├── .github
└── workflows
│ └── deploy.yml
├── .gitignore
├── .pre-commit-config.yaml
├── .vscode
├── launch.json
└── settings.json
├── CONTRIBUTION.md
├── Dockerfile
├── INSTALLATION.md
├── LICENSE
├── NOTICE.md
├── README.md
├── VISION.md
├── assets
└── ermack-logo-dark.png
├── config.yml
├── data
├── __init__.py
├── en
│ ├── artifacts
│ │ ├── A_1001_windows_domain_account
│ │ │ └── A_1001_windows_domain_account.yml
│ │ ├── A_1002_dns_traffic
│ │ │ └── A_1002_dns_traffic.yml
│ │ ├── A_1003_windows_local_account
│ │ │ └── A_1003_windows_local_account.yml
│ │ ├── A_1004_linux_local_account
│ │ │ └── A_1004_linux_local_account.yml
│ │ ├── A_1005_host
│ │ │ └── A_1005_host.yml
│ │ ├── A_1006_owa_web_token
│ │ │ └── A_1006_owa_web_token.yml
│ │ ├── A_1007_ip_address
│ │ │ └── A_1007_ip_address.yml
│ │ ├── A_1008_log
│ │ │ └── A_1008_log.yml
│ │ ├── A_1009_kerberos_network_traffic
│ │ │ └── A_1009_kerberos_network_traffic.yml
│ │ ├── A_1009_privileged_user_account
│ │ │ └── A_1009_privileged_user_account.yml
│ │ ├── A_1010_authentication_service
│ │ │ └── A_1010_authentication_service.yml
│ │ ├── A_1011_certificate
│ │ │ └── A_1011_certificate.yml
│ │ ├── A_1012_private_key
│ │ │ └── A_1012_private_key.yml
│ │ ├── A_1013_certificate_authority
│ │ │ └── A_1013_certificate_authority.yml
│ │ ├── A_1014_access_right
│ │ │ └── A_1014_access_right.yml
│ │ ├── A_1015_directory_service_object_attribute
│ │ │ └── A_1015_directory_service_object_attribute.yml
│ │ ├── A_1016_kerberos_ticket_granting_tickets
│ │ │ └── A_1016_kerberos_ticket_granting_tickets.yml
│ │ ├── A_1017_url
│ │ │ └── A_1017_url.yml
│ │ ├── A_3001_email_message
│ │ │ └── A_3001_email_message.yml
│ │ ├── A_3002_file
│ │ │ └── A_3002_file.yml
│ │ ├── A_3003_operating_system_executable_file
│ │ │ └── A_3003_operating_system_executable_file.yml
│ │ ├── A_3004_object_file
│ │ │ └── A_3004_object_file.yml
│ │ ├── A_3005_executable_binary
│ │ │ └── A_3005_executable_binary.yml
│ │ ├── A_3006_com_object
│ │ │ └── A_3006_com_object.yml
│ │ ├── A_3007_login_session
│ │ │ └── A_3007_login_session.yml
│ │ ├── A_4001_process
│ │ │ └── A_4001_process.yml
│ │ ├── A_4002_process_image
│ │ │ └── A_4002_process_image.yml
│ │ ├── A_4003_remote_session
│ │ │ └── A_4003_remote_session.yml
│ │ ├── A_5001_executable_script
│ │ │ └── A_5001_executable_script.yml
│ │ ├── A_5002_windows_registry
│ │ │ └── A_5002_windows_registry.yml
│ │ ├── A_5003_windows_pipe
│ │ │ └── A_5003_windows_pipe.yml
│ │ ├── A_5004_access_token
│ │ │ └── A_5004_access_token.yml
│ │ ├── A_5005_encrypted_credential
│ │ │ └── A_5005_encrypted_credential.yml
│ │ ├── A_5006_credential
│ │ │ └── A_5006_credential.yml
│ │ ├── A_5007_remote_session
│ │ │ └── A_5007_remote_session.yml
│ │ ├── A_5008_password
│ │ │ └── A_5008_password.yml
│ │ ├── A_5009_password_file
│ │ │ └── A_5009_password_file.yml
│ │ ├── A_5010_service_application
│ │ │ └── A_5010_service_application.yml
│ │ ├── A_5011_RPC_network_traffic
│ │ │ └── A_5011_RPC_network_traffic.yml
│ │ └── A_5012_remote_procedure_call
│ │ │ └── A_5012_remote_procedure_call.yml
│ ├── infrastructure_profiles
│ │ └── test_infrastructure_profile
│ │ │ ├── test_infrastructure_profile.yml
│ │ │ └── test_infrastructure_profile.yml.bak
│ ├── response_actions
│ │ ├── RA_1001_practice
│ │ │ └── RA_1001_practice.yml
│ │ ├── RA_1002_take_trainings
│ │ │ └── RA_1002_take_trainings.yml
│ │ ├── RA_1003_raise_personnel_awareness
│ │ │ └── RA_1003_raise_personnel_awareness.yml
│ │ ├── RA_1004_make_personnel_report_suspicious_activity
│ │ │ └── RA_1004_make_personnel_report_suspicious_activity.yml
│ │ ├── RA_1005_set_up_relevant_data_collection
│ │ │ └── RA_1005_set_up_relevant_data_collection.yml
│ │ ├── RA_1006_set_up_a_centralized_long-term_log_storage
│ │ │ └── RA_1006_set_up_a_centralized_long-term_log_storage.yml
│ │ ├── RA_1007_develop_communication_map
│ │ │ └── RA_1007_develop_communication_map.yml
│ │ ├── RA_1008_make_sure_there_are_backups
│ │ │ └── RA_1008_make_sure_there_are_backups.yml
│ │ ├── RA_1009_get_network_architecture_map
│ │ │ └── RA_1009_get_network_architecture_map.yml
│ │ ├── RA_1010_get_access_control_matrix
│ │ │ └── RA_1010_get_access_control_matrix.yml
│ │ ├── RA_1011_develop_assets_knowledge_base
│ │ │ └── RA_1011_develop_assets_knowledge_base.yml
│ │ ├── RA_1012_check_analysis_toolset
│ │ │ └── RA_1012_check_analysis_toolset.yml
│ │ ├── RA_1013_access_vulnerability_management_system_logs
│ │ │ └── RA_1013_access_vulnerability_management_system_logs.yml
│ │ ├── RA_1014_connect_with_trusted_communities
│ │ │ └── RA_1014_connect_with_trusted_communities.yml
│ │ ├── RA_1015_define_teams_and_roles
│ │ │ └── RA_1015_define_teams_and_roles.yml
│ │ ├── RA_1016_define_escalation_path
│ │ │ └── RA_1016_define_escalation_path.yml
│ │ ├── RA_1017_prepare_golden_images
│ │ │ └── RA_1017_prepare_golden_images.yml
│ │ ├── RA_1018_deploy_edr_solution
│ │ │ └── RA_1018_deploy_edr_solution.yml
│ │ ├── RA_1019_check_monitoring_toolset
│ │ │ └── RA_1019_check_monitoring_toolset.yml
│ │ ├── RA_1020_prepare_acquisition_profiles
│ │ │ └── RA_1020_prepare_acquisition_profiles.yml
│ │ ├── RA_1021_prepare_golden_image_comparsion_tool
│ │ │ └── RA_1021_prepare_golden_image_comparsion_tool.yml
│ │ ├── RA_1101_access_external_network_flow_logs
│ │ │ └── RA_1101_access_external_network_flow_logs.yml
│ │ ├── RA_1102_access_internal_network_flow_logs
│ │ │ └── RA_1102_access_internal_network_flow_logs.yml
│ │ ├── RA_1103_access_internal_http_logs
│ │ │ └── RA_1103_access_internal_http_logs.yml
│ │ ├── RA_1104_access_external_http_logs
│ │ │ └── RA_1104_access_external_http_logs.yml
│ │ ├── RA_1105_access_internal_dns_logs
│ │ │ └── RA_1105_access_internal_dns_logs.yml
│ │ ├── RA_1106_access_external_dns_logs
│ │ │ └── RA_1106_access_external_dns_logs.yml
│ │ ├── RA_1107_access_vpn_logs
│ │ │ └── RA_1107_access_vpn_logs.yml
│ │ ├── RA_1108_access_dhcp_logs
│ │ │ └── RA_1108_access_dhcp_logs.yml
│ │ ├── RA_1109_access_internal_packet_capture_data
│ │ │ └── RA_1109_access_internal_packet_capture_data.yml
│ │ ├── RA_1110_access_external_packet_capture_data
│ │ │ └── RA_1110_access_external_packet_capture_data.yml
│ │ ├── RA_1111_get_ability_to_block_external_ip_address
│ │ │ └── RA_1111_get_ability_to_block_external_ip_address.yml
│ │ ├── RA_1112_get_ability_to_block_internal_ip_address
│ │ │ └── RA_1112_get_ability_to_block_internal_ip_address.yml
│ │ ├── RA_1113_get_ability_to_block_external_domain
│ │ │ └── RA_1113_get_ability_to_block_external_domain.yml
│ │ ├── RA_1114_get_ability_to_block_internal_domain
│ │ │ └── RA_1114_get_ability_to_block_internal_domain.yml
│ │ ├── RA_1115_get_ability_to_block_external_url
│ │ │ └── RA_1115_get_ability_to_block_external_url.yml
│ │ ├── RA_1116_get_ability_to_block_internal_url
│ │ │ └── RA_1116_get_ability_to_block_internal_url.yml
│ │ ├── RA_1117_get_ability_to_block_port_external_communication
│ │ │ └── RA_1117_get_ability_to_block_port_external_communication.yml
│ │ ├── RA_1118_get_ability_to_block_port_internal_communication
│ │ │ └── RA_1118_get_ability_to_block_port_internal_communication.yml
│ │ ├── RA_1119_get_ability_to_block_user_external_communication
│ │ │ └── RA_1119_get_ability_to_block_user_external_communication.yml
│ │ ├── RA_1120_get_ability_to_block_user_internal_communication
│ │ │ └── RA_1120_get_ability_to_block_user_internal_communication.yml
│ │ ├── RA_1121_get_ability_to_find_data_transferred_by_content_pattern
│ │ │ └── RA_1121_get_ability_to_find_data_transferred_by_content_pattern.yml
│ │ ├── RA_1122_get_ability_to_block_data_transferring_by_content_pattern
│ │ │ └── RA_1122_get_ability_to_block_data_transferring_by_content_pattern.yml
│ │ ├── RA_1123_get_ability_to_list_data_transferred
│ │ │ └── RA_1123_get_ability_to_list_data_transferred.yml
│ │ ├── RA_1124_get_ability_to_collect_transferred_data
│ │ │ └── RA_1124_get_ability_to_collect_transferred_data.yml
│ │ ├── RA_1125_get_ability_to_identify_transferred_data
│ │ │ └── RA_1125_get_ability_to_identify_transferred_data.yml
│ │ ├── RA_1126_find_data_transferred_by_content_pattern
│ │ │ └── RA_1126_find_data_transferred_by_content_pattern.yml
│ │ ├── RA_1127_get_ability_to_analyse_user-agent
│ │ │ └── RA_1127_get_ability_to_analyse_user-agent.yml
│ │ ├── RA_1128_get_ability_to_list_firewall_rules
│ │ │ └── RA_1128_get_ability_to_list_firewall_rules.yml
│ │ ├── RA_1129_make_sure_all_hosts_get_setting_on_same_ntp
│ │ │ └── RA_1129_make_sure_all_hosts_get_setting_on_same_ntp.yml
│ │ ├── RA_1130_prepare_network_activity_profiles
│ │ │ └── RA_1130_prepare_network_activity_profiles.yml
│ │ ├── RA_1201_get_ability_to_list_users_opened_email_message
│ │ │ └── RA_1201_get_ability_to_list_users_opened_email_message.yml
│ │ ├── RA_1202_get_ability_to_list_email_message_receivers
│ │ │ └── RA_1202_get_ability_to_list_email_message_receivers.yml
│ │ ├── RA_1203_get_ability_to_block_email_domain
│ │ │ └── RA_1203_get_ability_to_block_email_domain.yml
│ │ ├── RA_1204_get_ability_to_block_email_sender
│ │ │ └── RA_1204_get_ability_to_block_email_sender.yml
│ │ ├── RA_1205_get_ability_to_delete_email_message
│ │ │ └── RA_1205_get_ability_to_delete_email_message.yml
│ │ ├── RA_1206_get_ability_to_quarantine_email_message
│ │ │ └── RA_1206_get_ability_to_quarantine_email_message.yml
│ │ ├── RA_1207_get_ability_to_collect_email_message
│ │ │ └── RA_1207_get_ability_to_collect_email_message.yml
│ │ ├── RA_1208_get_ability_to_analyse_email_address
│ │ │ └── RA_1208_get_ability_to_analyse_email_address.yml
│ │ ├── RA_1301_get_ability_to_list_files_created
│ │ │ └── RA_1301_get_ability_to_list_files_created.yml
│ │ ├── RA_1302_get_ability_to_list_files_modified
│ │ │ └── RA_1302_get_ability_to_list_files_modified.yml
│ │ ├── RA_1303_get_ability_to_list_files_deleted
│ │ │ └── RA_1303_get_ability_to_list_files_deleted.yml
│ │ ├── RA_1304_get_ability_to_list_files_downloaded
│ │ │ └── RA_1304_get_ability_to_list_files_downloaded.yml
│ │ ├── RA_1305_get_ability_to_list_files_with_tampered_timestamps
│ │ │ └── RA_1305_get_ability_to_list_files_with_tampered_timestamps.yml
│ │ ├── RA_1306_get_ability_to_find_file_by_path
│ │ │ └── RA_1306_get_ability_to_find_file_by_path.yml
│ │ ├── RA_1307_get_ability_to_find_file_by_metadata
│ │ │ └── RA_1307_get_ability_to_find_file_by_metadata.yml
│ │ ├── RA_1308_get_ability_to_find_file_by_hash
│ │ │ └── RA_1308_get_ability_to_find_file_by_hash.yml
│ │ ├── RA_1309_get_ability_to_find_file_by_format
│ │ │ └── RA_1309_get_ability_to_find_file_by_format.yml
│ │ ├── RA_1310_get_ability_to_find_file_by_content_pattern
│ │ │ └── RA_1310_get_ability_to_find_file_by_content_pattern.yml
│ │ ├── RA_1311_get_ability_to_collect_file
│ │ │ └── RA_1311_get_ability_to_collect_file.yml
│ │ ├── RA_1312_get_ability_to_quarantine_file_by_path
│ │ │ └── RA_1312_get_ability_to_quarantine_file_by_path.yml
│ │ ├── RA_1313_get_ability_to_quarantine_file_by_hash
│ │ │ └── RA_1313_get_ability_to_quarantine_file_by_hash.yml
│ │ ├── RA_1314_get_ability_to_quarantine_file_by_format
│ │ │ └── RA_1314_get_ability_to_quarantine_file_by_format.yml
│ │ ├── RA_1315_get_ability_to_quarantine_file_by_content_pattern
│ │ │ └── RA_1315_get_ability_to_quarantine_file_by_content_pattern.yml
│ │ ├── RA_1316_get_ability_to_remove_file
│ │ │ └── RA_1316_get_ability_to_remove_file.yml
│ │ ├── RA_1317_get_ability_to_analyse_file_hash
│ │ │ └── RA_1317_get_ability_to_analyse_file_hash.yml
│ │ ├── RA_1318_get_ability_to_analyse_windows_pe
│ │ │ └── RA_1318_get_ability_to_analyse_windows_pe.yml
│ │ ├── RA_1319_get_ability_to_analyse_macos_macho
│ │ │ └── RA_1319_get_ability_to_analyse_macos_macho.yml
│ │ ├── RA_1320_get_ability_to_analyse_unix_elf
│ │ │ └── RA_1320_get_ability_to_analyse_unix_elf.yml
│ │ ├── RA_1321_get_ability_to_analyse_ms_office_file
│ │ │ └── RA_1321_get_ability_to_analyse_ms_office_file.yml
│ │ ├── RA_1322_get_ability_to_analyse_pdf_file
│ │ │ └── RA_1322_get_ability_to_analyse_pdf_file.yml
│ │ ├── RA_1323_get_ability_to_analyse_script
│ │ │ └── RA_1323_get_ability_to_analyse_script.yml
│ │ ├── RA_1324_get_ability_to_analyse_jar
│ │ │ └── RA_1324_get_ability_to_analyse_jar.yml
│ │ ├── RA_1325_get_ability_to_analyse_filename
│ │ │ └── RA_1325_get_ability_to_analyse_filename.yml
│ │ ├── RA_1401_get_ability_to_list_processes_executed
│ │ │ └── RA_1401_get_ability_to_list_processes_executed.yml
│ │ ├── RA_1402_get_ability_to_find_process_by_executable_path
│ │ │ └── RA_1402_get_ability_to_find_process_by_executable_path.yml
│ │ ├── RA_1403_get_ability_to_find_process_by_executable_metadata
│ │ │ └── RA_1403_get_ability_to_find_process_by_executable_metadata.yml
│ │ ├── RA_1404_get_ability_to_find_process_by_executable_hash
│ │ │ └── RA_1404_get_ability_to_find_process_by_executable_hash.yml
│ │ ├── RA_1405_get_ability_to_find_process_by_executable_format
│ │ │ └── RA_1405_get_ability_to_find_process_by_executable_format.yml
│ │ ├── RA_1406_get_ability_to_find_process_by_executable_content_pattern
│ │ │ └── RA_1406_get_ability_to_find_process_by_executable_content_pattern.yml
│ │ ├── RA_1407_get_ability_to_block_process_by_executable_path
│ │ │ └── RA_1407_get_ability_to_block_process_by_executable_path.yml
│ │ ├── RA_1408_get_ability_to_block_process_by_executable_metadata
│ │ │ └── RA_1408_get_ability_to_block_process_by_executable_metadata.yml
│ │ ├── RA_1409_get_ability_to_block_process_by_executable_hash
│ │ │ └── RA_1409_get_ability_to_block_process_by_executable_hash.yml
│ │ ├── RA_1410_get_ability_to_block_process_by_executable_format
│ │ │ └── RA_1410_get_ability_to_block_process_by_executable_format.yml
│ │ ├── RA_1411_get_ability_to_block_process_by_executable_content_pattern
│ │ │ └── RA_1411_get_ability_to_block_process_by_executable_content_pattern.yml
│ │ ├── RA_1412_prepare_process_activity_profiles
│ │ │ └── RA_1412_prepare_process_activity_profiles.yml
│ │ ├── RA_1501_manage_remote_computer_management_system_policies
│ │ │ └── RA_1501_manage_remote_computer_management_system_policies.yml
│ │ ├── RA_1502_get_ability_to_list_registry_keys_modified
│ │ │ └── RA_1502_get_ability_to_list_registry_keys_modified.yml
│ │ ├── RA_1503_get_ability_to_list_registry_keys_deleted
│ │ │ └── RA_1503_get_ability_to_list_registry_keys_deleted.yml
│ │ ├── RA_1504_get_ability_to_list_registry_keys_accessed
│ │ │ └── RA_1504_get_ability_to_list_registry_keys_accessed.yml
│ │ ├── RA_1505_get_ability_to_list_registry_keys_created
│ │ │ └── RA_1505_get_ability_to_list_registry_keys_created.yml
│ │ ├── RA_1506_get_ability_to_list_services_created
│ │ │ └── RA_1506_get_ability_to_list_services_created.yml
│ │ ├── RA_1507_get_ability_to_list_services_modified
│ │ │ └── RA_1507_get_ability_to_list_services_modified.yml
│ │ ├── RA_1508_get_ability_to_list_services_deleted
│ │ │ └── RA_1508_get_ability_to_list_services_deleted.yml
│ │ ├── RA_1509_get_ability_to_remove_registry_key
│ │ │ └── RA_1509_get_ability_to_remove_registry_key.yml
│ │ ├── RA_1510_get_ability_to_remove_service
│ │ │ └── RA_1510_get_ability_to_remove_service.yml
│ │ ├── RA_1511_get_ability_to_analyse_registry_key
│ │ │ └── RA_1511_get_ability_to_analyse_registry_key.yml
│ │ ├── RA_1601_manage_identity_management_system
│ │ │ └── RA_1601_manage_identity_management_system.yml
│ │ ├── RA_1602_get_ability_to_lock_user_account
│ │ │ └── RA_1602_get_ability_to_lock_user_account.yml
│ │ ├── RA_1603_get_ability_to_list_users_authenticated
│ │ │ └── RA_1603_get_ability_to_list_users_authenticated.yml
│ │ ├── RA_1604_get_ability_to_revoke_authentication_credentials
│ │ │ └── RA_1604_get_ability_to_revoke_authentication_credentials.yml
│ │ ├── RA_1605_get_ability_to_remove_user_account
│ │ │ └── RA_1605_get_ability_to_remove_user_account.yml
│ │ ├── RA_1606_get_ability_to_list_user_accounts
│ │ │ └── RA_1606_get_ability_to_list_user_accounts.yml
│ │ ├── RA_2001_list_victims_of_security_alert
│ │ │ └── RA_2001_list_victims_of_security_alert.yml
│ │ ├── RA_2002_list_host_vulnerabilities
│ │ │ └── RA_2002_list_host_vulnerabilities.yml
│ │ ├── RA_2003_put_compromised_accounts_on_monitoring
│ │ │ └── RA_2003_put_compromised_accounts_on_monitoring.yml
│ │ ├── RA_2004_find_compromised_host
│ │ │ └── RA_2004_find_compromised_host.yml
│ │ ├── RA_2005_make_a_volatile_memory_capture
│ │ │ └── RA_2005_make_a_volatile_memory_capture.yml
│ │ ├── RA_2006_conduct_memory_analysis
│ │ │ └── RA_2006_conduct_memory_analysis.yml
│ │ ├── RA_2007_build_super_timeline
│ │ │ └── RA_2007_build_super_timeline.yml
│ │ ├── RA_2008_prepare_iocs_list
│ │ │ └── RA_2008_prepare_iocs_list.yml
│ │ ├── RA_2009_scan_with_iocs_and_rules
│ │ │ └── RA_2009_scan_with_iocs_and_rules.yml
│ │ ├── RA_2101_list_hosts_communicated_with_internal_domain
│ │ │ └── RA_2101_list_hosts_communicated_with_internal_domain.yml
│ │ ├── RA_2102_list_hosts_communicated_with_internal_ip
│ │ │ └── RA_2102_list_hosts_communicated_with_internal_ip.yml
│ │ ├── RA_2103_list_hosts_communicated_with_internal_url
│ │ │ └── RA_2103_list_hosts_communicated_with_internal_url.yml
│ │ ├── RA_2104_analyse_domain_name
│ │ │ └── RA_2104_analyse_domain_name.yml
│ │ ├── RA_2105_analyse_ip
│ │ │ └── RA_2105_analyse_ip.yml
│ │ ├── RA_2106_analyse_uri
│ │ │ └── RA_2106_analyse_uri.yml
│ │ ├── RA_2107_list_hosts_communicated_by_port
│ │ │ └── RA_2107_list_hosts_communicated_by_port.yml
│ │ ├── RA_2108_list_hosts_connected_to_vpn
│ │ │ └── RA_2108_list_hosts_connected_to_vpn.yml
│ │ ├── RA_2109_list_hosts_connected_to_intranet
│ │ │ └── RA_2109_list_hosts_connected_to_intranet.yml
│ │ ├── RA_2110_list_data_transferred
│ │ │ └── RA_2110_list_data_transferred.yml
│ │ ├── RA_2111_collect_transferred_data
│ │ │ └── RA_2111_collect_transferred_data.yml
│ │ ├── RA_2112_identify_transferred_data
│ │ │ └── RA_2112_identify_transferred_data.yml
│ │ ├── RA_2113_list_hosts_communicated_with_external_domain
│ │ │ └── RA_2113_list_hosts_communicated_with_external_domain.yml
│ │ ├── RA_2114_list_hosts_communicated_with_external_ip
│ │ │ └── RA_2114_list_hosts_communicated_with_external_ip.yml
│ │ ├── RA_2115_list_hosts_communicated_with_external_url
│ │ │ └── RA_2115_list_hosts_communicated_with_external_url.yml
│ │ ├── RA_2116_find_data_transferred_by_content_pattern
│ │ │ └── RA_2116_find_data_transferred_by_content_pattern.yml
│ │ ├── RA_2117_analyse_user-agent
│ │ │ └── RA_2117_analyse_user-agent.yml
│ │ ├── RA_2118_list_firewall_rules
│ │ │ └── RA_2118_list_firewall_rules.yml
│ │ ├── RA_2120_identify_impacted_services
│ │ │ └── RA_2120_identify_impacted_services.yml
│ │ ├── RA_2121_identify_useful_security_systems
│ │ │ └── RA_2121_identify_useful_security_systems.yml
│ │ ├── RA_2201_list_users_opened_email_message
│ │ │ └── RA_2201_list_users_opened_email_message.yml
│ │ ├── RA_2202_collect_email_message
│ │ │ └── RA_2202_collect_email_message.yml
│ │ ├── RA_2203_list_email_message_receivers
│ │ │ └── RA_2203_list_email_message_receivers.yml
│ │ ├── RA_2204_make_sure_email_message_is_phishing
│ │ │ └── RA_2204_make_sure_email_message_is_phishing.yml
│ │ ├── RA_2205_extract_observables_from_email_message
│ │ │ └── RA_2205_extract_observables_from_email_message.yml
│ │ ├── RA_2206_analyse_email_address
│ │ │ └── RA_2206_analyse_email_address.yml
│ │ ├── RA_2301_list_files_created
│ │ │ └── RA_2301_list_files_created.yml
│ │ ├── RA_2302_list_files_modified
│ │ │ └── RA_2302_list_files_modified.yml
│ │ ├── RA_2303_list_files_deleted
│ │ │ └── RA_2303_list_files_deleted.yml
│ │ ├── RA_2304_list_files_downloaded
│ │ │ └── RA_2304_list_files_downloaded.yml
│ │ ├── RA_2305_list_files_with_tampered_timestamps
│ │ │ └── RA_2305_list_files_with_tampered_timestamps.yml
│ │ ├── RA_2306_find_file_by_path
│ │ │ └── RA_2306_find_file_by_path.yml
│ │ ├── RA_2307_find_file_by_metadata
│ │ │ └── RA_2307_find_file_by_metadata.yml
│ │ ├── RA_2308_find_file_by_hash
│ │ │ └── RA_2308_find_file_by_hash.yml
│ │ ├── RA_2309_find_file_by_format
│ │ │ └── RA_2309_find_file_by_format.yml
│ │ ├── RA_2310_find_file_by_content_pattern
│ │ │ └── RA_2310_find_file_by_content_pattern.yml
│ │ ├── RA_2311_collect_file
│ │ │ └── RA_2311_collect_file.yml
│ │ ├── RA_2312_analyse_file_hash
│ │ │ └── RA_2312_analyse_file_hash.yml
│ │ ├── RA_2313_analyse_windows_pe
│ │ │ └── RA_2313_analyse_windows_pe.yml
│ │ ├── RA_2314_analyse_macos_macho
│ │ │ └── RA_2314_analyse_macos_macho.yml
│ │ ├── RA_2315_analyse_unix_elf
│ │ │ └── RA_2315_analyse_unix_elf.yml
│ │ ├── RA_2316_analyse_ms_office_file
│ │ │ └── RA_2316_analyse_ms_office_file.yml
│ │ ├── RA_2317_analyse_pdf_file
│ │ │ └── RA_2317_analyse_pdf_file.yml
│ │ ├── RA_2318_analyse_script
│ │ │ └── RA_2318_analyse_script.yml
│ │ ├── RA_2319_analyse_jar
│ │ │ └── RA_2319_analyse_jar.yml
│ │ ├── RA_2320_analyse_filename
│ │ │ └── RA_2320_analyse_filename.yml
│ │ ├── RA_2401_list_processes_executed
│ │ │ └── RA_2401_list_processes_executed.yml
│ │ ├── RA_2402_find_process_by_executable_path
│ │ │ └── RA_2402_find_process_by_executable_path.yml
│ │ ├── RA_2403_find_process_by_executable_metadata
│ │ │ └── RA_2403_find_process_by_executable_metadata.yml
│ │ ├── RA_2404_find_process_by_executable_hash
│ │ │ └── RA_2404_find_process_by_executable_hash.yml
│ │ ├── RA_2405_find_process_by_executable_format
│ │ │ └── RA_2405_find_process_by_executable_format.yml
│ │ ├── RA_2406_find_process_by_executable_content_pattern
│ │ │ └── RA_2406_find_process_by_executable_content_pattern.yml
│ │ ├── RA_2501_list_registry_keys_modified
│ │ │ └── RA_2501_list_registry_keys_modified.yml
│ │ ├── RA_2502_list_registry_keys_deleted
│ │ │ └── RA_2502_list_registry_keys_deleted.yml
│ │ ├── RA_2503_list_registry_keys_accessed
│ │ │ └── RA_2503_list_registry_keys_accessed.yml
│ │ ├── RA_2504_list_registry_keys_created
│ │ │ └── RA_2504_list_registry_keys_created.yml
│ │ ├── RA_2505_list_services_created
│ │ │ └── RA_2505_list_services_created.yml
│ │ ├── RA_2506_list_services_modified
│ │ │ └── RA_2506_list_services_modified.yml
│ │ ├── RA_2507_list_services_deleted
│ │ │ └── RA_2507_list_services_deleted.yml
│ │ ├── RA_2508_analyse_registry_key
│ │ │ └── RA_2508_analyse_registry_key.yml
│ │ ├── RA_2601_list_users_authenticated
│ │ │ └── RA_2601_list_users_authenticated.yml
│ │ ├── RA_2602_list_user_accounts
│ │ │ └── RA_2602_list_user_accounts.yml
│ │ ├── RA_2603_find_successfully_enumerated_users
│ │ │ └── RA_2603_find_successfully_enumerated_users.yml
│ │ ├── RA_2604_find_compromised_user
│ │ │ └── RA_2604_find_compromised_user.yml
│ │ ├── RA_2999_examine_content
│ │ │ └── RA_2999_examine_content.yml
│ │ ├── RA_3001_patch_vulnerability
│ │ │ └── RA_3001_patch_vulnerability.yml
│ │ ├── RA_3101_block_external_ip_address
│ │ │ └── RA_3101_block_external_ip_address.yml
│ │ ├── RA_3102_block_internal_ip_address
│ │ │ └── RA_3102_block_internal_ip_address.yml
│ │ ├── RA_3103_block_external_domain
│ │ │ └── RA_3103_block_external_domain.yml
│ │ ├── RA_3104_block_internal_domain
│ │ │ └── RA_3104_block_internal_domain.yml
│ │ ├── RA_3105_block_external_url
