├── .github
└── FUNDING.yml
├── .gitignore
├── .gitmodules
├── .travis.yml
├── Atomic_Threat_Coverage
├── Customers
│ ├── CU_0001_TESTCUSTOMER.md
│ └── CU_0002_TESTCUSTOMER2.md
├── Data_Needed
│ ├── DN_0001_4688_windows_process_creation.md
│ ├── DN_0002_4688_windows_process_creation_with_commandline.md
│ ├── DN_0003_1_windows_sysmon_process_creation.md
│ ├── DN_0004_4624_windows_account_logon.md
│ ├── DN_0005_7045_windows_service_insatalled.md
│ ├── DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md
│ ├── DN_0007_3_windows_sysmon_network_connection.md
│ ├── DN_0008_4_windows_sysmon_sysmon_service_state_changed.md
│ ├── DN_0009_5_windows_sysmon_process_terminated.md
│ ├── DN_0010_6_windows_sysmon_driver_loaded.md
│ ├── DN_0011_7_windows_sysmon_image_loaded.md
│ ├── DN_0012_8_windows_sysmon_CreateRemoteThread.md
│ ├── DN_0013_9_windows_sysmon_RawAccessRead.md
│ ├── DN_0014_10_windows_sysmon_ProcessAccess.md
│ ├── DN_0015_11_windows_sysmon_FileCreate.md
│ ├── DN_0016_12_windows_sysmon_RegistryEvent.md
│ ├── DN_0017_13_windows_sysmon_RegistryEvent.md
│ ├── DN_0018_14_windows_sysmon_RegistryEvent.md
│ ├── DN_0019_15_windows_sysmon_FileCreateStreamHash.md
│ ├── DN_0020_17_windows_sysmon_PipeEvent.md
│ ├── DN_0021_18_windows_sysmon_PipeEvent.md
│ ├── DN_0022_19_windows_sysmon_WmiEvent.md
│ ├── DN_0023_20_windows_sysmon_WmiEvent.md
│ ├── DN_0024_21_windows_sysmon_WmiEvent.md
│ ├── DN_0026_5136_windows_directory_service_object_was_modified.md
│ ├── DN_0027_4738_user_account_was_changed.md
│ ├── DN_0028_4794_directory_services_restore_mode_admin_password_set.md
│ ├── DN_0029_4661_handle_to_an_object_was_requested.md
│ ├── DN_0030_4662_operation_was_performed_on_an_object.md
│ ├── DN_0031_7036_service_started_stopped.md
│ ├── DN_0032_5145_network_share_object_was_accessed_detailed.md
│ ├── DN_0033_5140_network_share_object_was_accessed.md
│ ├── DN_0034_104_log_file_was_cleared.md
│ ├── DN_0035_106_task_scheduler_task_registered.md
│ ├── DN_0036_4104_windows_powershell_script_block.md
│ ├── DN_0037_4103_windows_powershell_executing_pipeline.md
│ ├── DN_0038_400_engine_state_is_changed_from_none_to_available.md
│ ├── DN_0039_524_system_catalog_has_been_deleted.md
│ ├── DN_0040_528_user_successfully_logged_on_to_a_computer.md
│ ├── DN_0041_529_logon_failure.md
│ ├── DN_0042_675_kerberos_preauthentication_failed.md
│ ├── DN_0043_770_dns_server_plugin_dll_has_been_loaded.md
│ ├── DN_0044_1000_application_crashed.md
│ ├── DN_0045_1001_windows_error_reporting.md
│ ├── DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md
│ ├── DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md
│ ├── DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls.md
│ ├── DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.md
│ ├── DN_0050_1102_audit_log_was_cleared.md
│ ├── DN_0051_1121_attack_surface_reduction_blocking_mode_event.md
│ ├── DN_0052_2003_query_to_load_usb_drivers.md
│ ├── DN_0053_2100_pnp_or_power_operation_for_usb_device.md
│ ├── DN_0054_2102_pnp_or_power_operation_for_usb_device.md
│ ├── DN_0054_linux_auditd_execve.md
│ ├── DN_0055_linux_auditd_read_access_to_file.md
│ ├── DN_0056_linux_auditd_syscall.md
│ ├── DN_0057_4625_account_failed_to_logon.md
│ ├── DN_0058_4656_handle_to_an_object_was_requested.md
│ ├── DN_0059_4657_registry_value_was_modified.md
│ ├── DN_0060_4658_handle_to_an_object_was_closed.md
│ ├── DN_0061_4660_object_was_deleted.md
│ ├── DN_0062_4663_attempt_was_made_to_access_an_object.md
│ ├── DN_0063_4697_service_was_installed_in_the_system.md
│ ├── DN_0064_4698_scheduled_task_was_created.md
│ ├── DN_0065_4701_scheduled_task_was_disabled.md
│ ├── DN_0066_4704_user_right_was_assigned.md
│ ├── DN_0067_4719_system_audit_policy_was_changed.md
│ ├── DN_0068_4728_member_was_added_to_security_enabled_global_group.md
│ ├── DN_0069_4732_member_was_added_to_security_enabled_local_group.md
