public-threats

August 2, 2020 ยท View on GitHub

Manticore's Public Threats Repository

Ransomware Emulation

ransomware.json

ScenarioDescriptionLink
im-001.jsonGo Multiplatform Ransomware Emulationim-001.json
im-002.jsonPowershell Ransomware Emulationim-002.json

Lolbins Emulation For Downloading File

lolbins.json

ScenarioDescriptionLink
cc-001.jsonUse Certutil.exe to download a file from a remote servercc-001.json
cc-002.jsonUse Bitsadmin.exe to download a file from a remote servercc-002.json

APT-29 Emulation

apt-29.json

ScenarioDescriptionLink
cn-001.jsonNative API call(s) were used to collect a screenshot.cn-001.json
cn-002.jsonExecute PowerShell from cmd.exe to collect and compress files of specific extensions.cn-002.json
cn-003.jsonLoad custom PowerShell module and take screenshots.cn-003.json
cn-004.jsonPerform e-mail collection from custom PowerShell module.cn-004.json
cn-005.jsonGet contents of clipboard.cn-005.json
ca-001.jsonDownload Mimikatz Binaryca-001.json
ca-002.jsonDumping credentials via wmidump (Mimikatz)cn-002.json
ca-003.jsonMimikatz lsadump::sam is executed via Invoke-Mimikatz to dump hashes via process injection into LSASS.ca-003.json
de-001.jsonInvoke UAC bypass sdctlde-001.json
de-002.jsonTimestomp kxwn.lockde-002.json
de-003.jsonDelete registry entries post-UAC Bypassde-003.json
dv-001.jsonTriage host for informationdv-001.json
dv-002.jsonThe net utility is executed via cmd to enumerate hosts within the domain.dv-002.json
dv-003.jsonDelete registry entries post-UAC Bypassdv-003.json
dv-004.jsonGet domain controller and curret user SID for the domaindv-004.json