│ │ │ └── RA_3105_block_external_url.yml
│ │ ├── RA_3106_block_internal_url
│ │ │ └── RA_3106_block_internal_url.yml
│ │ ├── RA_3107_block_port_external_communication
│ │ │ └── RA_3107_block_port_external_communication.yml
│ │ ├── RA_3108_block_port_internal_communication
│ │ │ └── RA_3108_block_port_internal_communication.yml
│ │ ├── RA_3109_block_user_external_communication
│ │ │ └── RA_3109_block_user_external_communication.yml
│ │ ├── RA_3110_block_user_internal_communication
│ │ │ └── RA_3110_block_user_internal_communication.yml
│ │ ├── RA_3111_block_data_transferring_by_content_pattern
│ │ │ └── RA_3111_block_data_transferring_by_content_pattern.yml
│ │ ├── RA_3112_isolate_asset
│ │ │ └── RA_3112_isolate_asset.yml
│ │ ├── RA_3113_inspect_network_shares
│ │ │ └── RA_3113_inspect_network_shares.yml
│ │ ├── RA_3201_block_domain_on_email
│ │ │ └── RA_3201_block_domain_on_email.yml
│ │ ├── RA_3202_block_sender_on_email
│ │ │ └── RA_3202_block_sender_on_email.yml
│ │ ├── RA_3203_quarantine_email_message
│ │ │ └── RA_3203_quarantine_email_message.yml
│ │ ├── RA_3301_quarantine_file_by_format
│ │ │ └── RA_3301_quarantine_file_by_format.yml
│ │ ├── RA_3302_quarantine_file_by_hash
│ │ │ └── RA_3302_quarantine_file_by_hash.yml
│ │ ├── RA_3303_quarantine_file_by_path
│ │ │ └── RA_3303_quarantine_file_by_path.yml
│ │ ├── RA_3304_quarantine_file_by_content_pattern
│ │ │ └── RA_3304_quarantine_file_by_content_pattern.yml
│ │ ├── RA_3401_block_process_by_executable_path
│ │ │ └── RA_3401_block_process_by_executable_path.yml
│ │ ├── RA_3402_block_process_by_executable_metadata
│ │ │ └── RA_3402_block_process_by_executable_metadata.yml
│ │ ├── RA_3403_block_process_by_executable_hash
│ │ │ └── RA_3403_block_process_by_executable_hash.yml
│ │ ├── RA_3404_block_process_by_executable_format
│ │ │ └── RA_3404_block_process_by_executable_format.yml
│ │ ├── RA_3405_block_process_by_executable_content_pattern
│ │ │ └── RA_3405_block_process_by_executable_content_pattern.yml
│ │ ├── RA_3501_disable_system_service
│ │ │ └── RA_3501_disable_system_service.yml
│ │ ├── RA_3601_lock_user_account
│ │ │ └── RA_3601_lock_user_account.yml
│ │ ├── RA_3602_block_user_account
│ │ │ └── RA_3602_block_user_account.yml
│ │ ├── RA_4001_report_incident_to_external_companies
│ │ │ └── RA_4001_report_incident_to_external_companies.yml
│ │ ├── RA_4002_apply_prevention_mode_for_iocs
│ │ │ └── RA_4002_apply_prevention_mode_for_iocs.yml
│ │ ├── RA_4101_remove_rogue_network_device
│ │ │ └── RA_4101_remove_rogue_network_device.yml
│ │ ├── RA_4201_delete_email_message
│ │ │ └── RA_4201_delete_email_message.yml
│ │ ├── RA_4301_remove_file
│ │ │ └── RA_4301_remove_file.yml
│ │ ├── RA_4501_remove_registry_key
│ │ │ └── RA_4501_remove_registry_key.yml
│ │ ├── RA_4502_remove_service
│ │ │ └── RA_4502_remove_service.yml
│ │ ├── RA_4503_remove_persistence_mechanisms
│ │ │ └── RA_4503_remove_persistence_mechanisms.yml
│ │ ├── RA_4601_revoke_authentication_credentials
│ │ │ └── RA_4601_revoke_authentication_credentials.yml
│ │ ├── RA_4602_remove_user_account
│ │ │ └── RA_4602_remove_user_account.yml
│ │ ├── RA_4603_reset_authentication_credentials
│ │ │ └── RA_4603_reset_authentication_credentials.yml
│ │ ├── RA_4604_delete_attribute_from_object
│ │ │ └── RA_4604_delete_attribute_from_object.yml
│ │ ├── RA_4605_revoke_certificate
│ │ │ └── RA_4605_revoke_certificate.yml
│ │ ├── RA_5001_reinstall_host_from_golden_image
│ │ │ └── RA_5001_reinstall_host_from_golden_image.yml
│ │ ├── RA_5002_restore_data_from_backup
│ │ │ └── RA_5002_restore_data_from_backup.yml
│ │ ├── RA_5101_unblock_blocked_ip
│ │ │ └── RA_5101_unblock_blocked_ip.yml
│ │ ├── RA_5102_unblock_blocked_domain
│ │ │ └── RA_5102_unblock_blocked_domain.yml
│ │ ├── RA_5103_unblock_blocked_url
│ │ │ └── RA_5103_unblock_blocked_url.yml
│ │ ├── RA_5104_unblock_blocked_port
│ │ │ └── RA_5104_unblock_blocked_port.yml
│ │ ├── RA_5105_unblock_blocked_user
│ │ │ └── RA_5105_unblock_blocked_user.yml
│ │ ├── RA_5201_unblock_domain_on_email
│ │ │ └── RA_5201_unblock_domain_on_email.yml
│ │ ├── RA_5202_unblock_sender_on_email
│ │ │ └── RA_5202_unblock_sender_on_email.yml
│ │ ├── RA_5203_restore_quarantined_email_message
│ │ │ └── RA_5203_restore_quarantined_email_message.yml
│ │ ├── RA_5301_restore_quarantined_file
│ │ │ └── RA_5301_restore_quarantined_file.yml
│ │ ├── RA_5302_restore_modified_file
│ │ │ └── RA_5302_restore_modified_file.yml
│ │ ├── RA_5401_unblock_blocked_process
│ │ │ └── RA_5401_unblock_blocked_process.yml
│ │ ├── RA_5501_enable_disabled_service
│ │ │ └── RA_5501_enable_disabled_service.yml
│ │ ├── RA_5601_unlock_locked_user_account
│ │ │ └── RA_5601_unlock_locked_user_account.yml
│ │ ├── RA_5602_reissue_revoked_certificate
│ │ │ └── RA_5602_reissue_revoked_certificate.yml
│ │ ├── RA_6001_develop_incident_report
│ │ │ └── RA_6001_develop_incident_report.yml
│ │ ├── RA_6002_conduct_lessons_learned_exercise
│ │ │ └── RA_6002_conduct_lessons_learned_exercise.yml
│ │ ├── RA_6003_update_acquisition_profiles
│ │ │ └── RA_6003_update_acquisition_profiles.yml
│ │ ├── RA_6004_update_network_profiles
│ │ │ └── RA_6004_update_network_profiles.yml
│ │ ├── RA_6005_update_process_profiles
│ │ │ └── RA_6005_update_process_profiles.yml
│ │ └── respose_action.yml.template
│ ├── response_actions_implementations
│ │ ├── RAI_1602_0001_preparing_to_block_user_account_via_powershell
│ │ │ └── RAI_1602_0001_preparing_to_block_user_account_via_powershell.yml
│ │ ├── RAI_2311_0001_soldr_file_collection
│ │ │ ├── 5.JPG
│ │ │ ├── 6.JPG
│ │ │ ├── 7.JPG
│ │ │ └── RAI_2311_0001_soldr_file_collection.yml
│ │ ├── RAI_2313_0001_soldr_pe_analysis_with_a_sandbox
│ │ │ └── RAI_2313_0001_soldr_pe_analysis_with_a_sandbox.yml
│ │ ├── RAI_2504_0001_powershell_list_registry_keys
│ │ │ └── RAI_2504_0001_powershell_list_registry_keys.yml
│ │ ├── RAI_2604_0001_find_account_with_shadow_credential_via_powershell
│ │ │ └── RAI_2604_0001_find_account_with_shadow_credential_via_powershell.yml
│ │ ├── RAI_3303_0001_soldr_quarantine_file
│ │ │ └── RAI_3303_0001_soldr_quarantine_file.yml
│ │ ├── RAI_3401_0001_soldr_terminate_process
│ │ │ ├── 54.JPG
│ │ │ ├── 55.JPG
│ │ │ └── RAI_3401_0001_soldr_terminate_process.yml
│ │ ├── RAI_3601_0002_powershell_disable_ad_user
│ │ │ └── RAI_3601_0002_powershell_disable_ad_user.yml
│ │ ├── RAI_3602_0001_block_domain_user_account_via_powershell
│ │ │ └── RAI_3602_0001_block_domain_user_account_via_powershell.yml
│ │ ├── RAI_4301_0001_powershell_delete_file
│ │ │ └── RAI_4301_0001_powershell_delete_file.yml
│ │ ├── RAI_4301_0002_soldr_delete_file
│ │ │ └── RAI_4301_0002_soldr_delete_file.yml
│ │ ├── RAI_4501_0001_powershell_remove_registry_key
│ │ │ └── RAI_4501_0001_powershell_remove_registry_key.yml
│ │ ├── RAI_4604_0001_powershell_delete_attribute_from_object
│ │ │ └── RAI_4604_0001_powershell_delete_attribute_from_object.yml
│ │ ├── RAI_5105_0001_unblock_domain_account_via_powershell
│ │ │ └── RAI_5105_0001_unblock_domain_account_via_powershell.yml
│ │ ├── RAI_5601_0001_powershell_unlock_ad_user
│ │ │ └── RAI_5601_0001_powershell_unlock_ad_user.yml
│ │ ├── rai_automation_script_template.md
│ │ ├── rai_automation_soft_template.md
│ │ └── rai_manual_action_template.md
│ ├── response_playbooks
│ │ ├── RP_0001_external_phishing_email
│ │ │ ├── RP0001.png
│ │ │ └── RP_0001_external_phishing_email.yml
│ │ ├── RP_0002_as_req_domain_user_enumerate
│ │ │ ├── RP0002.png
│ │ │ └── RP_0002_as_req_domain_user_enumerate.yml
│ │ ├── RP_0003_adding_shadow_credential
│ │ │ ├── RP_0003_adding_shadow_credential.yml
│ │ │ └── workflow.jpg
│ │ ├── RP_0004_pass_the_certificate
│ │ │ ├── RP0004.png
│ │ │ └── RP_0004_pass_the_certificate.yml
│ │ ├── RP_0005_theft_of_user_certificate_and_private_key
│ │ │ ├── RP0005.png
│ │ │ └── RP_0005_theft_of_user_certificate_and_private_key.yml
│ │ ├── RP_0006_successfull_owa_password_spraying
│ │ │ ├── RP0006.png
│ │ │ └── RP_0006_successfull_owa_password_spraying.yml
│ │ ├── RP_0007_malware_outbrake
│ │ │ ├── RP0007.png
│ │ │ └── RP_0007_malware_outbrake.yml
│ │ ├── RP_0008_windows_host_compromise
│ │ │ ├── RP0008.png
│ │ │ └── RP_0008_windows_host_compromise.yml
│ │ ├── RP_0009_compromised_active_directory_account
│ │ │ ├── RP0009.png
│ │ │ └── RP_0009_compromised_active_directory_account.yml
│ │ ├── RP_1001_operational_preparations
│ │ │ ├── RP1001.png
│ │ │ └── RP_1001_operational_preparations.yml
│ │ ├── RP_1002_identify_affected_systems_and_users
│ │ │ ├── RP1002.png
│ │ │ └── RP_1002_identify_affected_systems_and_users.yml
│ │ ├── RP_1003_identify_compromised_data
│ │ │ ├── RP1003.png
│ │ │ └── RP_1003_identify_compromised_data.yml
│ │ ├── RP_1004_identify_means_of_attack
│ │ │ ├── RP1004.png
│ │ │ └── RP_1004_identify_means_of_attack.yml
│ │ ├── RP_2001_dll_load_via_com_abuse
│ │ │ ├── 21.svg
│ │ │ ├── RP2001.png
│ │ │ └── RP_2001_dll_load_via_com_abuse.yml
│ │ ├── RP_2002_priv_esc_through_named_pipe
│ │ │ ├── 02.svg
│ │ │ ├── RP2002.png
│ │ │ └── RP_2002_priv_esc_through_named_pipe.yml
│ │ ├── RP_2003_dumping_mscash
│ │ │ ├── 03.svg
│ │ │ ├── RP2003.png
│ │ │ └── RP_2003_dumping_mscash.yml
│ │ ├── RP_2004_wdigest_credential_access
│ │ │ ├── 04.svg
│ │ │ ├── RP2004.png
│ │ │ └── RP_2004_wdigest_credential_access.yml
│ │ ├── RP_2005_hijack_default_fle_extension
│ │ │ ├── 05.svg
│ │ │ ├── 41.JPG
│ │ │ ├── 42.JPG
│ │ │ ├── RP2005.png
│ │ │ └── RP_2005_hijack_default_fle_extension.yml
│ │ ├── RP_2006_lateral_movement_using_scm
│ │ │ ├── 06.svg
│ │ │ ├── RP2006.png
│ │ │ └── RP_2006_lateral_movement_using_scm.yml
│ │ ├── RP_2007_lateral_movement_winrm_pwsh
│ │ │ ├── 07.svg
│ │ │ ├── RP2007.png
│ │ │ └── RP_2007_lateral_movement_winrm_pwsh.yml
│ │ ├── RP_2008_persistence_using_winlogon
│ │ │ ├── 08.svg
│ │ │ ├── RP2008.png
│ │ │ └── RP_2008_persistence_using_winlogon.yml
│ │ └── respose_playbook.yml.template
│ ├── response_stages
│ │ ├── RS0001
│ │ │ └── RS0001.yml
│ │ ├── RS0002
│ │ │ └── RS0002.yml
│ │ ├── RS0003
│ │ │ └── RS0003.yml
│ │ ├── RS0004
│ │ │ └── RS0004.yml
│ │ ├── RS0005
│ │ │ └── RS0005.yml
│ │ └── RS0006
│ │ │ └── RS0006.yml
│ ├── software
│ │ ├── S_0003_windows_host
│ │ │ └── S_0003_windows_host.yml
│ │ ├── S_0004_windows_powershell
│ │ │ └── S_0004_windows_powershell.yml
│ │ ├── S_0005_soldr
│ │ │ └── S_0005_soldr.yml
│ │ ├── S_0100_linux
│ │ │ └── S_0100_linux.yml
│ │ ├── S_1001_check_point_firewall
│ │ │ └── S_1001_check_point_firewall.yml
│ │ ├── S_1002_cisco_asa_firewall
│ │ │ └── S_1002_cisco_asa_firewall.yml
│ │ ├── S_3001_ms_exchange_server
│ │ │ └── S_3001_ms_exchange_server.yml
│ │ ├── S_3002_postfix_mail_server
│ │ │ └── S_3002_postfix_mail_server.yml
│ │ ├── S_3003_skype4business_server
│ │ │ └── S_3003_skype4business_server.yml
│ │ ├── S_3004_bitrix_server
│ │ │ └── S_3004_bitrix_server.yml
│ │ ├── S_3005_ms_sharepoint_server
│ │ │ └── S_3005_ms_sharepoint_server.yml
│ │ ├── S_3006_citrix_server
│ │ │ └── S_3006_citrix_server.yml
│ │ ├── S_3007_apache_tomcat_server
│ │ │ └── S_3007_apache_tomcat_server.yml
│ │ ├── S_3008_weblogic_server
│ │ │ └── S_3008_weblogic_server.yml
│ │ ├── S_3009_zabbix_server
│ │ │ └── S_3009_zabbix_server.yml
│ │ ├── S_3010_gitlab_server
│ │ │ └── S_3010_gitlab_server.yml
│ │ ├── S_3011_mysql_server
│ │ │ └── S_3011_mysql_server.yml
│ │ ├── S_3012_postgresql_server
│ │ │ └── S_3012_postgresql_server.yml
│ │ ├── S_5001_ms_dns_server
│ │ │ └── S_5001_ms_dns_server.yml
│ │ └── S_6001_ms_domain_controller_server
│ │ │ └── S_6001_ms_domain_controller_server.yml
│ └── usecases
│ │ ├── UC_0002_as_req_domain_user_enumerate
│ │ └── UC_0002_as_req_domain_user_enumerate.yml
│ │ ├── UC_0003_adding_shadow_credential
│ │ └── UC_0003_adding_shadow_credential.yml
│ │ ├── UC_0004_pass_the_certificate
│ │ └── UC_0004_pass_the_certificate.yml
│ │ ├── UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI
│ │ ├── PatchMemoryAndExport.PNG
│ │ ├── SimpleExport.PNG
│ │ ├── TryExport.PNG
│ │ ├── UC0005.png
│ │ └── UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI.yml
│ │ ├── UC_0006_owa_password_spraying
│ │ └── UC_0006_owa_password_spraying.yml
│ │ ├── UC_0012_load_dll_via_com_abuse
│ │ ├── 1.JPG
│ │ ├── 2.JPG
│ │ ├── 3.JPG
│ │ ├── 36.svg
│ │ ├── 4.JPG
│ │ ├── UC0012.afb
│ │ ├── UC0012.png
│ │ └── UC_0012_load_dll_via_com_abuse.yml
│ │ ├── UC_0021_priv_esc_through_named_pipe
│ │ ├── 11.JPG
│ │ ├── 12.JPG
│ │ ├── 13.JPG
│ │ ├── 14.JPG
│ │ ├── 37.svg
│ │ └── UC_0021_priv_esc_through_named_pipe.yml
│ │ ├── UC_0031_dumping_and_cracking_mscash
│ │ ├── 15.JPG
│ │ ├── 16.JPG
│ │ ├── 17.JPG
│ │ ├── 18.JPG
│ │ ├── 27.JPG
│ │ ├── 29.svg
│ │ └── UC_0031_dumping_and_cracking_mscash.yml
│ │ ├── UC_0032_forcing_wdigest_to_store_credential_in_plaintext
│ │ ├── 19.JPG
│ │ ├── 20.JPG
│ │ ├── 31.svg
│ │ ├── 40.png
│ │ └── UC_0032_forcing_wdigest_to_store_credential_in_plaintext.yml
│ │ ├── UC_0041_lateral_movement_via_service_configuration_manager
│ │ ├── 20.gif
│ │ ├── 28.JPG
│ │ ├── 32.svg
│ │ └── UC_0041_lateral_movement_via_service_configuration_manager.yml
│ │ ├── UC_0042_winrm_for_lateral_movement
│ │ ├── 22.JPG
│ │ ├── 29.JPG
│ │ ├── 30.JPG
│ │ ├── 33.svg
│ │ ├── 51.JPG
│ │ ├── 52.JPG
│ │ └── UC_0042_winrm_for_lateral_movement.yml
│ │ ├── UC_0051_persistense_windows_logon_helper
│ │ ├── 23.JPG
│ │ ├── 24.JPG
│ │ ├── 34.svg
│ │ └── UC_0051_persistense_windows_logon_helper.yml
│ │ └── UC_0052_hijacking_default_file_extension
│ │ ├── 22.gif
│ │ ├── 25.JPG
│ │ ├── 35.svg
│ │ └── UC_0052_hijacking_default_file_extension.yml
└── ru
│ ├── artifacts
│ ├── A_1001_windows_domain_account
│ │ └── A_1001_windows_domain_account.yml
│ ├── A_1002_dns_traffic
│ │ └── A_1002_dns_traffic.yml
│ ├── A_1003_windows_local_account
│ │ └── A_1003_windows_local_account.yml
│ ├── A_1004_linux_local_account
│ │ └── A_1004_linux_local_account.yml
│ ├── A_1005_host
│ │ └── A_1005_host.yml
│ ├── A_1006_owa_web_token
│ │ └── A_1006_owa_web_token.yml
│ ├── A_1007_ip_address
│ │ └── A_1007_ip_address.yml
│ ├── A_1008_log
│ │ └── A_1008_log.yml
│ ├── A_1009_kerberos_network_traffic
│ │ └── A_1009_kerberos_network_traffic.yml
│ ├── A_1009_privileged_user_account
│ │ └── A_1009_privileged_user_account.yml
│ ├── A_1010_authentication_service
│ │ └── A_1010_authentication_service.yml
│ ├── A_1011_certificate
│ │ └── A_1011_certificate.yml
│ ├── A_1012_private_key
│ │ └── A_1012_private_key.yml
│ ├── A_1013_certificate_authority
│ │ └── A_1013_certificate_authority.yml
│ ├── A_1014_access_right
│ │ └── A_1014_access_right.yml
│ ├── A_1015_directory_service_object_attribute
│ │ └── A_1015_directory_service_object_attribute.yml
│ ├── A_1017_url
│ │ └── A_1017_url.yml
│ ├── A_3001_email_message
│ │ └── A_3001_email_message.yml
│ ├── A_3002_file
│ │ └── A_3002_file.yml
│ ├── A_3003_operating_system_executable_file
│ │ └── A_3003_operating_system_executable_file.yml
│ ├── A_3004_object_file
│ │ └── A_3004_object_file.yml
│ ├── A_3005_executable_binary
│ │ └── A_3005_executable_binary.yml
│ ├── A_3006_com_object
│ │ └── A_3006_com_object.yml
│ ├── A_3007_login_session
│ │ └── A_3007_login_session.yml
│ ├── A_4001_process
│ │ └── A_4001_process.yml
│ ├── A_4002_process_image
│ │ └── A_4002_process_image.yml
│ ├── A_4003_remote_session
│ │ └── A_4003_remote_session.yml
│ ├── A_5001_executable_script
│ │ └── A_5001_executable_script.yml
│ ├── A_5002_windows_registry
│ │ └── A_5002_windows_registry.yml
│ ├── A_5003_windows_pipe
│ │ └── A_5003_windows_pipe.yml
│ ├── A_5004_access_token
│ │ └── A_5004_access_token.yml
│ ├── A_5005_encrypted_credential
│ │ └── A_5005_encrypted_credential.yml
│ ├── A_5006_credential
│ │ └── A_5006_credential.yml
│ ├── A_5007_remote_session
│ │ └── A_5007_remote_session.yml
│ ├── A_5008_password
│ │ └── A_5008_password.yml
│ ├── A_5009_password_file
│ │ └── A_5009_password_file.yml
│ ├── A_5010_service_application
│ │ └── A_5010_service_application.yml
│ ├── A_5011_RPC_network_traffic
│ │ └── A_5011_RPC_network_traffic.yml
│ └── A_5012_remote_procedure_call
│ │ └── A_5012_remote_procedure_call.yml
│ ├── infrastructure_profiles
│ └── test_infrastructure_profile
│ │ ├── test_infrastructure_profile.yml
│ │ └── test_infrastructure_profile.yml.bak
│ ├── response_actions
│ ├── RA_1001_practice
│ │ └── RA_1001_practice.yml
│ ├── RA_1002_take_trainings
│ │ └── RA_1002_take_trainings.yml
│ ├── RA_1003_raise_personnel_awareness
│ │ └── RA_1003_raise_personnel_awareness.yml
│ ├── RA_1004_make_personnel_report_suspicious_activity
│ │ └── RA_1004_make_personnel_report_suspicious_activity.yml
│ ├── RA_1005_set_up_relevant_data_collection
│ │ └── RA_1005_set_up_relevant_data_collection.yml
│ ├── RA_1006_set_up_a_centralized_long-term_log_storage
│ │ └── RA_1006_set_up_a_centralized_long-term_log_storage.yml
│ ├── RA_1007_develop_communication_map
│ │ └── RA_1007_develop_communication_map.yml
│ ├── RA_1008_make_sure_there_are_backups
│ │ └── RA_1008_make_sure_there_are_backups.yml
│ ├── RA_1009_get_network_architecture_map
│ │ └── RA_1009_get_network_architecture_map.yml
│ ├── RA_1010_get_access_control_matrix
│ │ └── RA_1010_get_access_control_matrix.yml
│ ├── RA_1011_develop_assets_knowledge_base
│ │ └── RA_1011_develop_assets_knowledge_base.yml
│ ├── RA_1012_check_analysis_toolset
│ │ └── RA_1012_check_analysis_toolset.yml
│ ├── RA_1013_access_vulnerability_management_system_logs
│ │ └── RA_1013_access_vulnerability_management_system_logs.yml
│ ├── RA_1014_connect_with_trusted_communities
│ │ └── RA_1014_connect_with_trusted_communities.yml
│ ├── RA_1015_define_teams_and_roles
│ │ └── RA_1015_define_teams_and_roles.yml
│ ├── RA_1016_define_escalation_path
│ │ └── RA_1016_define_escalation_path.yml
│ ├── RA_1101_access_external_network_flow_logs
│ │ └── RA_1101_access_external_network_flow_logs.yml
│ ├── RA_1102_access_internal_network_flow_logs
│ │ └── RA_1102_access_internal_network_flow_logs.yml
│ ├── RA_1103_access_internal_http_logs
│ │ └── RA_1103_access_internal_http_logs.yml
│ ├── RA_1104_access_external_http_logs
│ │ └── RA_1104_access_external_http_logs.yml
│ ├── RA_1105_access_internal_dns_logs
│ │ └── RA_1105_access_internal_dns_logs.yml
│ ├── RA_1106_access_external_dns_logs
│ │ └── RA_1106_access_external_dns_logs.yml
│ ├── RA_1107_access_vpn_logs
│ │ └── RA_1107_access_vpn_logs.yml
│ ├── RA_1108_access_dhcp_logs
│ │ └── RA_1108_access_dhcp_logs.yml
│ ├── RA_1109_access_internal_packet_capture_data
│ │ └── RA_1109_access_internal_packet_capture_data.yml
│ ├── RA_1110_access_external_packet_capture_data
│ │ └── RA_1110_access_external_packet_capture_data.yml
│ ├── RA_1111_get_ability_to_block_external_ip_address
│ │ └── RA_1111_get_ability_to_block_external_ip_address.yml
│ ├── RA_1112_get_ability_to_block_internal_ip_address
│ │ └── RA_1112_get_ability_to_block_internal_ip_address.yml
│ ├── RA_1113_get_ability_to_block_external_domain
│ │ └── RA_1113_get_ability_to_block_external_domain.yml
│ ├── RA_1114_get_ability_to_block_internal_domain
│ │ └── RA_1114_get_ability_to_block_internal_domain.yml
│ ├── RA_1115_get_ability_to_block_external_url
│ │ └── RA_1115_get_ability_to_block_external_url.yml
│ ├── RA_1116_get_ability_to_block_internal_url
│ │ └── RA_1116_get_ability_to_block_internal_url.yml
│ ├── RA_1117_get_ability_to_block_port_external_communication
│ │ └── RA_1117_get_ability_to_block_port_external_communication.yml
│ ├── RA_1118_get_ability_to_block_port_internal_communication
│ │ └── RA_1118_get_ability_to_block_port_internal_communication.yml
│ ├── RA_1119_get_ability_to_block_user_external_communication
│ │ └── RA_1119_get_ability_to_block_user_external_communication.yml
│ ├── RA_1120_get_ability_to_block_user_internal_communication
│ │ └── RA_1120_get_ability_to_block_user_internal_communication.yml
│ ├── RA_1121_get_ability_to_find_data_transferred_by_content_pattern
│ │ └── RA_1121_get_ability_to_find_data_transferred_by_content_pattern.yml
│ ├── RA_1122_get_ability_to_block_data_transferring_by_content_pattern
│ │ └── RA_1122_get_ability_to_block_data_transferring_by_content_pattern.yml
│ ├── RA_1123_get_ability_to_list_data_transferred
│ │ └── RA_1123_get_ability_to_list_data_transferred.yml
│ ├── RA_1124_get_ability_to_collect_transferred_data
│ │ └── RA_1124_get_ability_to_collect_transferred_data.yml
│ ├── RA_1125_get_ability_to_identify_transferred_data
│ │ └── RA_1125_get_ability_to_identify_transferred_data.yml
│ ├── RA_1126_find_data_transferred_by_content_pattern
│ │ └── RA_1126_find_data_transferred_by_content_pattern.yml
│ ├── RA_1127_get_ability_to_analyse_user-agent
│ │ └── RA_1127_get_ability_to_analyse_user-agent.yml
│ ├── RA_1128_get_ability_to_list_firewall_rules
│ │ └── RA_1128_get_ability_to_list_firewall_rules.yml
│ ├── RA_1201_get_ability_to_list_users_opened_email_message
│ │ └── RA_1201_get_ability_to_list_users_opened_email_message.yml
│ ├── RA_1202_get_ability_to_list_email_message_receivers
│ │ └── RA_1202_get_ability_to_list_email_message_receivers.yml
│ ├── RA_1203_get_ability_to_block_email_domain
│ │ └── RA_1203_get_ability_to_block_email_domain.yml
│ ├── RA_1204_get_ability_to_block_email_sender
│ │ └── RA_1204_get_ability_to_block_email_sender.yml
│ ├── RA_1205_get_ability_to_delete_email_message
│ │ └── RA_1205_get_ability_to_delete_email_message.yml
│ ├── RA_1206_get_ability_to_quarantine_email_message
│ │ └── RA_1206_get_ability_to_quarantine_email_message.yml
│ ├── RA_1207_get_ability_to_collect_email_message
│ │ └── RA_1207_get_ability_to_collect_email_message.yml
│ ├── RA_1208_get_ability_to_analyse_email_address
│ │ └── RA_1208_get_ability_to_analyse_email_address.yml
│ ├── RA_1209_access_mail_server_logs
│ │ └── RA_1209_access_mail_server_logs.yml
│ ├── RA_1210_access_mail_service_logs
│ │ └── RA_1210_access_mail_service_logs.yml
│ ├── RA_1211_configure_spf_dkim_dmarc
│ │ └── RA_1211_configure_spf_dkim_dmarc.yml
│ ├── RA_1301_get_ability_to_list_files_created
│ │ └── RA_1301_get_ability_to_list_files_created.yml
│ ├── RA_1302_get_ability_to_list_files_modified
│ │ └── RA_1302_get_ability_to_list_files_modified.yml
│ ├── RA_1303_get_ability_to_list_files_deleted
│ │ └── RA_1303_get_ability_to_list_files_deleted.yml
│ ├── RA_1304_get_ability_to_list_files_downloaded
│ │ └── RA_1304_get_ability_to_list_files_downloaded.yml
│ ├── RA_1305_get_ability_to_list_files_with_tampered_timestamps
│ │ └── RA_1305_get_ability_to_list_files_with_tampered_timestamps.yml
│ ├── RA_1306_get_ability_to_find_file_by_path
│ │ └── RA_1306_get_ability_to_find_file_by_path.yml
│ ├── RA_1307_get_ability_to_find_file_by_metadata
│ │ └── RA_1307_get_ability_to_find_file_by_metadata.yml
│ ├── RA_1308_get_ability_to_find_file_by_hash
│ │ └── RA_1308_get_ability_to_find_file_by_hash.yml
│ ├── RA_1309_get_ability_to_find_file_by_format
│ │ └── RA_1309_get_ability_to_find_file_by_format.yml
│ ├── RA_1310_get_ability_to_find_file_by_content_pattern
│ │ └── RA_1310_get_ability_to_find_file_by_content_pattern.yml
│ ├── RA_1311_get_ability_to_collect_file
│ │ └── RA_1311_get_ability_to_collect_file.yml
│ ├── RA_1312_get_ability_to_quarantine_file_by_path