│ ├── DN_0070_4735_security_enabled_local_group_was_changed.md
│ ├── DN_0071_4737_security_enabled_global_group_was_changed.md
│ ├── DN_0072_4755_security_enabled_universal_group_was_changed.md
│ ├── DN_0073_4756_member_was_added_to_a_security_enabled_universal_group.md
│ ├── DN_0074_4765_sid_history_was_added_to_an_account.md
│ ├── DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md
│ ├── DN_0076_4768_kerberos_authentication_ticket_was_requested.md
│ ├── DN_0077_4769_kerberos_service_ticket_was_requested.md
│ ├── DN_0078_4771_kerberos_pre_authentication_failed.md
│ ├── DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md
│ ├── DN_0080_5859_wmi_activity.md
│ ├── DN_0081_5861_wmi_activity.md
│ ├── DN_0082_8002_ntlm_server_blocked_audit.md
│ ├── DN_0083_16_access_history_in_hive_was_cleared.md
│ ├── DN_0084_av_alert.md
│ ├── DN_0085_22_windows_sysmon_DnsQuery.md
│ ├── DN_0086_4720_user_account_was_created.md
│ ├── DN_0087_5156_windows_filtering_platform_has_permitted_connection.md
│ ├── DN_0088_4616_system_time_was_changed.md
│ ├── DN_0089_56_terminal_server_security_layer_detected_an_error.md
│ ├── DN_0090_50_terminal_server_security_layer_detected_an_error.md
│ ├── DN_0091_linux_modsecurity_log.md
│ ├── DN_0092_unix_generic_syslog.md
│ ├── DN_0093_linux_clamav_log.md
│ ├── DN_0094_linux_sshd_log.md
│ ├── DN_0095_linux_auth_pam_log.md
│ ├── DN_0096_linux_named_client_security_log.md
│ ├── DN_0097_linux_daemon_log.md
│ ├── DN_0098_linux_vsftpd_log.md
│ ├── DN_0099_Bind_DNS_query.md
│ ├── DN_0100_Passive_DNS_log.md
│ └── DN_0108_150_dns_server_could_not_load_dll.md
├── Detection_Rules
│ ├── av_exploiting.md
│ ├── av_password_dumper.md
│ ├── av_relevant_files.md
│ ├── av_webshell.md
│ ├── powershell_alternate_powershell_hosts.md
│ ├── powershell_clear_powershell_history.md
│ ├── powershell_create_local_user.md
│ ├── powershell_data_compressed.md
│ ├── powershell_dnscat_execution.md
│ ├── powershell_downgrade_attack.md
│ ├── powershell_exe_calling_ps.md
│ ├── powershell_invoke_obfuscation_obfuscated_iex.md
│ ├── powershell_malicious_commandlets.md
│ ├── powershell_malicious_keywords.md
│ ├── powershell_nishang_malicious_commandlets.md
│ ├── powershell_ntfs_ads_access.md
│ ├── powershell_prompt_credentials.md
│ ├── powershell_psattack.md
│ ├── powershell_remote_powershell_session.md
│ ├── powershell_shellcode_b64.md
│ ├── powershell_suspicious_download.md
│ ├── powershell_suspicious_invocation_generic.md
│ ├── powershell_suspicious_invocation_specific.md
│ ├── powershell_suspicious_keywords.md
│ ├── powershell_suspicious_profile_create.md
│ ├── powershell_winlogon_helper_dll.md
│ ├── powershell_wmimplant.md
│ ├── sysmon_ads_executable.md
│ ├── sysmon_alternate_powershell_hosts_moduleload.md
│ ├── sysmon_alternate_powershell_hosts_pipe.md
│ ├── sysmon_apt_oceanlotus_registry.md
│ ├── sysmon_apt_pandemic.md
│ ├── sysmon_apt_turla_namedpipes.md
│ ├── sysmon_asep_reg_keys_modification.md
│ ├── sysmon_cactustorch.md
│ ├── sysmon_cmstp_execution.md
│ ├── sysmon_cobaltstrike_process_injection.md
│ ├── sysmon_createremotethread_loadlibrary.md
│ ├── sysmon_cred_dump_lsass_access.md
│ ├── sysmon_cred_dump_tools_dropped_files.md
│ ├── sysmon_cred_dump_tools_named_pipes.md
│ ├── sysmon_dhcp_calloutdll.md
│ ├── sysmon_disable_security_events_logging_adding_reg_key_minint.md
│ ├── sysmon_dns_serverlevelplugindll.md
│ ├── sysmon_ghostpack_safetykatz.md
│ ├── sysmon_hack_dumpert.md
│ ├── sysmon_hack_wce.md
│ ├── sysmon_in_memory_assembly_execution.md
│ ├── sysmon_in_memory_powershell.md
│ ├── sysmon_invoke_phantom.md
│ ├── sysmon_logon_scripts_userinitmprlogonscript.md
│ ├── sysmon_lsass_memdump.md
│ ├── sysmon_lsass_memory_dump_file_creation.md
│ ├── sysmon_mal_namedpipes.md
│ ├── sysmon_malware_backconnect_ports.md
│ ├── sysmon_malware_verclsid_shellcode.md
│ ├── sysmon_mimikatz_inmemory_detection.md
