Fixed broken links

Author: edoardo

CONTRIBUTING.md

@@ -3,7 +3,7 @@
 When contributing to this repository, please first discuss the change you wish to make via issue,
 email, or any other method with the owners of this repository before making a change. 
 
-Please note we have a [code of conduct](https://github.com/BlueTeamToolkit/sentinel-attack/tree/defcon/CODE_OF_CONDUCT.md), please follow it in all your interactions with the project.
+Please note we have a [code of conduct](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/CODE_OF_CONDUCT.md), please follow it in all your interactions with the project.
 
 ## Pull Request Process
 

dashboards/README.md

@@ -5,11 +5,11 @@ Uploading dashboards in Azure sentinel is quick and easy. The following steps mu
 
 1. Sign into your [Azure portal](https://portal.azure.com)
 2. Head to the Dashboards blade
-3. Download the [ATT&CK telemetry dashboard](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/dashboards/ATT%26CK%20telemetry.json) provided
+3. Download the [ATT&CK telemetry dashboard](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/dashboards/ATT%26CK%20telemetry.json) provided
 4. Click the **Upload** button on the toolbar located at the top of the webpage
 
 See the GIF below for a full demonstration:
 
-![demo](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/upload-dashboard.gif)
+![demo](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/upload-dashboard.gif)
 
-Next, if needed, you should [Upload selected Kusto queries into Sentinel analytics](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/detections/README.md).
+Next, if needed, you should [Upload selected Kusto queries into Sentinel analytics](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/detections/README.md).

detections/README.md

@@ -8,7 +8,7 @@ This folder contains 119 Kusto queries than can be used to:
 
 In aggregate the queries cover a total of 156 ATT&CK techniques:
 
-![coverage](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/sentinel_attack_coverage.JPG)
+![coverage](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/sentinel_attack_coverage.JPG)
 
 **DISCLAIMER:** Please note that this folder is work in progress and is constantly being updated. It is likely you will come across detections that might require some fine tuning to function 100%. If you spot any issues in the Kusto source code feel free to open an issue or submit a pull request.
 
@@ -30,15 +30,15 @@ Each detection rule provides the following information in the rule comments:
 
 Creating detection rules in Azure sentinel is done like so:
 
-![demo1](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/upload-detection-rules.gif)
+![demo1](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/upload-detection-rules.gif)
 
 ### Execute hunts for specific ATT&CK techniques
 
 The detection rules in this folder can also be used to conduct one-off threat hunts to try and discover specific ATT&CK techniques executed on a network, like so:
 
-![demo2](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/execute-hunts.gif)
+![demo2](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/execute-hunts.gif)
 
-Next, if needed, you could [Upload available threat hunting Jupyter notebooks in your Sentinel Azure workspace](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/hunting/README.md).
+Next, if needed, you could [Upload available threat hunting Jupyter notebooks in your Sentinel Azure workspace](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/hunting/README.md).
 
 ### ATT&CK coverage report
-ATT&CK coverage reports for the detection rules in this folder are available in [SVG](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/sentinel_attack_coverage.svg), [Excel](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/sentinel_attack_coverage.xlsx) and [ATT&CK navigator](https://mitre-attack.github.io/attack-navigator/enterprise/) [JSON format](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/sentinel_attack_coverage.json).
+ATT&CK coverage reports for the detection rules in this folder are available in [SVG](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/sentinel_attack_coverage.svg), [Excel](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/sentinel_attack_coverage.xlsx) and [ATT&CK navigator](https://mitre-attack.github.io/attack-navigator/enterprise/) [JSON format](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/sentinel_attack_coverage.json).

guides/Sysmon-onboarding-quickstart.md

@@ -5,29 +5,29 @@ This is a quick, super terse guide to onboarding Sysmon data to Azure Sentinel.
 
 - **Step 1: Provision a Windows 10 virtual machine (or machines) in your [Azure environment](https://portal.azure.com).**
 
-  You can follow microsoft's official documentation or use the included terraform [deployment script](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/lab) to quickly provision a lab. If you use the terraform script create a variables.tfvars file in the root directory, using the [variables.tfvars.txt](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/lab/variables.tfvars.txt) file as a template and making sure to complete all fields.
+  You can follow microsoft's official documentation or use the included terraform [deployment script](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/lab) to quickly provision a lab. If you use the terraform script create a variables.tfvars file in the root directory, using the [variables.tfvars.txt](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/lab/variables.tfvars.txt) file as a template and making sure to complete all fields.
 
 - **Step 2: Provision a log analytics workspace**
 
   The second step is to provision a log analytics workspace into which an Azure Sentinel will be deployed
 
-  ![demo1](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/deploy-analytics.gif)
+  ![demo1](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/deploy-analytics.gif)
 
 
 - **Step 3: Deploy an Azure Sentinel instance**
 
   The third step is to deploy the Azure Sentinel SIEM instance
 
-  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/defcon/docs/deploy-sentinel.gif)
+  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/deploy-sentinel.gif)
 
 - **Step 4: Install Sysmon and load the provided sysmon configuration file on virtual machines**
 
-  **NOTE:** If during step 1 you have deployed your lab using the included terraform [deployment script](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/lab) you can skip this step.
+  **NOTE:** If during step 1 you have deployed your lab using the included terraform [deployment script](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/lab) you can skip this step.
 
   In order for the virtual machines in your lab/network to send the correct data to Sentinel you must:
 
   1. Install Sysmon on the virtual machines to monitor; to do so follow the [official documentation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
-  2. Download the provided [sysmon configuration file](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/sysmonconfig.xml) on the virtual machines to monitor
+  2. Download the provided [sysmon configuration file](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/sysmonconfig.xml) on the virtual machines to monitor
   3. Load the conguration file by executing the following command within the directory containing _sysmonconfig.xml_ :
 
       ´´´
@@ -38,7 +38,7 @@ This is a quick, super terse guide to onboarding Sysmon data to Azure Sentinel.
 