│ │ └── RA_1312_get_ability_to_quarantine_file_by_path.yml
│ ├── RA_1313_get_ability_to_quarantine_file_by_hash
│ │ └── RA_1313_get_ability_to_quarantine_file_by_hash.yml
│ ├── RA_1314_get_ability_to_quarantine_file_by_format
│ │ └── RA_1314_get_ability_to_quarantine_file_by_format.yml
│ ├── RA_1315_get_ability_to_quarantine_file_by_content_pattern
│ │ └── RA_1315_get_ability_to_quarantine_file_by_content_pattern.yml
│ ├── RA_1316_get_ability_to_remove_file
│ │ └── RA_1316_get_ability_to_remove_file.yml
│ ├── RA_1317_get_ability_to_analyse_file_hash
│ │ └── RA_1317_get_ability_to_analyse_file_hash.yml
│ ├── RA_1318_get_ability_to_analyse_windows_pe
│ │ └── RA_1318_get_ability_to_analyse_windows_pe.yml
│ ├── RA_1319_get_ability_to_analyse_macos_macho
│ │ └── RA_1319_get_ability_to_analyse_macos_macho.yml
│ ├── RA_1320_get_ability_to_analyse_unix_elf
│ │ └── RA_1320_get_ability_to_analyse_unix_elf.yml
│ ├── RA_1321_get_ability_to_analyse_ms_office_file
│ │ └── RA_1321_get_ability_to_analyse_ms_office_file.yml
│ ├── RA_1322_get_ability_to_analyse_pdf_file
│ │ └── RA_1322_get_ability_to_analyse_pdf_file.yml
│ ├── RA_1323_get_ability_to_analyse_script
│ │ └── RA_1323_get_ability_to_analyse_script.yml
│ ├── RA_1324_get_ability_to_analyse_jar
│ │ └── RA_1324_get_ability_to_analyse_jar.yml
│ ├── RA_1325_get_ability_to_analyse_filename
│ │ └── RA_1325_get_ability_to_analyse_filename.yml
│ ├── RA_1401_get_ability_to_list_processes_executed
│ │ └── RA_1401_get_ability_to_list_processes_executed.yml
│ ├── RA_1402_get_ability_to_find_process_by_executable_path
│ │ └── RA_1402_get_ability_to_find_process_by_executable_path.yml
│ ├── RA_1403_get_ability_to_find_process_by_executable_metadata
│ │ └── RA_1403_get_ability_to_find_process_by_executable_metadata.yml
│ ├── RA_1404_get_ability_to_find_process_by_executable_hash
│ │ └── RA_1404_get_ability_to_find_process_by_executable_hash.yml
│ ├── RA_1405_get_ability_to_find_process_by_executable_format
│ │ └── RA_1405_get_ability_to_find_process_by_executable_format.yml
│ ├── RA_1406_get_ability_to_find_process_by_executable_content_pattern
│ │ └── RA_1406_get_ability_to_find_process_by_executable_content_pattern.yml
│ ├── RA_1407_get_ability_to_block_process_by_executable_path
│ │ └── RA_1407_get_ability_to_block_process_by_executable_path.yml
│ ├── RA_1408_get_ability_to_block_process_by_executable_metadata
│ │ └── RA_1408_get_ability_to_block_process_by_executable_metadata.yml
│ ├── RA_1409_get_ability_to_block_process_by_executable_hash
│ │ └── RA_1409_get_ability_to_block_process_by_executable_hash.yml
│ ├── RA_1410_get_ability_to_block_process_by_executable_format
│ │ └── RA_1410_get_ability_to_block_process_by_executable_format.yml
│ ├── RA_1411_get_ability_to_block_process_by_executable_content_pattern
│ │ └── RA_1411_get_ability_to_block_process_by_executable_content_pattern.yml
│ ├── RA_1501_manage_remote_computer_management_system_policies
│ │ └── RA_1501_manage_remote_computer_management_system_policies.yml
│ ├── RA_1502_get_ability_to_list_registry_keys_modified
│ │ └── RA_1502_get_ability_to_list_registry_keys_modified.yml
│ ├── RA_1503_get_ability_to_list_registry_keys_deleted
│ │ └── RA_1503_get_ability_to_list_registry_keys_deleted.yml
│ ├── RA_1504_get_ability_to_list_registry_keys_accessed
│ │ └── RA_1504_get_ability_to_list_registry_keys_accessed.yml
│ ├── RA_1505_get_ability_to_list_registry_keys_created
│ │ └── RA_1505_get_ability_to_list_registry_keys_created.yml
│ ├── RA_1506_get_ability_to_list_services_created
│ │ └── RA_1506_get_ability_to_list_services_created.yml
│ ├── RA_1507_get_ability_to_list_services_modified
│ │ └── RA_1507_get_ability_to_list_services_modified.yml
│ ├── RA_1508_get_ability_to_list_services_deleted
│ │ └── RA_1508_get_ability_to_list_services_deleted.yml
│ ├── RA_1509_get_ability_to_remove_registry_key
│ │ └── RA_1509_get_ability_to_remove_registry_key.yml
│ ├── RA_1510_get_ability_to_remove_service
│ │ └── RA_1510_get_ability_to_remove_service.yml
│ ├── RA_1511_get_ability_to_analyse_registry_key
│ │ └── RA_1511_get_ability_to_analyse_registry_key.yml
│ ├── RA_1601_manage_identity_management_system
│ │ └── RA_1601_manage_identity_management_system.yml
│ ├── RA_1602_get_ability_to_lock_user_account
│ │ └── RA_1602_get_ability_to_lock_user_account.yml
│ ├── RA_1603_get_ability_to_list_users_authenticated
│ │ └── RA_1603_get_ability_to_list_users_authenticated.yml
│ ├── RA_1604_get_ability_to_revoke_authentication_credentials
│ │ └── RA_1604_get_ability_to_revoke_authentication_credentials.yml
│ ├── RA_1605_get_ability_to_remove_user_account
│ │ └── RA_1605_get_ability_to_remove_user_account.yml
│ ├── RA_1606_get_ability_to_list_user_accounts
│ │ └── RA_1606_get_ability_to_list_user_accounts.yml
│ ├── RA_1607_enable_mfa
│ │ └── RA_1607_enable_mfa.yml
│ ├── RA_2001_list_victims_of_security_alert
│ │ └── RA_2001_list_victims_of_security_alert.yml
│ ├── RA_2002_list_host_vulnerabilities
│ │ └── RA_2002_list_host_vulnerabilities.yml
│ ├── RA_2003_put_compromised_accounts_on_monitoring
│ │ └── RA_2003_put_compromised_accounts_on_monitoring.yml
│ ├── RA_2004_find_compromised_host
│ │ └── RA_2004_find_compromised_host.yml
│ ├── RA_2101_list_hosts_communicated_with_internal_domain
│ │ └── RA_2101_list_hosts_communicated_with_internal_domain.yml
│ ├── RA_2102_list_hosts_communicated_with_internal_ip
│ │ └── RA_2102_list_hosts_communicated_with_internal_ip.yml
│ ├── RA_2103_list_hosts_communicated_with_internal_url
│ │ └── RA_2103_list_hosts_communicated_with_internal_url.yml
│ ├── RA_2104_analyse_domain_name
│ │ └── RA_2104_analyse_domain_name.yml
│ ├── RA_2105_analyse_ip
│ │ └── RA_2105_analyse_ip.yml
│ ├── RA_2106_analyse_uri
│ │ └── RA_2106_analyse_uri.yml
│ ├── RA_2107_list_hosts_communicated_by_port
│ │ └── RA_2107_list_hosts_communicated_by_port.yml
│ ├── RA_2108_list_hosts_connected_to_vpn
│ │ └── RA_2108_list_hosts_connected_to_vpn.yml
│ ├── RA_2109_list_hosts_connected_to_intranet
│ │ └── RA_2109_list_hosts_connected_to_intranet.yml
│ ├── RA_2110_list_data_transferred
│ │ └── RA_2110_list_data_transferred.yml
│ ├── RA_2111_collect_transferred_data
│ │ └── RA_2111_collect_transferred_data.yml
│ ├── RA_2112_identify_transferred_data
│ │ └── RA_2112_identify_transferred_data.yml
│ ├── RA_2113_list_hosts_communicated_with_external_domain
│ │ └── RA_2113_list_hosts_communicated_with_external_domain.yml
│ ├── RA_2114_list_hosts_communicated_with_external_ip
│ │ └── RA_2114_list_hosts_communicated_with_external_ip.yml
│ ├── RA_2115_list_hosts_communicated_with_external_url
│ │ └── RA_2115_list_hosts_communicated_with_external_url.yml
│ ├── RA_2116_find_data_transferred_by_content_pattern
│ │ └── RA_2116_find_data_transferred_by_content_pattern.yml
│ ├── RA_2117_analyse_user-agent
│ │ └── RA_2117_analyse_user-agent.yml
│ ├── RA_2118_list_firewall_rules
│ │ └── RA_2118_list_firewall_rules.yml
│ ├── RA_2120_identify_impacted_services
│ │ └── RA_2120_identify_impacted_services.yml
│ ├── RA_2121_identify_useful_security_systems
│ │ └── RA_2121_identify_useful_security_systems.yml
│ ├── RA_2201_list_users_opened_email_message
│ │ └── RA_2201_list_users_opened_email_message.yml
│ ├── RA_2202_collect_email_message
│ │ └── RA_2202_collect_email_message.yml
│ ├── RA_2203_list_email_message_receivers
│ │ └── RA_2203_list_email_message_receivers.yml
│ ├── RA_2204_make_sure_email_message_is_phishing
│ │ └── RA_2204_make_sure_email_message_is_phishing.yml
│ ├── RA_2205_extract_observables_from_email_message
│ │ └── RA_2205_extract_observables_from_email_message.yml
│ ├── RA_2206_analyse_email_address
│ │ └── RA_2206_analyse_email_address.yml
│ ├── RA_2207_find_similar_email_messages
│ │ └── RA_2207_find_similar_email_messages.yml
│ ├── RA_2301_list_files_created
│ │ └── RA_2301_list_files_created.yml
│ ├── RA_2302_list_files_modified
│ │ └── RA_2302_list_files_modified.yml
│ ├── RA_2303_list_files_deleted
│ │ └── RA_2303_list_files_deleted.yml
│ ├── RA_2304_list_files_downloaded
│ │ └── RA_2304_list_files_downloaded.yml
│ ├── RA_2305_list_files_with_tampered_timestamps
│ │ └── RA_2305_list_files_with_tampered_timestamps.yml
│ ├── RA_2306_find_file_by_path
│ │ └── RA_2306_find_file_by_path.yml
│ ├── RA_2307_find_file_by_metadata
│ │ └── RA_2307_find_file_by_metadata.yml
│ ├── RA_2308_find_file_by_hash
│ │ └── RA_2308_find_file_by_hash.yml
│ ├── RA_2309_find_file_by_format
│ │ └── RA_2309_find_file_by_format.yml
│ ├── RA_2310_find_file_by_content_pattern
│ │ └── RA_2310_find_file_by_content_pattern.yml
│ ├── RA_2311_collect_file
│ │ └── RA_2311_collect_file.yml
│ ├── RA_2312_analyse_file_hash
│ │ └── RA_2312_analyse_file_hash.yml
│ ├── RA_2313_analyse_windows_pe
│ │ └── RA_2313_analyse_windows_pe.yml
│ ├── RA_2314_analyse_macos_macho
│ │ └── RA_2314_analyse_macos_macho.yml
│ ├── RA_2315_analyse_unix_elf
│ │ └── RA_2315_analyse_unix_elf.yml
│ ├── RA_2316_analyse_ms_office_file
│ │ └── RA_2316_analyse_ms_office_file.yml
│ ├── RA_2317_analyse_pdf_file
│ │ └── RA_2317_analyse_pdf_file.yml
│ ├── RA_2318_analyse_script
│ │ └── RA_2318_analyse_script.yml
│ ├── RA_2319_analyse_jar
│ │ └── RA_2319_analyse_jar.yml
│ ├── RA_2320_analyse_filename
│ │ └── RA_2320_analyse_filename.yml
│ ├── RA_2321_list_hosts_have_file_opened
│ │ └── RA_2321_list_hosts_have_file_opened.yml
│ ├── RA_2322_analyse_file_behavior
│ │ └── RA_2322_analyse_file_behavior.yml
│ ├── RA_2401_list_processes_executed
│ │ └── RA_2401_list_processes_executed.yml
│ ├── RA_2402_find_process_by_executable_path
│ │ └── RA_2402_find_process_by_executable_path.yml
│ ├── RA_2403_find_process_by_executable_metadata
│ │ └── RA_2403_find_process_by_executable_metadata.yml
│ ├── RA_2404_find_process_by_executable_hash
│ │ └── RA_2404_find_process_by_executable_hash.yml
│ ├── RA_2405_find_process_by_executable_format
│ │ └── RA_2405_find_process_by_executable_format.yml
│ ├── RA_2406_find_process_by_executable_content_pattern
│ │ └── RA_2406_find_process_by_executable_content_pattern.yml
│ ├── RA_2407_analyse_process_execution_history
│ │ └── RA_2407_analyse_process_execution_history.yml
│ ├── RA_2408_analyse_parent_process
│ │ └── RA_2408_analyse_parent_process.yml
│ ├── RA_2409_analyse_command_line_arguments
│ │ └── RA_2409_analyse_command_line_arguments.yml
│ ├── RA_2410_list_child_processes
│ │ └── RA_2410_list_child_processes.yml
│ ├── RA_2501_list_registry_keys_modified
│ │ └── RA_2501_list_registry_keys_modified.yml
│ ├── RA_2502_list_registry_keys_deleted
│ │ └── RA_2502_list_registry_keys_deleted.yml
│ ├── RA_2503_list_registry_keys_accessed
│ │ └── RA_2503_list_registry_keys_accessed.yml
│ ├── RA_2504_list_registry_keys_created
│ │ └── RA_2504_list_registry_keys_created.yml
│ ├── RA_2505_list_services_created
│ │ └── RA_2505_list_services_created.yml
│ ├── RA_2506_list_services_modified
│ │ └── RA_2506_list_services_modified.yml
│ ├── RA_2507_list_services_deleted
│ │ └── RA_2507_list_services_deleted.yml
│ ├── RA_2508_analyse_registry_key
│ │ └── RA_2508_analyse_registry_key.yml
│ ├── RA_2601_list_users_authenticated
│ │ └── RA_2601_list_users_authenticated.yml
│ ├── RA_2602_list_user_accounts
│ │ └── RA_2602_list_user_accounts.yml
│ ├── RA_2603_analyse_user_account_properties
│ │ └── RA_2603_analyse_user_account_properties.yml
│ ├── RA_2603_find_successfully_enumerated_users
│ │ └── RA_2603_find_successfully_enumerated_users.yml
│ ├── RA_2604_contact_user
│ │ └── RA_2604_contact_user.yml
│ ├── RA_2604_find_compromised_user
│ │ └── RA_2604_find_compromised_user.yml
│ ├── RA_2999_examine_content
│ │ └── RA_2999_examine_content.yml
│ ├── RA_3001_patch_vulnerability
│ │ └── RA_3001_patch_vulnerability.yml
│ ├── RA_3101_block_external_ip_address
│ │ └── RA_3101_block_external_ip_address.yml
│ ├── RA_3102_block_internal_ip_address
│ │ └── RA_3102_block_internal_ip_address.yml
│ ├── RA_3103_block_external_domain
│ │ └── RA_3103_block_external_domain.yml
│ ├── RA_3104_block_internal_domain
│ │ └── RA_3104_block_internal_domain.yml
│ ├── RA_3105_block_external_url
│ │ └── RA_3105_block_external_url.yml
│ ├── RA_3106_block_internal_url
│ │ └── RA_3106_block_internal_url.yml
│ ├── RA_3107_block_port_external_communication
│ │ └── RA_3107_block_port_external_communication.yml
│ ├── RA_3108_block_port_internal_communication
│ │ └── RA_3108_block_port_internal_communication.yml
│ ├── RA_3109_block_user_external_communication
│ │ └── RA_3109_block_user_external_communication.yml
│ ├── RA_3110_block_user_internal_communication
│ │ └── RA_3110_block_user_internal_communication.yml
│ ├── RA_3111_block_data_transferring_by_content_pattern
│ │ └── RA_3111_block_data_transferring_by_content_pattern.yml
│ ├── RA_3201_block_domain_on_email
│ │ └── RA_3201_block_domain_on_email.yml
│ ├── RA_3202_block_sender_on_email
│ │ └── RA_3202_block_sender_on_email.yml
│ ├── RA_3203_quarantine_email_message
│ │ └── RA_3203_quarantine_email_message.yml
│ ├── RA_3204_block_internal_email
│ │ └── RA_3204_block_internal_email.yml
│ ├── RA_3301_quarantine_file_by_format
│ │ └── RA_3301_quarantine_file_by_format.yml
│ ├── RA_3302_quarantine_file_by_hash
│ │ └── RA_3302_quarantine_file_by_hash.yml
│ ├── RA_3303_quarantine_file_by_path
│ │ └── RA_3303_quarantine_file_by_path.yml
│ ├── RA_3304_quarantine_file_by_content_pattern
│ │ └── RA_3304_quarantine_file_by_content_pattern.yml
│ ├── RA_3401_block_process_by_executable_path
│ │ └── RA_3401_block_process_by_executable_path.yml
│ ├── RA_3402_block_process_by_executable_metadata
│ │ └── RA_3402_block_process_by_executable_metadata.yml
│ ├── RA_3403_block_process_by_executable_hash
│ │ └── RA_3403_block_process_by_executable_hash.yml
│ ├── RA_3404_block_process_by_executable_format
│ │ └── RA_3404_block_process_by_executable_format.yml
│ ├── RA_3405_block_process_by_executable_content_pattern
│ │ └── RA_3405_block_process_by_executable_content_pattern.yml
│ ├── RA_3501_disable_system_service
│ │ └── RA_3501_disable_system_service.yml
│ ├── RA_3502_run_antivirus_scan
│ │ └── RA_3502_run_antivirus_scan.yml
│ ├── RA_3601_lock_user_account
│ │ └── RA_3601_lock_user_account.yml
│ ├── RA_4001_report_incident_to_external_companies
│ │ └── RA_4001_report_incident_to_external_companies.yml
│ ├── RA_4002_report_incident_to_external_companies
│ │ └── RA_4002_report_incident_to_external_companies.yml
│ ├── RA_4101_remove_rogue_network_device
│ │ └── RA_4101_remove_rogue_network_device.yml
│ ├── RA_4201_delete_email_message
│ │ └── RA_4201_delete_email_message.yml
│ ├── RA_4301_remove_file
│ │ └── RA_4301_remove_file.yml
│ ├── RA_4501_remove_registry_key
│ │ └── RA_4501_remove_registry_key.yml
│ ├── RA_4502_remove_service
│ │ └── RA_4502_remove_service.yml
│ ├── RA_4601_revoke_authentication_credentials
│ │ └── RA_4601_revoke_authentication_credentials.yml
│ ├── RA_4602_remove_user_account
│ │ └── RA_4602_remove_user_account.yml
│ ├── RA_4603_reset_authentication_credentials
│ │ └── RA_4603_reset_authentication_credentials.yml
│ ├── RA_4604_delete_attribute_from_object
│ │ └── RA_4604_delete_attribute_from_object.yml
│ ├── RA_5001_reinstall_host_from_golden_image
│ │ └── RA_5001_reinstall_host_from_golden_image.yml
│ ├── RA_5002_restore_data_from_backup
│ │ └── RA_5002_restore_data_from_backup.yml
│ ├── RA_5101_unblock_blocked_internal_ip
│ │ └── RA_5101_unblock_blocked_internal_ip.yml
│ ├── RA_5101_unblock_blocked_ip
│ │ └── RA_5101_unblock_blocked_ip.yml
│ ├── RA_5102_unblock_blocked_domain
│ │ └── RA_5102_unblock_blocked_domain.yml
│ ├── RA_5103_unblock_blocked_url
│ │ └── RA_5103_unblock_blocked_url.yml
│ ├── RA_5104_unblock_blocked_port
│ │ └── RA_5104_unblock_blocked_port.yml
│ ├── RA_5105_unblock_blocked_user
│ │ └── RA_5105_unblock_blocked_user.yml
│ ├── RA_5201_unblock_domain_on_email
│ │ └── RA_5201_unblock_domain_on_email.yml
│ ├── RA_5202_unblock_sender_on_email
│ │ └── RA_5202_unblock_sender_on_email.yml
│ ├── RA_5203_restore_quarantined_email_message
│ │ └── RA_5203_restore_quarantined_email_message.yml
│ ├── RA_5204_unblock_internal_email
│ │ └── RA_5204_unblock_internal_email.yml
│ ├── RA_5301_restore_quarantined_file
│ │ └── RA_5301_restore_quarantined_file.yml
│ ├── RA_5401_unblock_blocked_process
│ │ └── RA_5401_unblock_blocked_process.yml
│ ├── RA_5501_enable_disabled_service
│ │ └── RA_5501_enable_disabled_service.yml
│ ├── RA_5601_unlock_locked_user_account
│ │ └── RA_5601_unlock_locked_user_account.yml
│ ├── RA_6001_develop_incident_report
│ │ └── RA_6001_develop_incident_report.yml
│ ├── RA_6002_conduct_lessons_learned_exercise
│ │ └── RA_6002_conduct_lessons_learned_exercise.yml
│ └── respose_action.yml.template
│ ├── response_actions_implementations
│ ├── RAI_2105_0001_ptnad_analyse_ip
│ │ └── RAI_2105_0001_ptnad_analyse_ip.yml
│ ├── RAI_2113_0001_ptnad_link_clicked
│ │ └── RAI_2113_0001_ptnad_link_clicked.yml
│ ├── RAI_2113_0002_mpsiem_link_clicked
│ │ └── RAI_2113_0002_mpsiem_link_clicked.yml
│ ├── RAI_2203_0001_ptnad_list_receivers
│ │ └── RAI_2203_0001_ptnad_list_receivers.yml
│ ├── RAI_2205_0001_ptnad_email_observables
│ │ └── RAI_2205_0001_ptnad_email_observables.yml
│ ├── RAI_2205_0002_mpsiem_email_observables
│ │ └── RAI_2205_0002_mpsiem_email_observables.yml
│ ├── RAI_2311_0001_soldr_file_collection
│ │ ├── RAI_2311_0001_soldr_file_collection.yml
│ │ └── RAI_2311_0001_soldr_file_collection.yml.bak
│ ├── RAI_2318_0001_mpsiem_script_executed
│ │ └── RAI_2318_0001_mpsiem_script_executed.yml
│ ├── RAI_2321_0001_mpsiem_file_opened
│ │ └── RAI_2321_0001_mpsiem_file_opened.yml
│ ├── RAI_2407_0001_mpsiem_process_execution_history
│ │ └── RAI_2407_0001_mpsiem_process_execution_history.yml
│ ├── RAI_2410_0001_mpsiem_list_child_processes
│ │ └── RAI_2410_0001_mpsiem_list_child_processes.yml
│ ├── RAI_2504_0001_powershell_list_registry_keys
│ │ └── RAI_2504_0001_powershell_list_registry_keys.yml
│ ├── RAI_2603_0001_get_domain_user_account_attributes
│ │ └── RAI_2603_0001_get_domain_user_account_attributes.yml
│ ├── RAI_2603_0002_get_domain_user_account_groups
│ │ └── RAI_2603_0002_get_domain_user_account_groups.yml
│ ├── RAI_3302_0001_soldr_quarantine_file
│ │ └── RAI_3302_0001_soldr_quarantine_file.yml
│ ├── RAI_4301_0002_soldr_delete_file
│ │ └── RAI_4301_0002_soldr_delete_file.yml
│ ├── RAI_4501_0001_powershell_remove_registry_key
│ │ └── RAI_4501_0001_powershell_remove_registry_key.yml
│ ├── RAI_4604_0001_powershell_delete_attribute_from_object
│ │ └── RAI_4604_0001_powershell_delete_attribute_from_object.yml
│ ├── rai_automation_script_template.md
│ ├── rai_automation_soft_template.md
│ └── rai_manual_action_template.md
│ ├── response_playbooks
│ ├── RP_0001_external_phishing_email
│ │ └── RP_0001_external_phishing_email.yml
│ ├── RP_0002_as_req_domain_user_enumerate
│ │ └── RP_0002_as_req_domain_user_enumerate.yml
│ ├── RP_0003_adding_shadow_credential
│ │ └── RP_0003_adding_shadow_credential.yml
│ ├── RP_0006_successfull_owa_password_spraying
│ │ └── RP_0006_successfull_owa_password_spraying.yml
│ ├── RP_0007_malware_outbrake
│ │ └── RP_0007_malware_outbrake.yml
│ ├── RP_0007_spam_attack_from_internal_network
│ │ └── RP_0007_spam_attack_from_internal_network.yml
│ ├── RP_0009_malicious_process
│ │ └── RP_0009_malicious_process.yml
│ ├── RP_1001_operational_preparations
│ │ └── RP_1001_operational_preparations.yml
│ ├── RP_1002_identify_affected_systems_and_users
│ │ └── RP_1002_identify_affected_systems_and_users.yml
│ ├── RP_1003_identify_compromised_data
│ │ └── RP_1003_identify_compromised_data.yml
│ ├── RP_1004_identify_means_of_attack
│ │ └── RP_1004_identify_means_of_attack.yml
│ ├── RP_2001_dll_load_via_com_abuse
│ │ └── RP_2001_dll_load_via_com_abuse.yml
│ ├── RP_2002_priv_esc_through_named_pipe
│ │ └── RP_2002_priv_esc_through_named_pipe.yml
│ ├── RP_2003_dumping_mscash
│ │ └── RP_2003_dumping_mscash.yml
│ ├── RP_2004_wdigest_credential_access
│ │ └── RP_2004_wdigest_credential_access.yml
│ ├── RP_2005_hijack_default_fle_extension
│ │ └── RP_2005_hijack_default_fle_extension.yml
│ ├── RP_2006_lateral_movement_using_scm
│ │ └── RP_2006_lateral_movement_using_scm.yml
│ ├── RP_2007_lateral_movement_winrm_pwsh
│ │ └── RP_2007_lateral_movement_winrm_pwsh.yml
│ ├── RP_2008_persistence_using_winlogon
│ │ └── RP_2008_persistence_using_winlogon.yml
│ └── respose_playbook.yml.template
│ ├── response_stages
│ ├── RS0001
│ │ └── RS0001.yml
│ ├── RS0002
│ │ └── RS0002.yml
│ ├── RS0003
│ │ └── RS0003.yml
│ ├── RS0004
│ │ └── RS0004.yml
│ ├── RS0005
│ │ └── RS0005.yml
│ └── RS0006
│ │ └── RS0006.yml
│ ├── software
│ ├── S_0003_windows_host
│ │ └── S_0003_windows_host.yml
│ ├── S_0004_windows_powershell
│ │ └── S_0004_windows_powershell.yml
│ ├── S_0005_soldr
│ │ └── S_0005_soldr.yml
│ ├── S_0100_linux
│ │ └── S_0100_linux.yml
│ ├── S_1001_check_point_firewall
│ │ └── S_1001_check_point_firewall.yml
│ ├── S_1002_cisco_asa_firewall
│ │ └── S_1002_cisco_asa_firewall.yml
│ ├── S_3001_ms_exchange_server
│ │ └── S_3001_ms_exchange_server.yml
│ ├── S_3002_postfix_mail_server
│ │ └── S_3002_postfix_mail_server.yml
│ ├── S_3003_skype4business_server
│ │ └── S_3003_skype4business_server.yml
│ ├── S_3004_bitrix_server
│ │ └── S_3004_bitrix_server.yml
│ ├── S_3005_ms_sharepoint_server
│ │ └── S_3005_ms_sharepoint_server.yml
│ ├── S_3006_citrix_server
│ │ └── S_3006_citrix_server.yml
│ ├── S_3007_apache_tomcat_server
│ │ └── S_3007_apache_tomcat_server.yml
│ ├── S_3008_weblogic_server
│ │ └── S_3008_weblogic_server.yml
│ ├── S_3009_zabbix_server
│ │ └── S_3009_zabbix_server.yml
│ ├── S_3010_gitlab_server
│ │ └── S_3010_gitlab_server.yml
│ ├── S_3011_mysql_server
│ │ └── S_3011_mysql_server.yml
│ ├── S_3012_postgresql_server
│ │ └── S_3012_postgresql_server.yml
│ ├── S_5001_ms_dns_server
│ │ └── S_5001_ms_dns_server.yml
│ └── S_6001_ms_domain_controller_server
│ │ └── S_6001_ms_domain_controller_server.yml
│ └── usecases
│ ├── UC_0002_as_req_domain_user_enumerate
│ └── UC_0002_as_req_domain_user_enumerate.yml
│ ├── UC_0003_adding_shadow_credential
│ └── UC_0003_adding_shadow_credential.yml
│ ├── UC_0006_owa_password_spraying
│ └── UC_0006_owa_password_spraying.yml
│ ├── UC_0012_load_dll_via_com_abuse
│ └── UC_0012_load_dll_via_com_abuse.yml
│ ├── UC_0021_priv_esc_through_named_pipe
│ └── UC_0021_priv_esc_through_named_pipe.yml
│ ├── UC_0031_dumping_and_cracking_mscash
│ └── UC_0031_dumping_and_cracking_mscash.yml
│ ├── UC_0032_forcing_wdigest_to_store_credential_in_plaintext
│ └── UC_0032_forcing_wdigest_to_store_credential_in_plaintext.yml
│ ├── UC_0041_lateral_movement_via_service_configuration_manager
│ └── UC_0041_lateral_movement_via_service_configuration_manager.yml
│ ├── UC_0042_winrm_for_lateral_movement
│ └── UC_0042_winrm_for_lateral_movement.yml
│ ├── UC_0051_persistense_windows_logon_helper
│ └── UC_0051_persistense_windows_logon_helper.yml
│ └── UC_0052_hijacking_default_file_extension
│ └── UC_0052_hijacking_default_file_extension.yml
├── docker-compose.yml
├── ermack
├── __init__.py
├── data_providers
│ ├── __init__.py
│ ├── confluence_provider.py
│ ├── data_provider.py
│ ├── markdown_provider.py