│ ├── sysmon_mimikatz_trough_winrm.md
│ ├── sysmon_minidumwritedump_lsass.md
│ ├── sysmon_narrator_feedback_persistance.md
│ ├── sysmon_new_dll_added_to_appcertdlls_registry_key.md
│ ├── sysmon_new_dll_added_to_appinit_dlls_registry_key.md
│ ├── sysmon_password_dumper_lsass.md
│ ├── sysmon_possible_dns_rebinding.md
│ ├── sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.md
│ ├── sysmon_powershell_execution_moduleload.md
│ ├── sysmon_powershell_exploit_scripts.md
│ ├── sysmon_powershell_network_connection.md
│ ├── sysmon_quarkspw_filedump.md
│ ├── sysmon_raw_disk_access_using_illegitimate_tools.md
│ ├── sysmon_rdp_registry_modification.md
│ ├── sysmon_rdp_reverse_tunnel.md
│ ├── sysmon_rdp_settings_hijack.md
│ ├── sysmon_registry_persistence_key_linking.md
│ ├── sysmon_registry_persistence_search_order.md
│ ├── sysmon_registry_trust_record_modification.md
│ ├── sysmon_regsvr32_network_activity.md
│ ├── sysmon_remote_powershell_session_network.md
│ ├── sysmon_renamed_jusched.md
│ ├── sysmon_renamed_powershell.md
│ ├── sysmon_renamed_procdump.md
│ ├── sysmon_renamed_psexec.md
│ ├── sysmon_rundll32_net_connections.md
│ ├── sysmon_ssp_added_lsa_config.md
│ ├── sysmon_stickykey_like_backdoor.md
│ ├── sysmon_susp_adsi_cache_usage.md
│ ├── sysmon_susp_desktop_ini.md
│ ├── sysmon_susp_download_run_key.md
│ ├── sysmon_susp_driver_load.md
│ ├── sysmon_susp_file_characteristics.md
│ ├── sysmon_susp_image_load.md
│ ├── sysmon_susp_lsass_dll_load.md
│ ├── sysmon_susp_office_dotnet_assembly_dll_load.md
│ ├── sysmon_susp_office_dotnet_clr_dll_load.md
│ ├── sysmon_susp_office_dotnet_gac_dll_load.md
│ ├── sysmon_susp_office_dsparse_dll_load.md
│ ├── sysmon_susp_office_kerberos_dll_load.md
│ ├── sysmon_susp_powershell_rundll32.md
│ ├── sysmon_susp_procexplorer_driver_created_in_tmp_folder.md
│ ├── sysmon_susp_prog_location_network_connection.md
│ ├── sysmon_susp_rdp.md
│ ├── sysmon_susp_reg_persist_explorer_run.md
│ ├── sysmon_susp_run_key_img_folder.md
│ ├── sysmon_susp_service_installed.md
│ ├── sysmon_susp_winword_vbadll_load.md
│ ├── sysmon_susp_winword_wmidll_load.md
│ ├── sysmon_suspicious_keyboard_layout_load.md
│ ├── sysmon_suspicious_outbound_kerberos_connection.md
│ ├── sysmon_suspicious_remote_thread.md
│ ├── sysmon_svchost_dll_search_order_hijack.md
│ ├── sysmon_sysinternals_eula_accepted.md
│ ├── sysmon_tsclient_filewrite_startup.md
│ ├── sysmon_uac_bypass_eventvwr.md
│ ├── sysmon_uac_bypass_sdclt.md
│ ├── sysmon_unsigned_image_loaded_into_lsass.md
│ ├── sysmon_webshell_creation_detect.md
│ ├── sysmon_win_binary_github_com.md
│ ├── sysmon_win_binary_susp_com.md
│ ├── sysmon_win_reg_persistence.md
│ ├── sysmon_wmi_event_subscription.md
│ ├── sysmon_wmi_module_load.md
│ ├── sysmon_wmi_persistence_commandline_event_consumer.md
│ ├── sysmon_wmi_persistence_script_event_consumer_write.md
│ ├── sysmon_wmi_susp_scripting.md
│ ├── win_GPO_scheduledtasks.md
│ ├── win_account_backdoor_dcsync_rights.md
│ ├── win_account_discovery.md
│ ├── win_ad_object_writedac_access.md
│ ├── win_ad_replication_non_machine_account.md
│ ├── win_ad_user_enumeration.md
│ ├── win_admin_rdp_login.md
│ ├── win_admin_share_access.md
│ ├── win_alert_active_directory_user_control.md
│ ├── win_alert_ad_user_backdoors.md
│ ├── win_alert_enable_weak_encryption.md
│ ├── win_alert_lsass_access.md
│ ├── win_alert_mimikatz_keywords.md
│ ├── win_alert_ruler.md
│ ├── win_apt_apt29_thinktanks.md
│ ├── win_apt_apt29_tor.md
│ ├── win_apt_babyshark.md
│ ├── win_apt_bear_activity_gtr19.md
│ ├── win_apt_bluemashroom.md
│ ├── win_apt_carbonpaper_turla.md
│ ├── win_apt_chafer_mar18.md
│ ├── win_apt_cloudhopper.md
│ ├── win_apt_dragonfly.md
│ ├── win_apt_elise.md
│ ├── win_apt_emissarypanda_sep19.md
│ ├── win_apt_empiremonkey.md
│ ├── win_apt_equationgroup_dll_u_load.md
│ ├── win_apt_gallium.md
│ ├── win_apt_hurricane_panda.md
│ ├── win_apt_judgement_panda_gtr19.md