   The fifth step is to enable the collection of security events
 
-  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/defcon/docs/enable-security-events.gif)
+  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/enable-security-events.gif)
 
 - **Step 6: Activate windows event logs as data sources**
 
@@ -50,14 +50,14 @@ This is a quick, super terse guide to onboarding Sysmon data to Azure Sentinel.
 
   **Note that _Microsoft-Windows-Sysmon/Operational_ does not appear in the drop down menu. You must hit enter after inputting the data source to add it to the list**
 
-  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/defcon/docs/enable-event-logs.gif)
+  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/enable-event-logs.gif)
 
 
 - **Step 7: Connect Virtual Machine(s) to Sentinel**
 
   The seventh step is to connect the virtual machine to Sentinel to being collecting sysmon data
 
-  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/defcon/docs/connect-vm.gif)
+  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/connect-vm.gif)
 
 
 - **Step 8: Check Sysmon data transmission**
@@ -68,12 +68,12 @@ This is a quick, super terse guide to onboarding Sysmon data to Azure Sentinel.
 
   **Note that at this stage raw, unparsed data is being sent to sentinel**
 
-  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/defcon/docs/data-test.gif)
+  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/data-test.gif)
 
 - **Step 9: Install Sysmon event parser**
 
   The final step is to install the windows event parser to ensure Sysmon events are stored and parsed according to the [OSSEM standard](https://github.com/Cyb3rWard0g/OSSEM) and to allow for compatibility with the repository's [detection rules](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/detections).
 
-  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/defcon/docs/install-parser.gif)
+  ![View demo](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/install-parser.gif)
 
-Next, you should [Install the ATT&CK telemetry dashboard on Azure](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/dashboards/README.md).
+Next, you should [Install the ATT&CK telemetry dashboard on Azure](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/dashboards/README.md).

guides/getting-started.md

@@ -2,10 +2,10 @@ Getting started guide
 =====
 Setting up Sentinel ATT&CK on Azure is quick and simple, the following steps must be performed:
 
-1. [Quickly spin-up a test lab on Azure Sentinel](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/lab/README.md) **(Optional)** 
-2. [Deploy Sentinel and onboard Sysmon data](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/guides/Sysmon-onboarding-quickstart.md)  
-3. [Install the ATT&CK telemetry dashboard on Azure](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/dashboards/README.md)
-4. [Upload selected Kusto queries into Sentinel analytics](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/detections/README.md) **(Optional)**
-5. [Upload available threat hunting Jupyter notebooks in Azure](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/hunting/README.md) **(Optional)** 
+1. [Quickly spin-up a test lab on Azure Sentinel](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/lab/README.md) **(Optional)** 
+2. [Deploy Sentinel and onboard Sysmon data](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/guides/Sysmon-onboarding-quickstart.md)  
+3. [Install the ATT&CK telemetry dashboard on Azure](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/dashboards/README.md)
+4. [Upload selected Kusto queries into Sentinel analytics](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/detections/README.md) **(Optional)**
+5. [Upload available threat hunting Jupyter notebooks in Azure](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/hunting/README.md) **(Optional)** 
 
 Please note that this documentation is under active development and will be updated frequently.

hunting/README.md

@@ -12,23 +12,23 @@ This folder contains a Jupyter notebook to help with process investigations and
 
 a) gaining a high-level overview of ATT&CK tactics executed within a network and mapped against the [killchain](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html):
 
-![demo1](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/killchain-overview.png)
+![demo1](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/killchain-overview.png)
 
 b) generating a summary of ATT&CK techniques executed on a machine:
 
-![demo2](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/technique-overview.png)
+![demo2](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/technique-overview.png)
 
 c) inspecting individual ATT&CK techniques to extract and examine processes (by event ID) executed by attackers:
 
-![demo3](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/process-overview.png)
+![demo3](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/process-overview.png)
 
 ## Installation 
 
 Installing this notebook is quick and easy, to do so you must follow the steps outlined in the GIF below:
 
-![demo4](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/docs/upload-notebook.gif)
+![demo4](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/upload-notebook.gif)
 
-You must also ensure to upload the [config.ini](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/hunting/config.ini) file provided and to complete all relevant credentials.
+You must also ensure to upload the [config.ini](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/hunting/config.ini) file provided and to complete all relevant credentials.
 
 ## Caveats
 

lab/README.md

@@ -4,7 +4,7 @@ This terraform script provisions a win 10 machine and runs a post-deployment scr
 
 # Set-up
 1. Install/configure/authenticate Terraform following [these Microsoft docs](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure).
-2. Create a _variables.tfvars_ file in the root directory, using the [_variables.tfvars.txt_](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/lab/variables.tfvars.txt) file as a template and making sure to complete all fields. 
+2. Create a _variables.tfvars_ file in the root directory, using the [_variables.tfvars.txt_](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/lab/variables.tfvars.txt) file as a template and making sure to complete all fields. 
 
     **The _variables.tfvars_ file is the heart of the terraform playbook** and it allows:
     - To securely specify authentication credentials (the file is ignored by git)
@@ -20,4 +20,4 @@ This terraform script provisions a win 10 machine and runs a post-deployment scr
 
     ```terraform apply --var-file="variables.tfvars"```
 
-As a next step you should [Deploy Sentinel and onboard Sysmon data](https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/guides/Sysmon-onboarding-quickstart.md). 
+As a next step you should [Deploy Sentinel and onboard Sysmon data](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/guides/Sysmon-onboarding-quickstart.md).