│ └── mkdocs_provider.py
├── entities
│ ├── __init__.py
│ ├── artifact.py
│ ├── entities_map.py
│ ├── entity.py
│ ├── infrastructure_profile.py
│ ├── response_action.py
│ ├── response_action_implementation.py
│ ├── response_playbook.py
│ ├── response_stage.py
│ ├── software.py
│ └── usecases.py
├── render_knowledge_base.py
├── templates
│ ├── en
│ │ ├── confluence
│ │ │ ├── artifact.html.j2
│ │ │ ├── entity_table.html.j2
│ │ │ ├── infrastructure_profile.html.j2
│ │ │ ├── response_action.html.j2
│ │ │ ├── response_action_implementation.html.j2
│ │ │ ├── response_playbook.html.j2
│ │ │ ├── response_stage.html.j2
│ │ │ ├── software.html.j2
│ │ │ ├── standard_summary.html.j2
│ │ │ ├── tags.html.j2
│ │ │ ├── toc_macros.html.j2
│ │ │ └── usecase.html.j2
│ │ └── markdown
│ │ │ ├── artifact.md.j2
│ │ │ ├── entity_table.md.j2
│ │ │ ├── infrastructure_profile.md.j2
│ │ │ ├── mkdocs.yml.j2
│ │ │ ├── response_action.md.j2
│ │ │ ├── response_action_implementation.md.j2
│ │ │ ├── response_playbook.md.j2
│ │ │ ├── response_stage.md.j2
│ │ │ ├── software.md.j2
│ │ │ ├── standard_summary.md.j2
│ │ │ ├── tags.md.j2
│ │ │ ├── usecase.md.j2
│ │ │ └── visual_concepts.md.j2
│ └── ru
│ │ ├── confluence
│ │ ├── artifact.html.j2
│ │ ├── entity_table.html.j2
│ │ ├── infrastructure_profile.html.j2
│ │ ├── response_action.html.j2
│ │ ├── response_action_implementation.html.j2
│ │ ├── response_playbook.html.j2
│ │ ├── response_stage.html.j2
│ │ ├── software.html.j2
│ │ ├── standard_summary.html.j2
│ │ ├── tags.html.j2
│ │ ├── toc_macros.html.j2
│ │ └── usecase.html.j2
│ │ └── markdown
│ │ ├── artifact.md.j2
│ │ ├── entity_table.md.j2
│ │ ├── infrastructure_profile.md.j2
│ │ ├── mkdocs.yml.j2
│ │ ├── response_action.md.j2
│ │ ├── response_action_implementation.md.j2
│ │ ├── response_playbook.md.j2
│ │ ├── response_stage.md.j2
│ │ ├── software.md.j2
│ │ ├── standard_summary.md.j2
│ │ ├── tags.md.j2
│ │ ├── usecase.md.j2
│ │ └── visual_concepts.md.j2
└── utils
│ ├── __init__.py
│ ├── attack_mapping.py
│ ├── cpe_wrapper.py
│ ├── create_entity_fs.py
│ ├── localization.py
│ ├── update_attack_mapping.py
│ ├── utils.py
│ └── visual.py
├── main.py
├── pyproject.toml
├── requirements.txt
├── requirements_test.txt
├── spell_checking_dict.txt
├── tests
├── __init__.py
├── code_tests
│ ├── __init__.py
│ ├── artifact
│ │ ├── __init__.py
│ │ ├── parse_test.py
│ │ └── standard_artifact.yml
│ ├── response_action
│ │ ├── __init__.py
│ │ ├── parse_test.py
│ │ └── standard_response_action.yml
│ ├── response_action_impl
│ │ ├── __init__.py
│ │ ├── parse_test.py
│ │ └── standard_response_action_impl.yml
│ ├── response_playbook
│ │ ├── parse_test.py
│ │ └── standard_response_playbook.yml
│ ├── software
│ │ ├── __init__.py
│ │ ├── parse_test.py
│ │ └── standard_software.yml
│ └── usecase
│ │ ├── __init__.py
│ │ ├── parse_test.py
│ │ └── standard_usecase.yml
└── data_tests
│ ├── __init__.py
│ ├── artifact
│ ├── __init__.py
│ └── data_integrity_test.py
│ ├── response_action
│ ├── __init__.py
│ └── data_integrity_test.py
│ ├── response_action_impl
│ ├── __init__.py
│ └── data_integrity_test.py
│ ├── response_playbook
│ ├── __init__.py
│ └── data_integrity_test.py
│ ├── software
│ ├── __init__.py
│ └── data_integrity_test.py
│ └── usecase
│ ├── __init__.py
│ └── data_integrity_test.py
├── tox.ini
└── whitelist.txt
/.vscode/settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "python.formatting.provider": "black",
3 | "python.testing.unittestEnabled": false,
4 | "python.testing.pytestEnabled": true,
5 | }
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Security Experts Community: ERM&CK Dockerfile
# Author: Anton Kutepov (@aw350m33)
# License: MIT
#
# Builds an image that renders the ERM&CK knowledge base with mkdocs and
# serves it on container port 8000 (see CMD below).

# NOTE(review): the base tag is not pinned to a digest, so rebuilds may pull a
# different image over time; pin as `python:3.11@sha256:<digest>` (placeholder)
# if reproducible, auditable builds are wanted.
FROM python:3.11

LABEL maintainer="Anton Kutepov (@aw350m33)"
LABEL description="Dockerfile for ERM&CK project knowledge base"

WORKDIR /ermack
# Dependencies are installed first so this layer is cached independently of
# source changes. requirements.txt is installed as-is: whether versions are
# pinned (and hashes verified via `pip install --require-hashes`) depends on
# that file, which is not shown here — confirm before relying on it.
COPY requirements.txt requirements.txt
RUN pip3 install -r requirements.txt

# Only the entry point and markdown files are copied into the image; the
# `ermack` package and `data/` directory that main.py presumably needs are not,
# so they are expected to be mounted at run time (likely via docker-compose.yml)
# — confirm. README.md is also matched by the `*.md` glob below, so the explicit
# COPY of it is redundant.
COPY main.py main.py
COPY README.md README.md
COPY *.md .

# Renders the entities into ./build, then runs the mkdocs development server
# bound to all container interfaces so the published port is reachable from the
# host. `mkdocs serve` is a development server and main.py is started with
# `--debug`; neither is intended for an internet-facing deployment. No USER
# instruction is given, so the container runs as root.
CMD [ "/bin/bash", "-c", "python3 main.py mkdocs --init --all-entities --debug && cd build && python3 -m mkdocs serve -a 0.0.0.0:8000" ]

--------------------------------------------------------------------------------
/assets/ermack-logo-dark.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/assets/ermack-logo-dark.png
--------------------------------------------------------------------------------
/data/__init__.py:
--------------------------------------------------------------------------------
# Module-level version string of the data package.
__version__ = "0.0.4"
2 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_1002_dns_traffic/A_1002_dns_traffic.yml:
--------------------------------------------------------------------------------
1 | title: DNS Network Traffic
2 | id: A1002
3 | description: This artifact describes user DNS Network Traffic entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:DNSNetworkTraffic/
9 | mapping:
10 | - d3f:DNSNetworkTraffic
11 | extended_description: |
12 | This artifact describes user DNS Network Traffic entity
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_1003_windows_local_account/A_1003_windows_local_account.yml:
--------------------------------------------------------------------------------
1 | title: Local Windows Account
2 | id: A1003
3 | description: This artifact describes Local Windows Account entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:LocalUserAccount/
9 | mapping:
10 | - d3f:LocalUserAccount
11 | extended_description: |
12 | A user account on a given Windows host is a local user account for that specific host.
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_1004_linux_local_account/A_1004_linux_local_account.yml:
--------------------------------------------------------------------------------
1 | title: Linux Local Account
2 | id: A1004
3 | description: This artifact describes Local Linux Account entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:LocalUserAccount/
9 | mapping:
10 | - d3f:LocalUserAccount
11 | extended_description: |
12 | A user account on a given Linux host is a local user account for that specific host.
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_1006_owa_web_token/A_1006_owa_web_token.yml:
--------------------------------------------------------------------------------
1 | title: OWA Web Token
2 | id: A1006
3 | description: This artifact describes Outlook Web Access web token entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | tags:
8 | references:
9 | extended_description: |
10 | This artifact describes Outlook Web Access web token entity
11 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_1008_log/A_1008_log.yml:
--------------------------------------------------------------------------------
1 | title: Log
2 | id: A1008
3 | description: Chronology
4 | author: '@Cyberok'
5 | creation_date: 2023/03/02
6 | modification_date: 2023/03/02
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Log/
9 | mapping:
10 | - d3f:Log
11 | extended_description: |
12 | A record of events in the order of their occurrence
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_1009_kerberos_network_traffic/A_1009_kerberos_network_traffic.yml:
--------------------------------------------------------------------------------
1 | title: Kerberos Network Traffic
2 | id: A1009
3 | description: This artifact describes Kerberos Network Traffic entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | modification_date: 2023/03/13
7 | references:
8 | mapping:
9 | extended_description: |
10 | This artifact describes Kerberos Network Traffic entity
--------------------------------------------------------------------------------
/data/en/artifacts/A_1010_authentication_service/A_1010_authentication_service.yml:
--------------------------------------------------------------------------------
1 | title: Authentication service
2 | id: A1010
3 | description: This artifact describes authentication service
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | modification_date: 2023/03/13
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:AuthenticationService/
9 | mapping:
10 | - d3f:AuthenticationService
11 | extended_description: |
12 | An authentication service is a service that provides an authentication mechanism.
--------------------------------------------------------------------------------
/data/en/artifacts/A_1012_private_key/A_1012_private_key.yml:
--------------------------------------------------------------------------------
1 | title: Private key
2 | id: A1012
3 | description: This artifact describes private key
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/04
6 | modification_date: 2023/05/04
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:PrivateKey/
9 | mapping:
10 | - d3f:PrivateKey
11 | extended_description: |
12 | A private key can be used to decrypt messages encrypted using the corresponding public key, or used to sign a message that can be authenticated with the corresponding public key.
--------------------------------------------------------------------------------
/data/en/artifacts/A_1013_certificate_authority/A_1013_certificate_authority.yml:
--------------------------------------------------------------------------------
1 | title: Certificate authority
2 | id: A1013
3 | description: Certificate authority is an entity that stores, signs and issues certificates
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/04
6 | modification_date: 2023/05/04
7 | references:
8 | - https://en.wikipedia.org/wiki/Certificate_authority
9 | mapping:
10 | extended_description: |
11 | A certificate authority is part of a Public Key Infrastructure (PKI). It is an entity that stores, signs and issues certificates.
--------------------------------------------------------------------------------
/data/en/artifacts/A_1014_access_right/A_1014_access_right.yml:
--------------------------------------------------------------------------------
1 | title: Access right
2 | id: A1014
3 | description: This artifact describes Access right entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/04
6 | modification_date: 2023/05/04
7 | references:
8 | mapping:
9 | extended_description: |
10 | An access right is the right of a subject to a certain kind of access (e.g. read or write) to an object.
--------------------------------------------------------------------------------
/data/en/artifacts/A_1015_directory_service_object_attribute/A_1015_directory_service_object_attribute.yml:
--------------------------------------------------------------------------------
1 | title: Directory Service object attribute
2 | id: A1015
3 | description: This artifact describes Directory Service object attribute
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/04
6 | modification_date: 2023/05/04
7 | references:
8 | mapping:
9 | extended_description: |
10 | A Directory Service object attribute is an attribute of a particular directory object.
--------------------------------------------------------------------------------
/data/en/artifacts/A_3001_email_message/A_3001_email_message.yml:
--------------------------------------------------------------------------------
1 | title: Email Message
2 | id: A3001
3 | description: This artifact describes email message entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Email/
9 | mapping:
10 | - d3f:Email
11 | extended_description: |
12 | An email, or email message, is a document that is sent between computer users across computer networks.
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_3002_file/A_3002_file.yml:
--------------------------------------------------------------------------------
1 | title: File
2 | id: A3002
3 | description: This artifact describes file entity
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:File/
9 | mapping:
10 | - d3f:File
11 | extended_description: |
12 | This artifact describes computer file entity
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_3004_object_file/A_3004_object_file.yml:
--------------------------------------------------------------------------------
1 | title: Object File
2 | id: A3004
3 | description: This artifact describes object entity
4 | author: '@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:ObjectFile/
9 | mapping:
10 | - d3f:ObjectFile
11 | extended_description: |
12 | Relocatable machine code
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_4002_process_image/A_4002_process_image.yml:
--------------------------------------------------------------------------------
1 | title: Process Image
2 | id: A4002
3 | description: This artifact describes process entity
4 | author: '@Cyberok'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:ProcessImage/
9 | mapping:
10 | - d3f:ProcessImage
11 | extended_description: |
12 | A process image is a copy of a given process's state at a given point in time. It is often used to create persistence within an otherwise volatile system.
--------------------------------------------------------------------------------
/data/en/artifacts/A_4003_remote_session/A_4003_remote_session.yml:
--------------------------------------------------------------------------------
1 | title: Remote Session
2 | id: A4003
3 | description: This artifact describes remote session entity
4 | author: '@Cyberok'
5 | creation_date: 2023/03/22
6 | modification_date: 2023/03/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:RemoteSession/
9 | mapping:
10 | - d3f:RemoteSession
11 | extended_description: |
12 | A remote login session is a login session where a client has logged in from their local host machine to a server via a network.
--------------------------------------------------------------------------------
/data/en/artifacts/A_5005_encrypted_credential/A_5005_encrypted_credential.yml:
--------------------------------------------------------------------------------
1 | title: Encrypted Credential
2 | id: A5005
3 | description: This artifact describes encrypted credential entity
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:EncryptedCredential/
9 | mapping:
10 | - d3f:EncryptedCredential
11 | extended_description: |
12 | A credential that is encrypted.
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_5007_remote_session/A_5007_remote_session.yml:
--------------------------------------------------------------------------------
1 | title: Remote Session
2 | id: A5007
3 | description: This artifact describes remote session entity
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:RemoteSession/
9 | mapping:
10 | - d3f:RemoteSession
11 | extended_description: |
12 | A remote login session is a login session where a client has logged in from their local host machine to a server via a network.
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_5009_password_file/A_5009_password_file.yml:
--------------------------------------------------------------------------------
1 | title: Password file
2 | id: A5009
3 | description: This artifact describes password file entity
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:PasswordFile/
9 | mapping:
10 | - d3f:PasswordFile
11 | extended_description: |
12 | Simple form of password database held in a single file (e.g., /etc/shadow)
13 |
--------------------------------------------------------------------------------
/data/en/artifacts/A_5010_service_application/A_5010_service_application.yml:
--------------------------------------------------------------------------------
1 | title: Service Application
2 | id: A5010
3 | description: This artifact describes service entity
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:ServiceApplication/
9 | mapping:
10 | - d3f:ServiceApplication
11 | extended_description: |
12 | An application that provides a set of software functionalities that multiple clients can reuse, provided they are authorized to use the service.
13 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1016_define_escalation_path/RA_1016_define_escalation_path.yml:
--------------------------------------------------------------------------------
1 | title: Define Escalation Path
2 | id: RA1016
3 | description: Define Escalation Path
4 | author: '@ermack_community'
5 | creation_date: 2020/04/08
6 | tags:
7 | - operational
8 | stage: preparation
9 | extended_description: |
10 | Create Escalation Document for your teams:
11 | - Internal Path
12 | - External Path
13 | Follow instructions in your escalation document
14 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1017_prepare_golden_images/RA_1017_prepare_golden_images.yml:
--------------------------------------------------------------------------------
1 | title: RA_1017_prepare_golden_images
2 | id: RA1017
3 | description: >
4 | Prepare golden images for servers and workstations
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: preparation
8 | references:
9 | requirements:
10 | extended_description: |
11 | Prepare golden images for servers and workstations
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1019_check_monitoring_toolset/RA_1019_check_monitoring_toolset.yml:
--------------------------------------------------------------------------------
1 | title: RA_1019_check_monitoring_toolset
2 | id: RA1019
3 | description: >
4 | Make sure monitoring tools are working and up to date
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: preparation
8 | references:
9 | requirements:
10 | extended_description: |
11 | Make sure monitoring tools are working and up to date
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1020_prepare_acquisition_profiles/RA_1020_prepare_acquisition_profiles.yml:
--------------------------------------------------------------------------------
1 | title: RA_1020_prepare_acquisition_profiles
2 | id: RA1020
3 | description: >
4 | Prepare acquisition profiles
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: preparation
8 | references:
9 | - https://github.com/certsocietegenerale/IRM/blob/main/EN/IRM-2-WindowsIntrusion.pdf
10 | extended_description: |
11 | Acquisition profiles for EDR or tools like FastIR, DFIR Orc, KAPE must be prepared.
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1021_prepare_golden_image_comparsion_tool/RA_1021_prepare_golden_image_comparsion_tool.yml:
--------------------------------------------------------------------------------
1 | title: RA_1021_prepare_golden_image_comparsion_tool
2 | id: RA1021
3 | description: >
4 | Prepare golden image vs system snapshot comparison tool
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: preparation
8 | references:
9 | requirements:
10 | extended_description: |
11 | Prepare golden image vs system snapshot comparison tool
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1102_access_internal_network_flow_logs/RA_1102_access_internal_network_flow_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1102_access_internal_network_flow_logs
2 | id: RA1102
3 | description: >
4 | Make sure you have access to internal communication Network Flow logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1103_access_internal_http_logs/RA_1103_access_internal_http_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1103_access_internal_http_logs
2 | id: RA1103
3 | description: >
4 | Make sure you have access to internal communication HTTP logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_http_log
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1105_access_internal_dns_logs/RA_1105_access_internal_dns_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1105_access_internal_dns_logs
2 | id: RA1105
3 | description: >
4 | Make sure you have access to internal communication DNS logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_dns_log
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1107_access_vpn_logs/RA_1107_access_vpn_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1107_access_vpn_logs
2 | id: RA1107
3 | description: >
4 | Make sure you have access to VPN logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1108_access_dhcp_logs/RA_1108_access_dhcp_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1108_access_dhcp_logs
2 | id: RA1108
3 | description: >
4 | Make sure you have access to DHCP logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1109_access_internal_packet_capture_data/RA_1109_access_internal_packet_capture_data.yml:
--------------------------------------------------------------------------------
1 | title: RA_1109_access_internal_packet_capture_data
2 | id: RA1109
3 | description: >
4 | Make sure you have access to internal communication Packet Capture data
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_PCAP
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1110_access_external_packet_capture_data/RA_1110_access_external_packet_capture_data.yml:
--------------------------------------------------------------------------------
1 | title: RA_1110_access_external_packet_capture_data
2 | id: RA1110
3 | description: >
4 | Make sure you have access to external communication Packet Capture data
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_PCAP
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1128_get_ability_to_list_firewall_rules/RA_1128_get_ability_to_list_firewall_rules.yml:
--------------------------------------------------------------------------------
1 | title: RA_1128_get_ability_to_list_firewall_rules
2 | id: RA1128
3 | description: Make sure you have the ability to list firewall rules
4 | author: '@atc_project'
5 | creation_date: 2021/06/27
6 | stage: preparation
7 | extended_description: |
8 | Make sure you have the ability to list firewall rules on a particular firewall.