│ ├── win_apt_mustangpanda.md
│ ├── win_apt_slingshot.md
│ ├── win_apt_sofacy.md
│ ├── win_apt_stonedrill.md
│ ├── win_apt_ta17_293a_ps.md
│ ├── win_apt_tropictrooper.md
│ ├── win_apt_turla_commands.md
│ ├── win_apt_turla_service_png.md
│ ├── win_apt_unidentified_nov_18.md
│ ├── win_apt_winnti_mal_hk_jan20.md
│ ├── win_apt_wocao.md
│ ├── win_apt_zxshell.md
│ ├── win_atsvc_task.md
│ ├── win_attrib_hiding_files.md
│ ├── win_audit_cve.md
│ ├── win_av_relevant_match.md
│ ├── win_bootconf_mod.md
│ ├── win_bypass_squiblytwo.md
│ ├── win_change_default_file_association.md
│ ├── win_cmdkey_recon.md
│ ├── win_cmstp_com_object_access.md
│ ├── win_control_panel_item.md
│ ├── win_copying_sensitive_files_with_credential_data.md
│ ├── win_crime_fireball.md
│ ├── win_data_compressed_with_rar.md
│ ├── win_dcsync.md
│ ├── win_defender_bypass.md
│ ├── win_disable_event_logging.md
│ ├── win_dns_exfiltration_tools_execution.md
│ ├── win_dpapi_domain_backupkey_extraction.md
│ ├── win_dpapi_domain_masterkey_backup_attempt.md
│ ├── win_dsquery_domain_trust_discovery.md
│ ├── win_encoded_frombase64string.md
│ ├── win_encoded_iex.md
│ ├── win_etw_trace_evasion.md
│ ├── win_exfiltration_and_tunneling_tools_execution.md
│ ├── win_exploit_cve_2015_1641.md
│ ├── win_exploit_cve_2017_0261.md
│ ├── win_exploit_cve_2017_11882.md
│ ├── win_exploit_cve_2017_8759.md
│ ├── win_exploit_cve_2019_1378.md
│ ├── win_exploit_cve_2019_1388.md
│ ├── win_exploit_cve_2020_10189.md
│ ├── win_external_device.md
│ ├── win_file_permission_modifications.md
│ ├── win_grabbing_sensitive_hives_via_reg.md
│ ├── win_hack_bloodhound.md
│ ├── win_hack_koadic.md
│ ├── win_hack_rubeus.md
│ ├── win_hack_secutyxploded.md
│ ├── win_hack_smbexec.md
│ ├── win_hh_chm.md
│ ├── win_hktl_createminidump.md
│ ├── win_html_help_spawn.md
│ ├── win_hwp_exploits.md
│ ├── win_impacket_lateralization.md
│ ├── win_impacket_secretdump.md
│ ├── win_indirect_cmd.md
│ ├── win_install_reg_debugger_backdoor.md
│ ├── win_interactive_at.md
│ ├── win_invoke_obfuscation_obfuscated_iex_commandline.md
│ ├── win_invoke_obfuscation_obfuscated_iex_services.md
│ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.md
│ ├── win_lethalhta.md
│ ├── win_lm_namedpipe.md
│ ├── win_local_system_owner_account_discovery.md
│ ├── win_lsass_access_non_system_account.md
│ ├── win_lsass_dump.md
│ ├── win_mal_adwind.md
│ ├── win_mal_creddumper.md
│ ├── win_mal_ryuk.md
│ ├── win_mal_service_installs.md
│ ├── win_mal_ursnif.md
│ ├── win_mal_wceaux_dll.md
│ ├── win_malware_dridex.md
│ ├── win_malware_dtrack.md
│ ├── win_malware_emotet.md
│ ├── win_malware_formbook.md
│ ├── win_malware_notpetya.md
│ ├── win_malware_qbot.md
│ ├── win_malware_ryuk.md
│ ├── win_malware_script_dropper.md
│ ├── win_malware_trickbot_recon_activity.md
│ ├── win_malware_wannacry.md
│ ├── win_mavinject_proc_inj.md
│ ├── win_meterpreter_or_cobaltstrike_getsystem_service_installation.md
│ ├── win_meterpreter_or_cobaltstrike_getsystem_service_start.md
│ ├── win_mimikatz_command_line.md
│ ├── win_mmc20_lateral_movement.md
│ ├── win_mmc_spawn_shell.md
│ ├── win_mshta_javascript.md
│ ├── win_mshta_spawn_shell.md
│ ├── win_multiple_suspicious_cli.md
│ ├── win_net_enum.md
│ ├── win_net_ntlm_downgrade.md
│ ├── win_net_user_add.md
│ ├── win_netsh_fw_add.md
│ ├── win_netsh_packet_capture.md
│ ├── win_netsh_port_fwd.md
│ ├── win_netsh_port_fwd_3389.md
│ ├── win_network_sniffing.md
│ ├── win_new_or_renamed_user_account_with_dollar_sign.md
│ ├── win_new_service_creation.md
│ ├── win_non_interactive_powershell.md
│ ├── win_office_shell.md
│ ├── win_office_spawn_exe_from_users_directory.md
│ ├── win_overpass_the_hash.md
│ ├── win_pass_the_hash.md
│ ├── win_pass_the_hash_2.md
│ ├── win_plugx_susp_exe_locations.md
│ ├── win_possible_applocker_bypass.md
│ ├── win_possible_dc_sync.md
│ ├── win_possible_privilege_escalation_using_rotten_potato.md
