├── .github └── workflows │ └── build.yml ├── .meta.json ├── Data Collection ├── .gitignore ├── Anomaly Detection │ ├── README.md │ └── anomdetsketch.png ├── Automated Malware Analysis │ ├── README.md │ └── malwareclassification.png ├── README.md └── tactics │ ├── .meta.json │ ├── Command and Control │ ├── .gitkeep │ ├── README.md │ └── T1071 │ │ ├── README.md │ │ ├── T1071.001 │ │ └── README.md │ │ └── T1071.002 │ │ └── README.md │ ├── Credential Access │ ├── .gitkeep │ ├── README.md │ ├── T1003 │ │ ├── README.md │ │ └── T1003.001 │ │ │ └── README.md │ ├── T1056 │ │ ├── README.md │ │ └── T1056.001 │ │ │ └── README.md │ └── T1110 │ │ ├── README.md │ │ └── T1110.003 │ │ └── README.md │ ├── Defence Evasion │ ├── .gitkeep │ ├── README.md │ ├── T1070 │ │ ├── README.md │ │ └── T1070.004 │ │ │ └── README.md │ └── T1140 │ │ └── README.md │ ├── Discovery │ ├── .gitkeep │ ├── README.md │ ├── T1016 │ │ └── README.md │ ├── T1083 │ │ └── README.md │ └── T1087 │ │ ├── README.md │ │ ├── T1087.001 │ │ └── README.md │ │ └── T1087.002 │ │ └── README.md │ ├── Execution │ ├── .gitkeep │ ├── README.md │ └── T1059 │ │ ├── README.md │ │ ├── T1059.001 │ │ └── README.md │ │ ├── T1059.003 │ │ └── README.md │ │ └── T1059.005 │ │ └── README.md │ ├── Lateral Movement │ ├── .gitkeep │ ├── README.md │ ├── T1021 │ │ ├── README.md │ │ ├── T1021.001 │ │ │ └── README.md │ │ └── T1021.002 │ │ │ └── README.md │ └── T1570 │ │ └── README.md │ ├── Persistence │ ├── .gitkeep │ ├── README.md │ ├── T1053 │ │ ├── README.md │ │ ├── T1053.002 │ │ │ └── README.md │ │ └── T1053.005 │ │ │ └── README.md │ ├── T1078 │ │ ├── README.md │ │ ├── T1078.001 │ │ │ └── README.md │ │ ├── T1078.002 │ │ │ └── README.md │ │ └── T1078.003 │ │ │ └── README.md │ └── T1547 │ │ ├── README.md │ │ └── T1547.001 │ │ └── README.md │ └── Privilege Escalation │ ├── .gitkeep │ ├── README.md │ ├── T1053 │ ├── README.md │ ├── T1053.002 │ │ └── README.md │ └── T1053.005 │ │ └── README.md │ ├── T1078 │ ├── README.md │ ├── T1078.001 │ │ └── 
README.md │ ├── T1078.002 │ │ └── README.md │ └── T1078.003 │ │ └── README.md │ └── T1543 │ ├── README.md │ └── T1543.003 │ └── README.md ├── Enrichment ├── Feature-Extractor │ ├── .gitkeep │ └── README.md ├── README.md ├── Threat Intelligence │ ├── .gitkeep │ ├── Mitre Att&ck │ │ ├── .gitkeep │ │ └── README.md │ ├── Open Source Intelligence │ │ ├── README.md │ │ ├── analyze_ip_address.ipynb │ │ ├── finnish_domains.ipynb │ │ └── upload_file_to_virustotal.ipynb │ └── README.md └── Time Series Analysis and Log Anomaly Detection │ └── README.md ├── Eradicate-Recover └── README.md ├── Hypotheses ├── .gitignore ├── README.md ├── Risk Management │ ├── Plan Implementation │ │ └── README.md │ ├── README.md │ ├── Reporting │ │ └── README.md │ ├── Risk Assessment │ │ ├── Hypotheses │ │ │ ├── README.md │ │ │ ├── hypothesis1.md │ │ │ └── hypothesis2.md │ │ ├── README.md │ │ ├── Risk Analysis │ │ │ └── README.md │ │ ├── Risk Evaluation │ │ │ └── README.md │ │ ├── Risk Identification │ │ │ └── README.md │ │ └── Risk to Threat │ │ │ └── README.md │ ├── Risk Mitigation Plan │ │ └── README.md │ └── Risk Monitoring │ │ └── README.md └── Threat Modeling │ ├── Methodologies │ ├── Attack Tree │ │ ├── .gitignore │ │ ├── README.md │ │ └── attack.gif │ ├── CVSS │ │ └── README.md │ ├── DREAD │ │ ├── .gitignore │ │ └── README.md │ ├── MITRE ATT&CK │ │ └── README.md │ ├── Mitre Atlas │ │ ├── .gitkeep │ │ └── README.md │ ├── OCTAVE │ │ └── README.md │ ├── OWASP │ │ ├── .README.md.swp │ │ └── README.md │ ├── PASTA │ │ └── README.md │ ├── README.md │ ├── STRIDE │ │ └── README.md │ ├── Security Cards │ │ ├── README.md │ │ └── impunity.png │ ├── Trike │ │ └── README.md │ └── hTMM │ │ └── README.md │ └── README.md ├── Improvements └── README.md ├── Lessons Learned └── README.md ├── Preparation ├── .gitignore ├── .meta.json ├── AI │ ├── README.md │ ├── Secure and Privacy-preserving Machine Learning │ │ ├── README.md │ │ ├── lib │ │ │ └── common.py │ │ └── tf_encrypted.ipynb │ └── cyberdatalake.png 
├── Incident Response Tools and Tracking │ ├── MISP │ │ ├── .gitkeep │ │ └── README.md │ ├── README.md │ └── TheHive │ │ ├── .gitkeep │ │ └── README.md ├── README.md ├── Security Controls │ ├── EDR │ │ ├── .gitkeep │ │ ├── README.md │ │ └── Wazuh │ │ │ ├── .gitkeep │ │ │ └── README.md │ ├── IDS │ │ └── IPS │ │ │ ├── .gitkeep │ │ │ ├── README.md │ │ │ └── Snort │ │ │ ├── .gitkeep │ │ │ └── README.md │ ├── MFA │ │ ├── .gitkeep │ │ └── README.md │ └── SIEM │ │ ├── .gitkeep │ │ ├── Elastic SIEM │ │ ├── .gitkeep │ │ └── README.md │ │ └── README.md └── Threat Hunting Tools │ ├── Honeypots │ ├── .gitkeep │ ├── Cowrie │ │ ├── .gitkeep │ │ └── README.md │ └── README.md │ ├── Jupyter Notebooks │ ├── .gitkeep │ └── README.md │ └── README.md ├── Prepare_Hunt_Respond_Poster.pdf ├── README.md ├── Threat Hunting ├── README.md └── Threat Hunting with Jupyter Notebooks │ ├── README.md │ ├── threat_hunting_IDS2018.ipynb │ └── threat_hunting_deepblue.ipynb ├── Triage-Respond ├── .meta.json ├── Investigations │ ├── .gitkeep │ ├── CyberChef │ │ ├── .gitkeep │ │ └── README.md │ ├── Memory-Forensics │ │ ├── Analyzing-memory-dump.md │ │ ├── Autovola.md │ │ ├── README.md │ │ ├── binary-virustotal-results.png │ │ └── malfind-virustotal-results.png │ ├── README.md │ ├── data_breach_checklist.md │ ├── ddos_attack_checklist.md │ ├── firewalls_checklist.md │ ├── large_scale_attack_checklist.md │ ├── malware_infection_checklist.md │ ├── network_device_checklist.md │ ├── recon_phishing_social_engineering_checklist.md │ ├── server_checklist.md │ └── workstation_checklist.md ├── README.md └── Triage │ ├── .gitkeep │ └── README.md └── _images ├── .gitkeep ├── JYVSECTEC-logo2.png ├── JYVSECTEC_by_jamk.png ├── OKM-logo1.png ├── Prepare_Hunt_Respond.png ├── jamk-logo1.png └── polamk-logo1.png /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | pull_request: 7 | branches: [ master ] 
8 | 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v2 14 | 15 | - name: Trigger jekyll workflow on jyvsectec.github.io repo 16 | run: | 17 | curl -XPOST \ 18 | -u "${{ secrets.PAT_USERNAME}}:${{secrets.PAT_TOKEN}}" \ 19 | -H "Accept: application/vnd.github.everest-preview+json" \ 20 | -H "Content-Type: application/json" https://api.github.com/repos/JYVSECTEC/jyvsectec.github.io/actions/workflows/jekyll.yml/dispatches \ 21 | --data '{"ref": "main"}' 22 | -------------------------------------------------------------------------------- /.meta.json: -------------------------------------------------------------------------------- 1 | { 2 | "child_order": [ 3 | "Preparation", 4 | "Hypotheses", 5 | "Data Collection", 6 | "Enrichment", 7 | "Playbooks", 8 | "Triage-Respond", 9 | "Eradicate-Recover", 10 | "Lessons Learned", 11 | "Improvements" 12 | ] 13 | } -------------------------------------------------------------------------------- /Data Collection/.gitignore: -------------------------------------------------------------------------------- 1 | !.gitignore 2 | -------------------------------------------------------------------------------- /Data Collection/Anomaly Detection/anomdetsketch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/Anomaly Detection/anomdetsketch.png -------------------------------------------------------------------------------- /Data Collection/Automated Malware Analysis/README.md: -------------------------------------------------------------------------------- 1 | # Malware classification with machine learning 2 | 3 | Traditionally, antivirus software compares hash signatures against malware databases to verify whether suspected executables are malicious. Malware variants that use packing or obfuscation techniques can circumvent this verification easily.
Data analysis and machine learning methods can be used to analyze executable files and detect such malware variants as well. 4 | 5 | A 2020 research survey describes different methods that could be utilized in [The rise of machine learning for detection and classification of malware: Research developments, trends and challenges](https://www.sciencedirect.com/science/article/pii/S1084804519303868). The paper provides a good overview of malware detection algorithms, ways to extract features from executable files and datasets on which to evaluate classification. Features that can be extracted from executable files are divided into two categories: static and dynamic. Feature engineering, a practice where domain expertise is used to extract relevant features from raw data, plays an important role in creating a capable malware-classifying machine learning model. 6 | 7 | ### Static features 8 | 9 | A number of features can be gathered from the file without running it, making static analysis quick and risk-free. Windows executable files, for example, have PE headers, where fields such as the Import Address Table (IAT) can be useful in determining whether the file is malicious. The research survey lists other features that can be extracted using static methods: 10 | * Searching for all the text inside the executable, which could reveal file paths or IP addresses that the file will use. This is a simple method and can be performed, for example, with the Linux command `strings`. 11 | * Listing all the imported functions to gain insight into the functionality of the file. [The open source tool Dependencies](https://github.com/lucasg/Dependencies) can be used to extract the imported functions. 12 | * Analyzing headers and sections of the PE file.
[A Malwarebytes blog post lists five PE analysis tools here.](https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/) 13 | * PE file `.text` sections can contain encrypted code that is decrypted at runtime using a decryption stub. The amount of encrypted code segments and sections labeled `.stub` could be an indication of malware. 14 | * Disassembling the program and performing automated analysis on the assembly code. [Xori is an open source automation-ready disassembly tool; it requires installation of Rust.](https://github.com/endgameinc/xori) 15 | 16 | ### Dynamic features 17 | 18 | Dynamic features are gathered when the file is executed in a secure sandbox environment, enabling the analysis of function calls, network traffic or file system modifications that the file performs. Extracting features from a sandbox is time and resource consuming compared to static analysis. Some malware is able to detect sandbox environments or is coded to delay its malicious actions for days after execution, making it seem benign under quick analysis. 19 | 20 | [Cuckoo Sandbox](https://cuckoosandbox.org/) is an open source automated malware analysis system which generates reports from executed files. The sandbox can simulate realistic Android, Linux, macOS and Windows operating system environments. 21 | 22 | # Creating a malware detection system 23 | 24 | ### Gather data 25 | 26 | The first thing needed is a directory with clean Portable Executable (PE) samples and malware PE samples. 27 | 28 | 1. Clean PE samples can be acquired, for example, from a personal Windows computer. 29 | 2. Malware PE samples can be acquired online, for example, from VirusShare or the theZoo GitHub repository. 30 | * https://virusshare.com/ 31 | * https://github.com/ytisf/theZoo 32 | 33 | ### Create dataset from gathered data 34 | 35 | When clean and malicious PE samples have been downloaded, a dataset to train the classifier needs to be created.
Static features, as shown in the picture below, can be extracted from the PE file. ![Static malware classification](https://github.com/JYVSECTEC/PHR-model/blob/master/Data%20Collection/Automated%20Malware%20Analysis/malwareclassification.png?raw=true) 36 | 37 | The n-grams, function names and embedded text are extracted into columns of a dataset where one row is one PE file sample. Some research has also used a method where images are created from executable files, and the image is used as a feature to analyze whether the file is malicious or not. One such dataset is the [MalImg dataset](https://vision.ece.ucsb.edu/abstract/563). 38 | 39 | ### Training a model from the created dataset 40 | 41 | Machine learning models, such as a random forest classifier, can be trained using the PE file dataset. The random forest algorithm also provides insight into which features are most useful in classifying a file as a clean or malware sample. Neural networks can create a classifier from large numbers of features, possibly with better accuracy, but they require more processing power and data than training classical machine learning algorithms. 42 | 43 | ### Example open source system 44 | 45 | The [Malware Classification using classical Machine Learning and Deep Learning repository](https://github.com/pratikpv/malware_detect2) provides an example implementation, where PE file features are extracted to train multiple different machine learning algorithms to detect malicious files. Deep learning is also utilized by converting binaries to grayscale images and training neural networks, such as convolutional neural networks, with the images. The project utilizes Python and its machine learning libraries Scikit-learn and PyTorch. The researchers using the system gained on average 92% classification accuracy with the best neural network models, though on some malware families the accuracy drops to 64%.
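The dataset step above (embedded text, header facts and byte n-grams becoming one row per PE sample) as an added, self-contained example that is not part of this repository or the malware_detect2 project: it parses only the MZ/PE signatures and the section table (no optional header or import table), runs a `strings`-style scan, counts byte 2-grams, and writes rows to CSV. The PE-shaped byte blobs are constructed in the block and are not real executables; the column names and the `.stub` heuristic are this example's own choices.

```python
import csv
import io
import re
import struct
from collections import Counter

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{5,}")          # "strings"-style extraction
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")


def build_sample_pe(section_names=(b".text", b".stub"), payload=b"") -> bytes:
    """Constructed stand-in for a PE file: MZ stub, PE signature at e_lfanew,
    a COFF header with no optional header, a section table and a payload.
    Not a runnable executable, just enough structure for the parser below."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        name.ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", 0, 0x1000, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + table + payload


def parse_pe_headers(data: bytes) -> dict:
    """Validate the MZ/PE signatures and list section names (40-byte entries)."""
    invalid = {"valid_pe": False, "num_sections": 0, "section_names": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return invalid
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return invalid
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break                                   # truncated section table
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return {"valid_pe": True, "num_sections": num_sections, "section_names": names}


def extract_strings(data: bytes) -> list:
    """Runs of five or more printable ASCII bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def byte_bigrams(data: bytes, top: int = 8) -> dict:
    """Most frequent byte 2-grams, hex-named so they can become dataset columns."""
    counts = Counter(data[i:i + 2] for i in range(len(data) - 1))
    return {"bg_" + g.hex(): c for g, c in counts.most_common(top)}


def feature_row(data: bytes, label: str) -> dict:
    """One dataset row per sample: header facts, string-derived flags, n-gram counts."""
    hdr = parse_pe_headers(data)
    strings = extract_strings(data)
    row = {
        "label": label,
        "size": len(data),
        "valid_pe": int(hdr["valid_pe"]),
        "num_sections": hdr["num_sections"],
        "num_stub_sections": sum(1 for n in hdr["section_names"] if n == ".stub"),
        "num_strings": len(strings),
        "has_ipv4_string": int(any(IPV4.search(s) for s in strings)),
        "has_win_path_string": int(any(WIN_PATH.match(s) for s in strings)),
    }
    row.update(byte_bigrams(data))
    return row


def rows_to_csv(rows: list) -> str:
    """Union the per-row columns (n-gram names differ per sample) and emit CSV."""
    columns = []
    for row in rows:
        columns.extend(c for c in row if c not in columns)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval=0)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a "clean" file with ordinary sections and a "malware"
    # file with a .stub section, an embedded Windows path and an IPv4 string.
    clean = build_sample_pe((b".text", b".data"), b"\x55\x8b\xec" * 16 + b"Hello, world!\x00")
    bad = build_sample_pe(payload=b"\x90" * 16 + b"C:\\Users\\Public\\drop.exe\x00203.0.113.10\x00")
    print(rows_to_csv([feature_row(clean, "clean"), feature_row(bad, "malware")]))
```

The CSV produced this way is the input a random forest or neural network would be trained on; for real samples the imported-function columns would come from a full PE parser such as pefile.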
46 | -------------------------------------------------------------------------------- /Data Collection/Automated Malware Analysis/malwareclassification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/Automated Malware Analysis/malwareclassification.png -------------------------------------------------------------------------------- /Data Collection/tactics/.meta.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "By Mitre ATT&CK" 3 | } -------------------------------------------------------------------------------- /Data Collection/tactics/Command and Control/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Command and Control/.gitkeep -------------------------------------------------------------------------------- /Data Collection/tactics/Command and Control/README.md: -------------------------------------------------------------------------------- 1 | # Command and Control 2 | 3 | ## Description 4 | 5 | Command and control (C&C) is a tactic category where the adversary remotely controls systems they have compromised in the target environment. The servers used to control compromised machines usually reside outside of the victim network, on the Internet. 6 | 7 | Adversaries use various methods to hide their communication. Common network protocols, such as HTTP and DNS are often used for communication to mimic normal network traffic occurring in the environment. 
Data obfuscation and encryption techniques also make it harder to detect and analyze command and control traffic. 8 | 9 | ## References 10 | 11 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0011/) 12 | 13 | -------------------------------------------------------------------------------- /Data Collection/tactics/Command and Control/T1071/README.md: -------------------------------------------------------------------------------- 1 | # T1071 - Application Layer Protocol 2 | 3 | ## Sub techniques 4 | 5 | * [T1071.001 - Web Protocols](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Command%20and%20Control/T1071/T1071.001/README.md) 6 | * [T1071.002 - File Transfer Protocols](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Command%20and%20Control/T1071/T1071.002/README.md) 7 | -------------------------------------------------------------------------------- /Data Collection/tactics/Command and Control/T1071/T1071.001/README.md: -------------------------------------------------------------------------------- 1 | # T1071.001 - Web Protocols 2 | 3 | ## Description 4 | 5 | Adversaries may use standard application layer protocols that are used in every IT environment to blend their command and control traffic within normal network communications. 6 | 7 | Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. 8 | 9 | ## Event Mapping 10 | 11 | * Event ID 3: Network connection 12 | 13 | Sysmon can be used to monitor process network connection events (ID 3).
These events should be filtered by process name or destination IP to only include suspicious network activity, such as processes that should not normally communicate with the Internet or that are communicating with unusual destinations. 14 | 15 | ## References 16 | 17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1071/001/) 18 | 19 | [Event ID 3](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection) 20 | -------------------------------------------------------------------------------- /Data Collection/tactics/Command and Control/T1071/T1071.002/README.md: -------------------------------------------------------------------------------- 1 | # T1071.002 - File Transfer Protocols 2 | 3 | ## Description 4 | 5 | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 6 | 7 | Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. 8 | 9 | ## Event Mapping 10 | 11 | * Event ID 3: Network connection 12 | 13 | Sysmon can be used to monitor process network connection events (ID 3). These events should be filtered by port numbers associated with file transfer protocols (e.g. FTP/21, TFTP/69, SMB/445).
14 | 15 | ## References 16 | 17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1071/002/) 18 | 19 | [Event ID 3](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection) 20 | -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Credential Access/.gitkeep -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/README.md: -------------------------------------------------------------------------------- 1 | # Credential Access 2 | 3 | ## Description 4 | 5 | Credential access tactic category consists of techniques that adversaries use to steal credentials, such as account names and passwords. Stealing legitimate credentials can give an adversary access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. 
6 | 7 | ## References 8 | 9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0006/) 10 | -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/T1003/README.md: -------------------------------------------------------------------------------- 1 | # T1003 - OS Credential Dumping 2 | 3 | ## Sub techniques 4 | 5 | * [T1003.001 - LSASS Memory](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Credential%20Access/T1003/T1003.001/README.md) 6 | -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/T1003/T1003.001/README.md: -------------------------------------------------------------------------------- 1 | # T1003.001 - LSASS Memory 2 | 3 | ## Description 4 | 5 | Windows stores credentials in several databases and processes. The Security Account Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer. Passwords are stored in the SAM as LM or NTLM hashes. When a user logs on, the credentials are stored in the Local Security Authority Subsystem Service (LSASS) process, which is part of the Local Security Authority (LSA) subsystem. LSA maintains information about all aspects of local security in a system and its components run in the context of the Lsass.exe process. These credential materials can be harvested by an administrative user or SYSTEM. 6 | 7 | Many tools exist for accessing credential data stored in the SAM or LSASS, such as ProcDump or Mimikatz. Mimikatz is a Windows tool developed by Benjamin Delpy to learn more about Windows credentials. It can be used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets directly from memory. While the Mimikatz binary can be directly executed on a target system, more sophisticated methods exist that allow executing Mimikatz from memory or remotely.
8 | 9 | ## Event Mapping 10 | 11 | * Event ID 7: Image loaded 12 | 13 | One approach to detecting Mimikatz is to look for the specific Windows DLL modules it loads when executed. This approach is effective since it does not depend on which process loads the code or whether Mimikatz is executed from disk or memory. 14 | 15 | Sysmon event ID 7 records DLL modules loaded into a process. 16 | 17 | ## References 18 | 19 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1003/001/) 20 | 21 | 22 | [Event ID 7](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded) 23 | -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/T1056/README.md: -------------------------------------------------------------------------------- 1 | # T1056 - Input Capture 2 | 3 | ## Sub techniques 4 | 5 | * [T1056.001 - Keylogging](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Credential%20Access/T1056/T1056.001/README.md) 6 | -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/T1056/T1056.001/README.md: -------------------------------------------------------------------------------- 1 | # T1056.001 - Keylogging 2 | 3 | ## Description 4 | 5 | Keylogging is the most widely used input capture method, where the adversary installs software that records the user's keystrokes and sends them back to the adversary. Other common methods include presenting fake credential prompts to the user, injecting code into login pages or wrapping the Windows default credential provider.
6 | 7 | ## Event Mapping 8 | 9 | * Event ID 12: RegistryEvent (Object create and delete) 10 | 11 | Windows stores credential provider definitions in the registry location: 12 | 13 | * HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\CredentialProviders 14 | 15 | Creation of a new credential provider can be detected by monitoring Sysmon registry modification events for the CredentialProviders location. 16 | 17 | ## References 18 | 19 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1056/001/) 20 | 21 | 22 | [Event ID 12](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) 23 | -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/T1110/README.md: -------------------------------------------------------------------------------- 1 | # T1110 - Brute Force 2 | 3 | ## Sub techniques 4 | 5 | * [T1110.003 - Password Spraying](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Credential%20Access/T1110/T1110.003/README.md) 6 | -------------------------------------------------------------------------------- /Data Collection/tactics/Credential Access/T1110/T1110.003/README.md: -------------------------------------------------------------------------------- 1 | # T1110.003 - Password Spraying 2 | 3 | ## Description 4 | 5 | Brute force is a credential access technique where an adversary attempts to access user accounts without knowledge of the password. The adversary may attempt logins with a list of commonly used passwords. This method usually leads to numerous failed logins, which can trigger alarms or account lockouts. A more sophisticated strategy, called password spraying, uses a single password or a small list of passwords against many different accounts to avoid triggering account lockouts or alarms.
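Telling the two patterns apart in failed-logon data is what the event mapping for this technique (Event IDs 4625 and 4771) is for: brute force shows up as many failures against one account, spraying as one or two failures each against many accounts from the same source. The detector below is an added example, not part of this repository; it reads a constructed, already-flattened log (real events are XML, but TargetUserName and IpAddress exist in both 4625 and 4771) and slides a per-source window over it. The window size and thresholds are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d{4})\s+TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)


def constructed_sample_log() -> list:
    """Constructed failed-logon lines: one spraying source, one brute-force
    source and one benign user who mistyped a password twice."""
    base = datetime(2024, 3, 4, 8, 0, 0)
    lines = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]):
        ts = (base + timedelta(seconds=8 * i)).isoformat()
        lines.append(f"{ts} EventID=4625 TargetUserName={user} IpAddress=10.0.0.5")
    for i in range(12):       # Kerberos pre-auth failures; 4771 reports IPv4-mapped IPv6
        ts = (base + timedelta(hours=1, seconds=20 * i)).isoformat()
        lines.append(f"{ts} EventID=4771 TargetUserName=bob IpAddress=::ffff:10.0.0.9")
    for i in range(2):
        ts = (base + timedelta(hours=3, seconds=30 * i)).isoformat()
        lines.append(f"{ts} EventID=4625 TargetUserName=carol IpAddress=10.0.0.20")
    return lines


def parse_events(lines) -> list:
    """Keep only 4625/4771 lines; normalise account case and the ::ffff: prefix."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["id"] not in ("4625", "4771"):
            continue
        ip = m["ip"]
        if ip.startswith("::ffff:"):
            ip = ip[len("::ffff:"):]
        events.append({"ts": datetime.fromisoformat(m["ts"]), "event_id": int(m["id"]),
                       "user": m["user"].lower(), "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_logon_patterns(events, window=timedelta(minutes=10),
                                 spray_min_accounts=5, spray_max_per_account=2,
                                 brute_min_failures=10) -> list:
    """Per source IP, slide a time window and report the strongest spraying
    window (many accounts, few failures each) and brute-force window (one
    account, many failures). Thresholds are assumptions for this example."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in sorted(by_ip.items()):
        best = {}
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            top_user, top_count = per_user.most_common(1)[0]
            if len(per_user) >= spray_min_accounts and top_count <= spray_max_per_account:
                cand = {"ip": ip, "kind": "password_spraying", "accounts": len(per_user),
                        "failures": end - start + 1, "first": evs[start]["ts"], "last": evs[end]["ts"]}
                if cand["accounts"] > best.get("password_spraying", {}).get("accounts", 0):
                    best["password_spraying"] = cand
            if top_count >= brute_min_failures:
                cand = {"ip": ip, "kind": "brute_force", "account": top_user,
                        "failures": top_count, "first": evs[start]["ts"], "last": evs[end]["ts"]}
                if top_count > best.get("brute_force", {}).get("failures", 0):
                    best["brute_force"] = cand
        findings.extend(best.values())
    return findings


if __name__ == "__main__":
    for f in detect_failed_logon_patterns(parse_events(constructed_sample_log())):
        print(f)
```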
6 | 7 | ## Event Mapping 8 | 9 | * Event ID 4625: An account failed to log on 10 | * Event ID 4771: Kerberos pre-authentication failed 11 | 12 | Brute force attempts can be detected by monitoring operating system authentication logs for an unusually high number of failed logins. Windows logs several authentication failure related events, such as ID 4625 and ID 4771. Event ID 4625 is generated on the local computer when a logon fails. Event ID 4771 is generated on a domain controller when the Kerberos Key Distribution Center fails to issue a Ticket Granting Ticket (TGT). This event occurs when a user fails to authenticate using domain credentials. 13 | 14 | The Audit Logon policy must be enabled through Windows Group Policy to log event ID 4625 (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Logon) 15 | 16 | The Audit Kerberos Authentication Service policy must be enabled through Windows Group Policy to log event ID 4771 (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Logon → Audit Kerberos Authentication Service) 17 | 18 | ## References 19 | 20 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1110/003/) 21 | 22 | [Event ID 4625](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625) 23 | 24 | [Event ID 4771](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771) 25 | -------------------------------------------------------------------------------- /Data Collection/tactics/Defence Evasion/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Defence Evasion/.gitkeep -------------------------------------------------------------------------------- /Data Collection/tactics/Defence Evasion/README.md:
-------------------------------------------------------------------------------- 1 | # Defence Evasion 2 | 3 | ## Description 4 | 5 | Adversaries utilize defense evasion techniques to avoid being detected. Defense evasion has become more important to adversaries as detection and defense technologies have become more sophisticated and their adoption has increased. Common techniques in this tactic category include uninstalling/disabling security software, removing evidence and obfuscating/encrypting data. 6 | 7 | ## References 8 | 9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0005/) 10 | -------------------------------------------------------------------------------- /Data Collection/tactics/Defence Evasion/T1070/README.md: -------------------------------------------------------------------------------- 1 | # T1070 - Indicator Removal on Host 2 | 3 | ## Sub techniques 4 | 5 | * [T1070.004 - File Deletion](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Defence%20Evasion/T1070/T1070.004/README.md) 6 | -------------------------------------------------------------------------------- /Data Collection/tactics/Defence Evasion/T1070/T1070.004/README.md: -------------------------------------------------------------------------------- 1 | # T1070.004 - File Deletion 2 | 3 | ## Description 4 | 5 | Adversaries often create files and download tools or malware to target systems for execution. These files can trigger detection by security defenses or leave clues for investigators. To prevent this, adversaries may delete the files over the course of an intrusion or at the end as part of the post-intrusion cleanup process. 6 | 7 | Operating systems have built-in tools for deleting files, such as the DEL command in Windows cmd.exe or the Remove-Item cmdlet in PowerShell. There are also many external tools which can be used to delete files. One such tool known to be used by adversary groups is the Windows Sysinternals SDelete.
8 | 9 | ## Event Mapping 10 | 11 | * Event ID 23: FileDelete 12 | 13 | Sysmon generates event ID 23 when a file is deleted. 14 | 15 | ## References 16 | 17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1070/004/) 18 | 19 | 20 | [Event ID 23](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-23-filedelete-a-file-delete-was-detected) 21 | -------------------------------------------------------------------------------- /Data Collection/tactics/Defence Evasion/T1140/README.md: -------------------------------------------------------------------------------- 1 | # T1140 - Deobfuscate/Decode Files or Information 2 | 3 | ## Description 4 | 5 | File/information obfuscation can prevent signature-based security software from detecting the execution and make post-incident investigation harder. Common obfuscation techniques include encoding, compression and encryption. Command-line interfaces have many built-in features that can be used to obfuscate information, such as environment variables, aliases and the ability to receive commands from the standard input stream. 6 | 7 | Detecting obfuscation can be challenging using traditional string matching techniques, since the obfuscated data does not usually contain predictable patterns. One way to detect obfuscation is to look for suspicious escape characters, e.g. `^` and `"`, included in commands. Another approach is to use statistical methods to analyze the entropy and frequency of characters to detect anomalies. 8 | 9 | ## Event Mapping 10 | 11 | * Event ID 4103: Module Logging 12 | 13 | PowerShell can interpret commands encoded using Base64 encoding. PowerShell module logging (ID 4103) records the options used with execution as well as the de-obfuscated commands.
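The two detection approaches named above (escape-character counting and entropy/character-frequency statistics), plus recovery of a Base64-encoded PowerShell command as module logging would show it, as an added example that is not part of this repository. Sample command lines are constructed and benign; the thresholds in `is_suspicious` and the set of `-EncodedCommand` spellings matched are this example's assumptions.

```python
import base64
import binascii
import math
import re
from collections import Counter

ESCAPE_CHARS = '^"'                       # the escape characters called out above
# Common spellings of the PowerShell EncodedCommand switch followed by a Base64 blob (assumed set).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def shannon_entropy(text: str) -> float:
    """Bits per character; ~3.4 for a short plain command, higher for encoded blobs."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def decode_encoded_command(cmd: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16le")       # PowerShell expects UTF-16LE inside the Base64
    except UnicodeDecodeError:
        return raw.decode("utf-8", "replace")


def score_command_line(cmd: str) -> dict:
    """Per-command metrics: entropy, escape-character count, share of non-alphanumerics."""
    non_space = cmd.replace(" ", "")
    specials = sum(1 for ch in non_space if not ch.isalnum())
    return {
        "entropy": round(shannon_entropy(cmd), 3),
        "escape_count": sum(cmd.count(ch) for ch in ESCAPE_CHARS),
        "special_ratio": round(specials / len(non_space), 3) if non_space else 0.0,
        "decoded": decode_encoded_command(cmd),
    }


def is_suspicious(metrics: dict, max_escapes=3, max_entropy=4.5, max_special_ratio=0.35) -> bool:
    """Assumed thresholds; tune against a baseline of your own command-line telemetry."""
    return (metrics["decoded"] is not None
            or metrics["escape_count"] >= max_escapes
            or metrics["entropy"] >= max_entropy
            or metrics["special_ratio"] >= max_special_ratio)


# Constructed samples: a plain admin command, a caret-padded cmd.exe line and an
# encoded PowerShell command whose payload is just Write-Output.
SAMPLE_PLAIN = "ipconfig /all"
SAMPLE_CARETS = "c^m^d /c e^c^h^o hello"
SAMPLE_ENCODED = "powershell.exe -nop -enc " + base64.b64encode(
    "Write-Output hello".encode("utf-16le")).decode("ascii")

if __name__ == "__main__":
    for cmd in (SAMPLE_PLAIN, SAMPLE_CARETS, SAMPLE_ENCODED):
        m = score_command_line(cmd)
        print(is_suspicious(m), m)
```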
14 | 15 | ## References 16 | 17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1140/) 18 | -------------------------------------------------------------------------------- /Data Collection/tactics/Discovery/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Discovery/.gitkeep -------------------------------------------------------------------------------- /Data Collection/tactics/Discovery/README.md: -------------------------------------------------------------------------------- 1 | # Discovery 2 | 3 | ## Description 4 | 5 | Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. 6 | 7 | ## References 8 | 9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0007/) 10 | -------------------------------------------------------------------------------- /Data Collection/tactics/Discovery/T1016/README.md: -------------------------------------------------------------------------------- 1 | # T1016 - System Network Configuration Discovery 2 | 3 | ## Description 4 | 5 | System Network Configuration Discovery is a technique where the adversary looks for details about the network configuration of the target system. Many native Windows tools exist for querying information about the network configuration, such as ipconfig for IP, DNS and network adapter information, arp for displaying the ARP-table content and route for displaying the routing table. 
PowerShell has cmdlets that display similar information, such as Get-NetAdapter, Get-NetIPAddress and Get-NetRoute.

## Event Mapping

* Event ID 1: Process creation

Tools used in this technique can be detected by monitoring specific process command-line arguments (e.g. ipconfig or route print) in Sysmon Event ID 1.

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1016/)

[ipconfig](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ipconfig)

[Route](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961510(v=ws.11))

[Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)

--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1083/README.md:
--------------------------------------------------------------------------------

# T1083 - File and Directory Discovery

## Description

File and Directory Discovery involves the adversary searching files or directories on the local system or on network shares. The goal is usually to access sensitive information or to conduct reconnaissance.

Adversaries can use native Windows Cmd tools, for example dir or tree, to enumerate the filesystem. PowerShell has the Get-Item and Get-ChildItem cmdlets that can be used to browse and search the filesystem. Some adversaries have also written custom tools that use the Windows API to gather file and directory information.

## Event Mapping

* Event ID 4103: Module Logging

Execution of the PowerShell file and directory listing cmdlets Get-Item and Get-ChildItem can be detected by monitoring PowerShell module logging events (ID 4103).
## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1083/)

[Get-Item](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-item?view=powershell-7)

[Get-ChildItem](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7)

--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1087/README.md:
--------------------------------------------------------------------------------

# T1087 - Account Discovery

## Sub techniques

* [T1087.001 - Local Account](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Discovery/T1087/T1087.001/README.md)
* [T1087.002 - Domain Account](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Discovery/T1087/T1087.002/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1087/T1087.001/README.md:
--------------------------------------------------------------------------------

# T1087.001 - Local Account

## Description

Account discovery techniques involve the adversary attempting to discover user accounts on the target system or in the domain environment.

## Event Mapping

* Event ID 1: Process creation

Windows includes the native tool net.exe, which can be used to list local users (net user). Execution of the tool can be detected by monitoring specific process command-line arguments (net user) in Sysmon Event ID 1.
## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1087/001/)

[Net user](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771865(v=ws.11))

[Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)

--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1087/T1087.002/README.md:
--------------------------------------------------------------------------------

# T1087.002 - Domain Account

## Description

Account discovery techniques involve the adversary attempting to discover user accounts on the target system or in the domain environment.

## Event Mapping

* Event ID 1: Process creation

The Windows Remote Server Administration Tools (RSAT) bundle includes a tool called Dsquery, which can be used to query Active Directory for user and group information. Execution of the tool can be detected by monitoring specific process command-line arguments (dsquery user) in Sysmon Event ID 1.
## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1087/002/)

[Dsquery user](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725702(v=ws.11))

[Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)

--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Execution/.gitkeep

--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/README.md:
--------------------------------------------------------------------------------

# Execution

## Description

Execution is a tactic where the adversary tries to run malicious code on the systems to which they have gained access. This is often paired with techniques from other tactic categories to achieve broader goals, such as network discovery or data exfiltration.
## References

[Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0002/)

--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/README.md:
--------------------------------------------------------------------------------

# T1059 - Command and Scripting Interpreter

## Sub techniques

* [T1059.001 - PowerShell](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Execution/T1059/T1059.001/README.md)
* [T1059.003 - Windows Command Shell](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Execution/T1059/T1059.003/README.md)
* [T1059.005 - Visual Basic](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Execution/T1059/T1059.005/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/T1059.001/README.md:
--------------------------------------------------------------------------------

# T1059.001 - PowerShell

## Description

PowerShell is an interactive command-line interface and scripting language built on .NET. It helps system administrators automate common operating system management tasks and provides a command line for executing other processes. PowerShell has been included in Windows since Windows 7, and the latest version, PowerShell Core, is a fully open-source and cross-platform implementation.

PowerShell has become a popular tool among adversary groups because of its versatility and its wide range of capabilities for automating, hiding and obscuring activity. PowerShell scripts can be hidden inside other files, used to run executables from the Internet and even embedded into other applications for execution without the powershell.exe interpreter. PowerShell-based offensive testing tools include Empire, PowerSploit and PSAttack.
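Script block logging (event ID 4104, mapped in this file's Event Mapping section) splits a long script into several events that share one ScriptBlockId and carry MessageNumber/MessageTotal counters, so a hunt that reads events one at a time sees only fragments. The reassembly below is an added example, not code from the PHR-model repository; the field names follow the EventData of event 4104 in Microsoft-Windows-PowerShell/Operational, and the records themselves are constructed (one block is deliberately left incomplete).

```python
from collections import defaultdict

# Constructed 4104 records (not from the original page). A script block longer than the
# engine's chunk size is logged as MessageTotal parts sharing one ScriptBlockId; parts can
# arrive out of order. Part 2 of block "b2" is deliberately missing.
SAMPLE_4104 = [
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2, "Path": "C:\\ops\\inventory.ps1",
     "ScriptBlockText": "Get-NetRoute | Export-Csv C:\\ops\\routes.csv"},
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2, "Path": "C:\\ops\\inventory.ps1",
     "ScriptBlockText": "Get-NetAdapter | Export-Csv C:\\ops\\adapters.csv\n"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "$parts = 1..3\n"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1, "Path": "",
     "ScriptBlockText": "Get-ChildItem -Recurse C:\\Users"},
]


def reassemble_script_blocks(events: list) -> dict:
    """Group 4104 parts by ScriptBlockId and join them in MessageNumber order.

    Returns {id: {"text", "complete", "path", "parts", "total"}}; "text" is None until
    every part has been seen, so partial blocks are never matched as if they were whole.
    """
    parts_by_id = defaultdict(dict)
    meta = {}
    for ev in events:
        sid = ev["ScriptBlockId"]
        parts_by_id[sid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        meta[sid] = (int(ev["MessageTotal"]), ev.get("Path", ""))
    result = {}
    for sid, parts in parts_by_id.items():
        total, path = meta[sid]
        complete = set(parts) == set(range(1, total + 1))
        result[sid] = {
            "text": "".join(parts[i] for i in range(1, total + 1)) if complete else None,
            "complete": complete,
            "path": path,
            "parts": len(parts),
            "total": total,
        }
    return result


def in_memory_blocks(reassembled: dict) -> list:
    """ScriptBlockIds whose Path is empty: code that never existed as a .ps1 on disk
    (typed at the prompt, piped in, or downloaded), the pattern the description warns about."""
    return sorted(sid for sid, block in reassembled.items() if not block["path"])


if __name__ == "__main__":
    blocks = reassemble_script_blocks(SAMPLE_4104)
    for sid, block in blocks.items():
        print(sid, "complete" if block["complete"] else f"{block['parts']}/{block['total']} parts", block["path"])
    print("in-memory:", in_memory_blocks(blocks))
```

Incomplete blocks are worth keeping rather than dropping: a block whose remaining parts never arrive can mean the log was cleared or the host went offline mid-script, which is itself a signal.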
## Event Mapping

* Event ID 4103: Module Logging
* Event ID 4104: Script Block Logging

PowerShell supports three types of logging: module logging, script block logging and transcription. The events are written to the Windows Event Log under Microsoft-Windows-PowerShell/Operational. Module logging (Event ID 4103) records pipeline execution details as PowerShell executes, including variable initialization and command invocations, as well as the output of the executed commands. Script block logging (Event ID 4104) records blocks of code as they are executed by the PowerShell engine, capturing the full context of the executed code, including scripts and commands.

Module and script block logging must be enabled through Windows Group Policy (Administrative Templates → Windows Components → Windows PowerShell).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1059/001/)

[PowerShell ♥ the Blue Team](https://devblogs.microsoft.com/powershell/powershell-the-blue-team/)

--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/T1059.003/README.md:
--------------------------------------------------------------------------------

# T1059.003 - Windows Command Shell

## Description

A command-line interface (CLI) is a way to interact with computer systems by issuing commands as lines of text, either locally or via a remote session. It is a common feature across many operating systems, including Windows and Unix-type operating systems such as Linux and macOS. Adversaries often use the command-line interface to execute built-in operating system commands and to launch external software.

## Event Mapping

* Event ID 1: Process creation

According to MITRE ATT&CK, the data sources for the command-line interface are process monitoring and process command-line parameter monitoring.
Both data sources are captured by Sysmon event ID 1. The events should be filtered by process name "cmd.exe", the main command interpreter for Windows.

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1059/003/)

[Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)

--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/T1059.005/README.md:
--------------------------------------------------------------------------------

# T1059.005 - Visual Basic

## Description

Visual Basic is a programming language created by Microsoft that interoperates with many Windows technologies, such as the Component Object Model and the Native API through the Windows API. Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript.

Adversaries can use Visual Basic scripts to speed up operations and to bypass process monitoring mechanisms by interacting with the operating system APIs directly. Adversaries can download scripts from the Internet and execute them without creating files on the system. VBA scripts can also be hidden inside other files, such as Office documents or PDF files, which execute the script when a user opens the file.

## Event Mapping

* Event ID 1: Process creation

Visual Basic script execution can be detected by monitoring Sysmon process creation events (ID 1) where the command-line parameters contain file extensions associated with Visual Basic scripts (.vbs, .vbe, .wsf).
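The Sysmon Event ID 1 mappings in this folder all reduce to the same operation: normalise the process image name and its command-line arguments, then match them against a short rule per technique. The matcher below is an added example (not code from the PHR-model repository) that covers the rules stated on these pages in one place: ipconfig, arp and `route print` for T1016, `net user` for T1087.001, `dsquery user` for T1087.002, the cmd.exe process-name filter for T1059.003 and the `.vbs`/`.vbe`/`.wsf` extension check for T1059.005. The event records are constructed and reduced to the Image and CommandLine fields Sysmon writes.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon event ID 1 records (not from the original page), reduced to the
# fields the rules use. Image is the full path Sysmon records; CommandLine is as typed.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"Image": "C:\\Windows\\System32\\ROUTE.EXE", "CommandLine": "route print"},
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user"},
    {"Image": "C:\\Windows\\System32\\dsquery.exe", "CommandLine": "dsquery user -limit 0"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs'},
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "firefox.exe"},
]

VB_SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".wsf")
_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted path with spaces stays one token


def image_name(event: dict) -> str:
    """Lower-cased executable name, so a rule does not depend on path or letter case."""
    return PureWindowsPath(event["Image"]).name.lower()


def arguments(cmdline: str) -> list:
    """Command-line tokens after the program token, quotes stripped and lower-cased."""
    tokens = [t.strip('"').lower() for t in _TOKEN.findall(cmdline)]
    return tokens[1:]


# (technique id, description, predicate over (image name, argument list))
RULES = [
    ("T1016", "network configuration discovery",
     lambda name, argv: name in {"ipconfig.exe", "arp.exe"} or (name == "route.exe" and "print" in argv)),
    ("T1087.001", "local account discovery via net user",
     lambda name, argv: name == "net.exe" and argv[:1] == ["user"]),
    ("T1087.002", "domain account discovery via dsquery user",
     lambda name, argv: name == "dsquery.exe" and argv[:1] == ["user"]),
    ("T1059.003", "Windows command shell",
     lambda name, argv: name == "cmd.exe"),
    ("T1059.005", "Visual Basic script passed on the command line",
     lambda name, argv: any(a.endswith(VB_SCRIPT_EXTENSIONS) for a in argv)),
]


def classify(event: dict) -> list:
    """Technique ids whose rule matches this process creation event."""
    name, argv = image_name(event), arguments(event["CommandLine"])
    return [tid for tid, _, predicate in RULES if predicate(name, argv)]


def hunt(events: list) -> list:
    """(index, technique ids) for every event that matched at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]


if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_EVENTS):
        print(i, hits, SAMPLE_EVENTS[i]["CommandLine"])
```

Matching on the image name rather than on the start of CommandLine is deliberate: the command line may quote a full path or use a different case, as the wscript.exe record shows, while the Image field is always the resolved executable.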
## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1059/005/)

--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Lateral Movement/.gitkeep

--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/README.md:
--------------------------------------------------------------------------------

# Lateral Movement

## Description

The initial system that the adversary gains access to in the target environment is often not the ultimate system they are targeting. Reaching the ultimate target requires moving through multiple systems, a process called lateral movement. The lateral movement tactic category consists of techniques that enable the adversary to access and control remote systems over the network. Adversaries can take advantage of native remote access tools or install third-party tools to accomplish lateral movement.
## References

[Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0008/)

--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1021/README.md:
--------------------------------------------------------------------------------

# T1021 - Remote Services

## Sub techniques

* [T1021.001 - Remote Desktop Protocol](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Lateral%20Movement/T1021/T1021.001/README.md)
* [T1021.002 - SMB/Windows Admin Shares](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Lateral%20Movement/T1021/T1021.002/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1021/T1021.001/README.md:
--------------------------------------------------------------------------------

# T1021.001 - Remote Desktop Protocol

## Description

Remote desktop is an operating system feature that allows users to log into a system over a network and interact with its graphical user interface remotely. The best known remote desktop solution is the Windows built-in implementation called Remote Desktop Services (RDS); however, many third-party remote desktop tools also exist for various operating system platforms.

Adversaries with valid credentials can use remote desktop connections to move laterally between systems with ease. Remote desktop connections can be detected by monitoring the Windows Event Log.

## Event Mapping

* Event ID 4624: An account was successfully logged on

Successful authentication over a remote desktop connection is recorded in event ID 4624. Logon type 10 (RemoteInteractive) indicates that the user logged in using a remote desktop connection.
The Audit Logon policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Logon).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1021/001/)

[Event ID 4624](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624)

--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1021/T1021.002/README.md:
--------------------------------------------------------------------------------

# T1021.002 - SMB/Windows Admin Shares

## Description

Windows has several hidden network shares that are used for administrative purposes. Common administrative shares include the disk volumes (e.g. C$), IPC$ for inter-process communication, ADMIN$ for remote administration, and SYSVOL and NETLOGON for Windows domain administration. Because these shares are hidden, they are not visible in Windows Explorer. They can, however, be listed on the command line using the "net use" command. Accessing admin shares requires administrative access on the system.

Adversaries may use these shares to access remote systems over the network. Some remote administration tools, such as PsExec, also use admin shares to function. PsExec is a tool included in the Windows Sysinternals suite which can be used to execute programs on remote systems.

## Event Mapping

* Event ID 5140: A network share object was accessed

The use of this technique can be detected by monitoring event ID 5140 and filtering specifically for share names that match the common admin share names.
The Audit File Share audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit File Share).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1021/002/)

[Event ID 5140](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140)

--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1570/README.md:
--------------------------------------------------------------------------------

# T1570 - Lateral Tool Transfer

## Description

Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement, using inherent file sharing protocols such as SMB to connected network shares, or authenticated connections over SMB/Windows Admin Shares or Remote Desktop Protocol.

Remote file copy can be detected by monitoring file creation and access to network shares on servers and workstations. Analyzing network traffic can also reveal unusual data flows between hosts or uncommon protocols being used.

## Event Mapping

* Event ID 5140: A network share object was accessed

Windows file share access is recorded in event ID 5140.
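The three Lateral Movement mappings above (logon type 10 in event 4624 for T1021.001, admin share names in event 5140 for T1021.002, and the same 5140 share access for T1570) become more useful when correlated than when filtered in isolation: a RemoteInteractive logon followed within minutes by ADMIN$ or C$ access from the same source address is the sequence PsExec-style tooling and manual file staging both produce. This is an added example, not code from the PHR-model repository; the Security-log records are constructed, the field names are those of the 4624 (LogonType, TargetUserName, IpAddress) and 5140 (ShareName, SubjectUserName, IpAddress) EventData, and the ten-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed Security-channel records (not from the original page), reduced to the
# fields the correlation uses. ShareName in 5140 has the form \\*\NAME.
SAMPLE_SECURITY = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:00:05", "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "10.0.0.15"},
    {"EventID": 5140, "TimeCreated": "2024-03-01T08:00:40", "ShareName": r"\\*\ADMIN$",
     "SubjectUserName": "alice", "IpAddress": "10.0.0.15"},
    {"EventID": 5140, "TimeCreated": "2024-03-01T08:01:10", "ShareName": r"\\*\C$",
     "SubjectUserName": "alice", "IpAddress": "10.0.0.15"},
    {"EventID": 5140, "TimeCreated": "2024-03-01T09:30:00", "ShareName": r"\\*\Finance",
     "SubjectUserName": "bob", "IpAddress": "10.0.0.22"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T10:00:00", "LogonType": 3,
     "TargetUserName": "svc-backup", "IpAddress": "10.0.0.9"},
    {"EventID": 5140, "TimeCreated": "2024-03-01T10:00:02", "ShareName": r"\\*\IPC$",
     "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.9"},
]

# Admin share names named in the T1021.002 description: drive letters, ADMIN$, IPC$, SYSVOL, NETLOGON.
ADMIN_SHARE = re.compile(r"^\\\\\*\\(?:[A-Z]\$|ADMIN\$|IPC\$|SYSVOL|NETLOGON)$", re.IGNORECASE)


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def rdp_logons(events: list) -> list:
    """4624 events with logon type 10 (RemoteInteractive): the T1021.001 filter."""
    return [e for e in events if e["EventID"] == 4624 and int(e["LogonType"]) == 10]


def admin_share_access(events: list) -> list:
    """5140 events whose ShareName is one of the administrative shares: the T1021.002 filter."""
    return [e for e in events if e["EventID"] == 5140 and ADMIN_SHARE.match(e["ShareName"])]


def correlate_rdp_and_admin_shares(events: list, window_seconds: int = 600) -> list:
    """Pair every admin-share access with an earlier RDP logon from the same source IP
    that happened no more than window_seconds before it."""
    logons = sorted(rdp_logons(events), key=_when)
    window = timedelta(seconds=window_seconds)
    pairs = []
    for share_ev in admin_share_access(events):
        for logon in logons:
            gap = _when(share_ev) - _when(logon)
            if logon["IpAddress"] == share_ev["IpAddress"] and timedelta(0) <= gap <= window:
                pairs.append({"ip": share_ev["IpAddress"], "logon_user": logon["TargetUserName"],
                              "share_user": share_ev["SubjectUserName"], "share": share_ev["ShareName"],
                              "seconds_after_logon": int(gap.total_seconds())})
                break
    return pairs


if __name__ == "__main__":
    for pair in correlate_rdp_and_admin_shares(SAMPLE_SECURITY):
        print(pair)
```

The IPC$ access from the service account is still reported by `admin_share_access` but not by the correlation, because its preceding logon was type 3 (network), not 10; keeping both outputs lets an analyst choose between the noisier single-event filter and the tighter sequence.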
The Audit File Share audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit File Share).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1570/)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Persistence/.gitkeep

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/README.md:
--------------------------------------------------------------------------------

# Persistence

## Description

Persistence is a tactic where the adversary aims to maintain their foothold on systems where they have gained access. An adversary might lose access to the systems due to operating system restarts, credential changes, connection blocking or removal of files or tools. The techniques in this category include any access, action or configuration change that lets the adversary maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
## References

[Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0003/)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1053/README.md:
--------------------------------------------------------------------------------

# T1053 - Scheduled Task/Job

## Sub techniques

* [T1053.002 - At (Windows)](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1053/T1053.002/README.md)
* [T1053.005 - Scheduled Task](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1053/T1053.005/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1053/T1053.002/README.md:
--------------------------------------------------------------------------------

# T1053.002 - At (Windows)

## Description

At.exe is a Windows command-line tool for scheduling a command, a script or a program to run at a specified date and time. An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence.

## Event Mapping

* Event ID 4698: A scheduled task was created
* Event ID 4702: A scheduled task was updated

Windows generates event ID 4698 when at.exe is used to schedule a task, and event ID 4702 when a scheduled task is updated. These events are written to the Event Log Security channel.
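Event 4698 carries the whole task definition as XML in its TaskContent field, so the useful detection question (what will run, when, and as whom) can be answered from the event alone rather than by pulling the task from the host afterwards. The parser and triage below are an added example, not code from the PHR-model repository; it applies to tasks created by at.exe as well as by other Task Scheduler clients, since both produce 4698. The two records are constructed, the XML follows the Task Scheduler schema namespace `http://schemas.microsoft.com/windows/2004/02/mit/task`, and the triage heuristics (logon/boot trigger, script interpreter as the action, payload in a user-writable directory, elevated principal) are the author's assumptions about what merits a second look.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")  # TaskContent starts with an encoding="UTF-16" declaration


def _task_xml(triggers: str, user_id: str, run_level: str, command: str, arguments: str) -> str:
    """Build a constructed TaskContent string in the Task Scheduler schema (sample data only)."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Triggers>{triggers}</Triggers>"
            f"<Principals><Principal><UserId>{user_id}</UserId><RunLevel>{run_level}</RunLevel></Principal></Principals>"
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed 4698 records (not from the original page): a routine backup task and a
# user-created logon task that launches a script from the user's roaming profile.
SAMPLE_4698 = [
    {"EventID": 4698, "SubjectUserName": "svc-backup", "TaskName": "\\Backup\\NightlySync",
     "TaskContent": _task_xml("<CalendarTrigger><StartBoundary>2024-03-01T02:00:00</StartBoundary></CalendarTrigger>",
                              "S-1-5-18", "HighestAvailable", "C:\\Program Files\\Backup\\sync.exe", "/full")},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Updater",
     "TaskContent": _task_xml("<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
                              "S-1-5-21-1111-2222-3333-1001", "LeastPrivilege",
                              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                              "-WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Roaming\\update.ps1")},
]

INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def parse_task_content(xml_text: str) -> dict:
    """Extract trigger kinds, Exec actions and the principal from a 4698 TaskContent string."""
    root = ET.fromstring(_XML_DECL.sub("", xml_text))
    trigger_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if trigger_node is None else [child.tag.split("}")[-1] for child in trigger_node]
    actions = [(ex.findtext("t:Command", default="", namespaces=TASK_NS),
                ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
               for ex in root.findall("t:Actions/t:Exec", TASK_NS)]
    return {
        "triggers": triggers,
        "actions": actions,
        "user_id": root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS),
    }


def triage_4698(events: list) -> list:
    """Attach a list of review reasons to every task creation event."""
    findings = []
    for ev in events:
        task = parse_task_content(ev["TaskContent"])
        reasons = []
        if any(t in ("BootTrigger", "LogonTrigger") for t in task["triggers"]):
            reasons.append("boot-or-logon-trigger")
        for command, arguments in task["actions"]:
            if command.lower().rsplit("\\", 1)[-1] in INTERPRETERS:
                reasons.append("script-interpreter")
            if any(p in (command + " " + arguments).lower() for p in USER_WRITABLE):
                reasons.append("user-writable-path")
        if task["user_id"] == "S-1-5-18" or task["run_level"] == "HighestAvailable":
            reasons.append("elevated-principal")
        findings.append({"task": ev["TaskName"], "created_by": ev["SubjectUserName"],
                         "reasons": reasons, "actions": task["actions"]})
    return findings


if __name__ == "__main__":
    for finding in triage_4698(SAMPLE_4698):
        print(finding)
```

Reasons accumulate rather than short-circuit, so the backup task still surfaces as "elevated-principal" (it runs as SYSTEM) and an analyst can decide that one reason is normal for that task while three together are not.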
The Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/002/)

[How To Use the AT Command to Schedule Tasks](https://support.microsoft.com/en-us/help/313565/how-to-use-the-at-command-to-schedule-tasks)

[Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)

[Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1053/T1053.005/README.md:
--------------------------------------------------------------------------------

# T1053.005 - Scheduled Task

## Description

Windows has a built-in component called Task Scheduler for performing automated tasks on a chosen computer. It executes tasks based on a trigger, which can be a specific time or schedule, a user logging in, a system boot or a specific event happening on the system. The action that the task executes can be showing a message, sending an email, executing a command or firing a COM handler. Task Scheduler can be managed through the graphical user interface taskschd.msc or the command-line tools schtasks.exe and at.exe.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. An adversary may, for example, create a scheduled task that downloads and executes malicious code to regain a foothold even if the malicious process is interrupted or its code removed.
## Event Mapping

* Event ID 4698: A scheduled task was created
* Event ID 4702: A scheduled task was updated

Windows generates event ID 4698 when Task Scheduler is used to schedule a task, and event ID 4702 when a scheduled task is updated. These events are written to the Event Log Security channel.

The Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/005/)

[Task Scheduler for developers](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page)

[Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)

[Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/README.md:
--------------------------------------------------------------------------------

# T1078 - Valid Accounts

## Sub techniques

* [T1078.001 - Default Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1078/T1078.001/README.md)
* [T1078.002 - Domain Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1078/T1078.002/README.md)
* [T1078.003 - Local Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1078/T1078.003/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/T1078.001/README.md:
--------------------------------------------------------------------------------

# T1078.001 - Default Accounts

## Description

User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.

Adversaries may use user accounts for persistence by creating new accounts that they can use in case access to the others is lost.

## Event Mapping

* Event ID 4720: A user account was created

The main method for monitoring user account related activity in Windows is the security audit log. The user account management events are particularly relevant for the persistence tactic; they indicate, for example, whether a user account was created, changed or deleted.

Event ID 4720 is generated every time a new user object is created. These events are written to the Event Log Security channel.
The Audit User Account Management audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/001/)

[Event ID 4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/T1078.002/README.md:
--------------------------------------------------------------------------------

# T1078.002 - Domain Accounts

## Description

User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.

Adversaries may use user accounts for persistence by creating new accounts that they can use in case access to the others is lost.

## Event Mapping

* Event ID 4720: A user account was created

The main method for monitoring user account related activity in Windows is the security audit log. The user account management events are particularly relevant for the persistence tactic; they indicate, for example, whether a user account was created, changed or deleted.

Event ID 4720 is generated every time a new user object is created. These events are written to the Event Log Security channel.
The Audit User Account Management audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/002/)

[Event ID 4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/T1078.003/README.md:
--------------------------------------------------------------------------------

# T1078.003 - Local Accounts

## Description

User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.

Adversaries may use user accounts for persistence by creating new accounts that they can use in case access to the others is lost.

## Event Mapping

* Event ID 4720: A user account was created

The main method for monitoring user account related activity in Windows is the security audit log. The user account management events are particularly relevant for the persistence tactic; they indicate, for example, whether a user account was created, changed or deleted.

Event ID 4720 is generated every time a new user object is created. These events are written to the Event Log Security channel.
The Audit User Account Management audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/003/)

[Event ID 4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1547/README.md:
--------------------------------------------------------------------------------

# T1547 - Boot or Logon Autostart Execution

## Sub techniques

* [T1547.001 - Registry Run Keys / Startup Folder](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1547/T1547.001/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1547/T1547.001/README.md:
--------------------------------------------------------------------------------

# T1547.001 - Registry Run Keys / Startup Folder

## Description

The Windows registry includes specific keys called Run and RunOnce, which cause programs to run each time a user logs on. The difference between Run and RunOnce is that Run is executed every time a user logs on, whereas a RunOnce entry is removed after execution. The value under these keys is a command line that gets executed, and it is possible to register multiple programs under any particular key.

While the registry run keys are often used by legitimate software, they are also used by adversaries to establish persistence on a system. Another common persistence technique adversaries use is the Windows startup folders. A Windows startup folder contains shortcuts to applications that start when the system boots.
8 | 9 | ## Event Mapping 10 | 11 | * Event ID 11: FileCreate 12 | * Event ID 13: RegistryEvent (Value Set) 13 | 14 | Detecting the use of registry run keys requires monitoring changes to the relevant registry keys. The paths from registry run keys are: 15 | 16 | * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 17 | * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 18 | * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 19 | * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 20 | * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx 21 | 22 | Changes to the registry keys can be monitored using Sysmon, which generates Event ID 13 when registry key is set. 23 | 24 | Windows startup folders are located under individual user’s profiles (C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) and under ProgramData for all users (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp). Sysmon can be configured to monitor these location for file creation events (ID 11). 
## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1547/001/)

[Run and RunOnce Registry Keys](https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys?redirectedfrom=MSDN)

[Event ID 11](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-11-filecreate)

[Event ID 13](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-13-registryevent-value-set)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Privilege Escalation/.gitkeep

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/README.md:
--------------------------------------------------------------------------------

# Privilege Escalation

## Description

The privilege escalation tactic consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries often gain initial access to systems through normal unprivileged user accounts. However, many of the techniques later in the kill chain require a privileged account to execute, so the adversary needs a way to escalate their privileges. Common ways to accomplish privilege escalation are to take advantage of system weaknesses, misconfigurations or vulnerabilities.

## References

[Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0004/)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1053/README.md:
--------------------------------------------------------------------------------

# T1053 - Scheduled Task/Job

## Sub techniques

* [T1053.002 - At (Windows)](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1053/T1053.002/README.md)
* [T1053.005 - Scheduled Task](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1053/T1053.005/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1053/T1053.002/README.md:
--------------------------------------------------------------------------------

# T1053.002 - At (Windows)

## Description

At.exe is a Windows command-line tool for scheduling a command, a script or a program to run at a specified date and time. An adversary may use at.exe to escalate their privileges by running a process under the context of a specified account (such as SYSTEM).

## Event Mapping

* Event ID 4698: A scheduled task was created
* Event ID 4702: A scheduled task was updated

Windows generates Event ID 4698 when at.exe is used to schedule a task, and Event ID 4702 when a scheduled task is updated. These events are written to the Security channel of the Windows Event Log.
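As an added example (not code from the PHR model repository), the following Python maps individual Windows event records to the techniques documented on these pages: Sysmon Event ID 13 and 11 records to T1547.001 using the run key paths and startup folders listed under that technique, and Security Event ID 4698 records to T1053.002 / T1053.005, pulling the run-as principal and command line out of the embedded task definition so that a task registered by one account to run as SYSTEM stands out. The sample records are constructed; the At1 task-naming rule and the accepted SYSTEM principal spellings are assumptions.

```python
import re
import xml.etree.ElementTree as ET

EVT = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Run keys from the T1547.001 mapping; Sysmon reports them with HKLM or HKU\<SID> roots.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce|runonceex)(\\|$)")
# Per-user and all-users startup folders from the same mapping (a file directly inside).
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$")
# Principal spellings that mean "run as SYSTEM" (assumption: SID plus both name forms).
SYSTEM_PRINCIPALS = {"s-1-5-18", r"nt authority\system", "system"}
SYSTEM_SID = "S-1-5-18"


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) from one Windows Event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT)}
    return event_id, data


def parse_task_content(task_xml):
    """Return (run-as principal, command line) from a 4698 TaskContent definition."""
    # TaskContent carries an encoding="UTF-16" declaration that ElementTree rejects
    # when parsing from a str, so drop the declaration first.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    user = task.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK)
    cmd = task.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK)
    args = task.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK)
    return user, (cmd + " " + args).strip()


def classify(xml_text):
    """Map one event to a technique ID plus the fields an analyst needs, or None."""
    event_id, data = parse_event(xml_text)
    if event_id == 13:  # Sysmon RegistryEvent (Value Set)
        target = data.get("TargetObject", "")
        if RUN_KEY_RE.search(target.lower()):
            return {"technique": "T1547.001", "event_id": 13, "target": target,
                    "command": data.get("Details", ""), "image": data.get("Image", "")}
    elif event_id == 11:  # Sysmon FileCreate
        target = data.get("TargetFilename", "")
        if STARTUP_RE.search(target.lower()):
            return {"technique": "T1547.001", "event_id": 11, "target": target,
                    "image": data.get("Image", "")}
    elif event_id == 4698:  # Security: a scheduled task was created
        name = data.get("TaskName", "")
        run_as, command = parse_task_content(data.get("TaskContent", ""))
        # Assumption: legacy at.exe names its tasks At1, At2, ... (T1053.002);
        # anything else is treated as a Task Scheduler task (T1053.005).
        sub = "T1053.002" if re.fullmatch(r"\\?at\d+", name.lower()) else "T1053.005"
        # The escalation pattern from the T1053 pages: the task will run as SYSTEM
        # but was registered by some other account.
        escalates = run_as.lower() in SYSTEM_PRINCIPALS and data.get("SubjectUserSid") != SYSTEM_SID
        return {"technique": sub, "event_id": 4698, "task": name,
                "creator": data.get("SubjectUserName", ""), "run_as": run_as,
                "command": command, "escalates_to_system": escalates}
    return None


def triage(events):
    """Classify a batch of event records, keeping only the technique hits."""
    return [hit for hit in map(classify, events) if hit]


# Constructed sample records; field names follow the real Sysmon and Security schemas.
SYSMON_RUN_KEY = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID></System>
<EventData><Data Name="EventType">SetValue</Data>
<Data Name="Image">C:\Windows\System32\reg.exe</Data>
<Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater</Data>
<Data Name="Details">C:\Users\alice\AppData\Local\Temp\upd.exe</Data></EventData></Event>"""
SYSMON_STARTUP = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID></System>
<EventData><Data Name="Image">C:\Windows\explorer.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk</Data>
</EventData></Event>"""
SECURITY_4698 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID></System>
<EventData><Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
<Data Name="SubjectUserName">alice</Data><Data Name="TaskName">\Maintenance\Cleanup</Data>
<Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;C:\Users\alice\AppData\Local\Temp\upd.exe&lt;/Command&gt;&lt;Arguments&gt;/silent&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>"""
BENIGN_REGISTRY = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID></System>
<EventData><Data Name="EventType">SetValue</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate</Data>
<Data Name="Details">DWORD (0x60000000)</Data></EventData></Event>"""
SAMPLES = [SYSMON_RUN_KEY, SYSMON_STARTUP, SECURITY_4698, BENIGN_REGISTRY]

if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(hit)
```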
Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/002/)

[How To Use the AT Command to Schedule Tasks](https://support.microsoft.com/en-us/help/313565/how-to-use-the-at-command-to-schedule-tasks)

[Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)

[Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1053/T1053.005/README.md:
--------------------------------------------------------------------------------

# T1053.005 - Scheduled Task

## Description

Windows has a built-in component called Task Scheduler for performing automated tasks on a chosen computer. It executes tasks based on a trigger, which can be a specific time or schedule, a user logging in, system boot, or a specific event happening on the system. The action that the task executes can be showing a message, sending email, executing a command or firing a COM handler. Task Scheduler can be managed through the graphical user interface taskschd.msc or the command-line tools schtasks.exe and at.exe.

An adversary may use Windows Task Scheduler to escalate their privileges by running a process under the context of a specified account (such as SYSTEM).

## Event Mapping

* Event ID 4698: A scheduled task was created
* Event ID 4702: A scheduled task was updated

Windows generates Event ID 4698 when Task Scheduler is used to schedule a task, and Event ID 4702 when a scheduled task is updated. These events are written to the Security channel of the Windows Event Log.

Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/005/)

[Task Scheduler for developers](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page)

[Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)

[Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/README.md:
--------------------------------------------------------------------------------

# T1078 - Valid Accounts

## Sub techniques

* [T1078.001 - Default Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1078/T1078.001/README.md)
* [T1078.002 - Domain Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1078/T1078.002/README.md)
* [T1078.003 - Local Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1078/T1078.003/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/T1078.001/README.md:
--------------------------------------------------------------------------------

# T1078.001 - Default Accounts

## Description

User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.

Adversaries can accomplish privilege escalation using existing unprivileged user or service accounts.

## Event Mapping

* Event ID 4672: Special privileges assigned to new logon

The main method for monitoring user account related activity in Windows is the security audit log. User account privilege escalation is captured by several Windows audit events.

Event ID 4672 is generated when a new logon session has sensitive privileges assigned to it. This event is an indicator that a user account has escalated privileges. These events are written to the Security channel of the Windows Event Log.

Audit Special Logon audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Special Logon).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/001/)

[Event ID 4672](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/T1078.002/README.md:
--------------------------------------------------------------------------------

# T1078.002 - Domain Accounts

## Description

User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.

Adversaries can accomplish privilege escalation using existing unprivileged user or service accounts.

## Event Mapping

* Event ID 4672: Special privileges assigned to new logon

The main method for monitoring user account related activity in Windows is the security audit log. User account privilege escalation is captured by several Windows audit events.

Event ID 4672 is generated when a new logon session has sensitive privileges assigned to it. This event is an indicator that a user account has escalated privileges. These events are written to the Security channel of the Windows Event Log.

Audit Special Logon audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Special Logon).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/002/)

[Event ID 4672](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/T1078.003/README.md:
--------------------------------------------------------------------------------

# T1078.003 - Local Accounts

## Description

User accounts in Windows can be divided into three categories: default, local and domain accounts.
Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.

Adversaries can accomplish privilege escalation using existing unprivileged user or service accounts.

## Event Mapping

* Event ID 4672: Special privileges assigned to new logon

The main method for monitoring user account related activity in Windows is the security audit log. User account privilege escalation is captured by several Windows audit events.

Event ID 4672 is generated when a new logon session has sensitive privileges assigned to it. This event is an indicator that a user account has escalated privileges. These events are written to the Security channel of the Windows Event Log.

Audit Special Logon audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Special Logon).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/003/)

[Event ID 4672](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1543/README.md:
--------------------------------------------------------------------------------

# T1543 - Create or Modify System Process

## Sub techniques

* [T1543.003 - Windows Service](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1543/T1543.003/README.md)

--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1543/T1543.003/README.md:
--------------------------------------------------------------------------------

# T1543.003 - Windows Service

## Description

Services in Windows are applications that run in the system background without user interaction. Many of the core operating system features, such as event logging, file serving and printing, run as services. Services are often started automatically when the operating system boots.

Services can be executed using the LocalSystem account, which enables an adversary with an administrator account to escalate privileges to SYSTEM level.

## Event Mapping

* Event ID 7045: A new service was installed in the system
* Event ID 4697: A service was installed in the system

Event ID 7045 is generated in all modern Windows versions when a new service is created. There is also Event ID 4697, which is generated in newer versions of Windows (Windows 10 and Server 2016).

Audit Security System Extension audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System → Audit Security System Extension).

## References

[Mitre ATT&CK source](https://attack.mitre.org/techniques/T1543/003/)

[Event ID 4697](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697)

--------------------------------------------------------------------------------
/Enrichment/Feature-Extractor/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Enrichment/Feature-Extractor/.gitkeep

--------------------------------------------------------------------------------
/Enrichment/Feature-Extractor/README.md:
--------------------------------------------------------------------------------

# Feature Extractor

### Introduction

Feature extractor is a Dockerized tool that can be used to enrich an organization's collected data using open source threat intelligence APIs. The tool can be quickly set up, configured and run with a couple of commands. The motivation for the tool is to make analysts' work quicker by aiding the process of deciding the relevance of various IoCs (indicators of compromise). The open source code for the tool is provided in GitLab (https://gitlab.com/CinCan/wp1/tree/master/feature_extractor) and the Docker container can be downloaded from DockerHub (https://hub.docker.com/r/cincan/feature_extractor).
The tool provides access to a variety of OSINT APIs, including:

* AbuseIPDB
* Censys
* DShield
* EmergingThreats
* GoogleSafebrowsing
* Greynoise
* MISPWarningLists2
* OTXQuery
* PhishTank
* Shodan
* Threatcrowd
* VirusTotal

If a potentially malicious file has been downloaded or a potential attacker IP is discovered, the file hash or the IP address can be supplied to the feature extractor. The feature extractor queries the above-mentioned APIs and compiles the returned results into an HTML report. The results indicate whether the provided file or IP address is known to be malicious.

### Usage

Most of the APIs require API keys, which need to be requested manually from each service and configured in the tool. Docker commands and the necessary configuration can be found in the README (https://gitlab.com/CinCan/tools/-/tree/feature-extractor/feature_extractor). You can also follow this blog tutorial, where IoCs are extracted from a WannaCry executable: https://cincan.io/blog/2020_05_25_wannacry/. The IoCs extracted from a file by the dockerized tool can also be sent to a Cortex server for analysis by Cortex analyzers; see this blog post for a tutorial: https://cincan.io/blog/2020_06_10_dockerized_cortex_and_ioc_strings/.

In short, IoCs are given to the analyze.py Python script in the format:

```bash
./analyze.py datatype:data
```

where datatype is ip, domain, url, fqdn, hash or mail. For example:

```bash
./analyze.py url:https://www.iltalehti.fi
./analyze.py ip:8.8.8.8
```

The IoCs can also be read from a newline-separated file or from a file in jsonl format. The tool can also read CSV files produced by the ioc_parser tool (https://github.com/armbues/ioc_parser).

An example docker run command after configuration:

```bash
sudo docker run -v $(pwd)/docker_volume:/data -v $(pwd)/samples:/samples cincan/feature_extractor:dev --path /data --injsonl /samples/jsonl_input
```

--------------------------------------------------------------------------------
/Enrichment/README.md:
--------------------------------------------------------------------------------

# Enrichment

**Introduction:**
Enrichment contains additional methods to enrich data that has been collected for detection and analysis purposes. The more contextual information that can be added to collected data, the more meaningfully it can be used. Enrichment can be done in various ways, depending on the collected data and the environment. One of the most important methods is to use technical threat intelligence data to identify already known malicious activities in the environment.
**Benefits:**
* Enrichment can add additional information to existing data
* Enrichment can make the existing data more meaningful for detection capabilities or for analysts investigating a cyber attack

**Worth noticing:**

**Features:**

**Use cases:**

--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Enrichment/Threat Intelligence/.gitkeep

--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/Mitre Att&ck/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Enrichment/Threat Intelligence/Mitre Att&ck/.gitkeep

--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/Mitre Att&ck/README.md:
--------------------------------------------------------------------------------

# Mitre Att&ck

https://attack.mitre.org/

**Worth noticing:**

- When technique IDs are added automatically by rules, the rules need to be specific enough.

**How this tool integrates to our PHR model:**

By adding/mapping technique IDs to our detections, we get a bigger picture of what is going on and can detect the different attack phases. By knowing who the intruder is and which techniques they commonly use, we might be able to stop the attack chain. It also helps us choose the controls we need in order to detect/prevent attacks.

**Use case:** Enriching alerts

**Question:** How can enrichment with Mitre Att&ck help us?

We get logs from multiple places, and it is hard to determine which alerts are false or true positives, or what these alerts actually mean. To make it easier for the analyst to make decisions and understand the situation, we can enrich our alert data with the relevant technique IDs.

**Use case:** Enriching reports

Requires a shift in analyst thinking: from indicators to behaviours. From reports, we try to map what happened by translating behaviour into tactics. This forces analysts to learn the technical side of reports.

--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/Open Source Intelligence/README.md:
--------------------------------------------------------------------------------

# Open Source Intelligence (OSINT)

**Introduction:**

OSINT is the gathering of intelligence from free and open sources, usually through an API. [OSINT Framework](https://osintframework.com/) provides a huge list of available sources ranging from username search engines to geolocation tools. The website [Cyber Threat Feeds](https://www.cyberthreatfeeds.com/) provides links to sources specific to threat intelligence. [Threatfeeds](https://threatfeeds.io/) contains a simplified list of free and open source threat intelligence feeds. The list contains minimal information about each feed: who manages it, how many IoCs it contains and when it was last updated.

Some tools provide easy command-line access to multiple OSINT sources, for example [the Harpoon tool](https://github.com/Te-k/harpoon).

**Benefits:**

- Easy-to-access sources of information; most follow REST API guidelines
- APIs are often used and updated by other cybersecurity professionals worldwide

**Worth noticing:**
- APIs may require an API key, which is provided after registration
- APIs may also impose usage restrictions that are lifted when premium access is purchased

**Use cases:**
- Uploading a suspicious file to VirusTotal to scan it against multiple different virus databases; see the [Upload file to VirusTotal notebook for an example](https://github.com/JYVSECTEC/PHR-model/blob/master/Enrichment/Threat%20Intelligence/Open%20Source%20Intelligence/upload_file_to_virustotal.ipynb)
- Querying IP addresses for geolocation and other information
  - See the [Jupyter Notebook for an example](https://github.com/JYVSECTEC/PHR-model/blob/master/Enrichment/Threat%20Intelligence/Open%20Source%20Intelligence/analyze_ip_address.ipynb)
  - Usually more useful for whitelisting IP addresses, because attackers use proxies.
- A defender could download a daily threat feed, for example the [Mrlooquer threat feed](https://iocfeed.mrlooquer.com/), which provides IPv4 and IPv6 Indicators of Compromise (IoCs), and check whether the IP addresses listed in the feed appear in the defender's network logs. The threat feed is available in JSON or CSV format.
- Gathering new domain registrations in order to prepare for possible phishing attacks in which domains closely resembling common domains (amazon vs amazoon) are registered.
  - The latest four days of newly registered domains can be downloaded from [WhoisDS](https://whoisds.com/newly-registered-domains)
  - Some countries provide a publicly accessible database of their domain registrations. In Finland, Traficom provides a database of Finnish domain registration data, which includes the holder, postal code and area, and registrar of the domain. Check the [notebook](https://github.com/JYVSECTEC/PHR-model/blob/master/Enrichment/Threat%20Intelligence/Open%20Source%20Intelligence/finnish_domains.ipynb) for instructions on how to load Finnish domain registrations in OData format into Pandas DataFrames in Python.

**Combining intelligence sources**

- Combining multiple threat intelligence sources using [ThreatIngestor](https://github.com/InQuest/ThreatIngestor). The tool aims to automate the gathering of IoCs from multiple intelligence sources with minimal configuration. It provides examples of parsing Twitter feeds and SQS queues to generate YARA rules, which are then sent to a MISP operator. The image from the ThreatIngestor documentation shows how much can be automated with a single configuration file: [ThreatIngestor](https://inquest.readthedocs.io/projects/threatingestor/en/latest/_images/mermaid-everything.png)

**List of open source threat intelligence**

**IP addresses and websites**
- [AbuseIPDB](https://www.abuseipdb.com/) - User-reported IP addresses and hostnames. Reports contain log lines as comments and the category of abuse

**Indicators of compromise and threat information**
- [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - An API for the latest threats and IoCs. Features Direct Connect agents, which provide a way to update intrusion detection systems and firewalls with new threat data from subscriptions.
- [Yara Rules](https://github.com/Yara-Rules/rules) - A repository of Yara signatures, which can be easily imported into MISP

**[Abuse.ch](https://abuse.ch/) - Community-driven projects which mostly provide blocklists:**
- [MalwareBazaar](https://bazaar.abuse.ch/browse/) - Search malware samples by hash, ClamAV signature, tag or malware family.
- [FeodoTracker](https://feodotracker.abuse.ch/) - An IP blocklist designed to block command-and-control (C2) servers used by Dridex, Heodo and Trickbot. There are a number of [different blocklists available](https://feodotracker.abuse.ch/blocklist/), ranging in how "aggressive" they are. The more aggressive ones may cause a high number of false positives, while the more passive ones only provide IP addresses of active C2 servers. If you are running the Suricata or Snort intrusion detection systems (IDS), the blocklists are available as premade rulesets, which you can download and easily put into use in your own IDS.
- [SSL Blacklist](https://sslbl.abuse.ch/) - Contains a blacklist of SHA1 fingerprints of SSL certificates that have been associated with C2 servers. A certificate can be associated with multiple servers, so another C2 blacklist is available with IP address and port combinations. A blocklist of [JA3](https://github.com/salesforce/ja3) fingerprints, a method that creates easily shareable SSL/TLS client fingerprints, is also available. As with the Feodo blocklist, these blocklists also come in "aggressive" versions and as Suricata/Snort rulesets.
- [URLhaus](https://urlhaus.abuse.ch/) - A database of malware URLs. The [API section](https://urlhaus.abuse.ch/api/) provides database dumps, daily MISP events and ClamAV signature databases.
- [ThreatFox](https://threatfox.abuse.ch/) - A platform for sharing IoCs. IoCs not older than 90 days are available for download; older IoC data can be downloaded from data dumps. Like the URLhaus database, ThreatFox also provides daily MISP events.
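An added example (not part of the PHR model repository) of the feed-matching use case described above: parse a CSV feed of IPv4/IPv6 indicators and CIDR ranges and check network log lines against it, with addresses normalised so that an expanded IPv6 address in a log still matches its compressed form in the feed. The feed rows and log lines are constructed; the `indicator` column name is an assumption, since every feed uses its own schema.

```python
import csv
import io
import ipaddress
import re

# Constructed sample feed in the CSV shape the page describes (one indicator per row).
# Real feeds use their own column names; pass the right one as ip_field.
FEED_CSV = """indicator,type,first_seen,tags
203.0.113.45,ip,2021-03-01,c2
2001:db8:1::2,ip,2021-03-02,scanner
198.51.100.0/24,cidr,2021-02-20,hosting
not-an-ip,ip,2021-03-02,broken-row
"""

# Constructed firewall and sshd log lines; the IPv6 address on line 3 is deliberately
# written in expanded form so that it only matches after normalisation.
LOG_LINES = [
    "2021-03-03T10:00:01Z fw allow src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2021-03-03T10:00:02Z fw allow src=10.0.0.7 dst=93.184.216.34 dport=80",
    "2021-03-03T10:00:03Z fw allow src=[2001:0db8:0001:0000::0002]:51820 dst=[2001:db8:2::10]:443",
    "2021-03-03T10:00:04Z fw deny src=10.0.0.9 dst=198.51.100.77 dport=8080",
    "2021-03-03T10:00:05Z sshd[1312]: Failed password for root from 192.0.2.10 port 52211 ssh2",
]

# Permissive candidate tokeniser; the ipaddress module does the real validation below.
CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.]+")


def load_feed(csv_text, ip_field="indicator"):
    """Parse feed rows into ip_network objects (single hosts become /32 or /128).

    Rows that do not parse are returned separately instead of being silently
    dropped, so a change in the feed format is noticed rather than hidden."""
    networks, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(ip_field) or "").strip()
        try:
            networks.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            rejected.append(raw)
    return networks, rejected


def extract_ips(line):
    """Return every valid IPv4/IPv6 address found in a log line, normalised."""
    addrs = []
    for token in CANDIDATE_RE.findall(line):
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # timestamps, ports, PIDs and hex-looking words land here
    return addrs


def match_logs(lines, networks):
    """Return (line number, address, matched indicator) for every feed hit."""
    # Exact hosts go into a set for O(1) lookup; only CIDR ranges are scanned.
    hosts = {n.network_address for n in networks if n.prefixlen == n.max_prefixlen}
    ranges = [n for n in networks if n.prefixlen != n.max_prefixlen]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for addr in extract_ips(line):
            if addr in hosts:
                hits.append((lineno, str(addr), str(addr)))
                continue
            for net in ranges:
                if addr in net:
                    hits.append((lineno, str(addr), str(net)))
    return hits


def run(feed_csv=FEED_CSV, lines=LOG_LINES):
    """Load the feed and match the log lines; returns (hits, rejected feed rows)."""
    networks, rejected = load_feed(feed_csv)
    return match_logs(lines, networks), rejected


if __name__ == "__main__":
    hits, rejected = run()
    for lineno, addr, indicator in hits:
        print(f"line {lineno}: {addr} matches feed entry {indicator}")
    if rejected:
        print("unparseable feed rows:", rejected)
```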
47 | -------------------------------------------------------------------------------- /Enrichment/Threat Intelligence/README.md: -------------------------------------------------------------------------------- 1 | # Threat Intelligence 2 | 3 | **Introduction:** To protect our assests, we need to know who might be targeting us, what tools/techniques they usually use, so that we can then know where to focus our defence. 4 | 5 | **Benefits:** 6 | - Choosing where to focus on defence. Targeted attacks needs targeted defence. 7 | - Detecting new threats 8 | - Identifying threats 9 | - Understaning what is going on 10 | 11 | **Worth noticing:** 12 | 13 | - Where does the information come from? Can it be trusted? Do the attackers have access to the same information? 14 | 15 | **Features:** 16 | - Indicators of Compromise (IoCs) - data gathered from logs or files that indicate that potentially malicious activity has happened on a system or a network. IoCs are gathered and shared by automated tools and cybersecurity professionals on multiple platforms. Finding an IoC on your own network does not guarantee that your network has been compromised, but it should definitely guide further investigation. 17 | - Indicators of Attack (IoAs) - are proactive to IoCs, where early signs of malicious activity are searched for before the cyber attack itself has a chance to happen. Defenders could for example receive alarms of multiple failed SSH login attemps and then search the machine's log files for unauthorized access. On a larger scale, social media, news and threat intelligence sources could be monitored for possible cybercrime motivations , cyber attack campaigns or other causes for an organization to anticipate an attack. 18 | - Tactics, techniques and procedures (TTPs) - Gathering of data enables the organization to reveal the possible attackers' motives and the means of executing their attack. 
This allows the organization to prepare their networkm protection and monitoring platforms accordingly to prevent and detect attacks. 19 | 20 | **Use cases** 21 | 22 | Data can be easily gathered from different services, but the problem is that it is often in various formats, so the big obstacle is aggregating the data in an easy manner of automation. Data sources should provide data in a specific format, so it can be easily sent to a server, queried, filtered and visualized. Same problem applies to threat intelligence, there are a lot of different data sources publicly available, but the threat data needs to be in an easily shareable format. Platforms such as [Malware information sharing platform](https://www.misp-project.org/) or MISP aims to make sharing threat information as easy as possible. 23 | 24 | When data sources are in a specific format and available from a centralized server, they can be used to enhance other tools and services. For example the intrusion detection systems Suricata and Snort rulesets can be downloaded from open threat intelligence sources. AI-powered systems also benefit from large amounts of log data, they could be used to perform anomaly detection and create alerts when something is out of the ordinary. 25 | 26 | Whatever threat intelligence sharing tool a organization uses, it has many benefits. [This blog describes simple steps to bring threat intelligence sharing to an organization.](https://www.helpnetsecurity.com/2020/09/21/5-simple-steps-to-bring-cyber-threat-intelligence-sharing-to-your-organization/) 27 | 28 | A list of tools to create, download and share threat information: 29 | - [JA3](https://github.com/salesforce/ja3) - Fingerprinting the TLS negotiation between client and server, meaning for example when a user connects to a bank website secured by HTTPS. 
If a bad actor uses HTTPS to connect to a command-and-control server, the TLS negotiation can still be fingerprinted with the JA3 method, even though the application data is encrypted. Sharing JA3 fingerprints allows organizations to detect whether a device in their network is connecting to a known command-and-control server that would send instructions to malware inside the organization's network. Note that a JA3 hash identifies the client software's TLS configuration, not the destination, so common TLS libraries produce fingerprints shared by many benign programs; treat a match as a lead to investigate, not as proof by itself.
- [OpenIOC](https://github.com/mandiant/OpenIOC_1.1) - An XML schema for sharing indicators of compromise.
- [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html) - A language and serialization format for exchanging threat intelligence. STIX objects are serialized as JSON, which makes them easy to transfer.
- [Elastic Common Schema](https://www.elastic.co/blog/introducing-the-elastic-common-schema) - An open-source log format specification designed to combine log data from multiple sources into a unified schema. Log files following the Elastic Common Schema can be combined in Elasticsearch or another server, making alert creation and anomaly detection easier. The schema makes it easy to parse log files, query the server where they are aggregated and visualize data from different services.
- [YARA](https://github.com/VirusTotal/yara) - A tool for identifying malware. Rules specify binary patterns and text strings that identify the malware or malware family an analyzed sample belongs to. Many threat intelligence sources offer downloadable YARA rules, which can be used to spot malware on the organization's devices.
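The following is an added example (not code from the PHR-model project) of the use case above: it takes indicators shared in STIX 2.1 JSON, as MISP or a TAXII feed would hand them out, extracts the simple IoCs (IP, domain and a JA3 hash) and matches them against ECS-style log events. The STIX bundle, the log lines, the indicator values and the `x-ja3:hash` custom object path are all constructed for this example; the ECS field names used in `FIELD_MAP` are an assumption about how the logs are structured.

```python
"""Match shared STIX indicators against local log events.

Added example, not part of the PHR-model project. The STIX bundle and the
log lines below are constructed; the IP addresses are documentation ranges
and the JA3 hashes are made up, so none of them are real IoCs.
"""
import json
import re

# Constructed STIX 2.1 bundle. Only the fields the matcher needs are filled in.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 server (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "C2 domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net']", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "malware TLS client (constructed JA3)", "pattern_type": "stix",
         # x-ja3 is a custom (x- prefixed) object path assumed for this example.
         "pattern": "[x-ja3:hash = '5d65ea3fb1d4aa7d826733d2f2cbbb1d']", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "expired indicator (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.50']",
         "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z"},
    ],
})

# One STIX comparison expression: "[ <object>:<property> = '<value>' ]".
# Full STIX patterning also has AND/OR/FOLLOWEDBY and other operators;
# this matcher handles single equality comparisons and skips everything else.
_COMPARISON = re.compile(r"^\[\s*([A-Za-z0-9_-]+:[A-Za-z0-9_.-]+)\s*=\s*'([^']*)'\s*\]$")


def extract_iocs(bundle_json, now="2024-03-01T00:00:00Z"):
    """Return {(object_path, value): indicator_name} for simple, still-valid indicators."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked"):
            continue
        # valid_until is optional; RFC 3339 UTC timestamps compare correctly as strings.
        until = obj.get("valid_until")
        if until is not None and until <= now:
            continue
        m = _COMPARISON.match(obj["pattern"])
        if not m:
            continue  # compound pattern: not handled by this simple matcher
        iocs[(m.group(1), m.group(2).lower())] = obj.get("name", obj["id"])
    return iocs


# Which STIX object path each log field corresponds to (ECS-style field names, assumed).
FIELD_MAP = {
    "destination.ip": "ipv4-addr:value",
    "destination.domain": "domain-name:value",
    "tls.client.ja3": "x-ja3:hash",
}


def match_logs(iocs, log_lines):
    """Return one hit per (log line, matched field); a line can produce several hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        event = json.loads(line)
        for field, path in FIELD_MAP.items():
            value = event.get(field)
            if value is None:
                continue
            name = iocs.get((path, str(value).lower()))
            if name:
                hits.append({"line": n, "host": event.get("host.name"), "field": field,
                             "value": value, "indicator": name})
    return hits


# Constructed ECS-style events: line 2 is the beacon, line 3 hits only the expired indicator.
LOG_LINES = [
    '{"@timestamp":"2024-03-01T09:00:01Z","host.name":"ws-17","destination.ip":"198.51.100.9",'
    '"destination.domain":"intranet.example.com","tls.client.ja3":"e7d705a3286e19ea42f587b344ee6865"}',
    '{"@timestamp":"2024-03-01T09:00:05Z","host.name":"ws-17","destination.ip":"203.0.113.7",'
    '"destination.domain":"update.example.net","tls.client.ja3":"5d65ea3fb1d4aa7d826733d2f2cbbb1d"}',
    '{"@timestamp":"2024-03-01T09:00:09Z","host.name":"ws-22","destination.ip":"192.0.2.50"}',
]

if __name__ == "__main__":
    for hit in match_logs(extract_iocs(STIX_BUNDLE), LOG_LINES):
        print(hit)
```

Only line 2 produces hits (three of them, one per matched field), and the expired indicator is dropped before matching, which is the check that keeps a stale feed from generating alerts months after an address has been reassigned.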

-------------------------------------------------------------------------------- /Enrichment/Time Series Analysis and Log Anomaly Detection/README.md: --------------------------------------------------------------------------------
# Time Series Analysis

Time series analysis tools can be used to detect anomalies or patterns in a time series dataset. A log is one example of a time series dataset: events are in time order and are recorded when they occur. In that case the measurements arrive at irregular intervals, whereas a sensor that records a measurement every second produces them at regular intervals. The most common security use cases for time series analysis are network traffic analysis and system event log analysis.

### Tools
* [STUMPY](https://github.com/TDAmeritrade/stumpy) - A Python library for constructing matrix profiles, which enable pattern discovery, anomaly detection etc.
* [tslearn](https://github.com/tslearn-team/tslearn) - A machine learning toolkit for time series data, which makes preprocessing and training machine learning algorithms on time series data more streamlined.

# Log Anomaly Detection

The amount of log data available in an organization's environment can be overwhelming. Even if alarms about specific log entries are configured, malicious activity may disguise itself as normal-looking log entries. In log anomaly detection, machine learning models are used to parse large log files in search of anomalies or patterns that may indicate unusual behaviour.

## Deep learning in anomaly detection

Automating log analysis with deep learning reduces the need to write a new rule for each new IoC or malicious IP address. With good domain expertise, a deep learning model can adapt to the target network's traffic and raise alerts on potentially malicious activity to administrators. It does not replace rule-based detection: a model learns what is normal from its training data, so malicious activity that was already present during training is learned as normal, and its alerts need the same triage as any other.
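The following is an added example (not code from the PHR-model project) of the pipeline the two sections above describe, in plain Python with no machine learning library: irregular auth log events are regularized into a per-host, per-minute series with zero-filled gaps, each bucket is scored with a robust z-score (median and MAD), and buckets above a threshold become alerts unless every contributing source is on an allowlist. The log lines are constructed; the syslog/sshd message format, the 3.5 threshold and the allowlisted "vulnerability scanner" address are assumptions of the example.

```python
"""Irregular auth log -> regular per-minute series -> robust outlier scoring -> allowlist.

Added example, not from the PHR-model project. All log lines are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# sshd-style lines with an ISO 8601 UTC timestamp (assumed format).
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed background traffic: a few scattered failures and some successful logins.
BASE_LOG = """\
2024-03-01T09:00:12Z srv1 sshd[1201]: Failed password for invalid user admin from 198.51.100.20 port 51000 ssh2
2024-03-01T09:00:41Z srv1 sshd[1203]: Accepted password for alice from 10.0.0.5 port 51002 ssh2
2024-03-01T09:01:30Z srv1 sshd[1208]: Failed password for bob from 10.0.0.9 port 51010 ssh2
2024-03-01T09:02:07Z srv1 sshd[1211]: Failed password for invalid user test from 198.51.100.20 port 51020 ssh2
2024-03-01T09:04:55Z srv1 sshd[1240]: Failed password for carol from 10.0.0.12 port 51100 ssh2
2024-03-01T09:05:10Z srv1 sshd[1242]: Accepted password for carol from 10.0.0.12 port 51101 ssh2
2024-03-01T09:00:03Z srv2 sshd[7001]: Failed password for invalid user oracle from 10.0.0.77 port 60000 ssh2
2024-03-01T09:05:20Z srv2 sshd[7050]: Failed password for dave from 10.0.0.31 port 60100 ssh2
""".splitlines()
# Two constructed bursts, generated to keep the listing short: ten root failures against
# srv1 at 09:03 from an unknown address, and eight against srv2 at 09:02 from the scanner.
BURST = [f"2024-03-01T09:03:{s:02d}Z srv1 sshd[{1220 + s}]: Failed password for root from 203.0.113.8 port {40000 + s} ssh2"
         for s in range(10)]
BURST += [f"2024-03-01T09:02:{s:02d}Z srv2 sshd[{7010 + s}]: Failed password for root from 192.0.2.100 port {50000 + s} ssh2"
          for s in range(8)]
LOG = BASE_LOG + BURST
ALLOWLIST = {"192.0.2.100"}  # assumed: the organization's own vulnerability scanner


def parse(lines):
    """Yield (minute_bucket, host, source_ip) for every failed login; skip non-matching lines."""
    for line in lines:
        m = LINE.match(line)
        if not m or m.group("outcome") != "Failed":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts.replace(second=0, microsecond=0), m.group("host"), m.group("src")


def to_series(events):
    """Regularize: per host, one count for every minute from first to last event, zeros included."""
    counts = defaultdict(Counter)                      # host -> {minute: failures}
    sources = defaultdict(lambda: defaultdict(set))    # host -> minute -> {source ips}
    minutes = []
    for minute, host, src in events:
        counts[host][minute] += 1
        sources[host][minute].add(src)
        minutes.append(minute)
    start, end = min(minutes), max(minutes)
    grid = [start + timedelta(minutes=i) for i in range(int((end - start).total_seconds() // 60) + 1)]
    series = {host: [counts[host][m] for m in grid] for host in counts}
    return grid, series, sources


def robust_z(values):
    """Modified z-score: distance from the median in MAD units (scaled to sigma).
    The scale is floored at one event so a quiet host (MAD == 0) still gets finite scores."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    scale = max(1.4826 * mad, 1.0)
    return [(v - med) / scale for v in values]


def detect(lines, allowlist, threshold=3.5):
    """Return (alerts, suppressed): buckets above the threshold, split by the allowlist."""
    grid, series, sources = to_series(parse(lines))
    alerts, suppressed = [], []
    for host, values in series.items():
        for minute, count, z in zip(grid, values, robust_z(values)):
            if z < threshold:          # only unusual increases are interesting
                continue
            srcs = sources[host][minute]
            rec = {"host": host, "minute": minute.isoformat(), "failures": count,
                   "z": round(z, 2), "sources": sorted(srcs)}
            (suppressed if srcs <= allowlist else alerts).append(rec)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = detect(LOG, ALLOWLIST)
    for rec in alerts:
        print("ALERT", rec)
    for rec in suppressed:
        print("suppressed (allowlisted source)", rec)
```

The zero-filled grid is the point of the regularization step: without it a host that is quiet for most of the hour has no "normal" to compare against, and the MAD floor keeps a host whose baseline is zero from dividing by zero. The scanner burst on srv2 scores just as high as the attack on srv1; it is the allowlist, not the model, that keeps it out of the alert queue.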

### Components of an anomaly detection model
* Streaming log entries from multiple systems
  * [Elastic Beats](https://www.elastic.co/beats/) - Lightweight data shippers to Logstash or Elasticsearch
* Centralized service for log data
  * [Elasticsearch, Logstash and Kibana, or the ELK stack](https://www.elastic.co/elastic-stack) - Combining multiple open-source products for searching and visualizing data
* A log parser
  * [Logparser](https://github.com/logpai/logparser) - Toolkit for automated log parsing. Can extract fields from raw log messages according to a defined structure.
* Preprocessing / feature engineering logs for machine learning
  * [Loglizer](https://github.com/logpai/loglizer) - A log analysis toolkit by the same developers as Logparser, provides a way to extract relevant features for machine learning algorithms from structured logs.
* A machine learning model that calculates a score for log events. The score is used to determine whether the event is an anomaly or not. This can be either a classical machine learning algorithm or a deep learning neural network. The classical algorithms are quick to deploy and require less computing power, but they may not adapt to a target environment as flexibly as a neural network, which could lead to more false alarms.
  * [A universal transformer](https://github.com/tensorflow/tensor2tensor/blob/master/tensor2tensor/models/research/universal_transformer.py) trained with either TensorFlow or PyTorch
  * An outlier detection algorithm, like k-nearest neighbors or isolation forest
* A visualization of the anomaly (for example frequency and location of network traffic)
* A whitelist database to prevent false alarms

### Open-source anomaly detection tools and systems

* [Log Anomaly Detector](https://github.com/AICoE/log-anomaly-detector) - Uses Word2Vec and SOM (self-organizing map) for unsupervised learning. 
Grafana visualization for metrics and a "fact store", where false positives are registered.
* [PyOD](https://github.com/yzhao062/pyod) - Python toolkit for anomaly detection with multiple pre-defined machine learning models
* [PyODDS](https://github.com/datamllab/pyodds) - Anomaly detection system similar to PyOD, but also aims to be usable by developers not familiar with machine learning. The system queries data straight from a database for analysis and visualization.
* [PySAD](https://github.com/selimfirat/pysad) - Streaming anomaly detection, with integrations to PyOD models
* [Cyber Log Accelerator](https://github.com/rapidsai/clx) - Uses graphics processing units (GPUs) to accelerate log analysis.

**Automated log analysis tools**

**Windows Event Logs**
* [APT-Hunter](https://github.com/ahmedkhlief/APT-Hunter) - A useful tool for a threat hunter: a PowerShell script gathers Windows event log data, which is then analyzed with a Python script that, for example, searches for executables commonly used by attackers and documents the number of logons.
* [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) - Another useful PowerShell script, which searches Windows EVTX log files for specific event IDs and provides a description of why each might indicate malicious activity.

-------------------------------------------------------------------------------- /Eradicate-Recover/README.md: --------------------------------------------------------------------------------
# Eradication
Eradication is the phase that ensures the attacker's foothold and access have been removed from the environment. Eradication procedures depend on the nature of the attack, but they can include removal of attacker tools and software (e.g. malware), reconstruction of systems or reinstallation from backups.

# Recovery
The recovery phase can begin once it has been confirmed that the remedies have worked. 
Recovery measures may include restoring data from backups, patching vulnerabilities, updating or reinstalling software, and replacing equipment. During the recovery phase, operations are restored to normal.

The end of the disruption should be communicated to the target groups, with communications tailored to the needs of each group. The communication can include, for example, a description of what happened, the general reason for the incident and its outcome. At this stage, information is also provided on any recommendations for action and instructions on how to return to normal operations. After the incident and its effects, it is also useful to organise a joint meeting to discuss the shortcomings and successes identified.

## Documentation
It is important to accurately document the steps involved in mitigation and recovery, as well as any associated evidence and indicators of compromise. This helps to understand what happened and to prevent similar situations from occurring in the future. It can often be challenging to document in real time alongside other recovery activities, but it is important to take sufficient notes to prepare for future incidents. The sooner after recovery the notes are written, the more likely it is that an accurate picture of what happened is recorded.

Improvements in recovery capacity should also be documented by analysing the current situation and the recovery phases of previous disruptions, and identifying key factors such as problems that caused significant delays or small but recurring problems.

## Recovery plan
Systems and processes should have their own recovery plans, which are regularly updated and easily accessible. Recovery plans describe, among other things, the measures, roles and responsibilities for returning to normal and how to communicate in the event of a disruption. 
Continuity planning must take into account the recovery of individual systems and processes as well as recovery at the organisational level. In the event of a large-scale failure, the criticality of systems and the priority of their recovery must be defined. It is important to consider the interactions between systems and any subsystems.

Service providers and subcontractors must also be required to have recovery plans for their services. Recovery plans must be continuously developed according to identified deficiencies, including the definition of timelines and responsible persons for the implementation of repairs. Deficiencies in outsourced services should be addressed and corrected with the service providers. Complaints may also be an option if the service provider has clearly acted in breach of contract or practice.

-------------------------------------------------------------------------------- /Hypotheses/.gitignore: --------------------------------------------------------------------------------
!.gitignore

-------------------------------------------------------------------------------- /Hypotheses/README.md: --------------------------------------------------------------------------------
# Hypotheses

Hypotheses contains two sections, threat modeling and risk management. Threat modeling is used as a part of risk management to find threats. Under threat modeling, there is information about different threat modeling [methodologies](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Threat%20Modeling/Methodologies/README.md).

Risk management contains the different phases of the risk management process. 
Unlike several other risk management processes, this documentation contains [hypotheses](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Hypotheses/README.md) and [risk to threat](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20to%20Threat/README.md) sections under risk assessment. These two sections are important in this risk management documentation.

-------------------------------------------------------------------------------- /Hypotheses/Risk Management/Plan Implementation/README.md: --------------------------------------------------------------------------------
# Plan Implementation

Implementation is the part where the risk mitigation plan is carried out. The stakeholders responsible for mitigating certain risks are informed about the risk(s) and instructed how to deal with them. The risk management team may understand these risks well, but its members may not be the best people to mitigate a certain risk if they have no knowledge of the area the risk concerns. Depending on the risk, mitigation may be done more efficiently if a person or team with experience in that area does the mitigation-related tasks. Cost-effectiveness, for example, could influence the decision of who should do the mitigation. This of course depends on the risk management team's and stakeholders' opinions on what the best option is.

Staff responsible for mitigating risks should keep the risk management team informed about the mitigation process and any issues they have noticed during it, for example anything that could make the mitigation plan difficult to accomplish. If the staff have their own opinions on how to carry out the mitigation or parts of it, they should present these proposals to the risk management team. 
If anything is done differently than originally planned, the risk management team should be informed. Performing actions without discussing them with the risk management team may create new risks if the mitigation is not done accordingly. Supervising the mitigation staff is documented in the next step, [monitoring](../Risk Monitoring/).

As stated in the [evaluation](../Risk Assessment/Risk Evaluation/) section, risks can be dealt with in different ways depending on the risk. For example, the mitigation of some risks may be transferred to a third party, such as taking out insurance for a technical system. There are also positive risks: for example, a company may become so dominant in a certain business area that regulators consider it a monopoly.

-------------------------------------------------------------------------------- /Hypotheses/Risk Management/README.md: --------------------------------------------------------------------------------
# Risk Management

Risk management is the process of identifying risks in an organization, evaluating those risks, prioritizing them by the level of their potential threat, creating a risk management plan, identifying the threat actors that could abuse these risks and turn them into real threats, implementing the plan and continuing to monitor these risks. There are many different views on the steps taken or processes performed in risk management. Some models consist of fewer steps and others contain many operations in a single phase.

In this documentation the risk management phases are these:

1. 
[Risk assessment](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/README.md)
   1.1 [Risk Identification](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20Identification/README.md)
   1.2 [Risk Analysis](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20Analysis/README.md)
   1.3 [Risk Evaluation](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20Evaluation/README.md)
   1.4 [Hypotheses](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Hypotheses/README.md)
   1.5 [Risk to Threat](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20to%20Threat/README.md)
2. [Risk Mitigation Plan](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Mitigation%20Plan/README.md)
3. [Plan Implementation](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Plan%20Implementation/README.md)
4. [Risk Monitoring](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Monitoring/README.md)
5. [Reporting](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Reporting/README.md)

Steps are divided into their own sections, where the actions performed in each step are explained. The purpose of these steps, and of risk management in general, is to pre-emptively prepare for the potential threats that the risks comprise. Damage caused by the threats can be mitigated before it happens. Unknown risks may cause far more serious consequences than risks that have been prepared for.

Risk management shouldn't be a one-time thing. 
It should be a continuous process repeated at certain intervals or milestones, such as notable infrastructure changes in the organization. This way new risks can be discovered as soon as the possibilities for their exploitation appear. After risk management has been done for the first time, future rounds will go much more smoothly, since mistakes made previously can be recognized and avoided. It is also important to note the things done well in previous rounds and make sure they are utilized in future ones.

### References

1. https://www.dau.edu/tools/se-brainbook/Pages/Management%20Processes/Risk-Management.aspx
2. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
3. https://www.dhs.gov/xlibrary/assets/rma-risk-management-fundamentals.pdf

-------------------------------------------------------------------------------- /Hypotheses/Risk Management/Reporting/README.md: --------------------------------------------------------------------------------
# Reporting

During the reporting phase, the organization informs personnel about what has been done during the risk management process. One important thing the report should include is the risk mitigation strategy for each risk and information about the implementation results, e.g. whether the strategies used had the desired results. The report is useful for the organization's personnel, but also for the team doing risk management. The old report can be utilized the next time risk management is done: it contains information about the old risks, how they were mitigated, whether the mitigation was successful and so on. So the report also serves as documentation for the risk management processes to come.

### Report content

Reports are unique to each organization, since risk management processes vary. E.g. the report could include these sections:

1. Risk description: Description of the risk, which can be general or more detailed information.
2. Risk impact: Potential impacts that the risk may cause. This should contain sufficient information about the risk, so that internal audiences get an extensive understanding of the impact.
3. Previous plans and goals: Information about any previous mitigation that may have been used on the risk.
4. Risk mitigation: Mitigation methods that were used during this risk assessment process and the personnel responsible for making the mitigations succeed.
5. Mitigation effects: Detailed effects of the mitigation strategy used.

### Reporting tips

### References

-------------------------------------------------------------------------------- /Hypotheses/Risk Management/Risk Assessment/Hypotheses/README.md: --------------------------------------------------------------------------------
## Risks into hypotheses

Hypotheses can be created based on the known risks. These hypotheses expand the understanding of the impact area of a potential risk. With a single hypothesis, the future impact chain caused by a risk can be envisioned before it has happened. These impact chains may also vary depending on the type of the risk. If the risk's impact is caused by a malicious attacker, the attacker's motivations and goals may define what kind of impact the risk will have. This is discussed further in the [risk to threat](../Risk%20to%20Threat/) section. You can think about different threat scenarios and consider all the risks that may be part of each scenario: combined together, risks create chains, and several risks may cause the same impact, meaning there is a variety of attack chains ending in the same impact. For example, the [attack tree](../../../Threat%20Modeling/Methodologies/Attack%20Tree/) threat modeling methodology can be used to create these chains. This directory contains a few examples of different hypotheses.

Hypotheses may help to find new, undiscovered risks. Whenever a new risk is found, it should be [analysed](../Risk%20Analysis/) and [evaluated](../Risk%20Evaluation/) like all the previously found risks. This creates a cycle inside risk assessment, where the risk management team moves backwards after finding new risks. 

## References

-------------------------------------------------------------------------------- /Hypotheses/Risk Management/Risk Assessment/Hypotheses/hypothesis2.md: --------------------------------------------------------------------------------
### Hypothesis example 2: Software source code stealing

An organization called Globex develops software. The organization has an AD environment with about 500 users. Workstations and servers in the AD are patched. The environment contains an internal Git server where all the software projects are stored. Recently the company made a large purchase, buying 100 new laptops for the developer team of a major AI-related project. This customer project has been under development for 3 years and rumors about it have spread to other companies interested in the technology being developed.

#### Chain of events

One of the new laptops given to the employees contains an extra component on the motherboard. This component gives a malicious actor remote access to the laptop. When the laptop is put into use for the first time, it calls the attacker's CnC server for instructions using a rootkit that the malicious component installed on the system. The attacker wants to remain as silent as possible, so it commands the rootkit to send information about the laptop's system and files to the CnC slowly, so that the malware affects the system's performance as little as possible. When the attacker has received enough information, it determines that the company has an internal Git server containing all the software projects. The rootkit activates a [keylogger](../../../Data%20Collection/tactics/Credential%20Access/T1056/T1056.001/README.md) on the system to capture the user's credentials for the internal Git server account. The next time the user updates the project and enters his username and password along the way, the keylogger captures the combination and sends it to the CnC. 

With the username and password combination, the malware can now log into the Git server through the user's machine, since the user has not enabled [MFA](https://attack.mitre.org/mitigations/M1032/) for authentication. The user has access to all internal projects on the Git server. The attacker commands the malware to list all the projects the user has access to. After receiving the list, the attacker orders the malware to slowly send all the data in the projects to the CnC. This goes on for six months: the malware keeps sending updated data from the Git projects to the CnC. Eventually a person from the company security team notices connections to unusual domains in the firewall logs. The laptop is seized from the employee and investigated. The extra component on the motherboard is found, and all the laptops from the same purchase are also checked for it, but all of them come up clean.

#### Risks associated with the hypothesis

Unlike the previous hypothesis, this one did not rely on any vulnerability in software; even so, this kind of data exfiltration can be very harmful to the company's reputation. The attacker had access to the AI project's source code, which is a big setback, especially since the customer owns the project and not the software company, which is only developing it. The attacker was targeting the AI project but also got access to other projects, which made the attack more severe. Depending on the attacker, they may for example sell the project data on the dark web or blackmail the organization for ransom.

Some of the risks listed in the hypothesis are gathered below:

1. Backdoor in laptop motherboard: One of the new laptops bought had a malicious component attached to it. This component established a backdoor to the laptop for attackers interested in the software being developed. The initial access method the attackers used is called hardware supply chain compromise. In this attack the malicious component was visible, but a firmware-based attack would leave no visible component to look for. Noticing this kind of attack would require thorough examination of the components and firmware of all new devices. That would require a lot of extra work; a better investment could be, for example, a trusted platform module in each system (to measure and attest what boots), or a SOC service doing threat hunting, which would also help in other threat scenarios.
2. Git account had no MFA: If the user had enabled MFA for his Git account, capturing the user's credentials would not have been enough for the attacker to gain access to the account. There are several ways to implement MFA, e.g. SMS tokens or biometric verification.
3. Git account had permissions to all the projects: The user affected by the malware had an internal Git account with access to all the projects. The attacker acquired the account's credentials using the keylogger and was then able to fetch all the Git projects, using the user's laptop as a proxy between the internal Git server and the attacker's CnC server. The account should only have had access to the projects he was actually developing. Far fewer projects would have been compromised if that had been the case.
4. Data leak: The attacker was able to transmit data from the organization's network to their CnC network. The organization had no way to stop the data from leaking to the internet. One way to mitigate this would be more restrictive firewall rules to filter network traffic, or some form of network intrusion prevention.
5. Slow reaction: It took the organization 6 months to react to this data exfiltration. These incidents can be hard to spot, since traces of them have to be looked for manually if there is no IDS or other kind of surveillance, such as a SOC service, in place. In some cases these events are never detected, especially if the attacker has access to system logs and is able to manipulate them while administrators do no real-time investigation and rely only on logs.

## References

-------------------------------------------------------------------------------- /Hypotheses/Risk Management/Risk Assessment/README.md: --------------------------------------------------------------------------------
# Risk Assessment

Risk management starts with risk assessment, which consists of five consecutive phases. These phases cover identification of risks, analysis of the risks found, evaluation of their criticality, hypotheses based on the risks, and risk to threat, where risks are refined into threats. After the risk assessment is done, the potential risks should be identified, analysed and categorized, so that the next [step](../Risk Mitigation Plan/) of the process can be conducted. Risk assessment steps differ between sources. Usually risk assessment consists of the first three steps (identification, analysis and evaluation). In this documentation, hypotheses and risk to threat were added as their own steps in the risk assessment process.

Risk assessment should be planned carefully before its execution. Preparation includes identifying the assessment's purpose, determining its scope, and identifying the risk model and analytic approaches used during the assessment.

### References

-------------------------------------------------------------------------------- /Hypotheses/Risk Management/Risk Assessment/Risk Analysis/README.md: --------------------------------------------------------------------------------
# Risk Analysis

After the risks are identified in the first phase of the risk assessment process, they should be analyzed. Analysis is done to understand the likelihood and consequences of each risk. Information such as historical data and theoretical analysis about each risk should be gathered to gain a greater understanding of it.

### Analysis Methods

Risks can be assessed using different methodologies. 
In this documentation the methods are grouped into qualitative, semi-quantitative and quantitative methodologies.

In **qualitative** methods, the potential losses caused by a risk are determined using metrics such as the vulnerabilities related to the risk or the controls that reduce the risk's effect. After the risk has been characterized with those metrics, it can be placed in a matrix using importance and likelihood of occurrence as the axes. CIRA and CORAS are methodologies using a qualitative approach.

**Semi-quantitative** methods are used to describe a relative risk scale. This approach tries to combine the benefits of qualitative and quantitative methodologies while reducing the disadvantages of both. Risks are classified into rankings such as low, medium and high; there must be at least 3 levels. A risk-level matrix with two metrics, impact and threat likelihood, is created using these levels. Each level corresponds to a certain number of points, e.g. low impact could be 10 points and critical impact 100 points, and each likelihood level to a weight between 0 and 1. Higher impact and likelihood mean more points. The table below contains an example of a risk-level matrix.

|                       | Impact                | Impact                    | Impact                   | Impact                     |
|-----------------------|-----------------------|---------------------------|--------------------------|----------------------------|
| **Threat Likelihood** | Low (10)              | Medium (50)               | High (75)                | Critical (100)             |
| Critical (1.0)        | Low (1.0 x 10 = 10)   | Medium (1.0 x 50 = 50)    | High (1.0 x 75 = 75)     | Critical (1.0 x 100 = 100) |
| High (0.75)           | Low (0.75 x 10 = 7.5) | Medium (0.75 x 50 = 37.5) | High (0.75 x 75 = 56.25) | High (0.75 x 100 = 75)     |
| Medium (0.5)          | Low (0.5 x 10 = 5)    | Medium (0.5 x 50 = 25)    | Medium (0.5 x 75 = 37.5) | Medium (0.5 x 100 = 50)    |
| Low (0.1)             | Low (0.1 x 10 = 1)    | Low (0.1 x 50 = 5)        | Low (0.1 x 75 = 7.5)     | Low (0.1 x 100 = 10)       |

As seen from the table above, each risk gets a rating between 1 and 100; in this example the rating bands are Low up to 10, Medium above 10 up to 50, High above 50 up to 75 and Critical above 75. 
The rating reflects the seriousness of the risk and should be taken into account when doing [risk evaluation](../Risk%20Evaluation/).

**Quantitative** risk assessment offers a more mathematical and objective approach than qualitative methods. Quantitative approaches include the Monte Carlo method, the historical simulation method, IS, ISRAM and the Delphi method.
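The following is an added example (not part of the PHR-model documentation) of the semi-quantitative method above as code: it rebuilds the risk-level matrix from the impact points and likelihood weights in the table and then ranks a risk register with it. The band boundaries (Low up to 10, Medium up to 50, High up to 75, Critical above that) are read off the table's cell labels and are an assumption of this example; the risk register is constructed.

```python
"""Semi-quantitative risk rating: the risk-level matrix from the text as code.

Added example, not part of the PHR-model documentation. Impact points and
likelihood weights are the table's; the band boundaries are inferred from
the table's cell labels (an assumption); the risk register is constructed.
"""
IMPACT = {"Low": 10, "Medium": 50, "High": 75, "Critical": 100}
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 0.75, "Critical": 1.0}
# (inclusive upper bound, band label), checked in ascending order
BANDS = [(10, "Low"), (50, "Medium"), (75, "High"), (100, "Critical")]


def score(likelihood, impact):
    """Rating = likelihood weight x impact points, exactly as in the table."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(rating):
    """Map a 1-100 rating to its band; a 75 is High, anything above is Critical."""
    for upper, label in BANDS:
        if rating <= upper:
            return label
    raise ValueError(f"rating {rating} outside the 0-100 scale")


def matrix():
    """Rebuild the whole table as {(likelihood, impact): (rating, band)}."""
    return {(l, i): (score(l, i), band(score(l, i))) for l in LIKELIHOOD for i in IMPACT}


def rank(register):
    """Rank a register of (name, likelihood, impact) by rating, highest first.
    Ties keep register order, so put the risk you want treated first earlier."""
    rows = [(name, score(l, i), band(score(l, i))) for name, l, i in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


REGISTER = [  # constructed risk register
    ("Unpatched internet-facing VPN appliance", "High", "Critical"),
    ("Git accounts without MFA", "Medium", "High"),
    ("Laptop supply chain implant", "Low", "Critical"),
    ("Stale contractor accounts", "High", "Medium"),
]

if __name__ == "__main__":
    for name, rating, label in rank(REGISTER):
        print(f"{label:9} {rating:6.2f}  {name}")
```

Two things the table shows only implicitly become visible when you run it: a risk whose impact is Critical but whose likelihood is Low lands in the Low band (0.1 x 100 = 10), which is why the hypotheses section is needed to argue likelihood up for supply-chain style risks, and two risks with different profiles (Medium/High and High/Medium) can tie at 37.5, so the rating alone does not decide their order in the evaluation step.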