9 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1129_make_sure_all_hosts_get_setting_on_same_ntp/RA_1129_make_sure_all_hosts_get_setting_on_same_ntp.yml:
--------------------------------------------------------------------------------
1 | title: RA_1129_make_sure_all_hosts_get_setting_on_same_ntp
2 | id: RA1129
3 | description: >
4 | Make sure all hosts take their time settings from the same NTP source
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: preparation
8 | references:
9 | requirements:
10 | extended_description: |
11 | Make sure all hosts take their time settings from the same NTP source
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1322_get_ability_to_analyse_pdf_file/RA_1322_get_ability_to_analyse_pdf_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_1322_get_ability_to_analyse_pdf_file
2 | id: RA1322
3 | description: >
4 | Make sure you have the ability to analyse a PDF file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1324_get_ability_to_analyse_jar/RA_1324_get_ability_to_analyse_jar.yml:
--------------------------------------------------------------------------------
1 | title: RA_1324_get_ability_to_analyse_jar
2 | id: RA1324
3 | description: >
4 | Make sure you have the ability to analyse JAR file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1325_get_ability_to_analyse_filename/RA_1325_get_ability_to_analyse_filename.yml:
--------------------------------------------------------------------------------
1 | title: RA_1325_get_ability_to_analyse_filename
2 | id: RA1325
3 | description: >
4 | Make sure you have the ability to analyse a filename
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1510_get_ability_to_remove_service/RA_1510_get_ability_to_remove_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_1510_get_ability_to_remove_service
2 | id: RA1510
3 | description: >
4 | Make sure you have the ability to remove a service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_1606_get_ability_to_list_user_accounts/RA_1606_get_ability_to_list_user_accounts.yml:
--------------------------------------------------------------------------------
1 | title: RA_1606_get_ability_to_list_user_accounts
2 | id: RA1606
3 | description: Make sure you have the ability to list user accounts on a particular system
4 | author: '@atc_project'
5 | creation_date: 2021/06/27
6 | stage: preparation
7 | extended_description: |
8 | Make sure you have the ability to list user accounts on a particular system.
9 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2001_list_victims_of_security_alert/RA_2001_list_victims_of_security_alert.yml:
--------------------------------------------------------------------------------
1 | title: RA_2001_list_victims_of_security_alert
2 | id: RA2001
3 | description: >
4 | List victims of a security alert
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2004_find_compromised_host/RA_2004_find_compromised_host.yml:
--------------------------------------------------------------------------------
1 | title: RA_2005_make_a_volatile_memory_capture
2 | id: RA2005
3 | description: Make a volatile memory capture
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | stage: identification
7 | extended_description: |
8 | Make a volatile memory capture
9 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2007_build_super_timeline/RA_2007_build_super_timeline.yml:
--------------------------------------------------------------------------------
1 | title: RA_2007_build_super_timeline
2 | id: RA2007
3 | description: Build super timeline
4 | author: '@SEC'
5 | creation_date: 2023/05/20
6 | stage: identification
7 | references:
8 | - https://github.com/certsocietegenerale/IRM/blob/main/EN/IRM-2-WindowsIntrusion.pdf
9 | extended_description: |
10 | Super-Timeline
11 | - Process evidence and generate a super-timeline with tools like Log2timeline
12 | - Analyze the generated timeline with TimelineExplorer or glogg for example
13 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2008_prepare_iocs_list/RA_2008_prepare_iocs_list.yml:
--------------------------------------------------------------------------------
1 | title: RA_2008_prepare_iocs_list
2 | id: RA2008
3 | description: Prepare IOCs list
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | stage: identification
7 | references:
8 | - https://github.com/certsocietegenerale/IRM/blob/main/EN/IRM-2-WindowsIntrusion.pdf
9 | extended_description: |
10 | Prepare IOCs list
11 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2101_list_hosts_communicated_with_internal_domain/RA_2101_list_hosts_communicated_with_internal_domain.yml:
--------------------------------------------------------------------------------
1 | title: RA_2101_list_hosts_communicated_with_internal_domain
2 | id: RA2101
3 | description: >
4 | List hosts that communicated with an internal domain
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2102_list_hosts_communicated_with_internal_ip/RA_2102_list_hosts_communicated_with_internal_ip.yml:
--------------------------------------------------------------------------------
1 | title: RA_2102_list_hosts_communicated_with_internal_ip
2 | id: RA2102
3 | description: >
4 | List hosts that communicated with an internal IP address
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2103_list_hosts_communicated_with_internal_url/RA_2103_list_hosts_communicated_with_internal_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_2103_list_hosts_communicated_with_internal_url
2 | id: RA2103
3 | description: >
4 | List hosts that communicated with an internal URL
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2104_analyse_domain_name/RA_2104_analyse_domain_name.yml:
--------------------------------------------------------------------------------
1 | title: RA_2104_analyse_domain_name
2 | id: RA2104
3 | description: >
4 | Analyse a domain name
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2105_analyse_ip/RA_2105_analyse_ip.yml:
--------------------------------------------------------------------------------
1 | title: RA_2105_analyse_IP
2 | id: RA2105
3 | description: >
4 | Analyse an IP address
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2106_analyse_uri/RA_2106_analyse_uri.yml:
--------------------------------------------------------------------------------
1 | title: RA_2106_analyse_uri
2 | id: RA2106
3 | description: >
4 | Analyse a URI
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2114_list_hosts_communicated_with_external_ip/RA_2114_list_hosts_communicated_with_external_ip.yml:
--------------------------------------------------------------------------------
1 | title: RA_2114_list_hosts_communicated_with_external_ip
2 | id: RA2114
3 | description: >
4 | List hosts that communicated with an external IP address
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: identification
8 | requirements:
9 | - DN_network_flow_log
10 | - DN_zeek_conn_log
11 | extended_description: |
12 | List hosts that communicated with an external IP address in the most efficient way.
13 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2115_list_hosts_communicated_with_external_url/RA_2115_list_hosts_communicated_with_external_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_2115_list_hosts_communicated_with_external_url
2 | id: RA2115
3 | description: >
4 | List hosts that communicated with an external URL
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: identification
8 | requirements:
9 | - DN_zeek_http_log
10 | - DN_proxy_log
11 | extended_description: |
12 | List hosts that communicated with an external URL in the most efficient way.
13 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2118_list_firewall_rules/RA_2118_list_firewall_rules.yml:
--------------------------------------------------------------------------------
1 | title: RA_2118_list_firewall_rules
2 | id: RA2118
3 | description: List firewall rules
4 | author: Andreas Hunkeler (@Karneades)
5 | creation_date: 2021/05/21
6 | stage: identification
7 | requirements:
8 | - DN_zeek_conn_log # placeholder
9 | extended_description: |
10 | List firewall rules.
11 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2120_identify_impacted_services/RA_2120_identify_impacted_services.yml:
--------------------------------------------------------------------------------
1 | title: Identify impacted services
2 | id: RA2120
3 | description: >
4 | Identify the IT services being impacted
5 | author: "@ermack_community"
6 | creation_date: 2019/01/31
7 | stage: identification
8 | extended_description: |
9 | Identify the affected services by IP address and DNS name, along with their owners and the impact on them.
10 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2121_identify_useful_security_systems/RA_2121_identify_useful_security_systems.yml:
--------------------------------------------------------------------------------
1 | title: Identify useful security systems
2 | id: RA2121
3 | description: >
4 | Identify the tools used to detect the incident and useful for investigation
5 | author: "@ermack_community"
6 | creation_date: 2019/01/31
7 | stage: identification
8 | extended_description: |
9 | Search for the IOCs in all of your security systems.
10 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2201_list_users_opened_email_message/RA_2201_list_users_opened_email_message.yml:
--------------------------------------------------------------------------------
1 | title: RA_2201_list_users_opened_email_message
2 | id: RA2201
3 | description: >
4 | List users that have opened an email message
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: identification
8 | references:
9 | - https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/
10 | requirements:
11 | - MS_email_server
12 | extended_description: |
13 | List users who opened/read a particular email message using the Email Server's functionality.
14 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2206_analyse_email_address/RA_2206_analyse_email_address.yml:
--------------------------------------------------------------------------------
1 | title: RA_2206_analyse_email_address
2 | id: RA2206
3 | description: Analyse an email address
4 | author: name/nickname/twitter
5 | creation_date: YYYY/MM/DD
6 | stage: identification
7 | automation:
8 | - thehive
9 | references:
10 | - https://example.com
11 | extended_description: |
12 | Description of the extended_description for the Response Action in markdown format.
13 | Here newlines will be saved.
14 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2301_list_files_created/RA_2301_list_files_created.yml:
--------------------------------------------------------------------------------
1 | title: RA_2301_list_files_created
2 | id: RA2301
3 | description: >
4 | List files that have been created at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2302_list_files_modified/RA_2302_list_files_modified.yml:
--------------------------------------------------------------------------------
1 | title: RA_2302_list_files_modified
2 | id: RA2302
3 | description: >
4 | List files that have been modified at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2303_list_files_deleted/RA_2303_list_files_deleted.yml:
--------------------------------------------------------------------------------
1 | title: RA_2303_list_files_deleted
2 | id: RA2303
3 | description: >
4 | List files that have been deleted at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2304_list_files_downloaded/RA_2304_list_files_downloaded.yml:
--------------------------------------------------------------------------------
1 | title: RA_2304_list_files_downloaded
2 | id: RA2304
3 | description: >
4 | List files that have been downloaded at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2305_list_files_with_tampered_timestamps/RA_2305_list_files_with_tampered_timestamps.yml:
--------------------------------------------------------------------------------
1 | title: RA_2305_list_files_with_tampered_timestamps
2 | id: RA2305
3 | description: >
4 | List files with tampered timestamps
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2306_find_file_by_path/RA_2306_find_file_by_path.yml:
--------------------------------------------------------------------------------
1 | title: RA_2306_find_file_by_path
2 | id: RA2306
3 | description: >
4 | Find a file by its path (including its name)
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2307_find_file_by_metadata/RA_2307_find_file_by_metadata.yml:
--------------------------------------------------------------------------------
1 | title: RA_2307_find_file_by_metadata
2 | id: RA2307
3 | description: >
4 | Find a file by its metadata (e.g. signature, permissions, MAC times)
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2308_find_file_by_hash/RA_2308_find_file_by_hash.yml:
--------------------------------------------------------------------------------
1 | title: RA_2308_find_file_by_hash
2 | id: RA2308
3 | description: >
4 | Find a file by its hash
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2309_find_file_by_format/RA_2309_find_file_by_format.yml:
--------------------------------------------------------------------------------
1 | title: RA_2309_find_file_by_format
2 | id: RA2309
3 | description: >
4 | Find a file by its format
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2312_analyse_file_hash/RA_2312_analyse_file_hash.yml:
--------------------------------------------------------------------------------
1 | title: RA_2312_analyse_file_hash
2 | id: RA2312
3 | description: >
4 | Analyse a hash of a file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2314_analyse_macos_macho/RA_2314_analyse_macos_macho.yml:
--------------------------------------------------------------------------------
1 | title: RA_2314_analyse_macos_macho
2 | id: RA2314
3 | description: >
4 | Analyse a macOS Mach-O file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2315_analyse_unix_elf/RA_2315_analyse_unix_elf.yml:
--------------------------------------------------------------------------------
1 | title: RA_2315_analyse_unix_elf
2 | id: RA2315
3 | description: >
4 | Analyse a Unix ELF file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2316_analyse_ms_office_file/RA_2316_analyse_ms_office_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_2316_analyse_ms_office_file
2 | id: RA2316
3 | description: >
4 | Analyse an MS Office file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2317_analyse_pdf_file/RA_2317_analyse_pdf_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_2317_analyse_pdf_file
2 | id: RA2317
3 | description: >
4 | Analyse a PDF file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2318_analyse_script/RA_2318_analyse_script.yml:
--------------------------------------------------------------------------------
1 | title: RA_2318_analyse_script
2 | id: RA2318
3 | description: >
4 | Analyse a script file (e.g. Python, PowerShell, Bash source, etc.)
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2319_analyse_jar/RA_2319_analyse_jar.yml:
--------------------------------------------------------------------------------
1 | title: RA_2319_analyse_jar
2 | id: RA2319
3 | description: >
4 | Analyse a JAR file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2320_analyse_filename/RA_2320_analyse_filename.yml:
--------------------------------------------------------------------------------
1 | title: RA_2320_analyse_filename
2 | id: RA2320
3 | description: >
4 | Analyse a filename
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2501_list_registry_keys_modified/RA_2501_list_registry_keys_modified.yml:
--------------------------------------------------------------------------------
1 | title: RA_2501_list_registry_keys_modified
2 | id: RA2501
3 | description: >
4 | List registry keys modified at a particular time in the past
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2505_list_services_created/RA_2505_list_services_created.yml:
--------------------------------------------------------------------------------
1 | title: RA_2505_list_services_created
2 | id: RA2505
3 | description: >
4 | List services that have been created at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2506_list_services_modified/RA_2506_list_services_modified.yml:
--------------------------------------------------------------------------------
1 | title: RA_2506_list_services_modified
2 | id: RA2506
3 | description: >
4 | List services that have been modified at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2507_list_services_deleted/RA_2507_list_services_deleted.yml:
--------------------------------------------------------------------------------
1 | title: RA_2507_list_services_deleted
2 | id: RA2507
3 | description: >
4 | List services that have been deleted at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2508_analyse_registry_key/RA_2508_analyse_registry_key.yml:
--------------------------------------------------------------------------------
1 | title: RA_2508_analyse_registry_key
2 | id: RA2508
3 | description: >
4 | Analyse a registry key
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2601_list_users_authenticated/RA_2601_list_users_authenticated.yml:
--------------------------------------------------------------------------------
1 | title: RA_2601_list_users_authenticated
2 | id: RA2601
3 | description: >
4 | List users authenticated at a particular time in the past on a particular system
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2602_list_user_accounts/RA_2602_list_user_accounts.yml:
--------------------------------------------------------------------------------
1 | title: RA_2602_list_user_accounts
2 | id: RA2602
3 | description: >
4 | List user accounts on a particular system
5 | author: Andreas Hunkeler (@Karneades)
6 | creation_date: 2021/05/21
7 | stage: identification
8 | references:
9 | - Valid Accounts, https://attack.mitre.org/techniques/T1078/
10 | - Account Manipulation, https://attack.mitre.org/techniques/T1098/
11 | extended_description: |
12 | List user accounts on a particular system to get an overview of
13 | the available accounts.
14 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2603_find_successfully_enumerated_users/RA_2603_find_successfully_enumerated_users.yml:
--------------------------------------------------------------------------------
1 | title: Find successfully enumerated users
2 | id: RA2603
3 | description: Find successfully enumerated users
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | stage: identification
7 | references:
8 | - Account Discovery, https://attack.mitre.org/techniques/T1087/
9 | extended_description: |
10 | Find out from network traffic which users were successfully enumerated.
11 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_2604_find_compromised_user/RA_2604_find_compromised_user.yml:
--------------------------------------------------------------------------------
1 | title: RA_2604_find_compromised_user
2 | id: RA2604
3 | description: Find compromised user
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/07
6 | stage: identification
7 | extended_description: |
8 | Find the user with suspicious activity. Check it in logs or in network traffic.
9 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3001_patch_vulnerability/RA_3001_patch_vulnerability.yml:
--------------------------------------------------------------------------------
1 | title: RA_3001_patch_vulnerability
2 | id: RA3001
3 | description: >
4 | Patch a vulnerability in an asset
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3105_block_external_url/RA_3105_block_external_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_3105_block_external_url
2 | id: RA3105
3 | description: >
4 | Block an external URL from being accessed by corporate assets
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_dns_server
13 | extended_description: |
14 | Block an external URL from being accessed by corporate assets, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3106_block_internal_url/RA_3106_block_internal_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_3106_block_internal_url
2 | id: RA3106
3 | description: >
4 | Block an internal URL from being accessed by corporate assets
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_intranet_proxy
10 | - MS_intranet_ips
11 | - MS_intranet_ngfw
12 | - MS_dns_server
13 | extended_description: |
14 | Block an internal URL from being accessed by corporate assets, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3107_block_port_external_communication/RA_3107_block_port_external_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3107_block_port_external_communication
2 | id: RA3107
3 | description: >
4 | Block a network port for external communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_border_firewall
10 | - MS_border_proxy
11 | - MS_border_ips
12 | - MS_border_ngfw
13 | - MS_host_firewall
14 | extended_description: |
15 | Block a network port for external communications, using the most efficient way.
16 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3108_block_port_internal_communication/RA_3108_block_port_internal_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3108_block_port_internal_communication
2 | id: RA3108
3 | description: >
4 | Block a network port for internal communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_intranet_firewall
10 | - MS_intranet_proxy
11 | - MS_intranet_ips
12 | - MS_intranet_ngfw
13 | - MS_host_firewall
14 | extended_description: |
15 | Block a network port for internal communications, using the most efficient way.
16 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3109_block_user_external_communication/RA_3109_block_user_external_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3109_block_user_external_communication
2 | id: RA3109
3 | description: >
4 | Block a user for external communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_nac
13 | extended_description: |
14 | Block a user for external communications, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3110_block_user_internal_communication/RA_3110_block_user_internal_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3110_block_user_internal_communication
2 | id: RA3110
3 | description: >
4 | Block a user for internal communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_intranet_proxy
10 | - MS_intranet_ips
11 | - MS_intranet_ngfw
12 | - MS_nac
13 | extended_description: |
14 | Block a user for internal communications, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3113_inspect_network_shares/RA_3113_inspect_network_shares.yml:
--------------------------------------------------------------------------------
1 | title: RA_3113_inspect_network_shares
2 | id: RA3113
3 | description: >
4 | Inspect network shares
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: containment
8 | references:
9 | - https://github.com/certsocietegenerale/IRM/blob/main/EN/IRM-2-WindowsIntrusion.pdf
10 | extended_description: |
11 | Inspect network shares or any publicly accessible folders shared with other users to see if the malware has spread through them.
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3202_block_sender_on_email/RA_3202_block_sender_on_email.yml:
--------------------------------------------------------------------------------
1 | title: RA_3202_block_sender_on_email
2 | id: RA3202
3 | description: >
4 | Block an email sender on the Email-server
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: containment
8 | references:
9 | - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide
10 | requirements:
11 | - MS_email_server
12 | extended_description: |
13 | Block an email sender on an Email Server using its native filtering functionality.
14 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3301_quarantine_file_by_format/RA_3301_quarantine_file_by_format.yml:
--------------------------------------------------------------------------------
1 | title: RA_3301_quarantine_file_by_format
2 | id: RA3301
3 | description: >
4 | Quarantine a file by its format
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3303_quarantine_file_by_path/RA_3303_quarantine_file_by_path.yml:
--------------------------------------------------------------------------------
1 | title: RA_3303_quarantine_file_by_path
2 | id: RA3303
3 | description: >
4 | Quarantine a file by its path
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3304_quarantine_file_by_content_pattern/RA_3304_quarantine_file_by_content_pattern.yml:
--------------------------------------------------------------------------------
1 | title: RA_3304_quarantine_file_by_content_pattern
2 | id: RA3304
3 | description: >
4 | Quarantine a file by its content pattern
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3403_block_process_by_executable_hash/RA_3403_block_process_by_executable_hash.yml:
--------------------------------------------------------------------------------
1 | title: RA_3403_block_process_by_executable_hash
2 | id: RA3403
3 | description: >
4 | Block a process execution by its executable hash
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3404_block_process_by_executable_format/RA_3404_block_process_by_executable_format.yml:
--------------------------------------------------------------------------------
1 | title: RA_3404_block_process_by_executable_format
2 | id: RA3404
3 | description: >
4 | Block a process execution by its executable format
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3501_disable_system_service/RA_3501_disable_system_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_3501_disable_system_service
2 | id: RA3501
3 | description: >
4 | Disable a system service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3601_lock_user_account/RA_3601_lock_user_account.yml:
--------------------------------------------------------------------------------
1 | title: RA_3601_lock_user_account
2 | id: RA3601
3 | description: >
4 | Lock a user account
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_3602_block_user_account/RA_3602_block_user_account.yml:
--------------------------------------------------------------------------------
1 | title: RA_3602_block_user_account
2 | id: RA3602
3 | description: >
4 | Block a user account
5 | author: '@SEC'
6 | creation_date: 2023/05/18
7 | stage: containment
8 | extended_description: |
9 | Block a user account
10 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4002_apply_prevention_mode_for_iocs/RA_4002_apply_prevention_mode_for_iocs.yml:
--------------------------------------------------------------------------------
1 | title: RA_4002_apply_prevention_mode_for_iocs
2 | id: RA4002
3 | description: Apply security solution prevention mode for all identified IOCs.
4 | author: '@SEC'
5 | creation_date: 2023/05/20
6 | stage: eradication
7 | references:
8 | - https://github.com/certsocietegenerale/IRM/blob/main/EN/IRM-2-WindowsIntrusion.pdf
9 | extended_description: |
10 | Apply security solution prevention mode for all identified IOCs.
11 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4101_remove_rogue_network_device/RA_4101_remove_rogue_network_device.yml:
--------------------------------------------------------------------------------
1 | title: RA_4101_remove_rogue_network_device
2 | id: RA4101
3 | description: >
4 | Remove a rogue network device
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4201_delete_email_message/RA_4201_delete_email_message.yml:
--------------------------------------------------------------------------------
1 | title: RA_4201_delete_email_message
2 | id: RA4201
3 | description: Delete an email message from an Email Server and users' email boxes
4 | author: '@atc_project'
5 | creation_date: 2019/01/31
6 | stage: eradication
7 | requirements:
8 | - MS_email_server
9 | artifacts:
10 | - A3001_Email_Message
11 | - A1001_User_AD_Account
12 | extended_description: |
13 | Delete an email message from an Email Server and users' email boxes using its native functionality.
14 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4502_remove_service/RA_4502_remove_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_4502_remove_service
2 | id: RA4502
3 | description: >
4 | Remove a service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4503_remove_persistence_mechanisms/RA_4503_remove_persistence_mechanisms.yml:
--------------------------------------------------------------------------------
1 | title: RA_4503_remove_persistence_mechanisms
2 | id: RA4503
3 | description: >
4 | Remove persistence mechanisms
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: eradication
8 | references:
9 | - https://github.com/certsocietegenerale/IRM/blob/main/EN/IRM-2-WindowsIntrusion.pdf
10 | extended_description: |
11 | Remove persistence mechanisms
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4602_remove_user_account/RA_4602_remove_user_account.yml:
--------------------------------------------------------------------------------
1 | title: RA_4602_remove_user_account
2 | id: RA4602
3 | description: >
4 | Remove a user account
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4604_delete_attribute_from_object/RA_4604_delete_attribute_from_object.yml:
--------------------------------------------------------------------------------
1 | title: RA_4604_delete_attribute_from_object
2 | id: RA4604
3 | description: >
4 | Remove a record from an object attribute
5 | author: '@ERMACK_COMMUNITY'
6 | creation_date: 2023/05/07
7 | stage: eradication
8 | extended_description: |
9 | Delete a record from an object attribute
10 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_4605_revoke_certificate/RA_4605_revoke_certificate.yml:
--------------------------------------------------------------------------------
1 | title: RA_4605_revoke_certificate
2 | id: RA4605
3 | description: >
4 | Revocation of an issued certificate
5 | author: '@ERMACK_COMMUNITY'
6 | creation_date: 2023/05/12
7 | stage: eradication
8 | extended_description: |
9 | Revocation of an issued certificate.
10 | To revoke a certificate, you must uniquely identify it. It is better to do this using the certificate thumbprint, since it identifies exactly one certificate even when subject names are reused.
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5001_reinstall_host_from_golden_image/RA_5001_reinstall_host_from_golden_image.yml:
--------------------------------------------------------------------------------
1 | title: RA_5001_reinstall_host_from_golden_image
2 | id: RA5001
3 | description: >
4 | Reinstall host OS from a golden image
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5002_restore_data_from_backup/RA_5002_restore_data_from_backup.yml:
--------------------------------------------------------------------------------
1 | title: RA_5002_restore_data_from_backup
2 | id: RA5002
3 | description: >
4 | Restore data from a backup
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5102_unblock_blocked_domain/RA_5102_unblock_blocked_domain.yml:
--------------------------------------------------------------------------------
1 | title: RA_5102_unblock_blocked_domain
2 | id: RA5102
3 | description: >
4 | Unblock a blocked domain name
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_intranet_proxy
13 | - MS_intranet_ips
14 | - MS_intranet_ngfw
15 | - MS_dns_server
16 | extended_description: |
17 | Unblock a blocked domain name in the system(s) used to block it.
18 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5103_unblock_blocked_url/RA_5103_unblock_blocked_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_5103_unblock_blocked_url
2 | id: RA5103
3 | description: >
4 | Unblock a blocked URL
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_intranet_proxy
13 | - MS_intranet_ips
14 | - MS_intranet_ngfw
15 | extended_description: |
16 | Unblock a blocked URL in the system(s) used to block it.
17 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5104_unblock_blocked_port/RA_5104_unblock_blocked_port.yml:
--------------------------------------------------------------------------------
1 | title: RA_5104_unblock_blocked_port
2 | id: RA5104
3 | description: >
4 | Unblock a blocked port
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5105_unblock_blocked_user/RA_5105_unblock_blocked_user.yml:
--------------------------------------------------------------------------------
1 | title: RA_5105_unblock_blocked_user
2 | id: RA5105
3 | description: >
4 | Unblock a blocked user
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5201_unblock_domain_on_email/RA_5201_unblock_domain_on_email.yml:
--------------------------------------------------------------------------------
1 | title: RA_5201_unblock_domain_on_email
2 | id: RA5201
3 | description: >
4 | Unblock a domain on email
5 | author: '@atc_project'
6 | creation_date: 2020/05/07
7 | stage: recovery
8 | references:
9 | - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide
10 | requirements:
11 | - MS_email_server
12 | extended_description: |
13 | Unblock an email domain on an Email Server using its native functionality.
14 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5202_unblock_sender_on_email/RA_5202_unblock_sender_on_email.yml:
--------------------------------------------------------------------------------
1 | title: RA_5202_unblock_sender_on_email
2 | id: RA5202
3 | description: >
4 | Unblock a sender on email
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_email_server
10 | extended_description: |
11 | Unblock an email sender on an Email Server using its native functionality.