│ ├── win_powershell_amsi_bypass.md
│ ├── win_powershell_audio_capture.md
│ ├── win_powershell_b64_shellcode.md
│ ├── win_powershell_bitsjob.md
│ ├── win_powershell_dll_execution.md
│ ├── win_powershell_downgrade_attack.md
│ ├── win_powershell_download.md
│ ├── win_powershell_frombase64string.md
│ ├── win_powershell_suspicious_parameter_variation.md
│ ├── win_powershell_xor_commandline.md
│ ├── win_powersploit_empire_schtasks.md
│ ├── win_proc_wrong_parent.md
│ ├── win_process_creation_bitsadmin_download.md
│ ├── win_process_dump_rundll32_comsvcs.md
│ ├── win_protected_storage_service_access.md
│ ├── win_psexesvc_start.md
│ ├── win_quarkspwdump_clearing_hive_access_history.md
│ ├── win_query_registry.md
│ ├── win_rare_schtask_creation.md
│ ├── win_rare_schtasks_creations.md
│ ├── win_rare_service_installs.md
│ ├── win_rdp_bluekeep_poc_scanner.md
│ ├── win_rdp_hijack_shadowing.md
│ ├── win_rdp_localhost_login.md
│ ├── win_rdp_potential_cve-2019-0708.md
│ ├── win_rdp_reverse_tunnel.md
│ ├── win_register_new_logon_process_by_rubeus.md
│ ├── win_remote_powershell_session.md
│ ├── win_remote_powershell_session_process.md
│ ├── win_remote_registry_management_using_reg_utility.md
│ ├── win_remote_time_discovery.md
│ ├── win_renamed_binary.md
│ ├── win_renamed_binary_highly_relevant.md
│ ├── win_renamed_paexec.md
│ ├── win_run_powershell_script_from_ads.md
│ ├── win_sam_registry_hive_handle_request.md
│ ├── win_scm_database_handle_failure.md
│ ├── win_scm_database_privileged_operation.md
│ ├── win_sdbinst_shim_persistence.md
│ ├── win_service_execution.md
│ ├── win_service_stop.md
│ ├── win_shadow_copies_access_symlink.md
│ ├── win_shadow_copies_creation.md
│ ├── win_shadow_copies_deletion.md
│ ├── win_shell_spawn_susp_program.md
│ ├── win_silenttrinity_stage_use.md
│ ├── win_soundrec_audio_capture.md
│ ├── win_spn_enum.md
│ ├── win_susp_add_domain_trust.md
│ ├── win_susp_add_sid_history.md
│ ├── win_susp_backup_delete.md
│ ├── win_susp_bcdedit.md
│ ├── win_susp_bginfo.md
│ ├── win_susp_calc.md
│ ├── win_susp_cdb.md
│ ├── win_susp_certutil_command.md
│ ├── win_susp_certutil_encode.md
│ ├── win_susp_cli_escape.md
│ ├── win_susp_cmd_http_appdata.md
│ ├── win_susp_codeintegrity_check_failure.md
│ ├── win_susp_codepage_switch.md
│ ├── win_susp_commands_recon_activity.md
│ ├── win_susp_compression_params.md
│ ├── win_susp_comsvcs_procdump.md
│ ├── win_susp_control_dll_load.md
│ ├── win_susp_copy_lateral_movement.md
│ ├── win_susp_csc.md
│ ├── win_susp_csc_folder.md
│ ├── win_susp_curl_start_combo.md
│ ├── win_susp_dctask64_proc_inject.md
│ ├── win_susp_devtoolslauncher.md
│ ├── win_susp_dhcp_config.md
│ ├── win_susp_dhcp_config_failed.md
│ ├── win_susp_direct_asep_reg_keys_modification.md
│ ├── win_susp_dns_config.md
│ ├── win_susp_dnx.md
│ ├── win_susp_double_extension.md
│ ├── win_susp_dsrm_password_change.md
│ ├── win_susp_dxcap.md
│ ├── win_susp_eventlog_clear.md
│ ├── win_susp_eventlog_cleared.md
│ ├── win_susp_exec_folder.md
│ ├── win_susp_execution_path.md
│ ├── win_susp_execution_path_webserver.md
│ ├── win_susp_failed_logon_reasons.md
│ ├── win_susp_failed_logons_single_source.md
│ ├── win_susp_firewall_disable.md
│ ├── win_susp_fsutil_usage.md
│ ├── win_susp_gup.md
│ ├── win_susp_interactive_logons.md
│ ├── win_susp_iss_module_install.md
│ ├── win_susp_kerberos_manipulation.md
│ ├── win_susp_ldap_dataexchange.md
│ ├── win_susp_local_anon_logon_created.md
│ ├── win_susp_lsass_dump.md
│ ├── win_susp_lsass_dump_generic.md
│ ├── win_susp_mshta_execution.md
│ ├── win_susp_msiexec_cwd.md
│ ├── win_susp_msiexec_web_install.md
│ ├── win_susp_msmpeng_crash.md
│ ├── win_susp_msoffice.md
│ ├── win_susp_net_execution.md
│ ├── win_susp_net_recon_activity.md
│ ├── win_susp_netsh_dll_persistence.md
│ ├── win_susp_ntdsutil.md
│ ├── win_susp_ntlm_auth.md
│ ├── win_susp_odbcconf.md
│ ├── win_susp_openwith.md
