Security Datasets
How-To
Create Datasets
Windows
Azure Log Analytics
Microsoft 365 Defender
Kafka
Consume Datasets
Jupyter Notebooks
Suricata
Kafka
The Hunting ELK (HELK)
Atomic Datasets
aws
initial_access
AWS Cloud Bank Breach S3
persistence
AWS Cloud Bank Breach S3
privilege_escalation
AWS Cloud Bank Breach S3
defense_evasion
AWS Cloud Bank Breach S3
collection
AWS Cloud Bank Breach S3
discovery
AWS S3 Honey Bucket Logs
linux
discovery
Arp Cache Discovery
defense_evasion
DD Binary Padding Hash Change
windows
defense_evasion
Empire Powerview Add-DomainObjectAcl
Empire Over-Pass-The-Hash
IKEEXT Remote Service DLL Hijack
Empire PSInject
Empire WDigest Downgrade
Empire Enable RDP
Empire Invoke DLLInjection
Covenant ShellCmd InstallUtil
Empire Invoke InternalMonologue
Empire Regsvr32 Execution
Covenant Wuauclt CreateRemoteThread Execution
WMIC Remote XSL Jscript Execution
Mavinject Process DLL Injection
Netsh Open FW Proxy Ports
HH Execution of Local Compiled HTML Payload
Control Panel Execution
CMSTP Proxy Execution
Mshta Javascript GetObject Sct
Mshta VBScript Execute PowerShell
Mshta HTML Application (HTA) Execution
Register-CimProvider Execute Dll
Bitsadmin Download Malicious File
PurpleSharp PE Injection CreateRemoteThread
Process Herpaderping Mimikatz
Windows Vault Web Credentials
APT Simulator Cobalt Strike
Disabling Windows Event Logging via Audit Policy Modification
Disabling Process Command Line Logging via Registry Modification
Modifying Security Event Log File Path via Modification of Log Configuration
Stopping Event Log Service via Modification of Start Up Type
Stopping Event Log Service after Stopping Depending Services
Stopping Event Logging via Creation of MiniNt Registry Key
credential_access
Empire DCSync
Rubeus Userland ASKTGT PTT
Empire Mimikatz LogonPasswords
Empire Mimikatz Extract Kerberos Keys
Empire Mimikatz Backup Keys
Empire Mimikatz SAM Extract Hashes
Empire Reg Dump SAM Hive
RDP TaskManager LSASS Dump
Covenant DCSync
Empire Mimikatz Lsadump LSA Patch
Rubeus Elevated ASKTGT CreateNetOnly
Empire Powerdump Extract Hashes
Lsass Memory Dump via Comsvcs.dll
Lsass Memory Dump via Syscalls
SAM Copy via Esentutl VSS
Psexec Reg LSA Secrets Dump
UI Prompt For Credentials Function
PurpleSharp Active Directory Playbook I
discovery
Empire Net Local Administrators Group
Empire Net Local Users
Empire Net Domain Users
Empire Shell Net Domain Admins
Empire Find Local Admin Access
Empire Remote Get Session
Covenant GetDomainGroup Domain Admins
Internet Explorer Version Discovery
PurpleSharp Active Directory Playbook I
Seatbelt Group User Discovery
persistence
Empire Userland Registry Run Keys
Empire Userland Scheduled Tasks
IKEEXT Remote Service DLL Hijack
Empire Elevated WMI Eventing
Empire Elevated Registry Run Keys
Empire Elevated Scheduled Tasks
Logon Scripts via UserInitMprLogonScript
Service Modification Fax
Bitsadmin Download Malicious File
Remote Scheduled Task Creation
Remote Scheduled Task Modification
Exchange ProxyLogon SSRF RCE Vuln POC
lateral_movement
Empire Over-Pass-The-Hash
Empire Invoke SMBExec
Empire Invoke PsExec
Empire Invoke DCOM ShellWindows
Empire Invoke PSRemoting
Empire Invoke Execute MSBuild
Covenant Remote WMI Eventing ActiveScriptEventConsumers
Covenant SC.exe Utility Query
Covenant SharpSC Query
Covenant Remote File Copy
Covenant SharpSC Create
Covenant SharpSC Start
Covenant SharpSC Stop Service
Covenant SharpWMI Exec
Covenant PowerShell Remoting Command
Empire Remote WMIC Add User
Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2
DCOM ExecuteExcel4macro
DCOM RegisterXLL
Empire Invoke WMI
Covenant Remote WMI Wbemcomn DLL Hijacking
Covenant Remote DCOM Iertutil DLL Hijacking
PurpleSharp Active Directory Playbook I
Remote Scheduled Task Creation
Remote Scheduled Task Modification
Export ADFS Database Configuration Remotely
privilege_escalation
IKEEXT Remote Service DLL Hijack
Empire Elevated WMI Eventing
Empire PSInject
Empire Invoke DLLInjection
Invoke BypassUAC FodHelper
Mavinject Process DLL Injection
Service Modification Fax
PurpleSharp PE Injection CreateRemoteThread
Process Herpaderping Mimikatz
Windows Vault Web Credentials
Remote Scheduled Task Creation
Remote Scheduled Task Modification
APT Simulator Cobalt Strike
execution
Empire VBS Execution
Empire Invoke PsExec
Empire Invoke DCOM ShellWindows
Empire Invoke PSRemoting
Empire Invoke Execute MSBuild
Covenant ShellCmd InstallUtil
Covenant Remote WMI Eventing ActiveScriptEventConsumers
Covenant SharpWMI Exec
Covenant PowerShell Remoting Command
Empire Remote WMIC Add User
Empire Invoke WMI
Covenant Remote WMI Wbemcomn DLL Hijacking
Python HTTP Server
SharpView PCRE.NET
PowerShell HTTP Listener
Remote Scheduled Task Creation
Remote Scheduled Task Modification
Exchange ProxyLogon SSRF RCE Vuln POC
collection
MSF Record Mic
UI Prompt For Credentials Function
Compound Datasets
Golden SAML AD FS Mail Access
Log4Shell
discovery