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5203_restore_quarantined_email_message/RA_5203_restore_quarantined_email_message.yml:
--------------------------------------------------------------------------------
1 | title: RA_5203_restore_quarantined_email_message
2 | id: RA5203
3 | description: >
4 | Restore a quarantined email message
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_email_server
10 | extended_description: |
11 | Restore a quarantined email message on an Email Server using its native functionality.
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5301_restore_quarantined_file/RA_5301_restore_quarantined_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_5301_restore_quarantined_file
2 | id: RA5301
3 | description: >
4 | Restore a quarantined file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5302_restore_modified_file/RA_5302_restore_modified_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_5302_restore_modified_file
2 | id: RA5302
3 | description: >
4 | Restore all files that could have been altered by the attacker
5 | author: '@SEC'
6 | creation_date: 2023/05/20
7 | stage: recovery
8 | references:
9 | - https://github.com/certsocietegenerale/IRM/blob/main/EN/IRM-2-WindowsIntrusion.pdf
10 | extended_description: |
11 | Restore all files that could have been altered by the attacker
12 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5401_unblock_blocked_process/RA_5401_unblock_blocked_process.yml:
--------------------------------------------------------------------------------
1 | title: RA_5401_unblock_blocked_process
2 | id: RA5401
3 | description: >
4 | Unblock a blocked process
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5501_enable_disabled_service/RA_5501_enable_disabled_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_5501_enable_disabled_service
2 | id: RA5501
3 | description: >
4 | Enable a disabled service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5601_unlock_locked_user_account/RA_5601_unlock_locked_user_account.yml:
--------------------------------------------------------------------------------
1 | title: RA_5601_unlock_locked_user_account
2 | id: RA5601
3 | description: >
4 | Unlock a locked user account
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_5602_reissue_revoked_certificate/RA_5602_reissue_revoked_certificate.yml:
--------------------------------------------------------------------------------
1 | title: RA_5602_reissue_revoked_certificate
2 | id: RA5602
3 | description: >
4 | Reissue revoked certificate
5 | author: '@ERMACK_COMMUNITY'
6 | creation_date: 2023/05/12
7 | stage: recovery
8 | extended_description: |
9 | Reissue revoked certificate.
10 | To reissue a certificate, use the revoked certificate as a template.
--------------------------------------------------------------------------------
/data/en/response_actions/RA_6003_update_acquisition_profiles/RA_6003_update_acquisition_profiles.yml:
--------------------------------------------------------------------------------
1 | title: RA_6003_update_acquisition_profiles
2 | id: RA6003
3 | description: Update acquisition profiles
4 | author: '@SEC'
5 | creation_date: 2023/05/20
6 | stage: lessons_learned
7 | extended_description: |
8 | Update acquisition profiles
9 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_6004_update_network_profiles/RA_6004_update_network_profiles.yml:
--------------------------------------------------------------------------------
1 | title: RA_6004_update_network_profiles
2 | id: RA6004
3 | description: Update network profiles
4 | author: '@SEC'
5 | creation_date: 2023/05/20
6 | stage: lessons_learned
7 | extended_description: |
8 | Update network profiles
9 |
--------------------------------------------------------------------------------
/data/en/response_actions/RA_6005_update_process_profiles/RA_6005_update_process_profiles.yml:
--------------------------------------------------------------------------------
1 | title: RA_6005_update_process_profiles
2 | id: RA6005
3 | description: Update process profiles
4 | author: '@SEC'
5 | creation_date: 2023/05/20
6 | stage: lessons_learned
7 | extended_description: |
8 | Update process profiles
9 |
--------------------------------------------------------------------------------
/data/en/response_actions_implementations/RAI_2311_0001_soldr_file_collection/5.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_actions_implementations/RAI_2311_0001_soldr_file_collection/5.JPG
--------------------------------------------------------------------------------
/data/en/response_actions_implementations/RAI_2311_0001_soldr_file_collection/6.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_actions_implementations/RAI_2311_0001_soldr_file_collection/6.JPG
--------------------------------------------------------------------------------
/data/en/response_actions_implementations/RAI_2311_0001_soldr_file_collection/7.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_actions_implementations/RAI_2311_0001_soldr_file_collection/7.JPG
--------------------------------------------------------------------------------
/data/en/response_actions_implementations/RAI_3401_0001_soldr_terminate_process/54.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_actions_implementations/RAI_3401_0001_soldr_terminate_process/54.JPG
--------------------------------------------------------------------------------
/data/en/response_actions_implementations/RAI_3401_0001_soldr_terminate_process/55.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_actions_implementations/RAI_3401_0001_soldr_terminate_process/55.JPG
--------------------------------------------------------------------------------
/data/en/response_actions_implementations/rai_manual_action_template.md:
--------------------------------------------------------------------------------
1 | ## Описание
2 | ## Требования к целевой системе
3 | ## Требования к средствам воздействия
4 | ## Ожидаемый результат воздействия
5 | ## Реализация
6 | ### <Название действия>
7 | #### Комментарии
8 | #### Алгоритм
9 | #### Проверка результата
10 | #### Ограничения
11 | ## Дополнительные сведения
12 | ### Метки
13 | ### Артефакты
14 | ### Ссылки на внешние ресурсы
15 | ### Соответствие классификациям
16 |
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0001_external_phishing_email/RP0001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0001_external_phishing_email/RP0001.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0002_as_req_domain_user_enumerate/RP0002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0002_as_req_domain_user_enumerate/RP0002.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0003_adding_shadow_credential/workflow.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0003_adding_shadow_credential/workflow.jpg
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0004_pass_the_certificate/RP0004.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0004_pass_the_certificate/RP0004.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0005_theft_of_user_certificate_and_private_key/RP0005.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0005_theft_of_user_certificate_and_private_key/RP0005.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0006_successfull_owa_password_spraying/RP0006.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0006_successfull_owa_password_spraying/RP0006.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0007_malware_outbrake/RP0007.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0007_malware_outbrake/RP0007.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0008_windows_host_compromise/RP0008.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0008_windows_host_compromise/RP0008.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_0009_compromised_active_directory_account/RP0009.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_0009_compromised_active_directory_account/RP0009.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_1001_operational_preparations/RP1001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_1001_operational_preparations/RP1001.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_1002_identify_affected_systems_and_users/RP1002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_1002_identify_affected_systems_and_users/RP1002.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_1003_identify_compromised_data/RP1003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_1003_identify_compromised_data/RP1003.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_1004_identify_means_of_attack/RP1004.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_1004_identify_means_of_attack/RP1004.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2001_dll_load_via_com_abuse/RP2001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2001_dll_load_via_com_abuse/RP2001.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2002_priv_esc_through_named_pipe/RP2002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2002_priv_esc_through_named_pipe/RP2002.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2003_dumping_mscash/RP2003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2003_dumping_mscash/RP2003.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2004_wdigest_credential_access/RP2004.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2004_wdigest_credential_access/RP2004.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2005_hijack_default_fle_extension/41.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2005_hijack_default_fle_extension/41.JPG
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2005_hijack_default_fle_extension/42.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2005_hijack_default_fle_extension/42.JPG
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2005_hijack_default_fle_extension/RP2005.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2005_hijack_default_fle_extension/RP2005.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2006_lateral_movement_using_scm/RP2006.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2006_lateral_movement_using_scm/RP2006.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2007_lateral_movement_winrm_pwsh/RP2007.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2007_lateral_movement_winrm_pwsh/RP2007.png
--------------------------------------------------------------------------------
/data/en/response_playbooks/RP_2008_persistence_using_winlogon/RP2008.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/response_playbooks/RP_2008_persistence_using_winlogon/RP2008.png
--------------------------------------------------------------------------------
/data/en/response_stages/RS0001/RS0001.yml:
--------------------------------------------------------------------------------
1 | title: Preparation
2 | id: RS0001
3 | description: Prepare for a security incident.
4 |
--------------------------------------------------------------------------------
/data/en/response_stages/RS0002/RS0002.yml:
--------------------------------------------------------------------------------
1 | title: Identification
2 | id: RS0002
3 | description: Gather information about a threat that has triggered a security incident, its TTPs, and affected assets.
4 |
--------------------------------------------------------------------------------
/data/en/response_stages/RS0003/RS0003.yml:
--------------------------------------------------------------------------------
1 | title: Containment
2 | id: RS0003
3 | description: Prevent a threat from achieving its objectives and/or spreading across the environment.
4 |
--------------------------------------------------------------------------------
/data/en/response_stages/RS0004/RS0004.yml:
--------------------------------------------------------------------------------
1 | title: Eradication
2 | id: RS0004
3 | description: Remove a threat from an environment.
4 |
--------------------------------------------------------------------------------
/data/en/response_stages/RS0005/RS0005.yml:
--------------------------------------------------------------------------------
1 | title: Recovery
2 | id: RS0005
3 | description: Recover from the incident and return all affected assets to normal operation.
4 |
--------------------------------------------------------------------------------
/data/en/response_stages/RS0006/RS0006.yml:
--------------------------------------------------------------------------------
1 | title: Lessons Learned
2 | id: RS0006
3 | description: Discover how to improve the Incident Response process and implement the improvements.
4 |
--------------------------------------------------------------------------------
/data/en/software/S_0003_windows_host/S_0003_windows_host.yml:
--------------------------------------------------------------------------------
1 | title: Windows Host
2 | id: S0003
3 | description: Windows Host
4 | author: '@ACTION_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AuthenticationLogging
11 |
--------------------------------------------------------------------------------
/data/en/software/S_0004_windows_powershell/S_0004_windows_powershell.yml:
--------------------------------------------------------------------------------
1 | title: Windows PowerShell
2 | id: S0004
3 | description: Windows PowerShell Interpreter
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - CommandExecution
11 | - CommandExecutionLogging
12 |
--------------------------------------------------------------------------------
/data/en/software/S_0005_soldr/S_0005_soldr.yml:
--------------------------------------------------------------------------------
1 | title: SOLDR
2 | id: S0005
3 | description: System of Orchestration, Lifecycle control, Detection and Response
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/30
6 | modification_date: 2023/03/30
7 | references:
8 | - https://github.com/vxcontrol/soldr
9 | capabilities:
10 | - AuthenticationLogsAnalysis
11 | - NetworkSessionLogging
12 | - LocalProsessControl
13 | - LocalNetworkControl
14 |
--------------------------------------------------------------------------------
/data/en/software/S_0100_linux/S_0100_linux.yml:
--------------------------------------------------------------------------------
1 | title: Linux
2 | id: S0100
3 | description: Any Linux distribution
4 | author: '@ACTION_COMMUNITY'
5 | creation_date: 2022/10/22
6 | references:
7 | - http://www.example.com
8 | capabilities:
9 | - AuthenticationLogsAnalysis
10 | - NetworkSessionLogging
11 | - CommandExecution
12 | extended_description: |
13 | Any Linux distribution with standard command line utilities
14 |
--------------------------------------------------------------------------------
/data/en/software/S_1001_check_point_firewall/S_1001_check_point_firewall.yml:
--------------------------------------------------------------------------------
1 | title: Checkpoint Firewall
2 | id: S1001
3 | description: Check Point Quantum Security Gateways
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - IpBlockingCapability
12 | - PortBlockingCapability
13 |
--------------------------------------------------------------------------------
/data/en/software/S_1002_cisco_asa_firewall/S_1002_cisco_asa_firewall.yml:
--------------------------------------------------------------------------------
1 | title: Cisco ASA Firewall
2 | id: S1002
3 | description: Cisco ASA 5500-X
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - IpBlockingCapability
12 | - PortBlockingCapability
13 |
--------------------------------------------------------------------------------
/data/en/software/S_3001_ms_exchange_server/S_3001_ms_exchange_server.yml:
--------------------------------------------------------------------------------
1 | title: MS Exchange Server
2 | id: S3001
3 | description: Microsoft Exchange Server 2019
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - MailDeletionCapability
12 | - MailSearchingCapability
13 |
--------------------------------------------------------------------------------
/data/en/software/S_3002_postfix_mail_server/S_3002_postfix_mail_server.yml:
--------------------------------------------------------------------------------
1 | title: Postfix Server
2 | id: S3002
3 | description: Postfix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - MailDeletionCapability
12 | - MailSearchingCapability
13 |
--------------------------------------------------------------------------------
/data/en/software/S_3003_skype4business_server/S_3003_skype4business_server.yml:
--------------------------------------------------------------------------------
1 | title: Skype for Business Server
2 | id: S3003
3 | description: Skype for Business Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3004_bitrix_server/S_3004_bitrix_server.yml:
--------------------------------------------------------------------------------
1 | title: Bitrix Server
2 | id: S3004
3 | description: Bitrix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3005_ms_sharepoint_server/S_3005_ms_sharepoint_server.yml:
--------------------------------------------------------------------------------
1 | title: MS Sharepoint Server
2 | id: S3005
3 | description: Microsoft Sharepoint Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 | - DocumentStorageCapability
12 |
--------------------------------------------------------------------------------
/data/en/software/S_3006_citrix_server/S_3006_citrix_server.yml:
--------------------------------------------------------------------------------
1 | title: Citrix Server
2 | id: S3006
3 | description: Citrix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3007_apache_tomcat_server/S_3007_apache_tomcat_server.yml:
--------------------------------------------------------------------------------
1 | title: Apache Tomcat Server
2 | id: S3007
3 | description: Apache Tomcat Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3008_weblogic_server/S_3008_weblogic_server.yml:
--------------------------------------------------------------------------------
1 | title: Weblogic Server
2 | id: S3008
3 | description: Weblogic Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3009_zabbix_server/S_3009_zabbix_server.yml:
--------------------------------------------------------------------------------
1 | title: Zabbix Server
2 | id: S3009
3 | description: Zabbix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3010_gitlab_server/S_3010_gitlab_server.yml:
--------------------------------------------------------------------------------
1 | title: Gitlab Server
2 | id: S3010
3 | description: Gitlab Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3011_mysql_server/S_3011_mysql_server.yml:
--------------------------------------------------------------------------------
1 | title: MySQL Server
2 | id: S3011
3 | description: MySQL Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_3012_postgresql_server/S_3012_postgresql_server.yml:
--------------------------------------------------------------------------------
1 | title: PostgreSQL Server
2 | id: S3012
3 | description: PostgreSQL Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/en/software/S_5001_ms_dns_server/S_5001_ms_dns_server.yml:
--------------------------------------------------------------------------------
1 | title: MS DNS Server
2 | id: S5001
3 | description: Microsoft Windows Server 2019 with DNS role
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DNSAllowlistingCapability
11 | - DNSDenylistingCapability
12 | - DNSLoggingCapability
13 |
--------------------------------------------------------------------------------
/data/en/software/S_6001_ms_domain_controller_server/S_6001_ms_domain_controller_server.yml:
--------------------------------------------------------------------------------
1 | title: MS Server 2019 with Active Directory role
2 | id: S6001
3 | description: Microsoft Server 2019 with Active Directory role
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AuthenticationLogsAnalysis
11 | - AuthenticationLogging
12 |
--------------------------------------------------------------------------------
/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/PatchMemoryAndExport.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/PatchMemoryAndExport.PNG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/SimpleExport.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/SimpleExport.PNG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/TryExport.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/TryExport.PNG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/UC0005.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0005_theft_of_user_certificate_and_private_key_via_CryptoAPI/UC0005.png
--------------------------------------------------------------------------------
/data/en/usecases/UC_0012_load_dll_via_com_abuse/1.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0012_load_dll_via_com_abuse/1.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0012_load_dll_via_com_abuse/2.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0012_load_dll_via_com_abuse/2.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0012_load_dll_via_com_abuse/3.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0012_load_dll_via_com_abuse/3.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0012_load_dll_via_com_abuse/4.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0012_load_dll_via_com_abuse/4.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0012_load_dll_via_com_abuse/UC0012.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0012_load_dll_via_com_abuse/UC0012.png
--------------------------------------------------------------------------------
/data/en/usecases/UC_0021_priv_esc_through_named_pipe/11.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0021_priv_esc_through_named_pipe/11.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0021_priv_esc_through_named_pipe/12.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0021_priv_esc_through_named_pipe/12.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0021_priv_esc_through_named_pipe/13.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0021_priv_esc_through_named_pipe/13.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0021_priv_esc_through_named_pipe/14.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0021_priv_esc_through_named_pipe/14.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0031_dumping_and_cracking_mscash/15.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0031_dumping_and_cracking_mscash/15.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0031_dumping_and_cracking_mscash/16.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0031_dumping_and_cracking_mscash/16.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0031_dumping_and_cracking_mscash/17.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0031_dumping_and_cracking_mscash/17.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0031_dumping_and_cracking_mscash/18.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0031_dumping_and_cracking_mscash/18.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0031_dumping_and_cracking_mscash/27.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0031_dumping_and_cracking_mscash/27.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0032_forcing_wdigest_to_store_credential_in_plaintext/19.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0032_forcing_wdigest_to_store_credential_in_plaintext/19.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0032_forcing_wdigest_to_store_credential_in_plaintext/20.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0032_forcing_wdigest_to_store_credential_in_plaintext/20.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0032_forcing_wdigest_to_store_credential_in_plaintext/40.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0032_forcing_wdigest_to_store_credential_in_plaintext/40.png
--------------------------------------------------------------------------------
/data/en/usecases/UC_0041_lateral_movement_via_service_configuration_manager/20.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0041_lateral_movement_via_service_configuration_manager/20.gif
--------------------------------------------------------------------------------
/data/en/usecases/UC_0041_lateral_movement_via_service_configuration_manager/28.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0041_lateral_movement_via_service_configuration_manager/28.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0042_winrm_for_lateral_movement/22.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0042_winrm_for_lateral_movement/22.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0042_winrm_for_lateral_movement/29.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0042_winrm_for_lateral_movement/29.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0042_winrm_for_lateral_movement/30.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0042_winrm_for_lateral_movement/30.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0042_winrm_for_lateral_movement/51.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0042_winrm_for_lateral_movement/51.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0042_winrm_for_lateral_movement/52.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0042_winrm_for_lateral_movement/52.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0051_persistense_windows_logon_helper/23.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0051_persistense_windows_logon_helper/23.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0051_persistense_windows_logon_helper/24.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0051_persistense_windows_logon_helper/24.JPG
--------------------------------------------------------------------------------
/data/en/usecases/UC_0052_hijacking_default_file_extension/22.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0052_hijacking_default_file_extension/22.gif
--------------------------------------------------------------------------------
/data/en/usecases/UC_0052_hijacking_default_file_extension/25.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/data/en/usecases/UC_0052_hijacking_default_file_extension/25.JPG
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1001_windows_domain_account/A_1001_windows_domain_account.yml:
--------------------------------------------------------------------------------
1 | title: Учётная запись Active Directory
2 | id: A1001
3 | description: Артефакт описывает сущность учётной записи Windows Active Directory
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:DomainUserAccount/
9 | mapping:
10 | - d3f:DomainUserAccount
11 | extended_description: |
12 | Доменная учётная запись позволяет пользователю получать доступ к ресурсам и сервисам внутри домена Active Directory.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1002_dns_traffic/A_1002_dns_traffic.yml:
--------------------------------------------------------------------------------
1 | title: Сетевой DNS-трафик
2 | id: A1002
3 | description: Этот артефакт описывает сущность сетевого DNS-трафика
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:DNSNetworkTraffic/
9 | mapping:
10 | - d3f:DNSNetworkTraffic
11 | extended_description: |
12 | Сетевой трафик, который генерируется во время работы протокола DNS.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1003_windows_local_account/A_1003_windows_local_account.yml:
--------------------------------------------------------------------------------
1 | title: Локальная учётная запись ОС Windows
2 | id: A1003
3 | description: Этот артефакт описывает сущность локальной учётной записи ОС Windows
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:LocalUserAccount/
9 | mapping:
10 | - d3f:LocalUserAccount
11 | extended_description: |
12 | Локальная учётная запись на конкретном Windows-узле.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1004_linux_local_account/A_1004_linux_local_account.yml:
--------------------------------------------------------------------------------
1 | title: Локальная учётная запись ОС Linux
2 | id: A1004
3 | description: Этот артефакт описывает сущность локальной учётной записи ОС Linux
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:LocalUserAccount/
9 | mapping:
10 | - d3f:LocalUserAccount
11 | extended_description: |
12 | Локальная учётная запись на конкретном Linux-узле.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1005_host/A_1005_host.yml:
--------------------------------------------------------------------------------
1 | title: Хост
2 | id: A1005
3 | description: Этот артефакт описывает сущность хост
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Host
9 | mapping:
10 | - d3f:Host
11 | extended_description: |
12 | Хост - это компьютер или другое устройство, обычно подключенное к компьютерной сети. Сетевой хост может предоставлять информационные ресурсы, сервисы и приложения другим пользователям или узлам сети.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1006_owa_web_token/A_1006_owa_web_token.yml:
--------------------------------------------------------------------------------
1 | title: Веб-токен OWA
2 | id: A1006
3 | description: Этот артефакт описывает сущность токена аутентификации в сервисе Outlook Web Access
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | extended_description: |
8 | Этот артефакт описывает сущность токена аутентификации в сервисе Outlook Web Access
9 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1007_ip_address/A_1007_ip_address.yml:
--------------------------------------------------------------------------------
1 | title: IP-адрес
2 | id: A1007
3 | description: Этот артефакт описывает сущность IP-адрес
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:IPAddress/
9 | mapping:
10 | - d3f:IPAddress
11 | extended_description: |
12 | IP-адрес - это числовая метка, присвоенная каждому устройству, подключенному к компьютерной сети и использующему для обмена протокол IP.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1008_log/A_1008_log.yml:
--------------------------------------------------------------------------------
1 | title: Журнал событий
2 | id: A1008
3 | description: Место хранения определённого набора событий
4 | author: '@Cyberok'
5 | creation_date: 2023/03/02
6 | modification_date: 2023/03/02
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Log/
9 | mapping:
10 | - d3f:Log
11 | extended_description: |
12 | В журнале фиксируются события в порядке их появления. Обычно указывается временная метка и основная информация по каждому событию.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1009_kerberos_network_traffic/A_1009_kerberos_network_traffic.yml:
--------------------------------------------------------------------------------
1 | title: Трафик протокола Kerberos
2 | id: A1009
3 | description: Этот ресурс описывает сущность трафика протокола Kerberos
4 | author: '@SEC'
5 | creation_date: 2023/03/13
6 | modification_date: 2023/03/13
7 | references:
8 | mapping:
9 | extended_description: |
10 | Этот ресурс описывает сущность трафика протокола Kerberos
11 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1010_authentication_service/A_1010_authentication_service.yml:
--------------------------------------------------------------------------------
1 | title: Сервис аутентификации
2 | id: A1010
3 | description: Этот ресурс описывает сущность сервиса аутентификации
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | modification_date: 2023/03/13
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:AuthenticationService/
9 | mapping:
10 | - d3f:AuthenticationService
11 | extended_description: |
12 | Сервис аутентификации - это сервис, который предоставляет некоторый механизм аутентификации
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1013_certificate_authority/A_1013_certificate_authority.yml:
--------------------------------------------------------------------------------
1 | title: Центр сертификации
2 | id: A1013
3 | description: Центр сертификации отвечает за хранение, подпись и выпуск сертификатов
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/04
6 | modification_date: 2023/05/04
7 | references:
8 | - https://en.wikipedia.org/wiki/Certificate_authority
9 | mapping:
10 | extended_description: |
11 | Центр сертификации является частью инфраструктуры открытых ключей. Центр сертификации отвечает за хранение, подпись и выпуск сертификатов.
12 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1014_access_right/A_1014_access_right.yml:
--------------------------------------------------------------------------------
1 | title: Право доступа
2 | id: A1014
3 | description: Этот ресурс описывает возможный доступ субъекта к объекту
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/04
6 | modification_date: 2023/05/04
7 | references:
8 | mapping:
9 | extended_description: |
10 | Право доступа - это право субъекта осуществлять определённые действия (например, чтение или запись) над объектом.
11 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_1015_directory_service_object_attribute/A_1015_directory_service_object_attribute.yml:
--------------------------------------------------------------------------------
1 | title: Атрибут объекта Directory Service
2 | id: A1015
3 | description: Этот ресурс описывает сущность атрибут объекта Directory Service.
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/04
6 | modification_date: 2023/05/04
7 | references:
8 | mapping:
9 | extended_description: |
10 | Атрибут объекта Directory Service - это конкретный атрибут некоторого объекта.
11 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_3001_email_message/A_3001_email_message.yml:
--------------------------------------------------------------------------------
1 | title: Почтовое сообщение
2 | id: A3001
3 | description: Этот артефакт описывает почтовое сообщение
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Email/
9 | mapping:
10 | - d3f:Email
11 | extended_description: |
12 | Почтовое сообщение - это электронный документ, который передаётся между компьютерами пользователей внутри компьютерной сети.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_3002_file/A_3002_file.yml:
--------------------------------------------------------------------------------
1 | title: Файл
2 | id: A3002
3 | description: Этот артефакт описывает файл
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:File/
9 | mapping:
10 | - d3f:File
11 | extended_description: |
12 | Этот артефакт описывает файл
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_3004_object_file/A_3004_object_file.yml:
--------------------------------------------------------------------------------
1 | title: Объектный файл
2 | id: A3004
3 | description: Этот ресурс описывает сущность объектного файла
4 | author: '@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:ObjectFile/
9 | mapping:
10 | - d3f:ObjectFile
11 | extended_description: |
12 | Объектный файл состоит из машинного кода, который может быть слинкован в исполняемый файл.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_3005_executable_binary/A_3005_executable_binary.yml:
--------------------------------------------------------------------------------
1 | title: Исполняемый файл
2 | id: A3005
3 | description: Этот ресурс описывает исполняемый файл
4 | author: 'Cyberok'
5 | creation_date: 2023/03/06
6 | modification_date: 2023/03/06
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:ExecutableBinary/
9 | mapping:
10 | - d3f:ExecutableBinary
11 | extended_description: |
12 | Исполняемый файл содержит машинные инструкции для процессора или байт-код виртуальной машины.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_3007_login_session/A_3007_login_session.yml:
--------------------------------------------------------------------------------
1 | title: Сеанс входа
2 | id: A3007
3 | description: Этот ресурс описывает сеанс входа в некоторую систему
4 | author: '@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:LoginSession/
9 | - http://dbpedia.org/resource/Login_session
10 | mapping:
11 | - d3f:LoginSession
12 | extended_description: |
13 | Сеанс входа - это активность пользователя между входом и выходом из многопользовательской системы.