│ ├── win_susp_outlook.md
│ ├── win_susp_outlook_temp.md
│ ├── win_susp_ping_hex_ip.md
│ ├── win_susp_powershell_empire_launch.md
│ ├── win_susp_powershell_empire_uac_bypass.md
│ ├── win_susp_powershell_enc_cmd.md
│ ├── win_susp_powershell_hidden_b64_cmd.md
│ ├── win_susp_powershell_parent_combo.md
│ ├── win_susp_procdump.md
│ ├── win_susp_process_creations.md
│ ├── win_susp_prog_location_process_starts.md
│ ├── win_susp_ps_appdata.md
│ ├── win_susp_ps_downloadfile.md
│ ├── win_susp_psexec.md
│ ├── win_susp_psr_capture_screenshots.md
│ ├── win_susp_raccess_sensitive_fext.md
│ ├── win_susp_rasdial_activity.md
│ ├── win_susp_rc4_kerberos.md
│ ├── win_susp_recon_activity.md
│ ├── win_susp_regsvr32_anomalies.md
│ ├── win_susp_renamed_dctask64.md
│ ├── win_susp_rottenpotato.md
│ ├── win_susp_run_locations.md
│ ├── win_susp_rundll32_activity.md
│ ├── win_susp_rundll32_by_ordinal.md
│ ├── win_susp_sam_dump.md
│ ├── win_susp_samr_pwset.md
│ ├── win_susp_schtask_creation.md
│ ├── win_susp_script_execution.md
│ ├── win_susp_sdelete.md
│ ├── win_susp_security_eventlog_cleared.md
│ ├── win_susp_service_path_modification.md
│ ├── win_susp_squirrel_lolbin.md
│ ├── win_susp_svchost.md
│ ├── win_susp_svchost_no_cli.md
│ ├── win_susp_sysprep_appdata.md
│ ├── win_susp_sysvol_access.md
│ ├── win_susp_taskmgr_localsystem.md
│ ├── win_susp_taskmgr_parent.md
│ ├── win_susp_time_modification.md
│ ├── win_susp_tscon_localsystem.md
│ ├── win_susp_tscon_rdp_redirect.md
│ ├── win_susp_use_of_csharp_console.md
│ ├── win_susp_userinit_child.md
│ ├── win_susp_whoami.md
│ ├── win_susp_wmi_execution.md
│ ├── win_susp_wmi_login.md
│ ├── win_suspicious_outbound_kerberos_connection.md
│ ├── win_svcctl_remote_service.md
│ ├── win_syskey_registry_access.md
│ ├── win_sysmon_driver_unload.md
│ ├── win_system_exe_anomaly.md
│ ├── win_tap_driver_installation.md
│ ├── win_tap_installer_execution.md
│ ├── win_task_folder_evasion.md
│ ├── win_termserv_proc_spawn.md
│ ├── win_tool_psexec.md
│ ├── win_transferring_files_with_credential_data_via_network_shares.md
│ ├── win_trust_discovery.md
│ ├── win_uac_cmstp.md
│ ├── win_uac_fodhelper.md
│ ├── win_uac_wsreset.md
│ ├── win_usb_device_plugged.md
│ ├── win_user_added_to_local_administrators.md
│ ├── win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.md
│ ├── win_user_creation.md
│ ├── win_user_driver_loaded.md
│ ├── win_using_sc_to_change_sevice_image_path_by_non_admin.md
│ ├── win_vul_cve_2020_0688.md
│ ├── win_vul_java_remote_debugging.md
│ ├── win_webshell_detection.md
│ ├── win_webshell_spawn.md
│ ├── win_whoami_as_system.md
│ ├── win_win10_sched_task_0day.md
│ ├── win_wmi_backdoor_exchange_transport_agent.md
│ ├── win_wmi_persistence.md
│ ├── win_wmi_persistence_script_event_consumer.md
│ ├── win_wmi_spwns_powershell.md
│ ├── win_wmiprvse_spawning_process.md
│ ├── win_workflow_compiler.md
│ ├── win_wsreset_uac_bypass.md
│ └── win_xsl_script_processing.md
├── Enrichments
│ ├── EN_0001_cache_sysmon_event_id_1_info.md
│ ├── EN_0002_enrich_sysmon_event_id_1_with_parent_info.md
│ ├── EN_0003_enrich_other_sysmon_events_with_event_id_1_data.md
│ ├── EN_0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint.md
│ └── EN_0005_cache_TargetFilePathFingerprint_from_enriched_sysmon_event_id_11.md
├── Hardening_Policies
│ └── HP_0001_windows_LocalAccountTokenFilterPolicy.md
├── Logging_Policies
│ ├── LP_0001_windows_audit_process_creation.md
│ ├── LP_0002_windows_audit_process_creation_with_commandline.md
│ ├── LP_0003_windows_sysmon_process_creation.md
│ ├── LP_0004_windows_audit_logon.md
│ ├── LP_0005_windows_sysmon_network_connection.md
│ ├── LP_0006_windows_sysmon_image_loaded.md
│ ├── LP_0007_windows_sysmon_ProcessAccess.md
│ ├── LP_0008_windows_sysmon_FileCreate.md
│ ├── LP_0009_windows_sysmon_PipeEvent.md
│ ├── LP_0010_windows_sysmon_WmiEvent.md
│ ├── LP_0011_windows_sysmon_DnsQuery.md
