Comparing changes

base repository: netevert/sentinel-attack
base: v.1.4.4
head repository: netevert/sentinel-attack
compare: master
  • 7 commits
  • 154 files changed
  • 2 contributors

Commits on Nov 28, 2024

  1. Minor fixes
     netevert committed Nov 28, 2024 (a22b3bd)
  2. Cleaned up readme
     netevert committed Nov 28, 2024 (225fefa)
  3. dc73d7d
  4. 1d309a1
  5. Update LICENSE.md
     netevert authored Nov 28, 2024 (95db3db)
  6. Minor cleanup
     netevert committed Nov 28, 2024 (bfa0fe1)
  7. 979fb46
Showing with 9 additions and 11,141 deletions.
  1. +1 −1 LICENSE.md
  2. +8 −19 README.md
  3. 0 {parser → }/Sysmon-OSSEM.txt
  4. +0 −356 azuredeploy.json
  5. +0 −294 deployment/gallery.azuredeploy.json
  6. +0 −19 detections/T0000_Console_History.txt
  7. +0 −32 detections/T0000_Named_Pipes.txt
  8. +0 −17 detections/T0000_Named_Pipes_CobaltStrike.txt
  9. +0 −17 detections/T0000_Remotely_Query_Login_Sessions_Network.txt
  10. +0 −17 detections/T0000_Remotely_Query_Login_Sessions_Process.txt
  11. +0 −53 detections/T0000_Suspicious_Filename_Used.txt
  12. +0 −20 detections/T1002_Data_Compressed.txt
  13. +0 −25 detections/T1003_Credential_Dumping_ImageLoad.txt
  14. +0 −21 detections/T1003_Credential_Dumping_Process.txt
  15. +0 −24 detections/T1003_Credential_Dumping_Process_Access.txt
  16. +0 −22 detections/T1003_Credential_Dumping_Registry.txt
  17. +0 −19 detections/T1003_Credential_Dumping_Registry_Save.txt
  18. +0 −20 detections/T1004_Win_Logon_Helper_DLL.txt
  19. +0 −24 detections/T1007_System_Service_Discovery.txt
  20. +0 −17 detections/T1012_Query_Registry_Network.txt
  21. +0 −17 detections/T1012_Query_Registry_Process.txt
  22. +0 −18 detections/T1013_Local_Port_Monitor.txt
  23. +0 −24 detections/T1015_Accessibility_Features.txt
  24. +0 −17 detections/T1015_Accessibility_Features_Registry.txt
  25. +0 −22 detections/T1016_System_Network_Configuration_Discovery.txt
  26. +0 −20 detections/T1018_Remote_System_Discovery_Network.txt
  27. +0 −20 detections/T1018_Remote_System_Discovery_Process.txt
  28. +0 −18 detections/T1027_Obfuscated_Files_Or_Information.txt
  29. +0 −21 detections/T1028_Windows_Remote_Management.txt
  30. +0 −20 detections/T1031_Modify_Existing_Service.txt
  31. +0 −22 detections/T1033_System_Owner_User_Discovery.txt
  32. +0 −29 detections/T1036_Masquerading_Extension.txt
  33. +0 −29 detections/T1036_Masquerading_Location.txt
  34. +0 −17 detections/T1037_Logon_Scripts.txt
  35. +0 −22 detections/T1040_Network_Sniffing.txt
  36. +0 −19 detections/T1042_Change_Default_File_Association.txt
  37. +0 −19 detections/T1044_File_System_Permissions_Weakness.txt
  38. +0 −17 detections/T1047_WMI_Command_Execution.txt
  39. +0 −17 detections/T1047_Windows_Management_Instrumentation_Active_Script_Event_Consumer_FileAccess.txt
  40. +0 −18 detections/T1047_Windows_Management_Instrumentation_Active_Script_Event_Consumer_Process.txt
  41. +0 −18 detections/T1047_Windows_Management_Instrumentation_Network.txt
  42. +0 −19 detections/T1047_Windows_Management_Instrumentation_Process.txt
  43. +0 −23 detections/T1049_System_Network_Connections_Discovery.txt
  44. +0 −22 detections/T1050_New_Service_Process.txt
  45. +0 −19 detections/T1053_Scheduled_Task_FileAccess.txt
  46. +0 −20 detections/T1053_Scheduled_Task_Process.txt
  47. +0 −17 detections/T1054_Indicator_Blocking_Driver_Unloaded.txt
  48. +0 −21 detections/T1054_Indicator_Blocking_Sysmon_Registry_Edited_From_Other_Source.txt
  49. +0 −18 detections/T1055_Process_Injection_Process.txt
  50. +0 −18 detections/T1057_Process_Discovery.txt
  51. +0 −17 detections/T1059_Command_Line_Interface.txt
  52. +0 −19 detections/T1060_Registry_Run_Keys_Or_Start_Folder.txt
  53. +0 −24 detections/T1063_Security_Software_Discovery.txt
  54. +0 −20 detections/T1069_Permission_Groups_Discovery.txt
  55. +0 −22 detections/T1069_Permission_Groups_Discovery_Process.txt
  56. +0 −17 detections/T1070_Indicator_Removal_On_Host.txt
  57. +0 −20 detections/T1074_Datal_Staged_Process.txt
  58. +0 −18 detections/T1076_Remote_Desktop_Protocol_Process.txt
  59. +0 −19 detections/T1076_Remote_Desktop_Protocol_Registry.txt
  60. +0 −20 detections/T1077_Windows_Admin_Shares.txt
  61. +0 −22 detections/T1077_Windows_Admin_Shares_Process.txt
  62. +0 −19 detections/T1077_Windows_Admin_Shares_Process_Created.txt
  63. +0 −19 detections/T1081_Credentials_In_Files.txt
  64. +0 −19 detections/T1082_System_Information_Discovery.txt
  65. +0 −19 detections/T1085_Rundll32.txt
  66. +0 −20 detections/T1086_PowerShell.txt
  67. +0 −19 detections/T1086_PowerShell_Downloads_Process.txt
  68. +0 −26 detections/T1087_Account_Discovery.txt
  69. +0 −19 detections/T1088_Bypass_User_Account_Control_Process.txt
  70. +0 −19 detections/T1088_Bypass_User_Account_Control_Registry.txt
  71. +0 −20 detections/T1089_Disabling_Security_Tools_Service_Stopped.txt
  72. +0 −65 detections/T1093_Process_Hollowing.txt
  73. +0 −17 detections/T1096_NTFS_File_Attributes.txt
  74. +0 −19 detections/T1103_AppInit_DLLs.txt
  75. +0 −22 detections/T1107_File_Deletion.txt
  76. +0 −18 detections/T1112_Modify_Registry.txt
  77. +0 −18 detections/T1115_Clipboard_Data.txt
  78. +0 −20 detections/T1117_Bypassing_Application_Whitelisting_With_Regsvr32.txt
  79. +0 −18 detections/T1117_Regsvr32_Network.txt
  80. +0 −18 detections/T1118_InstallUtil.txt
  81. +0 −19 detections/T1121_Regsvcs_Regasm.txt
  82. +0 −18 detections/T1122_Component_Object_Model_Hijacking.txt
  83. +0 −20 detections/T1123_Audio_Capture.txt
  84. +0 −21 detections/T1124_System_Time_Discovery.txt
  85. +0 −20 detections/T1126_Network_Share_Connection_Removal.txt
  86. +0 −19 detections/T1127_Trusted_Developer_Utilities.txt
  87. +0 −18 detections/T1128_Narsh_Helper_DLL_Registry.txt
  88. +0 −19 detections/T1128_Netsh_Helper_DLL_Process.txt
  89. +0 −20 detections/T1130_Install_Root_Certificates.txt
  90. +0 −21 detections/T1131_Authentication_Package.txt
  91. +0 −19 detections/T1135_Network_Share_Discovery.txt
  92. +0 −20 detections/T1135_Network_Share_Discovery_Process.txt
  93. +0 −19 detections/T1136_Create_Account.txt
  94. +0 −18 detections/T1138_Application_Shimming_FileAccess.txt
  95. +0 −18 detections/T1138_Application_Shimming_Process.txt
  96. +0 −18 detections/T1138_Application_Shimming_Registry.txt
  97. +0 −19 detections/T1140_Deobfuscate_Decode_Files_Or_Information.txt
  98. +0 −21 detections/T1146_Clear_Command_History.txt
  99. +0 −20 detections/T1158_Hidden_Files_And_Directories.txt
  100. +0 −19 detections/T1158_Hidden_Files_And_Directories_VSS.txt
  101. +0 −18 detections/T1170_MSHTA_FileAccess.txt
  102. +0 −19 detections/T1170_MSHTA_Network.txt
  103. +0 −19 detections/T1170_MSHTA_Process.txt
  104. +0 −19 detections/T1179_Hooking.txt
  105. +0 −21 detections/T1180_Screensaver.txt
  106. +0 −18 detections/T1182_AppCert_DLLs.txt
  107. +0 −19 detections/T1183_Image_File_Execution_Options_Injection.txt
  108. +0 −19 detections/T1187_Forced_Authentication.txt
  109. +0 −18 detections/T1191_CMSTP.txt
  110. +0 −19 detections/T1196_Control_Panel_Items_Process.txt
  111. +0 −20 detections/T1196_Control_Panel_Items_Registry.txt
  112. +0 −18 detections/T1197_BITS_Jobs_Network.txt
  113. +0 −19 detections/T1197_BITS_Jobs_Process.txt
  114. +0 −19 detections/T1201_Password_Policy_Discovery.txt
  115. +0 −21 detections/T1202_Indirect_Command_Execution.txt
  116. +0 −18 detections/T1209_Time_Providers.txt
  117. +0 −24 detections/T1214_Credentials_In_Registry.txt
  118. +0 −21 detections/T1216_Signed_Script_Proxy_Execution.txt
  119. +0 −18 detections/T1217_Browser_Bookmark_Discovery.txt
  120. +0 −20 detections/T1218_Signed_Binary_Proxy_Execution_Network.txt
  121. +0 −23 detections/T1218_Signed_Binary_Proxy_Execution_Process.txt
  122. +0 −18 detections/T1223_Compiled_HTML_File.txt
  123. +0 −1,525 detections/sentinel_attack_rules.json
  124. BIN docs/attack_drilldown.PNG
  125. BIN docs/computer_drilldown.PNG
  126. BIN docs/connect-vm.gif
  127. BIN docs/data-test.gif
  128. BIN docs/demo.gif
  129. BIN docs/deploy-analytics.gif
  130. BIN docs/deploy-sentinel.gif
  131. BIN docs/drilldown_highlights.PNG
  132. BIN docs/enable-event-logs.gif
  133. BIN docs/enable-security-events.gif
  134. BIN docs/execute-hunts.gif
  135. BIN docs/file_create_drilldown.PNG
  136. BIN docs/install-parser.gif
  137. BIN docs/killchain-overview.png
  138. BIN docs/logo.png
  139. BIN docs/network_drilldown.PNG
  140. BIN docs/pipe_name_drilldown.PNG
  141. BIN docs/process-overview.png
  142. BIN docs/process_guid_drilldown.PNG
  143. BIN docs/sentinel_attack_coverage.JPG
  144. +0 −1,283 docs/sentinel_attack_coverage.json
  145. +0 −2 docs/sentinel_attack_coverage.svg
  146. BIN docs/sentinel_attack_coverage.xlsx
  147. BIN docs/technique-overview.png
  148. BIN docs/trigger_overview.PNG
  149. BIN docs/upload-dashboard.gif
  150. BIN docs/upload-detection-rules.gif
  151. BIN docs/upload-notebook.gif
  152. BIN docs/upload-workbooks.gif
  153. BIN docs/user_drilldown.PNG
  154. +0 −5,267 hunting/sysmon_threat_hunting.json
2 changes: 1 addition & 1 deletion LICENSE.md
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2019-2020 Edoardo Gerosa, Olaf Hartong
Copyright (c) 2019-2020 Edoardo Gerosa

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
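Review bot: the copyright line drops Olaf Hartong as a holder while leaving the year range at `2019-2020`; under the MIT notice that line is the attribution for everything a contributor wrote, so the removal is only correct if none of the files retained in this compare contain his contributions (the README in this same compare still links the sysmon-modular configuration from the olafhartong repository), and if the removal is intended the range should also be extended to cover the Nov 2024 edits rather than left at `2019-2020`.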
27 changes: 8 additions & 19 deletions README.md
@@ -1,37 +1,26 @@
[![GitHub release](https://img.shields.io/github/release/BlueTeamLabs/sentinel-attack.svg?style=flat-square)](https://github.com/BlueTeamLabs/sentinel-attack/releases)
[![Maintenance](https://img.shields.io/maintenance/yes/2023.svg?style=flat-square)]()
[![GitHub release](https://img.shields.io/github/v/release/netevert/sentinel-attack.svg?style=flat-square)](https://github.com/netevert/sentinel-attack/releases)
[![Maintenance](https://img.shields.io/maintenance/yes/2024.svg?style=flat-square)]()
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
[![](https://img.shields.io/badge/2019-DEF%20CON%2027-blueviolet?style=flat-square)](https://2019.cloud-village.org/#talks?olafedoardo)
[![](https://img.shields.io/badge/Official%20Azure%20Sentinel%20workbook-grey?style=flat-square&logo=microsoft-azure)](https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SysmonThreatHunting.json)

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FBlueTeamLabs%2Fsentinel-attack%2Fmaster%2Fazuredeploy.json)

Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel.

**DISCLAIMER:** This tool requires tuning and investigative trialling to be truly effective in a production environment.

![demo](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/demo.gif)
It provides a [Sysmon log parser](https://github.com/netevert/sentinel-attack/blob/master/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/OTRF/OSSEM) data model and compatible with the [Sysmon Modular XML configuration file](https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml).

### Overview
Sentinel ATT&CK provides the following tools:
- An [ARM template](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/azuredeploy.json) to automatically deploy Sentinel ATT&CK to your Azure environment
- A [Sysmon log parser](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/parser/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/Cyb3rWard0g/OSSEM) data model and compatible with the [Sysmon Modular XML configuration file](https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml)
- 117 ready-to-use Kusto [detection rules](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/detections) covering 156 ATT&CK techniques
- A [Sysmon threat hunting workbook](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/hunting) inspired by the [Threat Hunting App](https://splunkbase.splunk.com/app/4305/) for Splunk to help simplify threat hunts
- Comprehensive guidance to help you use the materials in this repository
**DISCLAIMER:** This tool requires tuning and investigative trialling to be truly effective in a production environment.

### Usage
Head over to the [WIKI](https://github.com/BlueTeamLabs/sentinel-attack/wiki) to learn how to deploy and run Sentinel ATT&CK.
To use the Sentinel-ATT&CK parser, copy-paste it into your Sentinel Logs blade and store it as a function named `Sysmon`.

A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found [here](https://2019.cloud-village.org/#talks?olafedoardo) and [here](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/DEFCON_attacking_the_sentinel.pdf).
A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found [here](https://2019.cloud-village.org/#talks?olafedoardo) and [here](https://github.com/netevert/sentinel-attack/blob/master/docs/DEFCON_attacking_the_sentinel.pdf).

### Contributing
As this repository is constantly being updated and worked on, if you spot any problems we warmly welcome pull requests or submissions on the issue tracker.
This repository is work in progress, if you spot any problems we welcome pull requests or submissions on the issue tracker.

### Authors and contributors
Sentinel ATT&CK is built with ❤ by:
- Edoardo Gerosa
[![Twitter Follow](https://img.shields.io/twitter/follow/netevert.svg?style=social)](https://twitter.com/netevert)
[![Twitter Follow](https://img.shields.io/twitter/follow/edoardogerosa.svg?style=social)](https://twitter.com/edoardogerosa)

Special thanks go to the following contributors:

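Review bot: the unchanged opening line `Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel` no longer matches what the repository ships after this hunk, since the Deploy to Azure button, the ARM template, the 117 Kusto detection rules and the Sysmon threat hunting workbook are all removed from the README and their files (`azuredeploy.json`, `detections/`, `hunting/`) are deleted in this compare, leaving the OSSEM-mapped Sysmon parser as the only deliverable; reword the introduction to describe the parser alone and note in Usage that it now lives at the repository root (the `{parser → }/Sysmon-OSSEM.txt` rename), which the new parser link already assumes.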
File renamed without changes.