Roberto Rodriguez
# Description The attacker performs local enumeration using various Windows API calls, specifically gathering current user context (T1033)
# Description The attacker performs local enumeration using various Windows API calls, specifically gathering domain name (T1063)
# Description The attacker performs local enumeration using various Windows API calls, specifically gathering the local computer name (T1082)
# Description The attacker then enumerates software installed by the user documented in the Windows Registry (T1012)
# Description The attacker then enumerates registered AV products (T1063)
# Description The attacker modifies the time attributes of the DLL payload (T1099) used in the previously established persistence mechanism to match that of a random file found in the...
# Description The scenario begins with initial breach, where a legitimate user clicks (T1204) a link file payload, which executes an alternate data stream (ADS) hidden on another dummy file...
https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-RPC/events/event-5_v1.yml
https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-RPC/events/event-6_v1.yml
For example, a few data sources in Azure track specific entities, such as users, managed identities and service principals, in separate logs: https://github.com/mitre-attack/attack-datasources/blob/main/contribution/user_account.yml
- Write a Python script to separate each relationship into its own YAML file
- Write a Python script to create master files in YAML and Markdown
- present new...