│ ├── LP_0025_windows_audit_directory_service_changes.md
│ ├── LP_0026_windows_audit_user_account_management.md
│ ├── LP_0027_windows_audit_directory_service_access.md
│ ├── LP_0028_windows_audit_sam.md
│ ├── LP_0029_windows_audit_detailed_file_share.md
│ ├── LP_0030_windows_audit_file_share.md
│ ├── LP_0031_linux_auditd_execve.md
│ ├── LP_0032_linux_auditd_read_access_to_file.md
│ ├── LP_0033_linux_auditd_syscall.md
│ ├── LP_0034_linux_named_client_security_log.md
│ ├── LP_0037_windows_audit_audit_policy_change.md
│ ├── LP_0038_windows_audit_kerberos_authentication_service.md
│ ├── LP_0039_windows_audit_kernel_object.md
│ ├── LP_0041_windows_audit_other_object_access_events.md
│ ├── LP_0042_windows_audit_handle_manipulation.md
│ ├── LP_0044_windows_ntlm_audit.md
│ ├── LP_0045_windows_audit_filtering_platform_connection.md
│ ├── LP_0046_windows_audit_security_state_change.md
│ ├── LP_0047_BIND_DNS_queries.md
│ ├── LP_0048_Passive_DNS_logging.md
│ ├── LP_0100_windows_audit_security_system_extension.md
│ ├── LP_0101_windows_audit_security_group_management.md
│ ├── LP_0102_windows_audit_file_system.md
│ ├── LP_0103_windows_audit_registry.md
│ ├── LP_0104_windows_audit_removable_storage.md
│ ├── LP_0105_windows_audit_authorization_policy_change.md
│ ├── LP_0106_windows_audit_kerberos_service_ticket_operations.md
│ ├── LP_0107_windows_audit_credential_validation.md
│ ├── LP_0108_windows_powershell_module_logging.md
│ ├── LP_0109_windows_powershell_script_block_log.md
│ └── LP_0110_windows_powershell_transcript.md
├── Mitigation_Policies
│ └── MP_0001_windows_asr_block_credential_stealing_from_lsass.md
├── Mitigation_Systems
│ └── MS_0001_microsoft_defender_advanced_threat_protection.md
├── Response_Actions
│ ├── RA_1001_practice.md
│ ├── RA_1002_take_trainings.md
│ ├── RA_1003_raise_personnel_awareness.md
│ ├── RA_1004_make_personnel_report_suspicious_activity.md
│ ├── RA_1005_set_up_relevant_data_collection.md
│ ├── RA_1006_set_up_a_centralized_long-term_log_storage.md
│ ├── RA_1007_develop_communication_map.md
│ ├── RA_1008_make_sure_there_are_backups.md
│ ├── RA_1009_get_network_architecture_map.md
│ ├── RA_1010_get_access_control_matrix.md
│ ├── RA_1011_develop_assets_knowledge_base.md
│ ├── RA_1012_check_analysis_toolset.md
│ ├── RA_1013_access_vulnerability_management_system_logs.md
│ ├── RA_1014_connect_with_trusted_communities.md
│ ├── RA_1101_access_external_network_flow_logs.md
│ ├── RA_1102_access_internal_network_flow_logs.md
│ ├── RA_1103_access_internal_http_logs.md
│ ├── RA_1104_access_external_http_logs.md
│ ├── RA_1105_access_internal_dns_logs.md
│ ├── RA_1106_access_external_dns_logs.md
│ ├── RA_1107_access_vpn_logs.md
│ ├── RA_1108_access_dhcp_logs.md
│ ├── RA_1109_access_internal_packet_capture_data.md
│ ├── RA_1110_access_external_packet_capture_data.md
│ ├── RA_1111_get_ability_to_block_external_ip_address.md
│ ├── RA_1112_get_ability_to_block_internal_ip_address.md
│ ├── RA_1113_get_ability_to_block_external_domain.md
│ ├── RA_1114_get_ability_to_block_internal_domain.md
│ ├── RA_1115_get_ability_to_block_external_url.md
│ ├── RA_1116_get_ability_to_block_internal_url.md
│ ├── RA_1117_get_ability_to_block_port_external_communication.md
│ ├── RA_1118_get_ability_to_block_port_internal_communication.md
│ ├── RA_1119_get_ability_to_block_user_external_communication.md
│ ├── RA_1120_get_ability_to_block_user_internal_communication.md
│ ├── RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md
│ ├── RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md
│ ├── RA_1123_get_ability_to_list_data_transferred.md
│ ├── RA_1124_get_ability_to_collect_transferred_data.md
│ ├── RA_1125_get_ability_to_identify_transferred_data.md
│ ├── RA_1126_find_data_transferred_by_content_pattern.md
│ ├── RA_1201_get_ability_to_list_users_opened_email_message.md
