This is a container for windows events samples associated to specific attack and post-exploitation techniques. Can be useful for:
-
Testing your detection scripts based on EVTX parsing
-
Training on DFIR and threat hunting using event logs
-
Designing detection use cases using Windows and Sysmon event logs
-
Avoid/Bypass the noisy techniques if you are a redteamer
For a detailed overview of covered attack TTPs and their mapping to MITRE ATT&CK TTPs check this spreadsheet:
https://docs.google.com/spreadsheets/d/1DOehPeGlUQOsf6HRNT2tsLxNiUQS-kE0GtDE8mcbi8A/edit?usp=sharing
N.B: Mapping has been done to the level of ATT&CK technique (not procedure), some items are marked in grey, meaning couldn't found a closer TTP that achieves same objective.
Below a summarized overview of the covered TTPs using attack-navigator:
The content of this repository is released under the GNU General Public License.