reported on the
    /// console (message, HRESULT, stack) rather than rethrown.
    /// </summary>
    static void Main()
    {
        try
        {
            var vssFactory = VssFactoryProvider.Default.GetVssFactory();

            using (IVssBackupComponents components = vssFactory.CreateVssBackupComponents())
            {
                components.InitializeForBackup(null);
                // Query across all snapshot contexts rather than only backup-created ones.
                components.SetContext(VssSnapshotContext.All);

                VssSnapshotProperties target = components.QuerySnapshots().FirstOrDefault();
                if (target == null)
                {
                    Console.WriteLine("No snapshots found.");
                    return;
                }

                Console.WriteLine("Deleting snapshot: " + target.SnapshotId);
                // Second argument false: the non-forced delete variant.
                components.DeleteSnapshot(target.SnapshotId, false);
                Console.WriteLine("Snapshot deleted.");
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine("VSS operation failed.");
            Console.WriteLine("Message : " + ex.Message);
            Console.WriteLine("HResult : 0x" + ex.HResult.ToString("X"));
            Console.WriteLine("Stack : " + ex.StackTrace);
        }
    }
}
-------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/VSSDelete/README.md: -------------------------------------------------------------------------------- 1 | # VssDeletePOC 2 | 3 | This is a simple proof-of-concept for deleting the first available Volume Shadow Copy Service (VSS) snapshot on Windows. 4 | It uses the [AlphaVSS](https://github.com/alphaleonis/AlphaVSS) library. **Warning:** this is destructive - it really deletes a shadow copy (the first one returned by the VSS query, with no confirmation prompt). It exists to generate "Volume Shadow Copy Deletion" telemetry for EDR testing; run it only on a disposable test machine. 5 | 6 | ## Setup & Run 7 | 8 | 1. Create a new console project: 9 | ```bash 10 | dotnet new console -n VssDeletePOC 11 | cd VssDeletePOC ``` 12 | 2. Add the dependency (pin a version with `--version` if you need reproducible builds): 13 | ```bash 14 | dotnet add package AlphaVSS 15 | ``` 16 | 17 | If you see an error about no versions available, run: 18 | ```bash 19 | dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org 20 | ``` 21 | 3. Replace the content of `Program.cs` with the content of [Program.cs](Program.cs). 22 | 4. Run the program: 23 | ```bash 24 | dotnet run 25 | ``` 26 | 27 | ## Build & Run as Executable 28 | 29 | 1. Install the [Visual C++ Redistributable (x64)](https://aka.ms/vs/17/release/vc_redist.x64.exe). 30 | 2. Publish a self-contained executable (64-bit): 31 | 32 | ```bash 33 | dotnet publish -c Release -r win-x64 --self-contained true 34 | ``` 35 | 3. Run the generated `.exe` (requires **Administrator** privileges). 36 | 37 | --- 38 | 39 | ## Creating a VSS Snapshot 40 | 41 | If you don't have a VSS snapshot already, on a Windows server, you can create one using the following command: 42 | ```bash 43 | vssadmin create shadow /for=C: 44 | ``` 45 | Replace `C:` with the drive letter you want to snapshot.
46 | 47 | You can verify that the snapshot was created by running: 48 | ```bash 49 | vssadmin list shadows 50 | ``` 51 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "Process Activity": { 3 | "Process Creation": { 4 | "Atomics": { 5 | "T1204.002": "02f35d62-9fdc-4a97-b899-a5d9a876d295" 6 | } 7 | }, 8 | "Process Access": { 9 | "Atomics": { 10 | "T1055.001": "74496461-11a1-4982-b439-4d87a550d254" 11 | }, 12 | "Comments": { 13 | "1": "Includes tests for Image/Library Loaded and Remote Thread Creation" 14 | } 15 | }, 16 | "Process Tampering Activity": { 17 | "Atomics": { 18 | "T1055.012": "562427b4-39ef-4e8c-af88-463a78e70b9c" 19 | } 20 | } 21 | }, 22 | "File Manipulation": { 23 | "File Creation": { 24 | "Atomics": { 25 | "T1204.002": "3f3af983-118a-4fa1-85d3-ba4daa739d80" 26 | }, 27 | "Comments": { 28 | "1": "Includes tests for 'File Opened','File Deletion' and 'File Modification" 29 | }, 30 | "Cleanup": "True" 31 | }, 32 | "File Opened": { 33 | "Atomics": { 34 | "T1055.001": "74496461-11a1-4982-b439-4d87a550d254" 35 | }, 36 | "Comments": { 37 | "1": "Includes tests for Image/Library Loaded and Remote Thread Creation" 38 | } 39 | }, 40 | "File Renaming": { 41 | "Atomics": { 42 | "T1036.003": "5ba5a3d1-cf3c-4499-968a-a93155d1f717" 43 | } 44 | } 45 | }, 46 | "User Account Activity": { 47 | "Local Account Creation": { 48 | "Atomics": { 49 | "T1136.001": "2170d9b5-bacd-4819-a952-da76dae0815f" 50 | } 51 | }, 52 | "Local Account Modification": { 53 | "Atomics": { 54 | "T1098": "5598f7cb-cf43-455e-883a-f6008c5d46af" 55 | }, 56 | "Comments": { 57 | "1": "Includes test for 'Local Account Deletion'" 58 | }, 59 | "Cleanup": "True" 60 | } 61 | }, 62 | "Network Activity": { 63 | "TCP Connection": { 64 | "Atomics": { 65 | "T1071.001": "81c13829-f6c9-45b8-85a6-053366d55297" 66 | } 67 | }, 68 | "URL": { 69 | 
"Atomics": { 70 | "T1204.002": "02f35d62-9fdc-4a97-b899-a5d9a876d295" 71 | } 72 | }, 73 | "DNS Query": { 74 | "Atomics": { 75 | "T1071.004": "fef31710-223a-40ee-8462-a396d6b66978" 76 | } 77 | }, 78 | "File Downloaded": { 79 | "Atomics": { 80 | "T1105": "42dc4460-9aa6-45d3-b1a6-3955d34e1fe8" 81 | } 82 | } 83 | }, 84 | "Registry Activity": { 85 | "Key/Value Creation": { 86 | "Atomics": { 87 | "T1547.001": "e55be3fd-3521-4610-9d1a-e210e42dcf05" 88 | }, 89 | "Comments": { 90 | "1": "Includes test for 'Key/Value Deletion'" 91 | }, 92 | "Cleanup": "True" 93 | }, 94 | "Key/Value Modification": { 95 | "Atomics": { 96 | "T1071.004": "8834b65a-f808-4ece-ad7e-2acdf647aafa" 97 | } 98 | } 99 | }, 100 | "Schedule Task Activity": { 101 | "Scheduled Task Creation": { 102 | "Atomics": { 103 | "T1053.005": "cd925593-fbb4-486d-8def-16cbdf944bf4" 104 | }, 105 | "Comments": { 106 | "1": "Includes test for 'Scheduled Task Deletion'" 107 | }, 108 | "Cleanup": "True" 109 | }, 110 | "Scheduled Task Modification": { 111 | "Atomics": { 112 | "T1053.005": "dda6fc7b-c9a6-4c18-b98d-95ec6542af6d" 113 | } 114 | } 115 | }, 116 | "Service Activity": { 117 | "Service Creation": { 118 | "Atomics": { 119 | "T1543.003": "ef0581fd-528e-4662-87bc-4c2affb86940" 120 | }, 121 | "Comments": { 122 | "1": "Includes test for 'Service Deletion'" 123 | }, 124 | "Cleanup": "True" 125 | }, 126 | "Service Modification": { 127 | "Atomics": { 128 | "T1543.003": "ed366cde-7d12-49df-a833-671904770b9f" 129 | } 130 | } 131 | }, 132 | "Driver/Module Activity": { 133 | "Driver Loaded": { 134 | "Atomics": { 135 | "T1562.001": "24a12b91-05a7-4deb-8d7f-035fa98591bc" 136 | } 137 | } 138 | }, 139 | "Device Operations": { 140 | "Virtual Disk Mount": { 141 | "Atomics": { 142 | "T1553.005": "002cca30-4778-4891-878a-aaffcfa502fa" 143 | } 144 | } 145 | }, 146 | "Other Relevant Events": { 147 | "Group Policy Modification": { 148 | "Atomics": { 149 | "T1484.001": "9ab80952-74ee-43da-a98c-1e740a985f28" 150 | } 151 | } 152 | }, 153 | 
"Named Pipe Activity": { 154 | "Pipe Creation": { 155 | "Atomics": { 156 | "T1559": " bd13b9fc-b758-496a-b81a-397462f82c72" 157 | }, 158 | "Comments": { 159 | "1": "Includes test for 'Pipe Connection'" 160 | } 161 | } 162 | }, 163 | "WMI Activity": { 164 | "WmiEventConsumerToFilter": { 165 | "Atomics": { 166 | "T1546.003": "3c64f177-28e2-49eb-a799-d767b24dd1e0" 167 | }, 168 | "Comments": { 169 | "1": "Includes test for 'WmiEventConsumer' and 'WmiEventFilter'" 170 | } 171 | } 172 | }, 173 | "BITS JOBS Activity": { 174 | "BITS JOBS Activity": { 175 | "Atomics": { 176 | "T1197": "62a06ec5-5754-47d2-bcfc-123d8314c6ae" 177 | } 178 | } 179 | }, 180 | "PowerShell Activity": { 181 | "Script-Block Activity": { 182 | "Atomics": { 183 | "T1059.001": "f3132740-55bc-48c4-bcc0-758a459cd027" 184 | } 185 | } 186 | } 187 | } 188 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/telemetry-generator.ps1: -------------------------------------------------------------------------------- 1 | # Version 0.1 2 | 3 | # Name of Technique to run. Default = All 4 | [CmdletBinding()] 5 | Param( 6 | [Parameter(Mandatory = $False, Position = 0)] 7 | [string]$Name = "All" 8 | ) 9 | 10 | 11 | # Function that installs Invoke-AtomicRedTeam 12 | function Install-ART(){ 13 | $art_url = 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' 14 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 15 | try{ 16 | Invoke-Expression (Invoke-WebRequest $art_url -UseBasicParsing); 17 | Install-AtomicRedTeam -getAtomics -ErrorAction Stop 18 | } 19 | catch{ 20 | Write-Host "There was an error during the installation please check your AV or internet connection" 21 | } 22 | } 23 | 24 | #Function that checks if cleanup exists inside the dictionary. 
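# (Some sub-categories require to be 'cleaned up/deleted' to generate the telemetry)
function CheckCleanupValue($value) {
    # Returns $true when the sub-category object from config.json carries a
    # "Cleanup" property (the file marks these as "Cleanup": "True").
    # Returns an explicit $false otherwise (the previous version returned
    # nothing), and tolerates a $null object - which a mistyped -Name
    # produces - instead of throwing on .PSobject.
    if ($null -eq $value) {
        return $false
    }
    if ($value.PSobject.Properties.Name -contains "Cleanup") {
        return $true
    }
    return $false
}

function CSV-Concat() {
    # Merge every per-sub-category result CSV found in the script folder into
    # All_telem_results.csv. Uses the script-scope $scriptPath variable (set
    # from $PSScriptRoot before this is called).
    # NOTE(review): Executor passes -ExecutionLogPath "$key1.csv" as a relative
    # path, presumably resolved against the current working directory, so the
    # per-test files only land here when the script is run from its own folder.
    $outputName = "All_telem_results.csv"

    # Skip the merged output itself: on a second run it would otherwise be
    # read back in and every earlier result duplicated.
    $csvFiles = Get-ChildItem -Path $scriptPath -Filter *.csv |
        Where-Object { $_.Name -ne $outputName }

    $combinedCsvData = @()
    foreach ($csvFile in $csvFiles) {
        $combinedCsvData += Import-Csv -Path $csvFile.FullName
    }

    # Write with headers and without the #TYPE information line.
    $combinedCsvData | Export-Csv -Path "$scriptPath\$outputName" -NoTypeInformation
}

# Iterate through all categories and execute the sub-categories specified. It generates a CSV for the results of each sub-category.
# NOTE(review): inside Executor the Invoke-AtomicTest calls use -ErrorAction SilentlyContinue, which suppresses
# non-terminating errors, so the surrounding try/catch only fires on terminating exceptions and
# $errorCheckPrereqs/$errorExecution mostly stay $false; use -ErrorAction Stop if those catch blocks are meant to run.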
52 | function Executor($Name) { 53 | foreach ($key1 in $json.$Name.PSobject.Properties.Name) { 54 | $errorCheckPrereqs = $false 55 | $errorExecution = $false 56 | $atomic = $json.$Name.$key1.Atomics.PSobject.Properties.Name 57 | $GUID = $json.$Name.$key1.Atomics.PSobject.Properties.Value 58 | Write-Host "" 59 | Write-Host "====================================" -ForegroundColor Yellow 60 | Write-Host "[*] Executing tests for $key1" -ForegroundColor Magenta 61 | Write-Host "====================================" -ForegroundColor Yellow 62 | Write-Host "" 63 | # TODO: Add more error handling for edge cases 64 | try { 65 | Invoke-AtomicTest -AtomicTechnique $atomic -TestGuids $GUID -GetPrereqs -ErrorAction SilentlyContinue 66 | } 67 | Catch { 68 | Write-Host "There was an error while checking the prerequisites for atomic $atomic" -ForegroundColor Red 69 | $errorCheckPrereqs = $true 70 | } 71 | try { 72 | Invoke-AtomicTest -AtomicTechnique $atomic -TestGuids $GUID -ExecutionLogPath "$key1.csv" -ErrorAction SilentlyContinue 73 | } 74 | Catch { 75 | Write-Host "There was an error while running the test for atomic $atomic" -ForegroundColor Red 76 | $errorExecution = $true 77 | } 78 | 79 | if ( -not $errorCheckPrereqs -and -not $errorExecution){ 80 | if (CheckCleanupValue($json.$Name.$key1)) { 81 | Write-Host "" 82 | Write-Host "==> Cleaning up and then sleeping for 7 seconds " -ForegroundColor Green -BackgroundColor DarkGray 83 | Write-Host "" 84 | Start-Sleep -Seconds 3 85 | Invoke-AtomicTest -AtomicTechnique $atomic -TestGuids $GUID -Cleanup 86 | } 87 | Start-Sleep -Seconds 7 88 | } 89 | } 90 | } 91 | 92 | Write-Host @" 93 | _____ _ _ _____ _ 94 | |_ _| | | | | | __ \ | | 95 | | | ___| | ___ _ __ ___ ___| |_ _ __ _ _ ______| | \/ ___ _ __ ___ _ __ __ _| |_ ___ _ __ 96 | | |/ _ \ |/ _ \ '_ ` _ \ / _ \ __| '__| | | |______| | __ / _ \ '_ \ / _ \ '__/ _` | __/ _ \| '__| 97 | | | __/ | __/ | | | | | __/ |_| | | |_| | | |_\ \ __/ | | | __/ | | (_| | || (_) | | 98 | 
\_/\___|_|\___|_| |_| |_|\___|\__|_| \__, | \____/\___|_| |_|\___|_| \__,_|\__\___/|_| 99 | __/ | 100 | |___/ 101 | 102 | "@ 103 | 104 | # Install Invoke-Atomic 105 | Install-ART 106 | 107 | # Get the path of the running script 108 | $scriptPath = $PSScriptRoot 109 | 110 | # Parse the configuration file 111 | $json_file = Get-Content -Path "$scriptPath\config.json" -Raw 112 | $json = ConvertFrom-Json $json_file 113 | 114 | # Main Execution loop. In this case, the argument -Name would have been set to default which is to run All available event categories. 115 | if ($Name -eq "All"){ 116 | foreach ($key in $json.PSobject.Properties.Name) { 117 | Executor($key) 118 | } 119 | } 120 | else { 121 | Executor($Name) 122 | } 123 | 124 | # Fuse all the CSV files into one 125 | CSV-Concat 126 | -------------------------------------------------------------------------------- /Tools/Telemetry-Generator/Windows/telemetry-mappings.csv: -------------------------------------------------------------------------------- 1 | Telemetry Feature Category,Sub-Category,Technique ID,Test Number,GUID,Comments 2 | Process Activity,Process Creation,T1204.002,8,02f35d62-9fdc-4a97-b899-a5d9a876d295, 3 | ,Process Termination,T1204.002,8,02f35d62-9fdc-4a97-b899-a5d9a876d295, 4 | ,Process Access,T1055.001,1,74496461-11a1-4982-b439-4d87a550d254, 5 | ,Image/Library Loaded,T1055.001,1,74496461-11a1-4982-b439-4d87a550d254, 6 | ,Remote Thread Creation,T1055.001,1,74496461-11a1-4982-b439-4d87a550d254, 7 | ,Process Tampering Activity,T1055.012,1,562427b4-39ef-4e8c-af88-463a78e70b9c, 8 | File Manipulation,File Creation,T1204.002,2,3f3af983-118a-4fa1-85d3-ba4daa739d80, 9 | ,File Opened,T1204.003,1,8bebc690-18c7-4549-bc98-210f7019efff, 10 | ,File Deletion,T1204.004,1,8bebc690-18c7-4549-bc98-210f7019efff,Covered from the above using -CleanUp parameter to delete the file 11 | ,File Modification,T1204.005,1,8bebc690-18c7-4549-bc98-210f7019efff, 12 | ,File 
Renaming,T1036.003,1,5ba5a3d1-cf3c-4499-968a-a93155d1f717, 13 | User Account Activity,Local Account Creation,T1136.001,6,fda74566-a604-4581-a4cc-fbbe21d66559, 14 | ,Local Account Modification,T1098,1,5598f7cb-cf43-455e-883a-f6008c5d46af, 15 | ,Local Account Deletion,T1098,1,5598f7cb-cf43-455e-883a-f6008c5d46af,Covered from the above using -CleanUp parameter to delete the file 16 | ,Account Login,-,-,-, 17 | ,Account Logoff,-,-,-, 18 | Network Activity,TCP Connection,T1071.001,1,81c13829-f6c9-45b8-85a6-053366d55297, 19 | ,UDP Connection,,,, 20 | ,URL,,,, 21 | ,DNS Query,T1071.004,3,fef31710-223a-40ee-8462-a396d6b66978, 22 | ,File Downloaded,T1105,10,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8, 23 | Hash Algorithms,MD5,-,-,-,Evaluate through Documentation 24 | ,SHA,-,-,-,Evaluate through Documentation 25 | ,IMPHASH,-,-,-,Evaluate through Documentation 26 | Registry Activity,Key/Value Creation,T1547.001,1,e55be3fd-3521-4610-9d1a-e210e42dcf05, 27 | ,Key/Value Modification,T1547.001,11,8834b65a-f808-4ece-ad7e-2acdf647aafa, 28 | ,Key/Value Deletion,T1547.001,1,e55be3fd-3521-4610-9d1a-e210e42dcf05,Covered from the above using -CleanUp parameter to delete the file 29 | Schedule Task Activity,Scheduled Task Creation,T1053.005,1,fec27f65-db86-4c2d-b66c-61945aee87c2, 30 | ,Scheduled Task Modification,T1053.005,9,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d, 31 | ,Scheduled Task Deletion,T1053.005,1,fec27f65-db86-4c2d-b66c-61945aee87c2,Covered from the above using -CleanUp parameter to delete the file 32 | Service Activity,Service Creation,T1543.003,2,981e2942-e433-44e9-afc1-8c957a1496b6, 33 | ,Service Modification,T1543.003,1,ed366cde-7d12-49df-a833-671904770b9f, 34 | ,Service Deletion,T1543.003,2,981e2942-e433-44e9-afc1-8c957a1496b6,Covered from the above using -CleanUp parameter to delete the file 35 | Driver/Module Activity,Driver Loaded,T1562.001,29,24a12b91-05a7-4deb-8d7f-035fa98591bc, 36 | ,Driver Modification,,,, 37 | ,Driver 
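import argparse
import json
import os
import sys

# Scoring definitions: how much each recorded telemetry status is worth.
FEATURES_DICT_VALUED = {
    "Yes": 1, "No": 0, "Via EnablingTelemetry": 1,
    "Partially": 0.5, "Via EventLogs": 0.5,
    "Pending Response": 0
}

# Weight of each Windows sub-category in the final score.
WINDOWS_CATEGORIES_VALUED = {
    "Process Creation": 1,
    "Process Termination": 0.5,
    "Process Access": 1,
    "Image/Library Loaded": 1,
    "Remote Thread Creation": 1,
    "Process Tampering Activity": 1,
    "Process Call Stacks": 1,
    "Win32 API Telemetry": 1,
    "File Creation": 1,
    "File Opened": 1,
    "File Deletion": 1,
    "File Modification": 1,
    "File Renaming": 0.7,
    "Local Account Creation": 1,
    "Local Account Modification": 1,
    "Local Account Deletion": 0.5,
    "Account Login": 0.7,
    "Account Logoff": 0.4,
    "TCP Connection": 1,
    "UDP Connection": 1,
    "URL": 1,
    "DNS Query": 1,
    "File Downloaded": 1,
    "MD5": 1,
    "SHA": 1,
    "JA3/JA3s": 1,
    "IMPHASH": 1,
    "Key/Value Creation": 1,
    "Key/Value Modification": 1,
    "Key/Value Deletion": 0.7,
    "Scheduled Task Creation": 0.7,
    "Scheduled Task Modification": 0.7,
    "Scheduled Task Deletion": 0.5,
    "Service Creation": 1,
    "Service Modification": 0.7,
    "Service Deletion": 0.6,
    "Driver Loaded": 1,
    "Driver Modification": 1,
    "Driver Unloaded": 1,
    "Virtual Disk Mount": 0.5,
    "USB Device Unmount": 0.7,
    "USB Device Mount": 1,
    "Group Policy Modification": 0.3,
    "Pipe Creation": 0.8,
    "Pipe Connection": 1,
    "Agent Start": 0.2,
    "Agent Stop": 0.8,
    "Agent Install": 0.2,
    "Agent Uninstall": 1,
    "Agent Keep-Alive": 0.2,
    "Agent Errors": 0.2,
    "WmiEventConsumerToFilter": 1,
    "WmiEventConsumer": 1,
    "WmiEventFilter": 1,
    "BIT JOBS Activity": 1,
    "Script-Block Activity": 1,
    "Volume Shadow Copy Deletion": 0.5
}

# Linux-specific categories
LINUX_CATEGORIES_VALUED = {
    "Process Creation": 1,
    "Process Termination": 0.5,
    "File Creation": 1,
    "File Modification": 1,
    "File Deletion": 1,
    "User Logon": 0.7,
    "User Logoff": 0.4,
    "Logon Failed": 1,
    "Script Content": 1,
    "Network Connection": 1,
    "Network Socket Listen": 1,
    "DNS Query": 1,
    "Scheduled Task": 0.7,
    "User Account Created": 1,
    "User Account Modified": 1,
    "User Account Deleted": 0.5,
    "Driver Load": 1,
    "Driver Modification": 1,
    "Image Load": 1,
    "eBPF Event": 1,
    "Raw Access Read": 1,
    "Process Access": 1,
    "Process Tampering": 1,
    "Service Creation": 1,
    "Service Modification": 0.7,
    "Service Deletion": 0.6,
    "Agent Start": 0.2,
    "Agent Stop": 0.8,
    "MD5": 1,
    "SHA": 1,
    "Fuzzy Hash": 1
}

# Columns that describe the row itself; every other column is an EDR's status.
META_COLUMNS = ("Telemetry Feature Category", "Sub-Category")


def determine_categories(filename):
    """
    Determine which categories to use based on the filename.

    Any path containing "linux" (case-insensitive) selects the Linux weights;
    everything else is scored with the Windows weights.
    """
    if "linux" in filename.lower():
        return LINUX_CATEGORIES_VALUED
    return WINDOWS_CATEGORIES_VALUED


def parse_arguments():
    """
    Parse command line arguments.

    The default points at the Windows dataset that actually ships at the
    repository root (the former default "EDR_telem.json" does not exist).
    """
    parser = argparse.ArgumentParser(description='Compare EDR telemetry data and generate scores.')
    parser.add_argument('-f', '--file',
                        default="EDR_telem_windows.json",
                        help='Path to the EDR telemetry JSON file (default: EDR_telem_windows.json)')
    return parser.parse_args()


def display_results(scores_dict, input_file):
    """
    Display the results in the terminal using PrettyTable.

    Args:
        scores_dict: EDR name -> score, already ordered for display.
        input_file: Path that produced the scores; used only for the heading.
    """
    # Imported here so that scoring (generate_scores) stays usable without
    # prettytable installed; only the table rendering needs it.
    from prettytable import PrettyTable

    os_type = "Linux" if "linux" in input_file.lower() else "Windows"
    table = PrettyTable()
    table.field_names = ["Rank", "EDR", "Score"]

    # Add rows to the table
    for i, (edr, score) in enumerate(scores_dict.items(), 1):
        table.add_row([i, edr, score])

    # Set table style
    table.align = "l"          # Left align text
    table.align["Score"] = "r"  # Right align numbers
    table.border = True
    table.hrules = True

    # Print results
    print(f"\n{os_type} EDR Telemetry Scores")
    print(f"Input file: {input_file}")
    print("\n" + str(table))


def _resolve_input_path(input_file):
    """
    Return the path to open for input_file.

    Absolute paths are used as given. Relative paths are resolved against the
    repository root (the parent of this script's folder); abspath() is needed
    because __file__ is a bare name when the script is run from its own folder,
    which would otherwise resolve to the wrong directory.
    """
    if os.path.isabs(input_file):
        return input_file
    current_directory = os.path.dirname(os.path.abspath(__file__))
    main_folder = os.path.dirname(current_directory)
    return os.path.join(main_folder, input_file)


def _split_row(row):
    """
    Split one JSON record into its sub-category and its (EDR, status) pairs.

    Prefers the named columns; falls back to the legacy positional layout
    (category, sub-category, then one column per EDR) when they are absent.
    Returns (None, []) for a record too short to carry a sub-category.
    """
    if "Sub-Category" in row:
        edr_values = [(k, v) for k, v in row.items() if k not in META_COLUMNS]
        return row["Sub-Category"], edr_values
    items = list(row.items())
    if len(items) < 2:
        return None, []
    return items[1][1], items[2:]


def _feature_value(value):
    """Score for one status cell, or None when the value is not a known status."""
    if not isinstance(value, str):
        return None
    return FEATURES_DICT_VALUED.get(value)


def generate_scores(input_file):
    """
    Generate scores based on the data in the input file.

    Args:
        input_file: Path to the telemetry JSON (a list of records). Absolute
            paths are opened as-is, relative ones against the repository root.

    Returns:
        dict of EDR name -> score rounded to 2 decimals, highest first
        (ties keep first-seen order).

    Unknown status strings are scored as 0 and reported once on stderr instead
    of aborting the run; sub-categories without a weight contribute 0.

    Raises:
        OSError / json.JSONDecodeError if the file cannot be read or parsed.
    """
    full_file_path = _resolve_input_path(input_file)

    # Load JSON data (utf-8 explicitly: the datasets contain non-ASCII text)
    with open(full_file_path, "r", encoding="utf-8") as fd:
        edrs_info = json.load(fd)

    # Determine which categories to use
    categories = determine_categories(input_file)

    # Calculate scores for each EDR
    edrs_list = {}
    unknown_values = set()
    for row in edrs_info:
        subcategory, edr_values = _split_row(row)
        if subcategory is None:
            continue
        category_value = categories.get(subcategory, 0)
        for edr, value in edr_values:
            feature_value = _feature_value(value)
            if feature_value is None:
                if value not in unknown_values:
                    unknown_values.add(value)
                    print(f"Warning: unrecognised telemetry value {value!r} "
                          f"(sub-category {subcategory!r}, EDR {edr!r}); scored as 0",
                          file=sys.stderr)
                feature_value = 0
            edrs_list[edr] = edrs_list.get(edr, 0) + feature_value * category_value

    # Sort and round the scores
    return dict(sorted(
        ((k, round(v, 2)) for k, v in edrs_list.items()),
        key=lambda x: x[1],
        reverse=True
    ))


def main():
    """
    Main function to generate and display EDR scores.
    """
    args = parse_arguments()
    scores = generate_scores(args.file)
    display_results(scores, args.file)


if __name__ == '__main__':
    main()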
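import argparse
import csv
import json
import os

import pandas as pd

# Emoji status cells (as written in the CSV) and the words the JSON side uses.
# Matching is done on whole cell values only, never on substrings.
EMOJI_TO_WORDS = {
    "\u2705": "Yes",                               # ✅ Implemented
    "\u274C": "No",                                # ❌ Not Implemented
    "\u26A0\uFE0F": "Partially",                   # ⚠️ Partially Implemented
    "\u26A0": "Partially",                         # ⚠ without the variation selector
    "\u2753": "Pending Response",                  # ❓ Pending Response
    "\U0001FAB5": "Via EventLogs",                 # 🪵 Via EventLogs
    "\U0001F39A\uFE0F": "Via EnablingTelemetry",   # 🎚️ Via EnablingTelemetry
    "\U0001F39A": "Via EnablingTelemetry",         # 🎚 without the variation selector
}

# Words (as stored in the JSON) and the emoji shown in the CSV.
# "N/A" -> "➖" is intentionally one-way, as in the original mapping.
WORDS_TO_EMOJI = {
    "Yes": "✅",
    "No": "❌",
    "Partially": "⚠️",
    "N/A": "➖",
    "Pending Response": "❓",
    "Via EventLogs": "🪵",
    "Via EnablingTelemetry": "🎚️"
    # Add more words as needed
}


def _map_cell(value, mapping):
    """Return the mapped replacement for an exact (whitespace-trimmed) cell match, else the value unchanged."""
    if not isinstance(value, str):
        return value
    return mapping.get(value.strip(), value)


def _map_records(records, mapping):
    """Apply _map_cell to every value of a list of records (or a single record)."""
    if isinstance(records, list):
        return [_map_records(item, mapping) for item in records]
    if isinstance(records, dict):
        return {key: _map_cell(value, mapping) for key, value in records.items()}
    return _map_cell(records, mapping)


def replace_to_words(file):
    """
    Rewrite the JSON file in place, turning emoji status cells into words.

    The file is parsed as JSON (so \\uXXXX escapes and surrogate pairs are
    decoded correctly) and written back with json.dump(indent=2), which keeps
    non-ASCII escaped like the pandas output it replaces.
    """
    with open(file, "r", encoding="utf-8") as f:
        data = json.load(f)
    data = _map_records(data, EMOJI_TO_WORDS)
    try:
        with open(file, "w", encoding="utf-8") as f:
            json.dump(data, f, indent=2)
    except PermissionError as error:
        print(f"\n\t[*] Could not write {file}: {error}")


def replace_from_words(file):
    """
    Rewrite the CSV file in place, turning word status cells into emoji.

    Cells are matched whole, so a word such as "No" inside another cell
    (an EDR name, a sub-category) is left untouched.
    """
    with open(file, "r", encoding="utf-8", newline="") as f:
        rows = list(csv.reader(f))
    rows = [[_map_cell(cell, WORDS_TO_EMOJI) for cell in row] for row in rows]
    try:
        with open(file, "w", encoding="utf-8", newline="") as f:
            csv.writer(f, lineterminator="\n").writerows(rows)
    except PermissionError as error:
        print(f"\n\t[*] Could not write {file}: {error}")


def to_json(input_file):
    """
    Convert a CSV file to JSON next to it (same base name, .json extension)
    and normalise emoji status cells to words.
    """
    df = pd.read_csv(input_file)
    # splitext keeps directory components that contain dots intact.
    output_file = os.path.splitext(input_file)[0] + ".json"
    df.to_json(output_file, orient='records', indent=2)
    replace_to_words(output_file)
    print(f"\n [*] Successfully converted to {output_file}\n")


def to_csv(input_file):
    """
    Convert a JSON file to CSV next to it (same base name, .csv extension):
    the two descriptive columns first, then the EDR columns alphabetically,
    with word status cells turned into emoji.
    """
    df = pd.read_json(input_file)
    meta_columns = df[['Telemetry Feature Category', 'Sub-Category']]
    edr_columns = df.drop(['Telemetry Feature Category', 'Sub-Category'], axis=1)
    edr_columns = edr_columns.sort_index(axis=1)
    df = pd.concat([meta_columns, edr_columns], axis="columns")

    output_file = os.path.splitext(input_file)[0] + ".csv"
    df.to_csv(output_file, index=False)
    replace_from_words(output_file)
    print(f"\n [*] Successfully converted to {output_file}\n")


def parse_arguments():
    """Parse the command line; kept out of module scope so importing this file has no side effects."""
    parser = argparse.ArgumentParser(
        description='Convert from JSON to CSV and the other way around')
    parser.add_argument(
        '-i',
        '--input_file',
        help='The input file to convert depending on the extension',
        required=True)
    return parser.parse_args()


def main():
    """Dispatch on the input file's extension; errors are reported, not raised."""
    args = parse_arguments()
    input_file = args.input_file
    try:
        if input_file.endswith('.csv'):
            to_json(input_file)
        elif input_file.endswith('.json'):
            to_csv(input_file)
        else:
            print(f"\n\t[*] Unsupported file extension (expected .csv or .json): {input_file}")
    except Exception as error:
        print("\n\t[*] ", error)


if __name__ == '__main__':
    main()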
fetch_contributors(): 17 | """ 18 | Fetch contributors from GitHub and generate HTML for their icons. 19 | """ 20 | url = f"https://api.github.com/repos/{OWNER}/{REPOSITORY}/contributors" 21 | response = requests.get(url) 22 | 23 | if response.status_code != 200: 24 | raise Exception(f"Failed to fetch contributors: {response.status_code}") 25 | 26 | contributors = response.json() 27 | contributors_html = '
\n' 28 | 29 | for contributor in contributors: 30 | username = contributor["login"] 31 | avatar_url = contributor["avatar_url"] 32 | profile_url = contributor["html_url"] 33 | contributors_html += f""" 34 | 35 | {username} 36 | """ 37 | 38 | contributors_html += "\n
" 39 | return contributors_html 40 | 41 | 42 | # Generate the new content for the Contributors Wall section 43 | def generate_new_content(contributors_html): 44 | return f""" 45 | # ✨ Contributors Wall 46 | 47 | Thanks to these amazing contributors: 48 | 49 |

50 | {contributors_html} 51 |

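# Update the specific section in the README file
def update_readme(new_section_content, path=None, start=None, end=None):
    """
    Replace the Contributors Wall section of the README with new_section_content.

    Args:
        new_section_content: Replacement for the span from the start marker up
            to (but not including) the end marker; the end marker is re-appended
            after it on its own line.
        path: README file to edit; defaults to the module-level readme_path.
        start: Start marker text; defaults to the module-level start_marker.
        end: End marker text; defaults to the module-level end_marker.

    Returns:
        True when the section was found and rewritten, False when the markers
        were not found (the file is then left untouched and a message printed).
    """
    path = readme_path if path is None else path
    start = start_marker if start is None else start
    end = end_marker if end is None else end

    # utf-8 explicitly: the markers and the README contain non-ASCII
    # characters, which the platform default encoding may not handle.
    with open(path, "r", encoding="utf-8") as file:
        readme_content = file.read()

    # Use a regex pattern to replace the section
    pattern = re.compile(
        f"{re.escape(start)}.*?{re.escape(end)}",
        re.DOTALL
    )
    # A callable replacement keeps backslashes in the new content literal;
    # a plain replacement string would interpret them as group references.
    updated_content, count = pattern.subn(
        lambda _match: new_section_content + "\n" + end,
        readme_content
    )
    if count == 0:
        print(f"Section markers not found in {path}; nothing updated.")
        return False

    # Write the updated content back to the README file
    with open(path, "w", encoding="utf-8") as file:
        file.write(updated_content)

    print(f"{path} has been updated successfully!")
    return True


# Main function to orchestrate the process
def main():
    """Fetch the contributors, build the new section and write it into the README."""
    try:
        contributors_html = fetch_contributors()
        new_section_content = generate_new_content(contributors_html)
        update_readme(new_section_content)
    except Exception as e:
        print(f"Error: {e}")


# Execute the script
if __name__ == "__main__":
    main()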
6 | "Telemetry Feature Category" : "Process Activity" 7 | }, 8 | { 9 | "" : "", 10 | "MITRE ATT&CK Mappings" : "Process Termination - DS0009", 11 | "Sub-Category" : "Process Termination", 12 | "Telemetry Feature Category" : "" 13 | }, 14 | { 15 | "" : "", 16 | "MITRE ATT&CK Mappings" : "Process Access - DS0009", 17 | "Sub-Category" : "Process Access", 18 | "Telemetry Feature Category" : "" 19 | }, 20 | { 21 | "" : "", 22 | "MITRE ATT&CK Mappings" : "Module Load - DS0011", 23 | "Sub-Category" : "Image\/Library Loaded", 24 | "Telemetry Feature Category" : "" 25 | }, 26 | { 27 | "" : "Process Access (Partial) - DS0009", 28 | "MITRE ATT&CK Mappings" : "OS API Execution (Partial) - DS0009, Process Access (Partial) - DS0009", 29 | "Sub-Category" : "Remote Thread Creation", 30 | "Telemetry Feature Category" : "" 31 | }, 32 | { 33 | "" : "", 34 | "MITRE ATT&CK Mappings" : "Process Modification - DS0009", 35 | "Sub-Category" : "Process Tampering Activity", 36 | "Telemetry Feature Category" : "" 37 | }, 38 | { 39 | "" : "", 40 | "MITRE ATT&CK Mappings" : "File Creation - DS0022", 41 | "Sub-Category" : "File Creation", 42 | "Telemetry Feature Category" : "File Manipulation" 43 | }, 44 | { 45 | "" : "", 46 | "MITRE ATT&CK Mappings" : "File Opened - DS0022", 47 | "Sub-Category" : "File Opened", 48 | "Telemetry Feature Category" : "" 49 | }, 50 | { 51 | "" : "", 52 | "MITRE ATT&CK Mappings" : "File Deletion - DS0022", 53 | "Sub-Category" : "File Deletion", 54 | "Telemetry Feature Category" : "" 55 | }, 56 | { 57 | "" : "", 58 | "MITRE ATT&CK Mappings" : "File Modification - DS0022", 59 | "Sub-Category" : "File Modification", 60 | "Telemetry Feature Category" : "" 61 | }, 62 | { 63 | "" : "", 64 | "MITRE ATT&CK Mappings" : "File Renaming - DS0022", 65 | "Sub-Category" : "File Renaming", 66 | "Telemetry Feature Category" : "" 67 | }, 68 | { 69 | "" : "", 70 | "MITRE ATT&CK Mappings" : "Local Account Creation - DS0002", 71 | "Sub-Category" : "Local Account Creation", 72 | 
"Telemetry Feature Category" : "User Account Activity" 73 | }, 74 | { 75 | "" : "", 76 | "MITRE ATT&CK Mappings" : "Local Account Modification - DS0002", 77 | "Sub-Category" : "Local Account Modification", 78 | "Telemetry Feature Category" : "" 79 | }, 80 | { 81 | "" : "", 82 | "MITRE ATT&CK Mappings" : "Local Account Deletion - DS0002", 83 | "Sub-Category" : "Local Account Deletion", 84 | "Telemetry Feature Category" : "" 85 | }, 86 | { 87 | "" : "", 88 | "MITRE ATT&CK Mappings" : "Account Login (User Account Authentication) - DS0002, Account Login (Logon Session Creation) - DS0028", 89 | "Sub-Category" : "Account Login", 90 | "Telemetry Feature Category" : "" 91 | }, 92 | { 93 | "" : "", 94 | "MITRE ATT&CK Mappings" : "-", 95 | "Sub-Category" : "Account Logoff", 96 | "Telemetry Feature Category" : "" 97 | }, 98 | { 99 | "" : "", 100 | "MITRE ATT&CK Mappings" : "TCP Connection - DS0029", 101 | "Sub-Category" : "TCP Connection", 102 | "Telemetry Feature Category" : "Network Activity" 103 | }, 104 | { 105 | "" : "", 106 | "MITRE ATT&CK Mappings" : "UDP Connection - DS0029", 107 | "Sub-Category" : "UDP Connection", 108 | "Telemetry Feature Category" : "" 109 | }, 110 | { 111 | "" : "", 112 | "MITRE ATT&CK Mappings" : "URL - DS0029", 113 | "Sub-Category" : "URL", 114 | "Telemetry Feature Category" : "" 115 | }, 116 | { 117 | "" : "", 118 | "MITRE ATT&CK Mappings" : "DNS Query - DS0029", 119 | "Sub-Category" : "DNS Query", 120 | "Telemetry Feature Category" : "" 121 | }, 122 | { 123 | "" : "", 124 | "MITRE ATT&CK Mappings" : "File Downloaded (Network Traffic Content) - DS0029,File Downloaded (File Creation) - DS0022", 125 | "Sub-Category" : "File Downloaded", 126 | "Telemetry Feature Category" : "" 127 | }, 128 | { 129 | "" : "", 130 | "MITRE ATT&CK Mappings" : "MD5 - DS0022", 131 | "Sub-Category" : "MD5", 132 | "Telemetry Feature Category" : "Hash Algorithms" 133 | }, 134 | { 135 | "" : "", 136 | "MITRE ATT&CK Mappings" : "SHA - DS0022", 137 | "Sub-Category" : "SHA", 
138 | "Telemetry Feature Category" : "" 139 | }, 140 | { 141 | "" : "", 142 | "MITRE ATT&CK Mappings" : "IMPHASH - DS0022", 143 | "Sub-Category" : "IMPHASH", 144 | "Telemetry Feature Category" : "" 145 | }, 146 | { 147 | "" : "", 148 | "MITRE ATT&CK Mappings" : "Key\/Value Creation - DS0024", 149 | "Sub-Category" : "Key\/Value Creation", 150 | "Telemetry Feature Category" : "Registry Activity" 151 | }, 152 | { 153 | "" : "", 154 | "MITRE ATT&CK Mappings" : "Key\/Value Modification - DS0024", 155 | "Sub-Category" : "Key\/Value Modification", 156 | "Telemetry Feature Category" : "" 157 | }, 158 | { 159 | "" : "", 160 | "MITRE ATT&CK Mappings" : "Key\/Value Deletion - DS0024", 161 | "Sub-Category" : "Key\/Value Deletion", 162 | "Telemetry Feature Category" : "" 163 | }, 164 | { 165 | "" : "", 166 | "MITRE ATT&CK Mappings" : "Scheduled Task Creation - DS0003", 167 | "Sub-Category" : "Scheduled Task Creation", 168 | "Telemetry Feature Category" : "Schedule Task Activity" 169 | }, 170 | { 171 | "" : "", 172 | "MITRE ATT&CK Mappings" : "Scheduled Task Modification - DS0003", 173 | "Sub-Category" : "Scheduled Task Modification", 174 | "Telemetry Feature Category" : "" 175 | }, 176 | { 177 | "" : "", 178 | "MITRE ATT&CK Mappings" : "Scheduled Task Deletion - DS0003", 179 | "Sub-Category" : "Scheduled Task Deletion", 180 | "Telemetry Feature Category" : "" 181 | }, 182 | { 183 | "" : "", 184 | "MITRE ATT&CK Mappings" : "Service Creation - DS0019", 185 | "Sub-Category" : "Service Creation", 186 | "Telemetry Feature Category" : "Service Activity" 187 | }, 188 | { 189 | "" : "", 190 | "MITRE ATT&CK Mappings" : "Service Modification - DS0019", 191 | "Sub-Category" : "Service Modification", 192 | "Telemetry Feature Category" : "" 193 | }, 194 | { 195 | "" : "", 196 | "MITRE ATT&CK Mappings" : "Service Deletion - DS0019", 197 | "Sub-Category" : "Service Deletion", 198 | "Telemetry Feature Category" : "" 199 | }, 200 | { 201 | "" : "", 202 | "MITRE ATT&CK Mappings" : "Driver Loaded 
- DS0027", 203 | "Sub-Category" : "Driver Loaded", 204 | "Telemetry Feature Category" : "Driver\/Module Activity" 205 | }, 206 | { 207 | "" : "", 208 | "MITRE ATT&CK Mappings" : "Driver Modification - DS0022", 209 | "Sub-Category" : "Driver Modification", 210 | "Telemetry Feature Category" : "" 211 | }, 212 | { 213 | "" : "", 214 | "MITRE ATT&CK Mappings" : "-", 215 | "Sub-Category" : "Driver Unloaded", 216 | "Telemetry Feature Category" : "" 217 | }, 218 | { 219 | "" : "", 220 | "MITRE ATT&CK Mappings" : "Virtual Disk Mount - DS0016", 221 | "Sub-Category" : "Virtual Disk Mount", 222 | "Telemetry Feature Category" : "Device Operations" 223 | }, 224 | { 225 | "" : "", 226 | "MITRE ATT&CK Mappings" : "USB Device Unmount - DS0016", 227 | "Sub-Category" : "USB Device Unmount", 228 | "Telemetry Feature Category" : "" 229 | }, 230 | { 231 | "" : "", 232 | "MITRE ATT&CK Mappings" : "USB Device Mount - DS0016", 233 | "Sub-Category" : "USB Device Mount", 234 | "Telemetry Feature Category" : "" 235 | }, 236 | { 237 | "" : "", 238 | "MITRE ATT&CK Mappings" : "Group Policy Modification - DS0026", 239 | "Sub-Category" : "Group Policy Modification", 240 | "Telemetry Feature Category" : "Other Relevant Events" 241 | }, 242 | { 243 | "" : "", 244 | "MITRE ATT&CK Mappings" : "Pipe Creation - DS0023", 245 | "Sub-Category" : "Pipe Creation", 246 | "Telemetry Feature Category" : "Named Pipe Activity" 247 | }, 248 | { 249 | "" : "", 250 | "MITRE ATT&CK Mappings" : "Pipe Connection - DS0023", 251 | "Sub-Category" : "Pipe Connection", 252 | "Telemetry Feature Category" : "" 253 | }, 254 | { 255 | "" : "", 256 | "MITRE ATT&CK Mappings" : "Agent Start - DS0013", 257 | "Sub-Category" : "Agent Start", 258 | "Telemetry Feature Category" : "EDR SysOps" 259 | }, 260 | { 261 | "" : "", 262 | "MITRE ATT&CK Mappings" : "Agent Stop - DS0013", 263 | "Sub-Category" : "Agent Stop", 264 | "Telemetry Feature Category" : "" 265 | }, 266 | { 267 | "" : "", 268 | "MITRE ATT&CK Mappings" : "Agent Install - 
DS0013", 269 | "Sub-Category" : "Agent Install", 270 | "Telemetry Feature Category" : "" 271 | }, 272 | { 273 | "" : "", 274 | "MITRE ATT&CK Mappings" : "Agent Uninstall - DS0013", 275 | "Sub-Category" : "Agent Uninstall", 276 | "Telemetry Feature Category" : "" 277 | }, 278 | { 279 | "" : "", 280 | "MITRE ATT&CK Mappings" : "Agent Keep-Alive - DS0013", 281 | "Sub-Category" : "Agent Keep-Alive", 282 | "Telemetry Feature Category" : "" 283 | }, 284 | { 285 | "" : "", 286 | "MITRE ATT&CK Mappings" : "Agent Errors - DS0013", 287 | "Sub-Category" : "Agent Errors", 288 | "Telemetry Feature Category" : "" 289 | }, 290 | { 291 | "" : "", 292 | "MITRE ATT&CK Mappings" : "WmiEventConsumerToFilter - DS0005", 293 | "Sub-Category" : "WmiEventConsumerToFilter", 294 | "Telemetry Feature Category" : "WMI Activity" 295 | }, 296 | { 297 | "" : "", 298 | "MITRE ATT&CK Mappings" : "WmiEventConsumer - DS0005", 299 | "Sub-Category" : "WmiEventConsumer", 300 | "Telemetry Feature Category" : "" 301 | }, 302 | { 303 | "" : "", 304 | "MITRE ATT&CK Mappings" : "WmiEventFilter - DS0005", 305 | "Sub-Category" : "WmiEventFilter", 306 | "Telemetry Feature Category" : "" 307 | }, 308 | { 309 | "" : "", 310 | "MITRE ATT&CK Mappings" : "PowerShell Activity - DS0012,PowerShell Activity - DS0017", 311 | "Sub-Category" : "BIT JOBS Activity", 312 | "Telemetry Feature Category" : "BIT JOBS Activity" 313 | }, 314 | { 315 | "" : "", 316 | "MITRE ATT&CK Mappings" : "Script-Block Activity - DS0012", 317 | "Sub-Category" : "Script-Block Activity", 318 | "Telemetry Feature Category" : "PowerShell Activity" 319 | } 320 | ] -------------------------------------------------------------------------------- /partially_value_explanations_linux.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Telemetry Feature Category":"Process Activity", 4 | "Sub-Category":"Process Creation", 5 | "SentinelOne (Complete)":"", 6 | "Qualys":"", 7 | "Uptycs":"", 8 | 
"CrowdStrike":"", 9 | "Sysmon":"", 10 | "LimaCharlie":"", 11 | "MDE":"", 12 | "Elastic":"", 13 | "Auditd":"", 14 | "Carbon Black Cloud":"" 15 | }, 16 | { 17 | "Telemetry Feature Category":"", 18 | "Sub-Category":"Process Termination", 19 | "SentinelOne (Complete)":"", 20 | "Qualys":"", 21 | "Uptycs":"", 22 | "CrowdStrike":"", 23 | "Sysmon":"", 24 | "LimaCharlie":"", 25 | "MDE":"", 26 | "Elastic":"", 27 | "Auditd":"", 28 | "Carbon Black Cloud":"" 29 | }, 30 | { 31 | "Telemetry Feature Category":"File Manipulation", 32 | "Sub-Category":"File Creation", 33 | "SentinelOne (Complete)":"", 34 | "Qualys":"", 35 | "Uptycs":"", 36 | "CrowdStrike":"", 37 | "Sysmon":"", 38 | "LimaCharlie":"", 39 | "MDE":"", 40 | "Elastic":"", 41 | "Auditd":"", 42 | "Carbon Black Cloud":"" 43 | }, 44 | { 45 | "Telemetry Feature Category":"", 46 | "Sub-Category":"File Modification", 47 | "SentinelOne (Complete)":"", 48 | "Qualys":"", 49 | "Uptycs":"", 50 | "CrowdStrike":"", 51 | "Sysmon":"", 52 | "LimaCharlie":"", 53 | "MDE":{"Partially":"Although the file is modified, the event is recorded as FileCreated instead of FileModified, misrepresenting the actual action and preventing analysts from distinguishing between file creation and modification."}, 54 | "Elastic":"", 55 | "Auditd":"", 56 | "Carbon Black Cloud":"" 57 | }, 58 | { 59 | "Telemetry Feature Category":"", 60 | "Sub-Category":"File Deletion", 61 | "SentinelOne (Complete)":"", 62 | "Qualys":"", 63 | "Uptycs":"", 64 | "CrowdStrike":"", 65 | "Sysmon":"", 66 | "LimaCharlie":"", 67 | "MDE":"", 68 | "Elastic":"", 69 | "Auditd":"", 70 | "Carbon Black Cloud":"" 71 | }, 72 | { 73 | "Telemetry Feature Category":"User Activity", 74 | "Sub-Category":"User Logon", 75 | "SentinelOne (Complete)":"", 76 | "Qualys":"", 77 | "Uptycs":"", 78 | "CrowdStrike":"", 79 | "Sysmon":"", 80 | "LimaCharlie":"", 81 | "MDE":"", 82 | "Elastic":"", 83 | "Auditd":"", 84 | "Carbon Black Cloud":"" 85 | }, 86 | { 87 | "Telemetry Feature Category":"", 88 | 
"Sub-Category":"User Logoff", 89 | "SentinelOne (Complete)":"", 90 | "Qualys":"", 91 | "Uptycs":"", 92 | "CrowdStrike":"", 93 | "Sysmon":"", 94 | "LimaCharlie":"", 95 | "MDE":"", 96 | "Elastic":"", 97 | "Auditd":"", 98 | "Carbon Black Cloud":"" 99 | }, 100 | { 101 | "Telemetry Feature Category":"", 102 | "Sub-Category":"Logon Failed", 103 | "SentinelOne (Complete)":"", 104 | "Qualys":"", 105 | "Uptycs":"", 106 | "CrowdStrike":"", 107 | "Sysmon":"", 108 | "LimaCharlie":"", 109 | "MDE":"", 110 | "Elastic":"", 111 | "Auditd":"", 112 | "Carbon Black Cloud":"" 113 | }, 114 | { 115 | "Telemetry Feature Category":"Script Activity", 116 | "Sub-Category":"Script Content", 117 | "SentinelOne (Complete)":"", 118 | "Qualys":"", 119 | "Uptycs":"", 120 | "CrowdStrike":"", 121 | "Sysmon":"", 122 | "LimaCharlie":"", 123 | "MDE":"", 124 | "Elastic":"", 125 | "Auditd":"", 126 | "Carbon Black Cloud":"" 127 | }, 128 | { 129 | "Telemetry Feature Category":"Network Activity", 130 | "Sub-Category":"Network Connection", 131 | "SentinelOne (Complete)":"", 132 | "Qualys":"", 133 | "Uptycs":"", 134 | "CrowdStrike":"", 135 | "Sysmon":"", 136 | "LimaCharlie":"", 137 | "MDE":"", 138 | "Elastic":"", 139 | "Auditd":"", 140 | "Carbon Black Cloud":"" 141 | }, 142 | { 143 | "Telemetry Feature Category":"", 144 | "Sub-Category":"Network Socket Listen", 145 | "SentinelOne (Complete)":"", 146 | "Qualys":{"Partially":"Only available through the specific endpoint page in the console (not searchable)"}, 147 | "Uptycs":"", 148 | "CrowdStrike":"", 149 | "Sysmon":"", 150 | "LimaCharlie":{"Partially":"Only available through the specific endpoint page in the console (not searchable)"}, 151 | "MDE":"", 152 | "Elastic":"", 153 | "Auditd":"", 154 | "Carbon Black Cloud":"" 155 | }, 156 | { 157 | "Telemetry Feature Category":"", 158 | "Sub-Category":"DNS Query", 159 | "SentinelOne (Complete)":"", 160 | "Qualys":"", 161 | "Uptycs":"", 162 | "CrowdStrike":"", 163 | "Sysmon":"", 164 | "LimaCharlie":"", 165 | "MDE":"", 
166 | "Elastic":"", 167 | "Auditd":"", 168 | "Carbon Black Cloud":"" 169 | }, 170 | { 171 | "Telemetry Feature Category":"Scheduled Task Activity", 172 | "Sub-Category":"Scheduled Task", 173 | "SentinelOne (Complete)":"", 174 | "Qualys":"", 175 | "Uptycs":"", 176 | "CrowdStrike":"", 177 | "Sysmon":"", 178 | "LimaCharlie":"", 179 | "MDE":"", 180 | "Elastic":"", 181 | "Auditd":"", 182 | "Carbon Black Cloud":"" 183 | }, 184 | { 185 | "Telemetry Feature Category":"User Account Activity", 186 | "Sub-Category":"User Account Created", 187 | "SentinelOne (Complete)":"", 188 | "Qualys":"", 189 | "Uptycs":"", 190 | "CrowdStrike":"", 191 | "Sysmon":"", 192 | "LimaCharlie":"", 193 | "MDE":"", 194 | "Elastic":"", 195 | "Auditd":"", 196 | "Carbon Black Cloud":"" 197 | }, 198 | { 199 | "Telemetry Feature Category":"", 200 | "Sub-Category":"User Account Modified", 201 | "SentinelOne (Complete)":"", 202 | "Qualys":"", 203 | "Uptycs":"", 204 | "CrowdStrike":"", 205 | "Sysmon":"", 206 | "LimaCharlie":"", 207 | "MDE":"", 208 | "Elastic":"", 209 | "Auditd":"", 210 | "Carbon Black Cloud":"" 211 | }, 212 | { 213 | "Telemetry Feature Category":"", 214 | "Sub-Category":"User Account Deleted", 215 | "SentinelOne (Complete)":"", 216 | "Qualys":"", 217 | "Uptycs":"", 218 | "CrowdStrike":"", 219 | "Sysmon":"", 220 | "LimaCharlie":"", 221 | "MDE":"", 222 | "Elastic":"", 223 | "Auditd":"", 224 | "Carbon Black Cloud":"" 225 | }, 226 | { 227 | "Telemetry Feature Category":"Driver\/Module Activity", 228 | "Sub-Category":"Driver Load", 229 | "SentinelOne (Complete)":"", 230 | "Qualys":"", 231 | "Uptycs":"", 232 | "CrowdStrike":"", 233 | "Sysmon":"", 234 | "LimaCharlie":"", 235 | "MDE":"", 236 | "Elastic":"", 237 | "Auditd":"", 238 | "Carbon Black Cloud":"" 239 | }, 240 | { 241 | "Telemetry Feature Category":"", 242 | "Sub-Category":"Image Load", 243 | "SentinelOne (Complete)":"", 244 | "Qualys":"", 245 | "Uptycs":"", 246 | "CrowdStrike":"", 247 | "Sysmon":"", 248 | "LimaCharlie":"", 249 | "MDE":"", 
250 | "Elastic":"", 251 | "Auditd":"", 252 | "Carbon Black Cloud":"" 253 | }, 254 | { 255 | "Telemetry Feature Category":"", 256 | "Sub-Category":"eBPF Event", 257 | "SentinelOne (Complete)":"", 258 | "Qualys":"", 259 | "Uptycs":"", 260 | "CrowdStrike":"", 261 | "Sysmon":"", 262 | "LimaCharlie":"", 263 | "MDE":"", 264 | "Elastic":"", 265 | "Auditd":"", 266 | "Carbon Black Cloud":"" 267 | }, 268 | { 269 | "Telemetry Feature Category":"Access Activity", 270 | "Sub-Category":"Raw Access Read", 271 | "SentinelOne (Complete)":"", 272 | "Qualys":"", 273 | "Uptycs":"", 274 | "CrowdStrike":"", 275 | "Sysmon":"", 276 | "LimaCharlie":"", 277 | "MDE":"", 278 | "Elastic":"", 279 | "Auditd":"", 280 | "Carbon Black Cloud":"" 281 | }, 282 | { 283 | "Telemetry Feature Category":"", 284 | "Sub-Category":"Process Access", 285 | "SentinelOne (Complete)":"", 286 | "Qualys":"", 287 | "Uptycs":"", 288 | "CrowdStrike":"", 289 | "Sysmon":"", 290 | "LimaCharlie":"", 291 | "MDE":"", 292 | "Elastic":"", 293 | "Auditd":"", 294 | "Carbon Black Cloud":"" 295 | }, 296 | { 297 | "Telemetry Feature Category":"Process Tampering Activity", 298 | "Sub-Category":"Process Tampering", 299 | "SentinelOne (Complete)":"", 300 | "Qualys":"", 301 | "Uptycs":"", 302 | "CrowdStrike":"", 303 | "Sysmon":"", 304 | "LimaCharlie":"", 305 | "MDE":"", 306 | "Elastic":"", 307 | "Auditd":"", 308 | "Carbon Black Cloud":"" 309 | }, 310 | { 311 | "Telemetry Feature Category":"Service Activity", 312 | "Sub-Category":"Service Creation", 313 | "SentinelOne (Complete)":"", 314 | "Qualys":"", 315 | "Uptycs":"", 316 | "CrowdStrike":{"Partially":"Service-related events generated via D-Bus calls (as implemented in the test script for creating, modifying, and deleting services) are not visible in the console. This suggests CrowdStrike may not be fully monitoring systemd operations through D-Bus interfaces."}, 317 | "Sysmon":"", 318 | "LimaCharlie":"", 319 | "MDE":{"Partially":"Only available through the timeline. 
Not searchable in a query."}, 320 | "Elastic":"", 321 | "Auditd":"", 322 | "Carbon Black Cloud":"" 323 | }, 324 | { 325 | "Telemetry Feature Category":"", 326 | "Sub-Category":"Service Modification", 327 | "SentinelOne (Complete)":"", 328 | "Qualys":"", 329 | "Uptycs":"", 330 | "CrowdStrike":{"Partially":"Service-related events generated via D-Bus calls (as implemented in the test script for creating, modifying, and deleting services) are not visible in the console. This suggests CrowdStrike may not be fully monitoring systemd operations through D-Bus interfaces."}, 331 | "Sysmon":"", 332 | "LimaCharlie":"", 333 | "MDE":"", 334 | "Elastic":"", 335 | "Auditd":"", 336 | "Carbon Black Cloud":"" 337 | }, 338 | { 339 | "Telemetry Feature Category":"", 340 | "Sub-Category":"Service Deletion", 341 | "SentinelOne (Complete)":"", 342 | "Qualys":"", 343 | "Uptycs":"", 344 | "CrowdStrike":{"Partially":"Service-related events generated via D-Bus calls (as implemented in the test script for creating, modifying, and deleting services) are not visible in the console. 
This suggests CrowdStrike may not be fully monitoring systemd operations through D-Bus interfaces."}, 345 | "Sysmon":"", 346 | "LimaCharlie":"", 347 | "MDE":"", 348 | "Elastic":"", 349 | "Auditd":"", 350 | "Carbon Black Cloud":"" 351 | }, 352 | { 353 | "Telemetry Feature Category":"EDR SysOps", 354 | "Sub-Category":"Agent Start", 355 | "SentinelOne (Complete)":"", 356 | "Qualys":"", 357 | "Uptycs":"", 358 | "CrowdStrike":"", 359 | "Sysmon":"", 360 | "LimaCharlie":"", 361 | "MDE":"", 362 | "Elastic":"", 363 | "Auditd":"", 364 | "Carbon Black Cloud":"" 365 | }, 366 | { 367 | "Telemetry Feature Category":"", 368 | "Sub-Category":"Agent Stop", 369 | "SentinelOne (Complete)":"", 370 | "Qualys":"", 371 | "Uptycs":"", 372 | "CrowdStrike":"", 373 | "Sysmon":"", 374 | "LimaCharlie":"", 375 | "MDE":"", 376 | "Elastic":"", 377 | "Auditd":"", 378 | "Carbon Black Cloud":"" 379 | }, 380 | { 381 | "Telemetry Feature Category":"Hash Algorithms", 382 | "Sub-Category":"MD5", 383 | "SentinelOne (Complete)":"", 384 | "Qualys":"", 385 | "Uptycs":"", 386 | "CrowdStrike":"", 387 | "Sysmon":"", 388 | "LimaCharlie":"", 389 | "MDE":"", 390 | "Elastic":"", 391 | "Auditd":"", 392 | "Carbon Black Cloud":"" 393 | }, 394 | { 395 | "Telemetry Feature Category":"", 396 | "Sub-Category":"SHA", 397 | "SentinelOne (Complete)":"", 398 | "Qualys":"", 399 | "Uptycs":"", 400 | "CrowdStrike":"", 401 | "Sysmon":"", 402 | "LimaCharlie":"", 403 | "MDE":"", 404 | "Elastic":"", 405 | "Auditd":"", 406 | "Carbon Black Cloud":"" 407 | }, 408 | { 409 | "Telemetry Feature Category":"", 410 | "Sub-Category":"IMPHASH", 411 | "SentinelOne (Complete)":"", 412 | "Qualys":"", 413 | "Uptycs":"", 414 | "CrowdStrike":"", 415 | "Sysmon":"", 416 | "LimaCharlie":"", 417 | "MDE":"", 418 | "Elastic":"", 419 | "Auditd":"", 420 | "Carbon Black Cloud":"" 421 | } 422 | ] -------------------------------------------------------------------------------- /partially_value_explanations_windows.json: 
-------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Telemetry Feature Category":"Process Activity", 4 | "Sub-Category":"Process Creation", 5 | "BitDefender":"", 6 | "Carbon Black":"", 7 | "Cortex XDR":"", 8 | "CrowdStrike":"", 9 | "Cybereason":"", 10 | "Cylance":" ", 11 | "ESET Inspect":"", 12 | "Elastic":"", 13 | "FortiEDR":"", 14 | "Harfanglab":"", 15 | "LimaCharlie":"", 16 | "MDE":"", 17 | "OpenEDR":"", 18 | "Padvish XDR":"", 19 | "Qualys":"", 20 | "SentinelOne":"", 21 | "Symantec SES Complete":"", 22 | "Sysmon":"", 23 | "Trellix":"", 24 | "Trend Micro":"", 25 | "Uptycs":"", 26 | "WatchGuard":"" 27 | }, 28 | { 29 | "Telemetry Feature Category":"Process Activity", 30 | "Sub-Category":"Process Termination", 31 | "BitDefender":"", 32 | "Carbon Black": {"Partially":"Only observed as file operations."}, 33 | "Cortex XDR":"", 34 | "CrowdStrike":"", 35 | "Cybereason":"", 36 | "Cylance":" ", 37 | "ESET Inspect":"", 38 | "Elastic":"", 39 | "FortiEDR":"", 40 | "Harfanglab":"", 41 | "LimaCharlie":"", 42 | "MDE":"", 43 | "OpenEDR":"", 44 | "Padvish XDR":"", 45 | "Qualys":"", 46 | "SentinelOne":"", 47 | "Symantec SES Complete":"", 48 | "Sysmon":"", 49 | "Trellix":"", 50 | "Trend Micro":"", 51 | "Uptycs":"", 52 | "WatchGuard":"" 53 | }, 54 | { 55 | "Telemetry Feature Category":"Process Activity", 56 | "Sub-Category":"Process Access", 57 | "BitDefender":"", 58 | "Carbon Black":"", 59 | "Cortex XDR":"", 60 | "CrowdStrike":"", 61 | "Cybereason":"", 62 | "Cylance":" ", 63 | "ESET Inspect":{"Partially":"Only for LSASS.exe process"}, 64 | "Elastic":"", 65 | "FortiEDR":"", 66 | "Harfanglab":"", 67 | "LimaCharlie":"", 68 | "MDE":"", 69 | "OpenEDR":"", 70 | "Padvish XDR":{"Partially":"Only for LSASS.exe process"}, 71 | "Qualys":"", 72 | "SentinelOne":"", 73 | "Symantec SES Complete":"", 74 | "Sysmon":"", 75 | "Trellix":"", 76 | "Trend Micro":"", 77 | "Uptycs":"", 78 | "WatchGuard":"" 79 | }, 80 | { 81 | "Telemetry Feature Category": 
"Process Activity", 82 | "Sub-Category":"Image\/Library Loaded", 83 | "BitDefender":"", 84 | "Carbon Black":"", 85 | "Cortex XDR":"", 86 | "CrowdStrike":"", 87 | "Cybereason":"", 88 | "Cylance":" ", 89 | "ESET Inspect":"", 90 | "Elastic":"", 91 | "FortiEDR":"", 92 | "Harfanglab":"", 93 | "LimaCharlie":"", 94 | "MDE":"", 95 | "OpenEDR":"", 96 | "Padvish XDR":"", 97 | "Qualys":"", 98 | "SentinelOne":"", 99 | "Symantec SES Complete":"", 100 | "Sysmon":"", 101 | "Trellix":"", 102 | "Trend Micro":"", 103 | "Uptycs":"", 104 | "WatchGuard":"" 105 | }, 106 | { 107 | "Telemetry Feature Category":"Process Activity", 108 | "Sub-Category":"Remote Thread Creation", 109 | "BitDefender":"", 110 | "Carbon Black":"", 111 | "Cortex XDR":"", 112 | "CrowdStrike":"", 113 | "Cybereason":"", 114 | "Cylance":" ", 115 | "ESET Inspect":"", 116 | "Elastic":"", 117 | "FortiEDR":"", 118 | "Harfanglab":"", 119 | "LimaCharlie":"", 120 | "MDE":"", 121 | "OpenEDR":"", 122 | "Padvish XDR":"", 123 | "Qualys":"", 124 | "SentinelOne":"", 125 | "Symantec SES Complete":"", 126 | "Sysmon":"", 127 | "Trellix":"", 128 | "Trend Micro":"", 129 | "Uptycs":"", 130 | "WatchGuard":"" 131 | }, 132 | { 133 | "Telemetry Feature Category": "Process Activity", 134 | "Sub-Category":"Win32 API Telemetry", 135 | "BitDefender":"", 136 | "Carbon Black":"", 137 | "Cortex XDR":"", 138 | "CrowdStrike":"", 139 | "Cybereason":"", 140 | "Cylance":" ", 141 | "ESET Inspect":{"Partially":"Only for a limited set of APIs as documented in: https://github.com/tsale/EDR-Telemetry/pull/130#issuecomment-3266387350"}, 142 | "Elastic":"", 143 | "FortiEDR":"", 144 | "Harfanglab":"", 145 | "LimaCharlie":"", 146 | "MDE":"", 147 | "OpenEDR":"", 148 | "Padvish XDR":{"Partially":"Only for a limited set of APIs (e.g., SetWindowsHookEx, GetAsyncKeyState, etc.)"}, 149 | "Qualys":"", 150 | "SentinelOne":"", 151 | "Symantec SES Complete":"", 152 | "Sysmon":"", 153 | "Trellix":"", 154 | "Trend Micro":"", 155 | "Uptycs":"", 156 | "WatchGuard":"" 157 | 
}, 158 | { 159 | "Telemetry Feature Category": "Process Activity", 160 | "Sub-Category":"Process Tampering Activity", 161 | "BitDefender":"", 162 | "Carbon Black":{"Partially":"Only via cross-process."}, 163 | "Cortex XDR":{"Partially":"Requires tamper protection to be enabled."}, 164 | "CrowdStrike":"", 165 | "Cybereason":"", 166 | "Cylance":" ", 167 | "ESET Inspect":"", 168 | "Elastic":"", 169 | "FortiEDR":"", 170 | "Harfanglab":"", 171 | "LimaCharlie":"", 172 | "MDE":"", 173 | "OpenEDR":"", 174 | "Qualys":"", 175 | "SentinelOne":{"Partially":"Only provides cross-process information such as remote thread creation and process handles; it does not give much more detail beyond that."}, 176 | "Symantec SES Complete":"", 177 | "Sysmon":"", 178 | "Trellix":"", 179 | "Trend Micro":"", 180 | "Uptycs":"", 181 | "WatchGuard":"" 182 | }, 183 | { 184 | "Telemetry Feature Category": "Process Activity", 185 | "Sub-Category":"Process Call Stacks", 186 | "BitDefender":"", 187 | "Carbon Black":"", 188 | "Cortex XDR":"", 189 | "CrowdStrike": "", 190 | "Cybereason":"", 191 | "Cylance":" ", 192 | "ESET Inspect":"", 193 | "Elastic":"", 194 | "FortiEDR":"", 195 | "Harfanglab":"", 196 | "LimaCharlie":"", 197 | "MDE":"", 198 | "OpenEDR":"", 199 | "Padvish XDR":"", 200 | "Qualys":"", 201 | "SentinelOne":"", 202 | "Symantec SES Complete":"", 203 | "Sysmon":"", 204 | "Trellix":"", 205 | "Trend Micro":"", 206 | "Uptycs":"", 207 | "WatchGuard":"" 208 | 209 | }, 210 | { 211 | "Telemetry Feature Category":"File Manipulation", 212 | "Sub-Category":"File Creation", 213 | "BitDefender":"", 214 | "Carbon Black":"", 215 | "Cortex XDR":"", 216 | "CrowdStrike":"", 217 | "Cybereason":"", 218 | "Cylance":" ", 219 | "ESET Inspect":{"Partially":"Only for binaries created on disk."}, 220 | "Elastic":"", 221 | "FortiEDR":"", 222 | "Harfanglab":"", 223 | "LimaCharlie":"", 224 | "MDE":"", 225 | "OpenEDR":"", 226 | "Padvish XDR":"", 227 | "Qualys":"", 228 | "SentinelOne":"", 229 | "Symantec SES Complete":"", 230 | 
"Sysmon":"", 231 | "Trellix":"", 232 | "Trend Micro":"", 233 | "Uptycs":"", 234 | "WatchGuard":{"Partially":"Only tracks via dedicated event the renaming of Portable Executables (PE) and compressed files."} 235 | }, 236 | { 237 | "Telemetry Feature Category": "File Manipulation", 238 | "Sub-Category":"File Opened", 239 | "BitDefender":"", 240 | "Carbon Black":"", 241 | "Cortex XDR":"", 242 | "CrowdStrike":{"Partially":"Only file-related events that it deems suspicious based on proprietary criteria."}, 243 | "Cybereason":"", 244 | "Cylance":" ", 245 | "ESET Inspect":"", 246 | "Elastic":"", 247 | "FortiEDR":"", 248 | "Harfanglab":"", 249 | "LimaCharlie":{"Partially":"Visibility on file reads only."}, 250 | "MDE":"", 251 | "OpenEDR":"", 252 | "Padvish XDR":"", 253 | "Qualys":"", 254 | "SentinelOne":"", 255 | "Symantec SES Complete":"", 256 | "Sysmon":"", 257 | "Trellix":"", 258 | "Trend Micro":"", 259 | "Uptycs":"", 260 | "WatchGuard":{"Partially":"Only tracks via dedicated event the opening of compressed files."} 261 | }, 262 | { 263 | "Telemetry Feature Category": "File Manipulation", 264 | "Sub-Category":"File Deletion", 265 | "BitDefender":"", 266 | "Carbon Black":"", 267 | "Cortex XDR":"", 268 | "CrowdStrike":"", 269 | "Cybereason":"", 270 | "Cylance":" ", 271 | "ESET Inspect":"", 272 | "Elastic":"", 273 | "FortiEDR":"", 274 | "Harfanglab":"", 275 | "LimaCharlie":"", 276 | "MDE":"", 277 | "OpenEDR":"", 278 | "Padvish XDR":"", 279 | "Qualys":"", 280 | "SentinelOne":"", 281 | "Symantec SES Complete":"", 282 | "Sysmon":"", 283 | "Trellix":"", 284 | "Trend Micro":"", 285 | "Uptycs":"", 286 | "WatchGuard":"" 287 | }, 288 | { 289 | "Telemetry Feature Category": "File Manipulation", 290 | "Sub-Category":"File Modification", 291 | "BitDefender":"", 292 | "Carbon Black":"", 293 | "Cortex XDR":"", 294 | "CrowdStrike":"", 295 | "Cybereason":"", 296 | "Cylance":" ", 297 | "ESET Inspect":"", 298 | "Elastic":"", 299 | "FortiEDR":"", 300 | "Harfanglab":"", 301 | 
"LimaCharlie":"", 302 | "MDE":"", 303 | "OpenEDR":"", 304 | "Padvish XDR":"", 305 | "Qualys":"", 306 | "SentinelOne":"", 307 | "Symantec SES Complete":"", 308 | "Sysmon":"", 309 | "Trellix":"", 310 | "Trend Micro":"", 311 | "Uptycs":"", 312 | "WatchGuard":"" 313 | }, 314 | { 315 | "Telemetry Feature Category": "File Manipulation", 316 | "Sub-Category":"File Renaming", 317 | "BitDefender":"", 318 | "Carbon Black":"", 319 | "Cortex XDR":"", 320 | "CrowdStrike":"", 321 | "Cybereason":"", 322 | "Cylance":" ", 323 | "ESET Inspect":"", 324 | "Elastic":"", 325 | "FortiEDR":"", 326 | "Harfanglab":"", 327 | "LimaCharlie":{"Partially":"Events are reported as a delete+write."}, 328 | "MDE":"", 329 | "OpenEDR":"", 330 | "Padvish XDR": {"Partially":"Tracked as file modification event."}, 331 | "Qualys":"", 332 | "SentinelOne":"", 333 | "Symantec SES Complete":"", 334 | "Sysmon":"", 335 | "Trellix":"", 336 | "Trend Micro":"", 337 | "Uptycs":"", 338 | "WatchGuard": {"Partially":"Only tracks via dedicated event the renaming of Portable Executables (PE) and compressed files."} 339 | }, 340 | { 341 | "Telemetry Feature Category":"User Account Activity", 342 | "Sub-Category":"Local Account Creation", 343 | "BitDefender":"", 344 | "Carbon Black":"", 345 | "Cortex XDR":"", 346 | "CrowdStrike":"", 347 | "Cybereason":"", 348 | "Cylance":" ", 349 | "ESET Inspect":"", 350 | "Elastic":"", 351 | "FortiEDR":"", 352 | "Harfanglab":"", 353 | "LimaCharlie":"", 354 | "MDE":"", 355 | "OpenEDR":"", 356 | "Padvish XDR":"", 357 | "Qualys":"", 358 | "SentinelOne":"", 359 | "Symantec SES Complete":"", 360 | "Sysmon":"", 361 | "Trellix":"", 362 | "Trend Micro":"", 363 | "Uptycs":"", 364 | "WatchGuard":"" 365 | }, 366 | { 367 | "Telemetry Feature Category": "User Account Activity", 368 | "Sub-Category":"Local Account Modification", 369 | "BitDefender":"", 370 | "Carbon Black":"", 371 | "Cortex XDR":"", 372 | "CrowdStrike":{"Partially":"Only contains modification from a user added to a group."}, 373 | 
"Cybereason":"", 374 | "Cylance":" ", 375 | "ESET Inspect":"", 376 | "Elastic":"", 377 | "FortiEDR":"", 378 | "Harfanglab":"", 379 | "LimaCharlie":"", 380 | "MDE":"", 381 | "OpenEDR":"", 382 | "Padvish XDR":"", 383 | "Qualys":"", 384 | "SentinelOne":"", 385 | "Symantec SES Complete":"", 386 | "Sysmon":"", 387 | "Trellix":"", 388 | "Trend Micro":"", 389 | "Uptycs":"", 390 | "WatchGuard":"" 391 | }, 392 | { 393 | "Telemetry Feature Category": "User Account Activity", 394 | "Sub-Category":"Local Account Deletion", 395 | "BitDefender":"", 396 | "Carbon Black":"", 397 | "Cortex XDR":"", 398 | "CrowdStrike":"", 399 | "Cybereason":"", 400 | "Cylance":" ", 401 | "ESET Inspect":"", 402 | "Elastic":"", 403 | "FortiEDR":"", 404 | "Harfanglab":"", 405 | "LimaCharlie":"", 406 | "MDE":"", 407 | "OpenEDR":"", 408 | "Padvish XDR":"", 409 | "Qualys":"", 410 | "SentinelOne":"", 411 | "Symantec SES Complete":"", 412 | "Sysmon":"", 413 | "Trellix":"", 414 | "Trend Micro":"", 415 | "Uptycs":"", 416 | "WatchGuard":"" 417 | }, 418 | { 419 | "Telemetry Feature Category": "User Account Activity", 420 | "Sub-Category":"Account Login", 421 | "BitDefender":"", 422 | "Carbon Black":"", 423 | "Cortex XDR":"", 424 | "CrowdStrike":"", 425 | "Cybereason":"", 426 | "Cylance":" ", 427 | "ESET Inspect":"", 428 | "Elastic":"", 429 | "FortiEDR":"", 430 | "Harfanglab":"", 431 | "LimaCharlie":{"Partially":"Only tracks when user is seen first time per endpoint."}, 432 | "MDE":"", 433 | "OpenEDR":"", 434 | "Padvish XDR":"", 435 | "Qualys":"", 436 | "SentinelOne":"", 437 | "Symantec SES Complete":"", 438 | "Sysmon":"", 439 | "Trellix":"", 440 | "Trend Micro":"", 441 | "Uptycs":"", 442 | "WatchGuard":"" 443 | }, 444 | { 445 | "Telemetry Feature Category": "User Account Activity", 446 | "Sub-Category":"Account Logoff", 447 | "BitDefender":"", 448 | "Carbon Black":"", 449 | "Cortex XDR":"", 450 | "CrowdStrike":"", 451 | "Cybereason":"", 452 | "Cylance":" ", 453 | "ESET Inspect":"", 454 | "Elastic":"", 455 | 
"FortiEDR":"", 456 | "Harfanglab":"", 457 | "LimaCharlie":"", 458 | "MDE":"", 459 | "OpenEDR":"", 460 | "Padvish XDR":"", 461 | "Qualys":"", 462 | "SentinelOne":"", 463 | "Symantec SES Complete":"", 464 | "Sysmon":"", 465 | "Trellix":"", 466 | "Trend Micro":"", 467 | "Uptycs":"", 468 | "WatchGuard":"" 469 | }, 470 | { 471 | "Telemetry Feature Category":"Network Activity", 472 | "Sub-Category":"TCP Connection", 473 | "BitDefender":"", 474 | "Carbon Black":"", 475 | "Cortex XDR":"", 476 | "CrowdStrike":"", 477 | "Cybereason":"", 478 | "Cylance":" ", 479 | "ESET Inspect":"", 480 | "Elastic":"", 481 | "FortiEDR":"", 482 | "Harfanglab":"", 483 | "LimaCharlie":"", 484 | "MDE":"", 485 | "OpenEDR":"", 486 | "Padvish XDR":"", 487 | "Qualys":"", 488 | "SentinelOne":"", 489 | "Symantec SES Complete":"", 490 | "Sysmon":"", 491 | "Trellix":"", 492 | "Trend Micro":"", 493 | "Uptycs":"", 494 | "WatchGuard":"" 495 | }, 496 | { 497 | "Telemetry Feature Category":"Network Activity", 498 | "Sub-Category":"UDP Connection", 499 | "BitDefender":"", 500 | "Carbon Black":"", 501 | "Cortex XDR":"", 502 | "CrowdStrike":"", 503 | "Cybereason":"", 504 | "Cylance":" ", 505 | "ESET Inspect":"", 506 | "Elastic":"", 507 | "FortiEDR":"", 508 | "Harfanglab":"", 509 | "LimaCharlie":"", 510 | "MDE":"", 511 | "OpenEDR":"", 512 | "Padvish XDR":"", 513 | "Qualys":"", 514 | "SentinelOne":"", 515 | "Symantec SES Complete":"", 516 | "Sysmon":"", 517 | "Trellix":"", 518 | "Trend Micro":"", 519 | "Uptycs":"", 520 | "WatchGuard":"" 521 | }, 522 | { 523 | "Telemetry Feature Category": "Network Activity", 524 | "Sub-Category":"URL", 525 | "BitDefender":"", 526 | "Carbon Black":"", 527 | "Cortex XDR":"", 528 | "CrowdStrike":"", 529 | "Cybereason":"", 530 | "Cylance":" ", 531 | "ESET Inspect":"", 532 | "Elastic":{"Partially":"Only if activity is generated by a NON-Browser application."}, 533 | "FortiEDR":"", 534 | "Harfanglab":"", 535 | "LimaCharlie":"", 536 | "MDE":"", 537 | "OpenEDR":"", 538 | "Padvish XDR":"", 
539 | "Qualys":"", 540 | "SentinelOne":"", 541 | "Symantec SES Complete":{"Partially":"Depends on Firewall / IPS settings and policy; if only IPS is enabled, URLs are logged only for connections flagged as malicious, not for clean connections."}, 542 | "Sysmon":"", 543 | "Trellix":"", 544 | "Trend Micro":"", 545 | "Uptycs":"", 546 | "WatchGuard":{"Partially":"Mainly when the URL is fetched via an HTTP/S GET and not from a modern browser."} 547 | }, 548 | { 549 | "Telemetry Feature Category": "Network Activity", 550 | "Sub-Category":"DNS Query", 551 | "BitDefender":"", 552 | "Carbon Black":"", 553 | "Cortex XDR":"", 554 | "CrowdStrike":"", 555 | "Cybereason":"", 556 | "Cylance":" ", 557 | "ESET Inspect":"", 558 | "Elastic":"", 559 | "FortiEDR":"", 560 | "Harfanglab":"", 561 | "LimaCharlie":"", 562 | "MDE":"", 563 | "OpenEDR":"", 564 | "Padvish XDR":"", 565 | "Qualys":"", 566 | "SentinelOne":"", 567 | "Symantec SES Complete":"", 568 | "Sysmon":"", 569 | "Trellix":"", 570 | "Trend Micro":"", 571 | "Uptycs":"", 572 | "WatchGuard":"" 573 | }, 574 | { 575 | "Telemetry Feature Category":"Network Activity", 576 | "Sub-Category":"File Downloaded", 577 | "BitDefender":{"Partially":"Only tracks downloads of executables."}, 578 | "Carbon Black":"", 579 | "Cortex XDR":"", 580 | "CrowdStrike":"", 581 | "Cybereason":{"Partially":"Only for documents and binaries."}, 582 | "Cylance":" ", 583 | "ESET Inspect":{"Partially":"Only for binaries created on disk."}, 584 | "Elastic":"", 585 | "FortiEDR":"", 586 | "Harfanglab":"", 587 | "LimaCharlie":{"Partially":"Only if the activity is generated via the Chrome browser (see https://doc.limacharlie.io/docs/documentation/0b189c00533e5-reference-events#http_request)."}, 588 | "MDE":"", 589 | "OpenEDR":"", 590 | "Padvish XDR":"", 591 | "Qualys":"", 592 | "SentinelOne":"", 593 | "Symantec SES Complete":"", 594 | "Sysmon":"", 595 | "Trellix":"", 596 | "Trend Micro":"", 597 | "Uptycs":{"Partially":"Limited to certain processes."}, 598 | "WatchGuard":"" 599 | }, 600 | { 601 | 
"Telemetry Feature Category":"Hash Algorithms", 602 | "Sub-Category":"MD5", 603 | "BitDefender":"", 604 | "Carbon Black":"", 605 | "Cortex XDR":"", 606 | "CrowdStrike":"", 607 | "Cybereason":"", 608 | "Cylance":" ", 609 | "ESET Inspect":"", 610 | "Elastic":"", 611 | "FortiEDR":"", 612 | "Harfanglab":"", 613 | "LimaCharlie":"", 614 | "MDE":"", 615 | "OpenEDR":"", 616 | "Padvish XDR":"", 617 | "Qualys":"", 618 | "SentinelOne":"", 619 | "Symantec SES Complete":"", 620 | "Sysmon":"", 621 | "Trellix":"", 622 | "Trend Micro":"", 623 | "Uptycs":"", 624 | "WatchGuard":"" 625 | }, 626 | { 627 | "Telemetry Feature Category":"Hash Algorithms", 628 | "Sub-Category":"SHA", 629 | "BitDefender":"", 630 | "Carbon Black":"", 631 | "Cortex XDR":"", 632 | "CrowdStrike":"", 633 | "Cybereason":"", 634 | "Cylance":" ", 635 | "ESET Inspect":"", 636 | "Elastic":"", 637 | "FortiEDR":"", 638 | "Harfanglab":"", 639 | "LimaCharlie":"", 640 | "MDE":"", 641 | "OpenEDR":"", 642 | "Padvish XDR":"", 643 | "Qualys":"", 644 | "SentinelOne":"", 645 | "Symantec SES Complete":"", 646 | "Sysmon":"", 647 | "Trellix":"", 648 | "Trend Micro":"", 649 | "Uptycs":"", 650 | "WatchGuard":"" 651 | }, 652 | { 653 | "Telemetry Feature Category":"Hash Algorithms", 654 | "Sub-Category":"IMPHASH", 655 | "BitDefender":"", 656 | "Carbon Black":"", 657 | "Cortex XDR":"", 658 | "CrowdStrike":"", 659 | "Cybereason":"", 660 | "Cylance":" ", 661 | "ESET Inspect":"", 662 | "Elastic":{"Partially":"Only available for drivers and DLL files."}, 663 | "FortiEDR":"", 664 | "Harfanglab":"", 665 | "LimaCharlie":"", 666 | "MDE":"", 667 | "OpenEDR":"", 668 | "Padvish XDR":"", 669 | "Qualys":"", 670 | "SentinelOne":"", 671 | "Symantec SES Complete":"", 672 | "Sysmon":"", 673 | "Trellix":"", 674 | "Trend Micro":"", 675 | "Uptycs":"", 676 | "WatchGuard":"" 677 | }, 678 | { 679 | "Telemetry Feature Category":"Hash Algorithms", 680 | "Sub-Category":"JA3/JA3s", 681 | "BitDefender":"", 682 | "Carbon Black":"", 683 | "Cortex XDR":"", 684 | 
"CrowdStrike":"", 685 | "Cybereason":"", 686 | "Cylance":" ", 687 | "ESET Inspect":"", 688 | "Elastic":"", 689 | "FortiEDR":"", 690 | "Harfanglab":"", 691 | "LimaCharlie":"", 692 | "MDE":"", 693 | "OpenEDR":"", 694 | "Padvish XDR":"", 695 | "Qualys":"", 696 | "SentinelOne":"", 697 | "Symantec SES Complete":"", 698 | "Sysmon":"", 699 | "Trellix":"", 700 | "Trend Micro":"", 701 | "Uptycs":"", 702 | "WatchGuard":"" 703 | }, 704 | { 705 | "Telemetry Feature Category":"Registry Activity", 706 | "Sub-Category":"Key\/Value Creation", 707 | "BitDefender":"", 708 | "Carbon Black":"", 709 | "Cortex XDR":"", 710 | "CrowdStrike":{"Partially":"Tracks only specific keys (ASEPs = Auto-Start Extensibility Points)."}, 711 | "Cybereason":{"Partially":"By default, only Run keys and some commonly abused registry values."}, 712 | "Cylance":" ", 713 | "ESET Inspect":"", 714 | "Elastic":"", 715 | "FortiEDR":"", 716 | "Harfanglab":"", 717 | "LimaCharlie":"", 718 | "MDE":"", 719 | "OpenEDR":"", 720 | "Padvish XDR":"", 721 | "Qualys":"", 722 | "SentinelOne":"", 723 | "Symantec SES Complete":"", 724 | "Sysmon":"", 725 | "Trellix":"", 726 | "Trend Micro":"", 727 | "Uptycs":"", 728 | "WatchGuard":"" 729 | }, 730 | { 731 | "Telemetry Feature Category":"Registry Activity", 732 | "Sub-Category":"Key\/Value Modification", 733 | "BitDefender":"", 734 | "Carbon Black":"", 735 | "Cortex XDR":"", 736 | "CrowdStrike":{"Partially":"Tracks only specific keys (ASEPs = Auto-Start Extensibility Points)."}, 737 | "Cybereason":{"Partially":"By default, only Run keys and some commonly abused registry values."}, 738 | "Cylance":" ", 739 | "ESET Inspect":"", 740 | "Elastic":"", 741 | "FortiEDR":"", 742 | "Harfanglab":"", 743 | "LimaCharlie":"", 744 | "MDE":"", 745 | "OpenEDR":"", 746 | "Padvish XDR":"", 747 | "Qualys":"", 748 | "SentinelOne":"", 749 | "Symantec SES Complete":"", 750 | "Sysmon":"", 751 | "Trellix":"", 752 | "Trend Micro":"", 753 | "Uptycs":"", 754 | "WatchGuard":"" 755 | }, 756 | 
{ 757 | "Telemetry Feature Category":"Registry Activity", 758 | "Sub-Category":"Key\/Value Deletion", 759 | "BitDefender":"", 760 | "Carbon Black":"", 761 | "Cortex XDR":"", 762 | "CrowdStrike":"", 763 | "Cybereason":{"Partially":"By default, only RUN keys and some registry values that are commonly abused."}, 764 | "Cylance":" ", 765 | "ESET Inspect":"", 766 | "Elastic":"", 767 | "FortiEDR":"", 768 | "Harfanglab":"", 769 | "LimaCharlie":"", 770 | "MDE":"", 771 | "OpenEDR":"", 772 | "Padvish XDR":"", 773 | "Qualys":"", 774 | "SentinelOne":"", 775 | "Symantec SES Complete":"", 776 | "Sysmon":"", 777 | "Trellix":"", 778 | "Trend Micro":"", 779 | "Uptycs":"", 780 | "WatchGuard":"" 781 | }, 782 | { 783 | "Telemetry Feature Category":"Schedule Task Activity", 784 | "Sub-Category":"Scheduled Task Creation", 785 | "BitDefender":"", 786 | "Carbon Black":"", 787 | "Cortex XDR":"", 788 | "CrowdStrike":"", 789 | "Cybereason":"", 790 | "Cylance":" ", 791 | "ESET Inspect":"", 792 | "Elastic":"", 793 | "FortiEDR":"", 794 | "Harfanglab":"", 795 | "LimaCharlie":"", 796 | "MDE":"", 797 | "OpenEDR":"", 798 | "Padvish XDR":"", 799 | "Qualys":"", 800 | "SentinelOne":"", 801 | "Symantec SES Complete":"", 802 | "Sysmon":"", 803 | "Trellix":"", 804 | "Trend Micro":"", 805 | "Uptycs":"", 806 | "WatchGuard":"" 807 | }, 808 | { 809 | "Telemetry Feature Category":"Schedule Task Activity", 810 | "Sub-Category":"Scheduled Task Modification", 811 | "BitDefender":"", 812 | "Carbon Black":"", 813 | "Cortex XDR":"", 814 | "CrowdStrike":"", 815 | "Cybereason":"", 816 | "Cylance":" ", 817 | "ESET Inspect":"", 818 | "Elastic":"", 819 | "FortiEDR":"", 820 | "Harfanglab":"", 821 | "LimaCharlie":"", 822 | "MDE":"", 823 | "OpenEDR":"", 824 | "Padvish XDR":"", 825 | "Qualys":"", 826 | "SentinelOne":"", 827 | "Symantec SES Complete":"", 828 | "Sysmon":"", 829 | "Trellix":"", 830 | "Trend Micro":"", 831 | "Uptycs":"", 832 | "WatchGuard":"" 833 | }, 834 | { 835 | "Telemetry Feature Category":"Schedule Task 
Activity", 836 | "Sub-Category":"Scheduled Task Deletion", 837 | "BitDefender":"", 838 | "Carbon Black":"", 839 | "Cortex XDR":"", 840 | "CrowdStrike":"", 841 | "Cybereason":"", 842 | "Cylance":" ", 843 | "ESET Inspect":"", 844 | "Elastic":"", 845 | "FortiEDR":"", 846 | "Harfanglab":"", 847 | "LimaCharlie":"", 848 | "MDE":"", 849 | "OpenEDR":"", 850 | "Padvish XDR":"", 851 | "Qualys":"", 852 | "SentinelOne":"", 853 | "Symantec SES Complete":"", 854 | "Sysmon":"", 855 | "Trellix":"", 856 | "Trend Micro":"", 857 | "Uptycs":"", 858 | "WatchGuard":"" 859 | }, 860 | { 861 | "Telemetry Feature Category":"Service Activity", 862 | "Sub-Category":"Service Creation", 863 | "BitDefender": {"Partially": "Service creation telemetry was not consistent across different types of testing, with some methods being captured where others were not."}, 864 | "Carbon Black":{"Partially":"Via monitoring the registry changes."}, 865 | "Cortex XDR":"", 866 | "CrowdStrike":"", 867 | "Cybereason":"", 868 | "Cylance":" ", 869 | "ESET Inspect":"", 870 | "Elastic":"", 871 | "FortiEDR":"", 872 | "Harfanglab":"", 873 | "LimaCharlie":"", 874 | "MDE":"", 875 | "OpenEDR":"", 876 | "Padvish XDR":"", 877 | "Qualys":"", 878 | "SentinelOne":"", 879 | "Symantec SES Complete":"", 880 | "Sysmon":"", 881 | "Trellix":"", 882 | "Trend Micro":"", 883 | "Uptycs":"", 884 | "WatchGuard":{"Partially":"The dedicated event tracking service activity only tracks parent/child processes related to a service change, no further details."} 885 | }, 886 | { 887 | "Telemetry Feature Category":"Service Activity", 888 | "Sub-Category":"Service Modification", 889 | "BitDefender":"", 890 | "Carbon Black":"", 891 | "Cortex XDR":"", 892 | "CrowdStrike":{"Partially":"Tracks only modification of service binaries."}, 893 | "Cybereason":"", 894 | "Cylance":" ", 895 | "ESET Inspect":"", 896 | "Elastic":"", 897 | "FortiEDR":"", 898 | "Harfanglab":"", 899 | "LimaCharlie":"", 900 | "MDE":"", 901 | "OpenEDR":"", 902 | "Padvish XDR":"", 903 | 
"Qualys":"", 904 | "SentinelOne":"", 905 | "Symantec SES Complete":"", 906 | "Sysmon":"", 907 | "Trellix":"", 908 | "Trend Micro":"", 909 | "Uptycs":"", 910 | "WatchGuard":{"Partially":"The dedicated service-activity event only records the parent/child processes involved in a service change, with no further details."} 911 | }, 912 | { 913 | "Telemetry Feature Category":"Service Activity", 914 | "Sub-Category":"Service Deletion", 915 | "BitDefender":"", 916 | "Carbon Black":"", 917 | "Cortex XDR":"", 918 | "CrowdStrike":"", 919 | "Cybereason":"", 920 | "Cylance":" ", 921 | "ESET Inspect":"", 922 | "Elastic":"", 923 | "FortiEDR":"", 924 | "Harfanglab":"", 925 | "LimaCharlie":"", 926 | "MDE":"", 927 | "OpenEDR":"", 928 | "Padvish XDR":"", 929 | "Qualys":"", 930 | "SentinelOne":"", 931 | "Symantec SES Complete":"", 932 | "Sysmon":"", 933 | "Trellix":"", 934 | "Trend Micro":"", 935 | "Uptycs":"", 936 | "WatchGuard":"" 937 | }, 938 | { 939 | "Telemetry Feature Category":"Driver\/Module Activity", 940 | "Sub-Category":"Driver Loaded", 941 | "BitDefender":"", 942 | "Carbon Black":"", 943 | "Cortex XDR":"", 944 | "CrowdStrike":"", 945 | "Cybereason":"", 946 | "Cylance":" ", 947 | "ESET Inspect":"", 948 | "Elastic":"", 949 | "FortiEDR":"", 950 | "Harfanglab":"", 951 | "LimaCharlie":"", 952 | "MDE":"", 953 | "OpenEDR":"", 954 | "Padvish XDR":"", 955 | "Qualys":"", 956 | "SentinelOne":"", 957 | "Symantec SES Complete":"", 958 | "Sysmon":"", 959 | "Trellix":"", 960 | "Trend Micro":"", 961 | "Uptycs":"", 962 | "WatchGuard":"" 963 | }, 964 | { 965 | "Telemetry Feature Category":"Driver\/Module Activity", 966 | "Sub-Category":"Driver Modification", 967 | "BitDefender":"", 968 | "Carbon Black":"", 969 | "Cortex XDR":"", 970 | "CrowdStrike":"", 971 | "Cybereason":"", 972 | "Cylance":" ", 973 | "ESET Inspect":"", 974 | "Elastic":"", 975 | "FortiEDR":"", 976 | "Harfanglab":"", 977 | "LimaCharlie":"", 978 | "MDE":"", 979 | "OpenEDR":"", 980 | "Padvish XDR":"", 981 | "Qualys":"", 982 | 
"SentinelOne":"", 983 | "Symantec SES Complete":"", 984 | "Sysmon":"", 985 | "Trellix":"", 986 | "Trend Micro":"", 987 | "Uptycs":"", 988 | "WatchGuard":"" 989 | }, 990 | { 991 | "Telemetry Feature Category": "Driver\/Module Activity", 992 | "Sub-Category":"Driver Unloaded", 993 | "BitDefender":"", 994 | "Carbon Black":"", 995 | "Cortex XDR":"", 996 | "CrowdStrike":"", 997 | "Cybereason":"", 998 | "Cylance":" ", 999 | "ESET Inspect":"", 1000 | "Elastic":"", 1001 | "FortiEDR":"", 1002 | "Harfanglab":"", 1003 | "LimaCharlie":"", 1004 | "MDE":"", 1005 | "OpenEDR":"", 1006 | "Qualys":"", 1007 | "SentinelOne":{"Partially":"It only reports a specific driver-unload method used by attackers, not every driver unload."}, "Symantec SES Complete":"", 1008 | "Sysmon":"", 1009 | "Trellix":"", 1010 | "Trend Micro":"", 1011 | "Uptycs":"", 1012 | "WatchGuard":"" 1013 | }, 1014 | { 1015 | "Telemetry Feature Category":"Device Operations", 1016 | "Sub-Category":"Virtual Disk Mount", 1017 | "BitDefender":"", 1018 | "Carbon Black":"", 1019 | "Cortex XDR":{"Partially":"Requires Device Control to be in block mode."}, 1020 | "CrowdStrike":"", 1021 | "Cybereason":"", 1022 | "Cylance":" ", 1023 | "ESET Inspect":"", 1024 | "Elastic":"", 1025 | "FortiEDR":"", 1026 | "Harfanglab":"", 1027 | "LimaCharlie":"", 1028 | "MDE":"", 1029 | "OpenEDR":"", 1030 | "Padvish XDR":"", 1031 | "Qualys":"", 1032 | "SentinelOne":"", 1033 | "Symantec SES Complete":"", 1034 | "Sysmon":"", 1035 | "Trellix":"", 1036 | "Trend Micro":"", 1037 | "Uptycs":"", 1038 | "WatchGuard":"" 1039 | }, 1040 | { 1041 | "Telemetry Feature Category":"Device Operations", 1042 | "Sub-Category":"USB Device Unmount", 1043 | "BitDefender":"", 1044 | "Carbon Black":"", 1045 | "Cortex XDR":{"Partially":"Requires Device Control to be in block mode."}, 1046 | "CrowdStrike":"", 1047 | "Cybereason":"", 1048 | "Cylance":" ", 1049 | "ESET Inspect":"", 1050 | "Elastic":"", 1051 | "FortiEDR":"", 1052 | "Harfanglab":"", 1053 | 
"LimaCharlie":{"Partially":"Only mount/unmount events related to 'Volumes'. No other device visibility on this."}, 1054 | "MDE":"", 1055 | "OpenEDR":"", 1056 | "Padvish XDR":"", 1057 | "Qualys":"", 1058 | "SentinelOne":"", 1059 | "Symantec SES Complete":"", 1060 | "Sysmon":"", 1061 | "Trellix":"", 1062 | "Trend Micro":"", 1063 | "Uptycs":"", 1064 | "WatchGuard":"" 1065 | }, 1066 | { 1067 | "Telemetry Feature Category":"Device Operations", 1068 | "Sub-Category":"USB Device Mount", 1069 | "BitDefender":"", 1070 | "Carbon Black":{"Partially":"Mounted USBs are recorded in a separate table within the platform for administrative approval."}, 1071 | "Cortex XDR":{"Partially":"Device Control should be in block mode"}, 1072 | "CrowdStrike":"", 1073 | "Cybereason":"", 1074 | "Cylance":" ", 1075 | "ESET Inspect":"", 1076 | "Elastic":"", 1077 | "FortiEDR":"", 1078 | "Harfanglab":"", 1079 | "LimaCharlie":{"Partially":"Only mount/unmount events related to 'Volumes'. No other device visibility on this."}, 1080 | "MDE":"", 1081 | "OpenEDR":"", 1082 | "Padvish XDR":"", 1083 | "Qualys":"", 1084 | "SentinelOne":"", 1085 | "Symantec SES Complete":"", 1086 | "Sysmon":"", 1087 | "Trellix":"", 1088 | "Trend Micro":"", 1089 | "Uptycs":"", 1090 | "WatchGuard":"" 1091 | }, 1092 | { 1093 | "Telemetry Feature Category":"Other Relevant Events", 1094 | "Sub-Category":"Group Policy Modification", 1095 | "BitDefender":"", 1096 | "Carbon Black":"", 1097 | "Cortex XDR":"", 1098 | "CrowdStrike":"", 1099 | "Cybereason":"", 1100 | "Cylance":" ", 1101 | "ESET Inspect":"", 1102 | "Elastic":"", 1103 | "FortiEDR":"", 1104 | "Harfanglab":"", 1105 | "LimaCharlie":"", 1106 | "MDE":"", 1107 | "OpenEDR":"", 1108 | "Padvish XDR":"", 1109 | "Qualys":"", 1110 | "SentinelOne":"", 1111 | "Symantec SES Complete":"", 1112 | "Sysmon":"", 1113 | "Trellix":"", 1114 | "Trend Micro":"", 1115 | "Uptycs":"", 1116 | "WatchGuard":"" 1117 | }, 1118 | { 1119 | "Telemetry Feature Category":"Other Relevant Events", 1120 | 
"Sub-Category":"Volume Shadow Copy Deletion", 1121 | "BitDefender":"", 1122 | "Carbon Black":"", 1123 | "Cortex XDR":"", 1124 | "CrowdStrike":"", 1125 | "Cybereason":"", 1126 | "Cylance":" ", 1127 | "ESET Inspect":"", 1128 | "Elastic":"", 1129 | "FortiEDR":"", 1130 | "Harfanglab":"", 1131 | "LimaCharlie":"", 1132 | "MDE":"", 1133 | "OpenEDR":"", 1134 | "Padvish XDR":"", 1135 | "Qualys":"", 1136 | "SentinelOne":"", 1137 | "Symantec SES Complete":"", 1138 | "Sysmon":"", 1139 | "Trellix":"", 1140 | "Trend Micro":"", 1141 | "Uptycs":"", 1142 | "WatchGuard":"" 1143 | }, 1144 | { 1145 | "Telemetry Feature Category":"Named Pipe Activity", 1146 | "Sub-Category":"Pipe Creation", 1147 | "BitDefender":"", 1148 | "Carbon Black":{"Partially":"Reports only named pipes for file creation events."}, 1149 | "Cortex XDR":"", 1150 | "CrowdStrike":"", 1151 | "Cybereason":"", 1152 | "Cylance":" ", 1153 | "ESET Inspect":"", 1154 | "Elastic":"", 1155 | "FortiEDR":"", 1156 | "Harfanglab":"", 1157 | "LimaCharlie":"", 1158 | "MDE":"", 1159 | "OpenEDR":"", 1160 | "Qualys":"", 1161 | "SentinelOne":"", 1162 | "Symantec SES Complete":"", 1163 | "Sysmon":"", 1164 | "Trellix":"", 1165 | "Trend Micro":"", 1166 | "Uptycs":"", 1167 | "WatchGuard":"" 1168 | }, 1169 | { 1170 | "Telemetry Feature Category":"Named Pipe Activity", 1171 | "Sub-Category":"Pipe Connection", 1172 | "BitDefender":"", 1173 | "Carbon Black":"", 1174 | "Cortex XDR":"", 1175 | "CrowdStrike":"", 1176 | "Cybereason":"", 1177 | "Cylance":" ", 1178 | "ESET Inspect":"", 1179 | "Elastic":"", 1180 | "FortiEDR":"", 1181 | "Harfanglab":"", 1182 | "LimaCharlie":"", 1183 | "MDE":"", 1184 | "OpenEDR":"", 1185 | "Qualys":"", 1186 | "SentinelOne":"", 1187 | "Symantec SES Complete":"", 1188 | "Sysmon":"", 1189 | "Trellix":"", 1190 | "Trend Micro":"", 1191 | "Uptycs":"", 1192 | "WatchGuard":"" 1193 | }, 1194 | { 1195 | "Telemetry Feature Category":"EDR SysOps", 1196 | "Sub-Category":"Agent Start", 1197 | "BitDefender":"", 1198 | "Carbon 
Black":"", 1199 | "Cortex XDR":{"Partially":"Only if the start action fails"}, 1200 | "CrowdStrike":"", 1201 | "Cybereason":"", 1202 | "Cylance":" ", 1203 | "ESET Inspect":"", 1204 | "Elastic":"", 1205 | "FortiEDR":"", 1206 | "Harfanglab":"", 1207 | "LimaCharlie":"", 1208 | "MDE":"", 1209 | "OpenEDR":"", 1210 | "Qualys":"", 1211 | "SentinelOne":"", 1212 | "Symantec SES Complete":"", 1213 | "Sysmon":"", 1214 | "Trellix":"", 1215 | "Trend Micro":"", 1216 | "Uptycs":"", 1217 | "WatchGuard":"" 1218 | }, 1219 | { 1220 | "Telemetry Feature Category": "EDR SysOps", 1221 | "Sub-Category":"Agent Stop", 1222 | "BitDefender":"", 1223 | "Carbon Black":"", 1224 | "Cortex XDR":"", 1225 | "CrowdStrike":"", 1226 | "Cybereason":"", 1227 | "Cylance":" ", 1228 | "ESET Inspect":"", 1229 | "Elastic":"", 1230 | "FortiEDR":"", 1231 | "Harfanglab":"", 1232 | "LimaCharlie":"", 1233 | "MDE":"", 1234 | "OpenEDR":"", 1235 | "Qualys":"", 1236 | "SentinelOne":"", 1237 | "Symantec SES Complete":"", 1238 | "Sysmon":"", 1239 | "Trellix":"", 1240 | "Trend Micro":"", 1241 | "Uptycs":"", 1242 | "WatchGuard":"" 1243 | }, 1244 | { 1245 | "Telemetry Feature Category": "EDR SysOps", 1246 | "Sub-Category":"Agent Install", 1247 | "BitDefender":"", 1248 | "Carbon Black":"", 1249 | "Cortex XDR":"", 1250 | "CrowdStrike":"", 1251 | "Cybereason":"", 1252 | "Cylance":" ", 1253 | "ESET Inspect":"", 1254 | "Elastic":"", 1255 | "FortiEDR":"", 1256 | "Harfanglab":"", 1257 | "LimaCharlie":"", 1258 | "MDE":"", 1259 | "OpenEDR":"", 1260 | "Qualys":"", 1261 | "SentinelOne":"", 1262 | "Symantec SES Complete":"", 1263 | "Sysmon":"", 1264 | "Trellix":"", 1265 | "Trend Micro":"", 1266 | "Uptycs":"", 1267 | "WatchGuard":"" 1268 | }, 1269 | { 1270 | "Telemetry Feature Category": "EDR SysOps", 1271 | "Sub-Category":"Agent Uninstall", 1272 | "BitDefender":"", 1273 | "Carbon Black":"", 1274 | "Cortex XDR":"", 1275 | "CrowdStrike":"", 1276 | "Cybereason":"", 1277 | "Cylance":" ", 1278 | "ESET Inspect":"", 1279 | "Elastic":"", 
1280 | "FortiEDR":"", 1281 | "Harfanglab":"", 1282 | "LimaCharlie":"", 1283 | "MDE":"", 1284 | "OpenEDR":"", 1285 | "Qualys":"", 1286 | "SentinelOne":"", 1287 | "Symantec SES Complete":"", 1288 | "Sysmon":"", 1289 | "Trellix":"", 1290 | "Trend Micro":"", 1291 | "Uptycs":"", 1292 | "WatchGuard":"" 1293 | }, 1294 | { 1295 | "Telemetry Feature Category": "EDR SysOps", 1296 | "Sub-Category":"Agent Keep-Alive", 1297 | "BitDefender":"", 1298 | "Carbon Black":"", 1299 | "Cortex XDR":"", 1300 | "CrowdStrike":"", 1301 | "Cybereason":"", 1302 | "Cylance":" ", 1303 | "ESET Inspect":"", 1304 | "Elastic":"", 1305 | "FortiEDR":"", 1306 | "Harfanglab":"", 1307 | "LimaCharlie":"", 1308 | "MDE":"", 1309 | "OpenEDR":"", 1310 | "Qualys":"", 1311 | "SentinelOne":"", 1312 | "Symantec SES Complete":"", 1313 | "Sysmon":"", 1314 | "Trellix":"", 1315 | "Trend Micro":"", 1316 | "Uptycs":"", 1317 | "WatchGuard":"" 1318 | }, 1319 | { 1320 | "Telemetry Feature Category": "EDR SysOps", 1321 | "Sub-Category":"Agent Errors", 1322 | "BitDefender":"", 1323 | "Carbon Black":"", 1324 | "Cortex XDR":"", 1325 | "CrowdStrike":"", 1326 | "Cybereason":"", 1327 | "Cylance":" ", 1328 | "ESET Inspect":"", 1329 | "Elastic":"", 1330 | "FortiEDR":"", 1331 | "Harfanglab":"", 1332 | "LimaCharlie":"", 1333 | "MDE":"", 1334 | "OpenEDR":"", 1335 | "Qualys":"", 1336 | "SentinelOne":"", 1337 | "Symantec SES Complete":"", 1338 | "Sysmon":"", 1339 | "Trellix":"", 1340 | "Trend Micro":"", 1341 | "Uptycs":"", 1342 | "WatchGuard":"" 1343 | }, 1344 | { 1345 | "Telemetry Feature Category":"WMI Activity", 1346 | "Sub-Category":"WmiEventConsumerToFilter", 1347 | "BitDefender":"", 1348 | "Carbon Black":"", 1349 | "Cortex XDR":"", 1350 | "CrowdStrike":"", 1351 | "Cybereason":"", 1352 | "Cylance":" ", 1353 | "ESET Inspect":"", 1354 | "Elastic":"", 1355 | "FortiEDR":"", 1356 | "Harfanglab":"", 1357 | "LimaCharlie":"", 1358 | "MDE":"", 1359 | "OpenEDR":"", 1360 | "Qualys":"", 1361 | "SentinelOne":"", 1362 | "Symantec SES 
Complete":{"Partially":"SES has a WMI Response Event and a WMI Instance Object, the WMI Response Event describes: unknown, blocked, allowed, no action, logged, command script, uncorrected, delayed, deleted, quarantined, restored, detected"}, 1363 | "Sysmon":"", 1364 | "Trellix":"", 1365 | "Trend Micro":"", 1366 | "Uptycs":"", 1367 | "WatchGuard":"" 1368 | }, 1369 | { 1370 | "Telemetry Feature Category": "WMI Activity", 1371 | "Sub-Category":"WmiEventConsumer", 1372 | "BitDefender":"", 1373 | "Carbon Black":"", 1374 | "Cortex XDR":"", 1375 | "CrowdStrike":"", 1376 | "Cybereason":"", 1377 | "Cylance":" ", 1378 | "ESET Inspect":"", 1379 | "Elastic":"", 1380 | "FortiEDR":"", 1381 | "Harfanglab":"", 1382 | "LimaCharlie":"", 1383 | "MDE":"", 1384 | "OpenEDR":"", 1385 | "Qualys":"", 1386 | "SentinelOne":"", 1387 | "Symantec SES Complete":{"Partially":"SES has a WMI Response Event and a WMI Instance Object, the WMI Response Event describes: unknown, blocked, allowed, no action, logged, command script, uncorrected, delayed, deleted, quarantined, restored, detected"}, "Sysmon":"", 1388 | "Trellix":"", 1389 | "Trend Micro":"", 1390 | "Uptycs":"", 1391 | "WatchGuard":"" 1392 | }, 1393 | { 1394 | "Telemetry Feature Category": "WMI Activity", 1395 | "Sub-Category":"WmiEventFilter", 1396 | "BitDefender":"", 1397 | "Carbon Black":"", 1398 | "Cortex XDR":"", 1399 | "CrowdStrike":"", 1400 | "Cybereason":"", 1401 | "Cylance":" ", 1402 | "ESET Inspect":"", 1403 | "Elastic":"", 1404 | "FortiEDR":"", 1405 | "Harfanglab":"", 1406 | "LimaCharlie":"", 1407 | "MDE":"", 1408 | "OpenEDR":"", 1409 | "Padvish XDR":"", 1410 | "Qualys":"", 1411 | "SentinelOne":"", 1412 | "Symantec SES Complete":{"Partially":"SES has a WMI Response Event and a WMI Instance Object, the WMI Response Event describes: unknown, blocked, allowed, no action, logged, command script, uncorrected, delayed, deleted, quarantined, restored, detected"}, 1413 | "Sysmon":"", 1414 | "Trellix":"", 1415 | "Trend Micro":"", 1416 | 
"Uptycs":"", 1417 | "WatchGuard":"" 1418 | }, 1419 | { 1420 | "Telemetry Feature Category":"BIT JOBS Activity", 1421 | "Sub-Category":"BIT JOBS Activity", 1422 | "BitDefender":"", 1423 | "Carbon Black":"", 1424 | "Cortex XDR":"", 1425 | "CrowdStrike":"", 1426 | "Cybereason":"", 1427 | "Cylance":" ", 1428 | "ESET Inspect":"", 1429 | "Elastic":"", 1430 | "FortiEDR":"", 1431 | "Harfanglab":"", 1432 | "LimaCharlie":"", 1433 | "MDE":"", 1434 | "OpenEDR":"", 1435 | "Padvish XDR":"", 1436 | "Qualys":"", 1437 | "SentinelOne":"", 1438 | "Symantec SES Complete":"", 1439 | "Sysmon":"", 1440 | "Trellix":"", 1441 | "Trend Micro":"", 1442 | "Uptycs":"", 1443 | "WatchGuard":"" 1444 | }, 1445 | { 1446 | "Telemetry Feature Category":"PowerShell Activity", 1447 | "Sub-Category":"Script-Block Activity", 1448 | "BitDefender":"", 1449 | "Carbon Black":"", 1450 | "Cortex XDR":"", 1451 | "CrowdStrike":"", 1452 | "Cybereason":"", 1453 | "Cylance":" ", 1454 | "ESET Inspect":"", 1455 | "Elastic":"", 1456 | "FortiEDR":"", 1457 | "Harfanglab":"", 1458 | "LimaCharlie":"", 1459 | "MDE":"", 1460 | "OpenEDR":"", 1461 | "Padvish XDR":"", 1462 | "Qualys":"", 1463 | "SentinelOne":"", 1464 | "Symantec SES Complete":"", 1465 | "Sysmon":"", 1466 | "Trellix":"", 1467 | "Trend Micro":"", 1468 | "Uptycs":"", 1469 | "WatchGuard":"" 1470 | } 1471 | ] --------------------------------------------------------------------------------