14 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_4002_process_image/A_4002_process_image.yml:
--------------------------------------------------------------------------------
1 | title: Образ памяти процесса
2 | id: A4002
3 | description: Этот ресурс представляет образ памяти процесса
4 | author: '@Cyberok'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:ProcessImage/
9 | mapping:
10 | - d3f:ProcessImage
11 | extended_description: |
12 | Образ памяти процесса - это копия оперативной памяти, которая выделена процессу в некоторый момент времени.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_4003_remote_session/A_4003_remote_session.yml:
--------------------------------------------------------------------------------
1 | title: Удалённый сеанс входа
2 | id: A4003
3 | description: Этот ресурс представляет удалённый сеанс входа
4 | author: '@Cyberok'
5 | creation_date: 2023/03/22
6 | modification_date: 2023/03/22
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:RemoteSession/
9 | mapping:
10 | - d3f:RemoteSession
11 | extended_description: |
12 | Удалённый сеанс входа - это сеанс входа, в котором клиент осуществляет подключение с одного хоста на другой.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5002_windows_registry/A_5002_windows_registry.yml:
--------------------------------------------------------------------------------
1 | title: Реестр Windows
2 | id: A5002
3 | description: Этот ресурс представляет реестр Windows
4 | author: '@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistry/
9 | mapping:
10 | - d3f:WindowsRegistry
11 | extended_description: |
12 | Реестр Windows - это иерархичная база данных, которая хранит низкоуровневые настройки операционной системы Microsoft Windows и её приложений.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5003_windows_pipe/A_5003_windows_pipe.yml:
--------------------------------------------------------------------------------
1 | title: Канал
2 | id: A5003
3 | description: Этот ресурс представляет канал
4 | author: '@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Pipe/
9 | mapping:
10 | - d3f:Pipe
11 | extended_description: |
12 | Канал - это механизм для межпроцессного взаимодействия. Сетевые каналы позволяют взаимодействовать процессам, запущенным на разных сетевых узлах.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5004_access_token/A_5004_access_token.yml:
--------------------------------------------------------------------------------
1 | title: Токен доступа
2 | id: A5004
3 | description: Этот ресурс представляет токен доступа
4 | author: '@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:AccessToken/
9 | mapping:
10 | - d3f:AccessToken
11 | extended_description: |
12 | Этот ресурс представляет токен доступа
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5005_encrypted_credential/A_5005_encrypted_credential.yml:
--------------------------------------------------------------------------------
1 | title: Зашифрованные учётные данные
2 | id: A5005
3 | description: Этот ресурс представляет зашифрованные учётные данные
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:EncryptedCredential/
9 | mapping:
10 | - d3f:EncryptedCredential
11 | extended_description: |
12 | Учётные данные, представленные в зашифрованном виде.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5006_credential/A_5006_credential.yml:
--------------------------------------------------------------------------------
1 | title: Учётные данные
2 | id: A5006
3 | description: Этот ресурс описывает учётные данные
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Credential/
9 | - http://dbpedia.org/resource/Access_control#Credential
10 | mapping:
11 | - d3f:Credential
12 | extended_description: |
13 | Этот ресурс описывает учётные данные
14 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5007_remote_session/A_5007_remote_session.yml:
--------------------------------------------------------------------------------
1 | title: Удалённый сеанс
2 | id: A5007
3 | description: Этот ресурс описывает удалённый сеанс
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:RemoteSession/
9 | mapping:
10 | - d3f:RemoteSession
11 | extended_description: |
12 | Сеанс удалённого входа - это сеанс входа, при котором клиент авторизуется с одного сетевого узла на другом.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5008_password/A_5008_password.yml:
--------------------------------------------------------------------------------
1 | title: Пароль
2 | id: A5008
3 | description: Этот ресурс представляет сущность пароль
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:Password/
9 | mapping:
10 | - d3f:Password
11 | extended_description: |
12 | Пароль - это секретная строка, которая используется для подтверждения подлинности личности пользователя.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5009_password_file/A_5009_password_file.yml:
--------------------------------------------------------------------------------
1 | title: Парольный файл
2 | id: A5009
3 | description: This artifact describes password file entity
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:PasswordFile/
9 | mapping:
10 | - d3f:PasswordFile
11 | extended_description: |
12 | Простейшая форма парольной базы данных, когда она является одним файлом (например, /etc/shadow)
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5010_service_application/A_5010_service_application.yml:
--------------------------------------------------------------------------------
1 | title: Сервисное приложение
2 | id: A5010
3 | description: Этот ресурс описывает сервисное приложение
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:ServiceApplication/
9 | mapping:
10 | - d3f:ServiceApplication
11 | extended_description: |
12 | Приложение, предоставляющее набор функций, которыми могут пользоваться несколько клиентов.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5011_RPC_network_traffic/A_5011_RPC_network_traffic.yml:
--------------------------------------------------------------------------------
1 | title: Трафик протокола RPC
2 | id: A5011
3 | description: Этот ресурс описывает трафик протокола RPC
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:RPCNetworkTraffic/
9 | mapping:
10 | - d3f:RPCNetworkTraffic
11 | extended_description: |
12 | Трафик протокола RPC - это сетевой трафик, который отвечает за передачу сообщений для удалённого вызова процедур между узлами сети.
13 |
--------------------------------------------------------------------------------
/data/ru/artifacts/A_5012_remote_procedure_call/A_5012_remote_procedure_call.yml:
--------------------------------------------------------------------------------
1 | title: Удалённый вызов процедур
2 | id: A5012
3 | description: Этот ресурс описывает RPC-вызовы
4 | author: 'Alex@Cyberok'
5 | creation_date: 2023/02/03
6 | modification_date: 2023/02/03
7 | references:
8 | - https://d3fend.mitre.org/dao/artifact/d3f:RemoteProcedureCall/
9 | mapping:
10 | - d3f:RemoteProcedureCall
11 | extended_description: |
12 | Этот ресурс описывает RPC-вызовы
13 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1102_access_internal_network_flow_logs/RA_1102_access_internal_network_flow_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1102_access_internal_network_flow_logs
2 | id: RA1102
3 | description: >
4 | Make sure you have access to internal communication Network Flow logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1103_access_internal_http_logs/RA_1103_access_internal_http_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1103_access_internal_http_logs
2 | id: RA1103
3 | description: >
4 | Make sure you have access to internal communication HTTP logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_http_log
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1105_access_internal_dns_logs/RA_1105_access_internal_dns_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1105_access_internal_dns_logs
2 | id: RA1105
3 | description: >
4 | Make sure you have access to internal communication DNS logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_dns_log
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1107_access_vpn_logs/RA_1107_access_vpn_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1107_access_vpn_logs
2 | id: RA1107
3 | description: >
4 | Make sure you have access to VPN logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1108_access_dhcp_logs/RA_1108_access_dhcp_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1108_access_dhcp_logs
2 | id: RA1108
3 | description: >
4 | Make sure you have access to DHCP logs
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1109_access_internal_packet_capture_data/RA_1109_access_internal_packet_capture_data.yml:
--------------------------------------------------------------------------------
1 | title: RA_1109_access_internal_packet_capture_data
2 | id: RA1109
3 | description: >
4 | Make sure you have access to internal communication Packet Capture data
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_PCAP
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1110_access_external_packet_capture_data/RA_1110_access_external_packet_capture_data.yml:
--------------------------------------------------------------------------------
1 | title: RA_1110_access_external_packet_capture_data
2 | id: RA1110
3 | description: >
4 | Make sure you have access to external communication Packet Capture data
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_PCAP
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1128_get_ability_to_list_firewall_rules/RA_1128_get_ability_to_list_firewall_rules.yml:
--------------------------------------------------------------------------------
1 | title: RA_1128_get_ability_to_list_firewall_rules
2 | id: RA1128
3 | description: Make sure you have the ability to list firewall rules
4 | author: '@atc_project'
5 | creation_date: 2021/06/27
6 | stage: preparation
7 | extended_description: |
8 | Make sure you have the ability to list firewall rules on a particular firewall.
9 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1207_get_ability_to_collect_email_message/RA_1207_get_ability_to_collect_email_message.yml:
--------------------------------------------------------------------------------
1 | title: RA_1207_get_ability_to_collect_email_message
2 | id: RA1207
3 | description: >
4 | Убедитесь, что у вас есть возможность выгрузить письмо электронной почты
5 | author: enikulina
6 | creation_date: 2023/02/02
7 | stage: preparation
8 | requirements:
9 | - MS_email_server
10 | extended_description: |
11 | Убедитесь, что у вас есть возможность выгрузить письмо электронной почты и собрать из него все необходимые сведения.
12 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1209_access_mail_server_logs/RA_1209_access_mail_server_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1209_access_mail_server_logs
2 | id: RA1209
3 | description: >
4 | Убедиться, что у вас есть доступ к журналам событий почтовых серверов
5 | author: enikulina
6 | creation_date: 2023/02/02
7 | stage: preparation
8 | references:
9 | requirements:
10 | - MS_email_server
11 | workflow: |
12 | Убедиться, что у вас настроено логирование событий почтовых серверов.
13 |
14 | Также:
15 |
16 | - Рекомендуется использовать расширенное логирование (в т.ч. логирование IMAP и др.)
17 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1210_access_mail_service_logs/RA_1210_access_mail_service_logs.yml:
--------------------------------------------------------------------------------
1 | title: RA_1210_access_mail_service_logs
2 | id: RA1210
3 | description: >
4 | Убедиться, что у вас есть доступ к журналам событий сервиса электронной почты
5 | author: enikulina
6 | creation_date: 2023/02/02
7 | stage: preparation
8 | references:
9 | requirements:
10 | - email_service
11 | workflow: |
12 | Убедиться, что у вас настроено логирование событий сервиса электронной почты.
13 |
14 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1322_get_ability_to_analyse_pdf_file/RA_1322_get_ability_to_analyse_pdf_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_1322_get_ability_to_analyse_pdf_file
2 | id: RA1322
3 | description: >
4 | Make sure you have the ability to analyse a PDF file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1324_get_ability_to_analyse_jar/RA_1324_get_ability_to_analyse_jar.yml:
--------------------------------------------------------------------------------
1 | title: RA_1324_get_ability_to_analyse_jar
2 | id: RA1324
3 | description: >
4 | Make sure you have the ability to analyse JAR file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1325_get_ability_to_analyse_filename/RA_1325_get_ability_to_analyse_filename.yml:
--------------------------------------------------------------------------------
1 | title: RA_1325_get_ability_to_analyse_filename
2 | id: RA1325
3 | description: >
4 | Make sure you have the ability to analyse a filename
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1510_get_ability_to_remove_service/RA_1510_get_ability_to_remove_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_1510_get_ability_to_remove_service
2 | id: RA1510
3 | description: >
4 | Make sure you have the ability to remove a service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: preparation
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1606_get_ability_to_list_user_accounts/RA_1606_get_ability_to_list_user_accounts.yml:
--------------------------------------------------------------------------------
1 | title: RA_1606_get_ability_to_list_user_accounts
2 | id: RA1606
3 | description: Make sure you have the ability to list user accounts on a particular system
4 | author: '@atc_project'
5 | creation_date: 2021/06/27
6 | stage: preparation
7 | extended_description: |
8 | Make sure you have the ability to list user accounts on a particular system.
9 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_1607_enable_mfa/RA_1607_enable_mfa.yml:
--------------------------------------------------------------------------------
1 | title: RA_1607_enable_mfa
2 | id: RA1607
3 | description: >
4 | Внедрить многофакторную аутентификацию для удаленных подключений к инфраструктуре и доступа к корпоративным приложениям.
5 | author: enikulina
6 | creation_date: 2023/02/02
7 | stage: preparation
8 | requirements:
9 | - mfa_system
10 | workflow: |
11 | Внедрить многофакторную аутентификацию для удаленных подключений к инфраструктуре и доступа к корпоративным приложениям (особенно доступным извне).
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2001_list_victims_of_security_alert/RA_2001_list_victims_of_security_alert.yml:
--------------------------------------------------------------------------------
1 | title: RA_2001_list_victims_of_security_alert
2 | id: RA2001
3 | description: >
4 | List victims of a security alert
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2004_find_compromised_host/RA_2004_find_compromised_host.yml:
--------------------------------------------------------------------------------
1 | title: Поиск скомпрометированного узла
2 | id: RA2004
3 | description: Найдите скомпрометированный узел
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | stage: identification
7 | extended_description: |
8 | Найдите узел с подозрительной активностью. Проверьте журналы событий и сетевой трафик.
9 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2102_list_hosts_communicated_with_internal_ip/RA_2102_list_hosts_communicated_with_internal_ip.yml:
--------------------------------------------------------------------------------
1 | title: RA_2102_list_hosts_communicated_with_internal_ip
2 | id: RA2102
3 | description: >
4 | List hosts communicated with an internal IP address
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2103_list_hosts_communicated_with_internal_url/RA_2103_list_hosts_communicated_with_internal_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_2103_list_hosts_communicated_with_internal_url
2 | id: RA2103
3 | description: >
4 | List hosts communicated with an internal URL
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2104_analyse_domain_name/RA_2104_analyse_domain_name.yml:
--------------------------------------------------------------------------------
1 | title: RA_2104_analyse_domain_name
2 | id: RA2104
3 | description: >
4 | Analyse a domain name
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2106_analyse_uri/RA_2106_analyse_uri.yml:
--------------------------------------------------------------------------------
1 | title: RA_2106_analyse_uri
2 | id: RA2106
3 | description: >
4 | Analyse a URI
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2114_list_hosts_communicated_with_external_ip/RA_2114_list_hosts_communicated_with_external_ip.yml:
--------------------------------------------------------------------------------
1 | title: RA_2114_list_hosts_communicated_with_external_ip
2 | id: RA2114
3 | description: >
4 | List hosts communicated with an external IP address
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: identification
8 | requirements:
9 | - DN_network_flow_log
10 | - DN_zeek_conn_log
11 | extended_description: |
12 | List hosts communicated with an external IP address using the most efficient way.
13 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2115_list_hosts_communicated_with_external_url/RA_2115_list_hosts_communicated_with_external_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_2115_list_hosts_communicated_with_external_url
2 | id: RA2115
3 | description: >
4 | List hosts communicated with an external URL
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: identification
8 | requirements:
9 | - DN_zeek_http_log
10 | - DN_proxy_log
11 | extended_description: |
12 | List hosts communicated with an external URL using the most efficient way.
13 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2118_list_firewall_rules/RA_2118_list_firewall_rules.yml:
--------------------------------------------------------------------------------
1 | title: RA_2118_list_firewall_rules
2 | id: RA2118
3 | description: List firewall rules
4 | author: Andreas Hunkeler (@Karneades)
5 | creation_date: 2021/05/21
6 | stage: identification
7 | requirements:
8 | - DN_zeek_conn_log # placeholder
9 | extended_description: |
10 | List firewall rules.
11 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2120_identify_impacted_services/RA_2120_identify_impacted_services.yml:
--------------------------------------------------------------------------------
1 | title: Определение вовлечённых сервисов
2 | id: RA2120
3 | description: Определите какие IT-сервисы вовлечены в инцидент
4 | author: "@ermack_community"
5 | creation_date: 2019/01/31
6 | stage: identification
7 | extended_description: |
8 | Определите для каждого сервиса: IP-адрес, DNS-имя, владельцев и тип воздействия.
9 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2121_identify_useful_security_systems/RA_2121_identify_useful_security_systems.yml:
--------------------------------------------------------------------------------
1 | title: Определите полезные СЗИ
2 | id: RA2121
3 | description: Определите набор средств, используемых для выявления инцидента
4 | author: "@ermack_community"
5 | creation_date: 2019/01/31
6 | stage: identification
7 | extended_description: |
8 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2301_list_files_created/RA_2301_list_files_created.yml:
--------------------------------------------------------------------------------
1 | title: RA_2301_list_files_created
2 | id: RA2301
3 | description: >
4 | List files that have been created at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2302_list_files_modified/RA_2302_list_files_modified.yml:
--------------------------------------------------------------------------------
1 | title: RA_2302_list_files_modified
2 | id: RA2302
3 | description: >
4 | List files that have been modified at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2303_list_files_deleted/RA_2303_list_files_deleted.yml:
--------------------------------------------------------------------------------
1 | title: RA_2303_list_files_deleted
2 | id: RA2303
3 | description: >
4 | List files that have been deleted at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2304_list_files_downloaded/RA_2304_list_files_downloaded.yml:
--------------------------------------------------------------------------------
1 | title: RA_2304_list_files_downloaded
2 | id: RA2304
3 | description: >
4 | List files that have been downloaded at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2305_list_files_with_tampered_timestamps/RA_2305_list_files_with_tampered_timestamps.yml:
--------------------------------------------------------------------------------
1 | title: RA_2305_list_files_with_tampered_timestamps
2 | id: RA2305
3 | description: >
4 | List files with tampered timestamps
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2306_find_file_by_path/RA_2306_find_file_by_path.yml:
--------------------------------------------------------------------------------
1 | title: RA_2306_find_file_by_path
2 | id: RA2306
3 | description: >
4 | Find a file by its path (including its name)
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2307_find_file_by_metadata/RA_2307_find_file_by_metadata.yml:
--------------------------------------------------------------------------------
1 | title: RA_2307_find_file_by_metadata
2 | id: RA2307
3 | description: >
4 | Find a file by its metadata (i.e. signature, permissions, MAC times)
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2308_find_file_by_hash/RA_2308_find_file_by_hash.yml:
--------------------------------------------------------------------------------
1 | title: RA_2308_find_file_by_hash
2 | id: RA2308
3 | description: >
4 | Find a file by its hash
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2309_find_file_by_format/RA_2309_find_file_by_format.yml:
--------------------------------------------------------------------------------
1 | title: RA_2309_find_file_by_format
2 | id: RA2309
3 | description: >
4 | Find a file by its format
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2311_collect_file/RA_2311_collect_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_2311_collect_file
2 | id: RA2311
3 | description: >
4 | Collect a specific file from a (remote) host or a system
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2313_analyse_windows_pe/RA_2313_analyse_windows_pe.yml:
--------------------------------------------------------------------------------
1 | title: RA_2313_analyse_windows_pe
2 | id: RA2313
3 | description: >
4 | Analyse MS Windows Portable Executable
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2314_analyse_macos_macho/RA_2314_analyse_macos_macho.yml:
--------------------------------------------------------------------------------
1 | title: RA_2314_analyse_macos_macho
2 | id: RA2314
3 | description: >
4 | Analyse macOS Mach-O
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2315_analyse_unix_elf/RA_2315_analyse_unix_elf.yml:
--------------------------------------------------------------------------------
1 | title: RA_2315_analyse_unix_elf
2 | id: RA2315
3 | description: >
4 | Analyse Unix ELF
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2316_analyse_ms_office_file/RA_2316_analyse_ms_office_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_2316_analyse_ms_office_file
2 | id: RA2316
3 | description: >
4 | Analyse MS Office file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2317_analyse_pdf_file/RA_2317_analyse_pdf_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_2317_analyse_pdf_file
2 | id: RA2317
3 | description: >
4 | Analyse PDF file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2319_analyse_jar/RA_2319_analyse_jar.yml:
--------------------------------------------------------------------------------
1 | title: RA_2319_analyse_jar
2 | id: RA2319
3 | description: >
4 | Analyse a JAR file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | linked_analytics:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2320_analyse_filename/RA_2320_analyse_filename.yml:
--------------------------------------------------------------------------------
1 | title: RA_2320_analyse_filename
2 | id: RA2320
3 | description: >
4 | Проанализировать имя файла
5 | author: ayakovlev
6 | creation_date: 2023/02/17
7 | stage: identification
8 | references:
9 | - https://any.run
10 | - https://hybrid-analysis.com
11 | - https://www.virustotal.com
12 | extended_description: |
13 | Проверить имя файла на доступных анализаторах.
14 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2322_analyse_file_behavior/RA_2322_analyse_file_behavior.yml:
--------------------------------------------------------------------------------
1 | title: RA_2322_analyse_file_behavior
2 | id: RA2322
3 | description: >
4 | Проанализировать поведение исполняемого файла
5 | author: ayakovlev
6 | creation_date: 2023/02/17
7 | stage: identification
8 | references:
9 | - https://any.run
10 | - https://hybrid-analysis.com
11 | workflow: |
12 | Проверить поведение исполняемого файла на доступных анализаторах.
13 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2401_list_processes_executed/RA_2401_list_processes_executed.yml:
--------------------------------------------------------------------------------
1 | title: RA_2401_list_processes_executed
2 | id: RA2401
3 | description: >
4 | List processes being executed at the moment or at a particular time in the past
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2501_list_registry_keys_modified/RA_2501_list_registry_keys_modified.yml:
--------------------------------------------------------------------------------
1 | title: RA_2501_list_registry_keys_modified
2 | id: RA2501
3 | description: >
4 | List registry keys modified at a particular time in the past
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2505_list_services_created/RA_2505_list_services_created.yml:
--------------------------------------------------------------------------------
1 | title: RA_2505_list_services_created
2 | id: RA2505
3 | description: >
4 | List services that have been created at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2506_list_services_modified/RA_2506_list_services_modified.yml:
--------------------------------------------------------------------------------
1 | title: RA_2506_list_services_modified
2 | id: RA2506
3 | description: >
4 | List services that have been modified at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2507_list_services_deleted/RA_2507_list_services_deleted.yml:
--------------------------------------------------------------------------------
1 | title: RA_2507_list_services_deleted
2 | id: RA2507
3 | description: >
4 | List services that have been deleted at a particular time in the past
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2508_analyse_registry_key/RA_2508_analyse_registry_key.yml:
--------------------------------------------------------------------------------
1 | title: RA_2508_analyse_registry_key
2 | id: RA2508
3 | description: >
4 | Analyse a registry key
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2601_list_users_authenticated/RA_2601_list_users_authenticated.yml:
--------------------------------------------------------------------------------
1 | title: RA_2601_list_users_authenticated
2 | id: RA2601
3 | description: >
4 | List users authenticated at a particular time in the past on a particular system
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: identification
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2602_list_user_accounts/RA_2602_list_user_accounts.yml:
--------------------------------------------------------------------------------
1 | title: RA_2602_list_user_accounts
2 | id: RA2602
3 | description: >
4 | List user accounts on a particular system
5 | author: Andreas Hunkeler (@Karneades)
6 | creation_date: 2021/05/21
7 | stage: identification
8 | references:
9 | - Valid Accounts, https://attack.mitre.org/techniques/T1078/
10 | - Account Manipulation, https://attack.mitre.org/techniques/T1098/
11 | extended_description: |
12 | List user accounts on a particular system to get an overview of
13 | the available accounts.
14 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2603_find_successfully_enumerated_users/RA_2603_find_successfully_enumerated_users.yml:
--------------------------------------------------------------------------------
1 | title: Определите пользователей, которых перечислили атакующие
2 | id: RA2603
3 | description: Определите пользователей, которых перечислили атакующие
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/13
6 | stage: identification
7 | references:
8 | - Account Discovery, https://attack.mitre.org/techniques/T1087/
9 | extended_description: |
10 | Используя средства анализа трафика, определите каких пользователей перечислили атакующие.
11 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2604_contact_user/RA_2604_contact_user.yml:
--------------------------------------------------------------------------------
1 | title: RA_2604_contact_user
2 | id: RA2604
3 | description: >
4 | Получить от пользователя разъяснения по поводу исследуемой активности
5 | author: ayakovlev
6 | creation_date: 2023/02/17
7 | stage: identification
8 | references:
9 | workflow: |
10 | Обратиться к пользователю, под которым производится исследуемая активность, или к пользователю хоста для установления легитимности данной активности.
11 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2604_find_compromised_user/RA_2604_find_compromised_user.yml:
--------------------------------------------------------------------------------
1 | title: Выявление скомпрометированных пользователей
2 | id: RA2604
3 | description: Определите скомпрометированные учётные записи.
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/07
6 | stage: identification
7 | extended_description: |
8 | Найдите учётные записи, от имени которых была подозрительная активность. Подозрительную активность можно обнаружить по трафику и журналу событий.
9 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_2999_examine_content/RA_2999_examine_content.yml:
--------------------------------------------------------------------------------
1 | title: Исследование данных
2 | id: RA2999
3 | description: >
4 | Абстрактное действие для извлечения полезной информации
5 | author: Alex@Cyberok
6 | creation_date: 2023/03/22
7 | stage: identification
8 | references:
9 | - https://en.wikipedia.org/wiki/Content_analysis
10 | extended_description: |
11 | Абстрактное действие для извлечения полезной информации
12 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3001_patch_vulnerability/RA_3001_patch_vulnerability.yml:
--------------------------------------------------------------------------------
1 | title: RA_3001_patch_vulnerability
2 | id: RA3001
3 | description: >
4 | Patch a vulnerability in an asset
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3105_block_external_url/RA_3105_block_external_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_3105_block_external_url
2 | id: RA3105
3 | description: >
4 | Block an external URL from being accessed by corporate assets
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_dns_server
13 | extended_description: |
14 | Block an external URL from being accessed by corporate assets, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3106_block_internal_url/RA_3106_block_internal_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_3106_block_internal_url
2 | id: RA3106
3 | description: >
4 | Block an internal URL from being accessed by corporate assets
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_intranet_proxy
10 | - MS_intranet_ips
11 | - MS_intranet_ngfw
12 | - MS_dns_server
13 | extended_description: |
14 | Block an internal URL from being accessed by corporate assets, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3107_block_port_external_communication/RA_3107_block_port_external_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3107_block_port_external_communication
2 | id: RA3107
3 | description: >
4 | Block a network port for external communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_border_firewall
10 | - MS_border_proxy
11 | - MS_border_ips
12 | - MS_border_ngfw
13 | - MS_host_firewall
14 | extended_description: |
15 | Block a network port for external communications, using the most efficient way.
16 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3108_block_port_internal_communication/RA_3108_block_port_internal_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3108_block_port_internal_communication
2 | id: RA3108
3 | description: >
4 | Block a network port for internal communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_intranet_firewall
10 | - MS_intranet_proxy
11 | - MS_intranet_ips
12 | - MS_intranet_ngfw
13 | - MS_host_firewall
14 | extended_description: |
15 | Block a network port for internal communications, using the most efficient way.
16 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3109_block_user_external_communication/RA_3109_block_user_external_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3109_block_user_external_communication
2 | id: RA3109
3 | description: >
4 | Block a user for external communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_nac
13 | extended_description: |
14 | Block a user for external communications, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3110_block_user_internal_communication/RA_3110_block_user_internal_communication.yml:
--------------------------------------------------------------------------------
1 | title: RA_3110_block_user_internal_communication
2 | id: RA3110
3 | description: >
4 | Block a user for internal communications
5 | author: '@atc_project'
6 | creation_date: 2019/01/31
7 | stage: containment
8 | requirements:
9 | - MS_intranet_proxy
10 | - MS_intranet_ips
11 | - MS_intranet_ngfw
12 | - MS_nac
13 | extended_description: |
14 | Block a user for internal communications, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3204_block_internal_email/RA_3204_block_internal_email.yml:
--------------------------------------------------------------------------------
1 | title: RA_3204_block_internal_email
2 | id: RA3204
3 | description: >
4 | Заблокировать скомпрометированный внутренний почтовый ящик для входа пользователя
5 | author: enikulina
6 | creation_date: 2023/02/02
7 | stage: containment
8 | requirements:
9 | - MS_email_server
10 | workflow: |
11 | Заблокировать скомпрометированный внутренний почтовый ящик для входа пользователя с разрывом всех активных сессий.
12 | Сменить (сбросить) пароль от данного почтового ящика.
13 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3301_quarantine_file_by_format/RA_3301_quarantine_file_by_format.yml:
--------------------------------------------------------------------------------
1 | title: RA_3301_quarantine_file_by_format
2 | id: RA3301
3 | description: >
4 | Quarantine a file by its format
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3302_quarantine_file_by_hash/RA_3302_quarantine_file_by_hash.yml:
--------------------------------------------------------------------------------
1 | title: RA_3302_quarantine_file_by_hash
2 | id: RA3302
3 | description: >
4 | Quarantine a file by its hash
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3303_quarantine_file_by_path/RA_3303_quarantine_file_by_path.yml:
--------------------------------------------------------------------------------
1 | title: RA_3303_quarantine_file_by_path
2 | id: RA3303
3 | description: >
4 | Quarantine a file by its path
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3304_quarantine_file_by_content_pattern/RA_3304_quarantine_file_by_content_pattern.yml:
--------------------------------------------------------------------------------
1 | title: RA_3304_quarantine_file_by_content_pattern
2 | id: RA3304
3 | description: >
4 | Quarantine a file by its content pattern
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3402_block_process_by_executable_metadata/RA_3402_block_process_by_executable_metadata.yml:
--------------------------------------------------------------------------------
1 | title: RA_3402_block_process_by_executable_metadata
2 | id: RA3402
3 | description: >
4 | Блокировать выполнение процесса на основе его метаданных (например, подписи, разрешений, времени MAC)
5 | author: bpopovich
6 | creation_date: 2023/04/27
7 | stage: containment
8 | extended_description: |
9 | Блокировка выполнения процесса на основе его метаданных с помощью средств защиты информации и иных автоматизированных средств
10 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3403_block_process_by_executable_hash/RA_3403_block_process_by_executable_hash.yml:
--------------------------------------------------------------------------------
1 | title: RA_3403_block_process_by_executable_hash
2 | id: RA3403
3 | description: >
4 | Блокировать выполнение процесса по его контрольной сумме (хешу)
5 | author: bpopovich
6 | creation_date: 2023/04/27
7 | stage: containment
8 | extended_description: |
9 | Блокировать выполнение процесса по его контрольной сумме (хешу) средствами защиты информации или иными средствами автоматизации
10 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3501_disable_system_service/RA_3501_disable_system_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_3501_disable_system_service
2 | id: RA3501
3 | description: >
4 | Disable a system service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: containment
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_3601_lock_user_account/RA_3601_lock_user_account.yml:
--------------------------------------------------------------------------------
1 | title: RA_3601_lock_user_account
2 | id: RA3601
3 | description: >
4 | Заблокировать учетную запись пользователя
5 | author: enikulina
6 | creation_date: 2023/02/03
7 | stage: containment
8 | extended_description: |
9 | Заблокировать учетную запись пользователя с разрывом всех активных сессий и обязательной сменой пароля.
