Skip to content

TheWover/compound-actions

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits

ExampleScript2

ExampleScript2

 
 

S0552 - AdFind

S0552 - AdFind

 
 

T1003.001 - OS Credential Dumping - LSASS

T1003.001 - OS Credential Dumping - LSASS

 
 

T1003.002 - OS Credential Dumping - SAM

T1003.002 - OS Credential Dumping - SAM

 
 

T1016 - System Network Configuration Discovery

T1016 - System Network Configuration Discovery

 
 

T1021-RemoteServices

T1021-RemoteServices

 
 

T1021.001-RemoteServices-RDP

T1021.001-RemoteServices-RDP

 
 

T1021.002-RemoteServices-SMB

T1021.002-RemoteServices-SMB

 
 

T1027 - Obfuscated Files or Information - PowerShell Obfuscation

T1027 - Obfuscated Files or Information - PowerShell Obfuscation

 
 

T1030 - Data Transfer Limit Sizes

T1030 - Data Transfer Limit Sizes

 
 

T1036.003 - Rename System Utilities - Rundll32

T1036.003 - Rename System Utilities - Rundll32

 
 

T1041 - Exfiltration Over C2 Channel

T1041 - Exfiltration Over C2 Channel

 
 

T1048 - Exfiltration Over Alternative Protocol

T1048 - Exfiltration Over Alternative Protocol

 
 

T1053.005 - Scheduled Task

T1053.005 - Scheduled Task

 
 

T1055.012 - Process Injection - Process Hollowing

T1055.012 - Process Injection - Process Hollowing

 
 

T1057 - Process Discovery

T1057 - Process Discovery

 
 

T1059.001 - PowerShell

T1059.001 - PowerShell

 
 

T1070.004 - File Deletion

T1070.004 - File Deletion

 
 

T1072 - Software Deployment Tools - ATERA

T1072 - Software Deployment Tools - ATERA

 
 

T1082 - System Information Discovery

T1082 - System Information Discovery

 
 

T1090.002 - External Proxy - Chisel

T1090.002 - External Proxy - Chisel

 
 

T1115 - Clipboard Data

T1115 - Clipboard Data

 
 

T1127.001 - Trusted Developer Utilities Proxy Execution - MSBuild

T1127.001 - Trusted Developer Utilities Proxy Execution - MSBuild

 
 

T1136.001 - Create Local Account

T1136.001 - Create Local Account

 
 

T1218.010 - System Binary Proxy Execution - Regsvr32

T1218.010 - System Binary Proxy Execution - Regsvr32

 
 

T1491.001 - Internal Defacement

T1491.001 - Internal Defacement

 
 

T1497.001 - Virtualization & Sandbox Evasion - System Checks

T1497.001 - Virtualization & Sandbox Evasion - System Checks

 
 

T1497.003 - Time Based Evasion

T1497.003 - Time Based Evasion

 
 

T1518.001 - Security Software Discovery

T1518.001 - Security Software Discovery

 
 

T1546.003 - Windows Management Instrumentation Event Subscription

T1546.003 - Windows Management Instrumentation Event Subscription

 
 

T1546.007 - Event Triggered Execution - Netsh Helper DLL

T1546.007 - Event Triggered Execution - Netsh Helper DLL

 
 

T1547.001 - Registry Run Keys & Startup Folder

T1547.001 - Registry Run Keys & Startup Folder

 
 

T1548 - Abuse Elevation Control Mechanism

T1548 - Abuse Elevation Control Mechanism

 
 

T1553.005 - Mark-of-the-Web Bypass - VHD

T1553.005 - Mark-of-the-Web Bypass - VHD

 
 

T1553.005 - Mark-of-the-Web Bypass

T1553.005 - Mark-of-the-Web Bypass

 
 

T1562.001 - Impair Defenses - Disable Tools

T1562.001 - Impair Defenses - Disable Tools

 
 

T1567.002 - Exfiltration to Cloud Storage

T1567.002 - Exfiltration to Cloud Storage

 
 

T1610 - Deploy Container

T1610 - Deploy Container

 
 

TA0007 - Discovery

TA0007 - Discovery

 
 

TA0040 - Impact and Ransomware

TA0040 - Impact and Ransomware

 
 

README.md

README.md

 
 

Repository files navigation

Compound Actions

This repository is for sharing SCYTHE Compound Actions. Compound Actions are custom tests that do not classify as an entire threat or adversary emulation plan. However, they are still an attack chain that can be added to larger threats and campaigns.

How To Use Compound Actions

  1. Select the Compound Action folder you are interested in
  2. Review the README if available
  3. Download the raw JSON file.

Import into SCYTHE

  1. Login to the SCYTHE instance where you want to import the Compound Action.
  2. Click Threat Manager - Migrate Threats
  3. Under "Import Threat" click “Choose File” and select the JSON file you downloaded from GitHub
  4. Click Import and OK when complete
  5. Click Threat Manager - Threat Catalog
  6. Find the imported Compound Action and click the tag icon
  7. Tag the MITRE ATT&CK Technique for the Compound Action

Community Effort

SCYTHE believes in giving back to the community and encourages everyone to do the same. Please submit pull requests with new Compound Actions in their respective folder and we will review before approving.

About

Compound Actions align with MITRE ATT&CK TTPs at the procedure level.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 7

Languages