10 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4002_report_incident_to_external_companies/RA_4002_report_incident_to_external_companies.yml:
--------------------------------------------------------------------------------
1 | title: RA_4002_report_incident_to_external_companies
2 | id: RA4002
3 | description: Сообщить об инциденте внешним компаниям
4 | author: enikulina
5 | creation_date: 2023/02/03
6 | stage: eradication
7 | workflow: |
8 | Сообщить об инциденте внешним компаниям, активы которых потенциально были затронуты в ходе атаки.
9 | Предоставить индикаторы компрометации и др. необходимые сведения об атаке, которые были собраны в ходе внутреннего расследования.
10 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4101_remove_rogue_network_device/RA_4101_remove_rogue_network_device.yml:
--------------------------------------------------------------------------------
1 | title: RA_4101_remove_rogue_network_device
2 | id: RA4101
3 | description: >
4 | Remove a rogue network device
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4201_delete_email_message/RA_4201_delete_email_message.yml:
--------------------------------------------------------------------------------
1 | title: RA_4201_delete_email_message
2 | id: RA4201
3 | description: Удалить письмо с почтового сервера и из почтовых ящиков пользователей
4 | author: enikulina
5 | creation_date: 2023/02/02
6 | stage: eradication
7 | requirements:
8 | - MS_email_server
9 | artifacts:
10 | - A3001_Email_Message
11 | - A1001_User_AD_Account
12 | extended_description: |
13 | Удалить письмо с почтового сервера и из почтовых ящиков затронутых внутренних пользователей.
14 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4301_remove_file/RA_4301_remove_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_4301_remove_file
2 | id: RA4301
3 | description: >
4 | Remove a specific file from a (remote) host or a system
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | automation:
9 | - thehive/phantom/demisto/etc
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4501_remove_registry_key/RA_4501_remove_registry_key.yml:
--------------------------------------------------------------------------------
1 | title: RA_4501_remove_registry_key
2 | id: RA4501
3 | description: >
4 | Remove a registry key
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4502_remove_service/RA_4502_remove_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_4502_remove_service
2 | id: RA4502
3 | description: >
4 | Remove a service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4602_remove_user_account/RA_4602_remove_user_account.yml:
--------------------------------------------------------------------------------
1 | title: RA_4602_remove_user_account
2 | id: RA4602
3 | description: >
4 | Remove a user account
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: eradication
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4603_reset_authentication_credentials/RA_4603_reset_authentication_credentials.yml:
--------------------------------------------------------------------------------
1 | title: Сброс пароля учётной записи
2 | id: RA4603
3 | description: Сброс пароля учётной записи
4 | author: '@Cyberok'
5 | creation_date: 2023/04/23
6 | stage: eradication
7 | references:
8 | - https://example.com
9 | extended_description: |
10 | Сброс пароля скомпрометированной учётной записи, используя функционал соответствующей системы (например, Windows AD).
11 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_4604_delete_attribute_from_object/RA_4604_delete_attribute_from_object.yml:
--------------------------------------------------------------------------------
1 | title: Удаление атрибута объекта
2 | id: RA4604
3 | description: Удалите атрибут объекта
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/05/07
6 | stage: eradication
7 | extended_description: |
8 | Удалите запись из атрибутов объекта
9 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5001_reinstall_host_from_golden_image/RA_5001_reinstall_host_from_golden_image.yml:
--------------------------------------------------------------------------------
1 | title: RA_5001_reinstall_host_from_golden_image
2 | id: RA5001
3 | description: >
4 | Reinstall host OS from a golden image
5 | author: name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | automation:
9 | - thehive
10 | references:
11 | - https://example.com
12 | extended_description: |
13 | Description of the extended_description for the Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5002_restore_data_from_backup/RA_5002_restore_data_from_backup.yml:
--------------------------------------------------------------------------------
1 | title: RA_5002_restore_data_from_backup
2 | id: RA5002
3 | description: >
4 | Restore data from a backup
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5102_unblock_blocked_domain/RA_5102_unblock_blocked_domain.yml:
--------------------------------------------------------------------------------
1 | title: RA_5102_unblock_blocked_domain
2 | id: RA5102
3 | description: >
4 | Unblock a blocked domain name
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_intranet_proxy
13 | - MS_intranet_ips
14 | - MS_intranet_ngfw
15 | - MS_dns_server
16 | extended_description: |
17 | Unblock a blocked domain name in the system(s) used to block it.
18 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5103_unblock_blocked_url/RA_5103_unblock_blocked_url.yml:
--------------------------------------------------------------------------------
1 | title: RA_5103_unblock_blocked_url
2 | id: RA5103
3 | description: >
4 | Unblock a blocked URL
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_border_proxy
10 | - MS_border_ips
11 | - MS_border_ngfw
12 | - MS_intranet_proxy
13 | - MS_intranet_ips
14 | - MS_intranet_ngfw
15 | extended_description: |
16 | Unblock a blocked URL in the system(s) used to block it.
17 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5104_unblock_blocked_port/RA_5104_unblock_blocked_port.yml:
--------------------------------------------------------------------------------
1 | title: RA_5104_unblock_blocked_port
2 | id: RA5104
3 | description: >
4 | Unblock a blocked port
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5105_unblock_blocked_user/RA_5105_unblock_blocked_user.yml:
--------------------------------------------------------------------------------
1 | title: RA_5105_unblock_blocked_user
2 | id: RA5105
3 | description: >
4 | Unblock a blocked user
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5201_unblock_domain_on_email/RA_5201_unblock_domain_on_email.yml:
--------------------------------------------------------------------------------
1 | title: RA_5201_unblock_domain_on_email
2 | id: RA5201
3 | description: >
4 | Unblock a domain on email
5 | author: '@atc_project'
6 | creation_date: 2020/05/07
7 | stage: recovery
8 | references:
9 | - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide
10 | requirements:
11 | - MS_email_server
12 | extended_description: |
13 | Unblock an email domain on an Email Server using its native functionality.
14 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5202_unblock_sender_on_email/RA_5202_unblock_sender_on_email.yml:
--------------------------------------------------------------------------------
1 | title: RA_5202_unblock_sender_on_email
2 | id: RA5202
3 | description: >
4 | Unblock a sender on email
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_email_server
10 | extended_description: |
11 | Unblock an email sender on an Email Server using its native functionality.
12 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5203_restore_quarantined_email_message/RA_5203_restore_quarantined_email_message.yml:
--------------------------------------------------------------------------------
1 | title: RA_5203_restore_quarantined_email_message
2 | id: RA5203
3 | description: >
4 | Restore a quarantined email message
5 | author: '@atc_project'
6 | creation_date: 2020/05/06
7 | stage: recovery
8 | requirements:
9 | - MS_email_server
10 | extended_description: |
11 | Restore a quarantined email message on an Email Server using its native functionality.
12 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5204_unblock_internal_email/RA_5204_unblock_internal_email.yml:
--------------------------------------------------------------------------------
1 | title: RA_5204_unblock_internal_email
2 | id: RA5204
3 | description: >
4 | Разблокировать скомпрометированный внутренний почтовый ящик для входа пользователя
5 | author: enikulina
6 | creation_date: 2023/02/02
7 | stage: containment
8 | requirements:
9 | - MS_email_server
10 | workflow: |
11 | Разблокировать скомпрометированный внутренний почтовый ящик для входа пользователя.
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5301_restore_quarantined_file/RA_5301_restore_quarantined_file.yml:
--------------------------------------------------------------------------------
1 | title: RA_5301_restore_quarantined_file
2 | id: RA5301
3 | description: >
4 | Restore a quarantined file
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5401_unblock_blocked_process/RA_5401_unblock_blocked_process.yml:
--------------------------------------------------------------------------------
1 | title: RA_5401_unblock_blocked_process
2 | id: RA5401
3 | description: >
4 | Unblock a blocked process
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5501_enable_disabled_service/RA_5501_enable_disabled_service.yml:
--------------------------------------------------------------------------------
1 | title: RA_5501_enable_disabled_service
2 | id: RA5501
3 | description: >
4 | Enable a disabled service
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions/RA_5601_unlock_locked_user_account/RA_5601_unlock_locked_user_account.yml:
--------------------------------------------------------------------------------
1 | title: RA_5601_unlock_locked_user_account
2 | id: RA5601
3 | description: >
4 | Unlock a locked user account
5 | author: your name/nickname/twitter
6 | creation_date: YYYY/MM/DD
7 | stage: recovery
8 | references:
9 | - https://example.com
10 | requirements:
11 | - DN_zeek_conn_log # placeholder
12 | extended_description: |
13 | Description of the extended_description for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/data/ru/response_actions_implementations/rai_manual_action_template.md:
--------------------------------------------------------------------------------
1 | ## Описание
2 | ## Требования к целевой системе
3 | ## Требования к средствам воздействия
4 | ## Ожидаемый результат воздействия
5 | ## Реализация
6 | ### <Название действия>
7 | #### Комментарии
8 | #### Алгоритм
9 | #### Проверка результата
10 | #### Ограничения
11 | ## Дополнительные сведения
12 | ### Метки
13 | ### Артефакты
14 | ### Ссылки на внешние ресурсы
15 | ### Соответствие классификациям
16 |
--------------------------------------------------------------------------------
/data/ru/response_playbooks/RP_1003_identify_compromised_data/RP_1003_identify_compromised_data.yml:
--------------------------------------------------------------------------------
1 | title: Identify compromised data
2 | id: RP1003
3 | description: Identify the data compromised
4 | author: '@ermack_community'
5 | creation_date: 2019/01/31
6 | modification_date: 2019/01/31
7 | severity: M
8 | tlp: AMBER
9 | pap: WHITE
10 | tags:
11 | - sub-playbook
12 | identification:
13 | - RA_2110_list_data_transferred
14 | - RA_2111_collect_transferred_data
15 | - RA_2112_identify_transferred_data
16 | - RA_2304_list_files_downloaded
17 | workflow: |
18 | 1. TODO: create workflow
19 |
--------------------------------------------------------------------------------
/data/ru/response_playbooks/RP_1004_identify_means_of_attack/RP_1004_identify_means_of_attack.yml:
--------------------------------------------------------------------------------
1 | title: Identify means of attack
2 | id: RP1004
3 | description: Identify the means through which the malware or attacker gained access
4 | author: '@ermack_community'
5 | creation_date: 2019/01/31
6 | modification_date: 2019/01/31
7 | severity: M
8 | tlp: AMBER
9 | pap: WHITE
10 | tags:
11 | - sub-playbook
12 | identification:
13 | - RA_2002_list_host_vulnerabilities
14 | - RA_2121_identiry_useful_security_systems
15 | workflow: |
16 | 1. TODO: create workflow
17 |
--------------------------------------------------------------------------------
/data/ru/response_stages/RS0001/RS0001.yml:
--------------------------------------------------------------------------------
1 | title: Подготовка
2 | id: RS0001
3 | description: Подготовка к инциденту ИБ
4 |
--------------------------------------------------------------------------------
/data/ru/response_stages/RS0002/RS0002.yml:
--------------------------------------------------------------------------------
1 | title: Идентификация
2 | id: RS0002
3 | description: Сбор информации об угрозе, которая вызвала фиксацию инцидента ИБ, её классификации и вовлечённых активах.
4 |
--------------------------------------------------------------------------------
/data/ru/response_stages/RS0003/RS0003.yml:
--------------------------------------------------------------------------------
1 | title: Сдерживание
2 | id: RS0003
3 | description: Недопущение реализации целей угрозы и/или распространения по инфраструктуре.
4 |
--------------------------------------------------------------------------------
/data/ru/response_stages/RS0004/RS0004.yml:
--------------------------------------------------------------------------------
1 | title: Ликвидация
2 | id: RS0004
3 | description: Удаление угрозы из инфраструктуры
4 |
--------------------------------------------------------------------------------
/data/ru/response_stages/RS0005/RS0005.yml:
--------------------------------------------------------------------------------
1 | title: Восстановление
2 | id: RS0005
3 | description: Восстановление после инцидента и возвращение активов к нормальному функционированию.
4 |
--------------------------------------------------------------------------------
/data/ru/response_stages/RS0006/RS0006.yml:
--------------------------------------------------------------------------------
1 | title: Выводы
2 | id: RS0006
3 | description: Понять, как улучшить процесс реагирования, и применить улучшения на практике.
4 |
--------------------------------------------------------------------------------
/data/ru/software/S_0003_windows_host/S_0003_windows_host.yml:
--------------------------------------------------------------------------------
1 | title: Windows Host
2 | id: S0003
3 | description: Windows Host
4 | author: '@ACTION_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AuthenticationLogging
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_0004_windows_powershell/S_0004_windows_powershell.yml:
--------------------------------------------------------------------------------
1 | title: Windows PowerShell
2 | id: S0004
3 | description: Windows PowerShell Interpreter
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - CommandExecution
11 | - CommandExecutionLogging
12 |
--------------------------------------------------------------------------------
/data/ru/software/S_0005_soldr/S_0005_soldr.yml:
--------------------------------------------------------------------------------
1 | title: SOLDR
2 | id: S0005
3 | description: System of Orchestration, Lifecycle control, Detection and Response
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2023/03/30
6 | modification_date: 2023/03/30
7 | references:
8 | - https://github.com/vxcontrol/soldr
9 | capabilities:
10 | - AuthenticationLogsAnalysis
11 | - NetworkSessionLogging
12 | - LocalProsessControl
13 | - LocalNetworkControl
14 |
--------------------------------------------------------------------------------
/data/ru/software/S_0100_linux/S_0100_linux.yml:
--------------------------------------------------------------------------------
1 | title: Linux
2 | id: S0100
3 | description: Любой дистрибутив Linux
4 | author: '@ACTION_COMMUNITY'
5 | creation_date: 2022/10/22
6 | references:
7 | - http://www.example.com
8 | capabilities:
9 | - AuthenticationLogsAnalysis
10 | - NetworkSessionLogging
11 | extended_description: |
12 | Любой дистрибутив Linux со стандартными утилитами командной строки
13 |
--------------------------------------------------------------------------------
/data/ru/software/S_1001_check_point_firewall/S_1001_check_point_firewall.yml:
--------------------------------------------------------------------------------
1 | title: Checkpoint Firewall
2 | id: S1001
3 | description: Check Point Quantum Security Gateways
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - IpBlockingCapability
12 | - PortBlockingCapability
13 |
--------------------------------------------------------------------------------
/data/ru/software/S_1002_cisco_asa_firewall/S_1002_cisco_asa_firewall.yml:
--------------------------------------------------------------------------------
1 | title: Cisco ASA Firewall
2 | id: S1002
3 | description: Cisco ASA 5500-X
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - IpBlockingCapability
12 | - PortBlockingCapability
13 |
--------------------------------------------------------------------------------
/data/ru/software/S_3001_ms_exchange_server/S_3001_ms_exchange_server.yml:
--------------------------------------------------------------------------------
1 | title: MS Exchange Server
2 | id: S3001
3 | description: Почтовый сервер Microsoft Exchange Server 2019
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - MailDeletionCapability
12 | - MailSearchingCapability
13 |
--------------------------------------------------------------------------------
/data/ru/software/S_3002_postfix_mail_server/S_3002_postfix_mail_server.yml:
--------------------------------------------------------------------------------
1 | title: Postfix Server
2 | id: S3002
3 | description: Почтовый сервер Postfix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AccessLoggingCapability
11 | - MailDeletionCapability
12 | - MailSearchingCapability
13 |
--------------------------------------------------------------------------------
/data/ru/software/S_3003_skype4business_server/S_3003_skype4business_server.yml:
--------------------------------------------------------------------------------
1 | title: Skype for Business Server
2 | id: S3003
3 | description: Skype for Business Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3004_bitrix_server/S_3004_bitrix_server.yml:
--------------------------------------------------------------------------------
1 | title: Bitrix Server
2 | id: S3004
3 | description: Bitrix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3005_ms_sharepoint_server/S_3005_ms_sharepoint_server.yml:
--------------------------------------------------------------------------------
1 | title: MS Sharepoint Server
2 | id: S3005
3 | description: Microsoft Sharepoint Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 | - DocumentStorageCapability
12 |
--------------------------------------------------------------------------------
/data/ru/software/S_3006_citrix_server/S_3006_citrix_server.yml:
--------------------------------------------------------------------------------
1 | title: Citrix Server
2 | id: S3006
3 | description: Citrix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3007_apache_tomcat_server/S_3007_apache_tomcat_server.yml:
--------------------------------------------------------------------------------
1 | title: Apache Tomcat Server
2 | id: S3007
3 | description: Apache Tomcat Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3008_weblogic_server/S_3008_weblogic_server.yml:
--------------------------------------------------------------------------------
1 | title: Weblogic Server
2 | id: S3008
3 | description: Weblogic Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3009_zabbix_server/S_3009_zabbix_server.yml:
--------------------------------------------------------------------------------
1 | title: Zabbix Server
2 | id: S3009
3 | description: Zabbix Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3010_gitlab_server/S_3010_gitlab_server.yml:
--------------------------------------------------------------------------------
1 | title: Gitlab Server
2 | id: S3010
3 | description: Gitlab Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3011_mysql_server/S_3011_mysql_server.yml:
--------------------------------------------------------------------------------
1 | title: MySQL Server
2 | id: S3011
3 | description: MySQL Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_3012_postgresql_server/S_3012_postgresql_server.yml:
--------------------------------------------------------------------------------
1 | title: PostgreSQL Server
2 | id: S3012
3 | description: PostgreSQL Server
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DomainAuthenticationCapability
11 |
--------------------------------------------------------------------------------
/data/ru/software/S_5001_ms_dns_server/S_5001_ms_dns_server.yml:
--------------------------------------------------------------------------------
1 | title: MS DNS Server
2 | id: S5001
3 | description: Microsoft Windows Server 2019 with DNS role
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | modification_date: 2022/10/22
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - DNSAllowlistingCapability
11 | - DNSDenylistingCapability
12 | - DNSLoggingCapability
13 |
--------------------------------------------------------------------------------
/data/ru/software/S_6001_ms_domain_controller_server/S_6001_ms_domain_controller_server.yml:
--------------------------------------------------------------------------------
1 | title: MS Server 2019 with Active Directory role
2 | id: S6001
3 | description: Microsoft Server 2019 with Active Directory role
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/25
6 | modification_date: 2022/10/25
7 | references:
8 | - http://www.example.com
9 | capabilities:
10 | - AuthenticationLogsAnalysis
11 | - AuthenticationLogging
12 |
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
1 | version: "3.9"
2 | services:
3 | code-server:
4 | image: aw350m3/ermack
5 | container_name: ermack
6 | ports:
7 | - 8000:8000
8 | volumes:
9 | - ./ermack:/ermack/ermack
10 | - ./config.yml:/ermack/config.yml
11 | - ./data:/ermack/data
12 | - ./assets:/ermack/assets
13 |
--------------------------------------------------------------------------------
/ermack/__init__.py:
--------------------------------------------------------------------------------
1 | __version__ = "0.0.4"
2 |
--------------------------------------------------------------------------------
/ermack/data_providers/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/ermack/data_providers/__init__.py
--------------------------------------------------------------------------------
/ermack/entities/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/ermack/entities/__init__.py
--------------------------------------------------------------------------------
/ermack/templates/en/confluence/toc_macros.html.j2:
--------------------------------------------------------------------------------
1 |
2 | true
3 | none
4 | 5
5 | 10px
6 | 1
7 | list
8 | false
9 |
10 |
--------------------------------------------------------------------------------
/ermack/templates/en/markdown/entity_table.md.j2:
--------------------------------------------------------------------------------
1 | # {{ entity_name }}
2 |
3 | | ID | Title | Brief Description |
4 | |:--------------------:|:------------------------:|---------------------------------|
5 | {%- for entity in entities_list -%}
6 | {{ '\n' }}| [{{ entity['id'] }}][{{ entity['link_id'] }}] | [{{ entity['title'] }}][{{ entity['link_id'] }}] | {{entity['description'].strip()}} |
7 | {%- endfor -%}
8 | {{ '\n' }}
9 | {%- for entity in entities_list -%}
10 | {{ '\n' }} [{{ entity['link_id'] }}]: {{entity['filename']}}
11 | {%- endfor -%}
12 |
--------------------------------------------------------------------------------
/ermack/templates/ru/confluence/toc_macros.html.j2:
--------------------------------------------------------------------------------
1 |
2 | true
3 | none
4 | 5
5 | 10px
6 | 1
7 | list
8 | false
9 |
10 |
--------------------------------------------------------------------------------
/ermack/templates/ru/markdown/entity_table.md.j2:
--------------------------------------------------------------------------------
1 | # {{ entity_name }}
2 |
3 | | Идентификатор | Название | Короткое описание |
4 | |:-------------:|:--------:|-------------------|
5 | {%- for entity in entities_list -%}
6 | {{ '\n' }}| [{{ entity['id'] }}][{{ entity['link_id'] }}] | [{{ entity['title'] }}][{{ entity['link_id'] }}] | {{entity['description'].strip()}} |
7 | {%- endfor -%}
8 | {{ '\n' }}
9 | {%- for entity in entities_list -%}
10 | {{ '\n' }} [{{ entity['link_id'] }}]: {{entity['filename']}}
11 | {%- endfor -%}
12 |
--------------------------------------------------------------------------------
/ermack/utils/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/ermack/utils/__init__.py
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | atlassian-python-api==3.31.0
2 | Jinja2==3.1.2
3 | mkdocs==1.4.2
4 | mkdocs-awesome-pages-plugin==2.8.0
5 | mkdocs-exclude==1.0.2
6 | mkdocs-material==9.1.0
7 | mkdocs-material-extensions==1.1.1
8 | mkdocs-glightbox==0.3.4
9 | PyYAML==6.0
10 | tqdm==4.64.1
11 | docopt==0.6.2
12 | cpe==1.2.1
13 |
--------------------------------------------------------------------------------
/requirements_test.txt:
--------------------------------------------------------------------------------
1 | flake8
2 | flake8-blind-except
3 | flake8-bugbear
4 | flake8-builtins
5 | flake8-comprehensions
6 | flake8-debugger
7 | flake8-docstrings
8 | flake8-isort
9 | flake8-quotes
10 | flake8-string-format
11 | black
12 | pre-commit
13 | pytest
14 | pytest-cov
15 | pylint
16 | pyenchant
17 |
--------------------------------------------------------------------------------
/spell_checking_dict.txt:
--------------------------------------------------------------------------------
1 | args
2 | bool
3 | config
4 | confluencecontent
5 | cpe
6 | enum
7 | env
8 | ERM&CK
9 | ermack
10 | ERMACK
11 | filepath
12 | impl
13 | md
14 | Mitigations
15 | mkdocs
16 | prepend
17 | prepended
18 | rtype
19 | ui
20 | usecase
21 | usecases
22 | XDR
23 | xml
24 | yaml
25 | yamls
26 | yml
27 |
--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/__init__.py
--------------------------------------------------------------------------------
/tests/code_tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/code_tests/__init__.py
--------------------------------------------------------------------------------
/tests/code_tests/artifact/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/code_tests/artifact/__init__.py
--------------------------------------------------------------------------------
/tests/code_tests/artifact/standard_artifact.yml:
--------------------------------------------------------------------------------
1 | title: Название артефакта
2 | id: A1001
3 | description: Краткое описание артефакта
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | references: # Полезные ссылки
7 | - http://www.example.com
8 | - https://d3fend.mitre.org/dao/artifact/d3f:DNSNetworkTraffic/
9 | mapping: # Маппинг на публичные онтологии
10 | - d3f:DNSNetworkTraffic
11 | extended_description: |
12 | Расширенное описание артефакта
13 |
--------------------------------------------------------------------------------
/tests/code_tests/response_action/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/code_tests/response_action/__init__.py
--------------------------------------------------------------------------------
/tests/code_tests/response_action_impl/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/code_tests/response_action_impl/__init__.py
--------------------------------------------------------------------------------
/tests/code_tests/software/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/code_tests/software/__init__.py
--------------------------------------------------------------------------------
/tests/code_tests/software/standard_software.yml:
--------------------------------------------------------------------------------
1 | title: Название ПО
2 | id: S0002
3 | description: Краткое описание продукта или решения
4 | author: '@ERMACK_COMMUNITY'
5 | creation_date: 2022/10/22
6 | references:
7 | - http://www.example.com
8 | capabilities: # Возможно, есть смысл выделить иерархию возможностей для разных типов ПО
9 | - AuthenticationLogsAnalysis
10 | - NetworkSessionLogging
11 | - LocalProsessControl
12 | - LocalNetworkControl
--------------------------------------------------------------------------------
/tests/code_tests/usecase/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/code_tests/usecase/__init__.py
--------------------------------------------------------------------------------
/tests/data_tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/data_tests/__init__.py
--------------------------------------------------------------------------------
/tests/data_tests/artifact/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/data_tests/artifact/__init__.py
--------------------------------------------------------------------------------
/tests/data_tests/response_action/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/data_tests/response_action/__init__.py
--------------------------------------------------------------------------------
/tests/data_tests/response_action_impl/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/data_tests/response_action_impl/__init__.py
--------------------------------------------------------------------------------
/tests/data_tests/response_playbook/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/data_tests/response_playbook/__init__.py
--------------------------------------------------------------------------------
/tests/data_tests/software/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/data_tests/software/__init__.py
--------------------------------------------------------------------------------
/tests/data_tests/usecase/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Experts-Community/ERMACK/53a767b8d5e0037ba002890f391d2f947c550ec9/tests/data_tests/usecase/__init__.py
--------------------------------------------------------------------------------
/whitelist.txt:
--------------------------------------------------------------------------------
1 | args
2 | bool
3 | config
4 | confluencecontent
5 | cpe
6 | cpe2_3_fs
7 | CPE2_3_FS
8 | cpe_fs
9 | cpe_lang
10 | cpe_set
11 | cpelang2_3
12 | CPELanguage2_3
13 | cpeset2_3
14 | CPESet2_3
15 | DataRenderer
16 | desc
17 | enum
18 | env
19 | ERM&CK
20 | ermack
21 | ERMACK
22 | filepath
23 | impl
24 | impls
25 | issubset
26 | lfs
27 | md
28 | Mitigations
29 | mkdocs
30 | prepend
31 | prepended
32 | rtype
33 | tqdm
34 | ui
35 | usecase
36 | usecases
37 | utils
38 | XDR
39 | xml
40 | yaml
41 | yamls
42 | yml
--------------------------------------------------------------------------------