│ ├── RA_1202_get_ability_to_list_email_message_receivers.md
│ ├── RA_1203_get_ability_to_block_email_domain.md
│ ├── RA_1204_get_ability_to_block_email_sender.md
│ ├── RA_1205_get_ability_to_delete_email_message.md
│ ├── RA_1206_get_ability_to_quarantine_email_message.md
│ ├── RA_1207_get_ability_to_collect_email_message.md
│ ├── RA_1301_get_ability_to_list_files_created.md
│ ├── RA_1302_get_ability_to_list_files_modified.md
│ ├── RA_1303_get_ability_to_list_files_deleted.md
│ ├── RA_1304_get_ability_to_list_files_downloaded.md
│ ├── RA_1305_get_ability_to_list_files_with_tampered_timestamps.md
│ ├── RA_1306_get_ability_to_find_file_by_path.md
│ ├── RA_1307_get_ability_to_find_file_by_metadata.md
│ ├── RA_1308_get_ability_to_find_file_by_hash.md
│ ├── RA_1309_get_ability_to_find_file_by_format.md
│ ├── RA_1310_get_ability_to_find_file_by_content_pattern.md
│ ├── RA_1311_get_ability_to_collect_file.md
│ ├── RA_1312_get_ability_to_quarantine_file_by_path.md
│ ├── RA_1313_get_ability_to_quarantine_file_by_hash.md
│ ├── RA_1314_get_ability_to_quarantine_file_by_format.md
│ ├── RA_1315_get_ability_to_quarantine_file_by_content_pattern.md
│ ├── RA_1316_get_ability_to_remove_file.md
│ ├── RA_1317_get_ability_to_analyse_file_hash.md
│ ├── RA_1318_get_ability_to_analyse_windows_pe.md
│ ├── RA_1319_get_ability_to_analyse_macos_macho.md
│ ├── RA_1320_get_ability_to_analyse_unix_elf.md
│ ├── RA_1321_get_ability_to_analyse_ms_office_file.md
│ ├── RA_1322_get_ability_to_analyse_pdf_file.md
│ ├── RA_1323_get_ability_to_analyse_script.md
│ ├── RA_1401_get_ability_to_list_processes_executed.md
│ ├── RA_1402_get_ability_to_find_process_by_executable_path.md
│ ├── RA_1403_get_ability_to_find_process_by_executable_metadata.md
│ ├── RA_1404_get_ability_to_find_process_by_executable_hash.md
│ ├── RA_1405_get_ability_to_find_process_by_executable_format.md
│ ├── RA_1406_get_ability_to_find_process_by_executable_content_pattern.md
│ ├── RA_1407_get_ability_to_block_process_by_executable_path.md
│ ├── RA_1408_get_ability_to_block_process_by_executable_metadata.md
│ ├── RA_1409_get_ability_to_block_process_by_executable_hash.md
│ ├── RA_1410_get_ability_to_block_process_by_executable_format.md
│ ├── RA_1411_get_ability_to_block_process_by_executable_content_pattern.md
│ ├── RA_1501_manage_remote_computer_management_system_policies.md
│ ├── RA_1502_get_ability_to_list_registry_keys_modified.md
│ ├── RA_1503_get_ability_to_list_registry_keys_deleted.md
│ ├── RA_1504_get_ability_to_list_registry_keys_accessed.md
│ ├── RA_1505_get_ability_to_list_registry_keys_created.md
│ ├── RA_1506_get_ability_to_list_services_created.md
│ ├── RA_1507_get_ability_to_list_services_modified.md
│ ├── RA_1508_get_ability_to_list_services_deleted.md
│ ├── RA_1509_get_ability_to_remove_registry_key.md
│ ├── RA_1510_get_ability_to_remove_service.md
│ ├── RA_1601_manage_identity_management_system.md
│ ├── RA_1602_get_ability_to_lock_user_account.md
│ ├── RA_1603_get_ability_to_list_users_authenticated.md
│ ├── RA_1604_get_ability_to_revoke_authentication_credentials.md
│ ├── RA_1605_get_ability_to_remove_user_account.md
│ ├── RA_2001_list_victims_of_security_alert.md
│ ├── RA_2002_list_host_vulnerabilities.md
│ ├── RA_2003_put_compromised_accounts_on_monitoring.md
│ ├── RA_2101_list_hosts_communicated_with_internal_domain.md
│ ├── RA_2102_list_hosts_communicated_with_internal_ip.md
│ ├── RA_2103_list_hosts_communicated_with_internal_url.md
│ ├── RA_2104_analyse_domain_name.md
│ ├── RA_2105_analyse_ip.md
│ ├── RA_2106_analyse_uri.md
│ ├── RA_2107_list_hosts_communicated_by_port.md
│ ├── RA_2108_list_hosts_connected_to_vpn.md
│ ├── RA_2109_list_hosts_connected_to_intranet.md
│ ├── RA_2110_list_data_transferred.md
│ ├── RA_2111_collect_transferred_data.md
│ ├── RA_2112_identify_transferred_data.md
│ ├── RA_2113_list_hosts_communicated_with_external_domain.md
│ ├── RA_2114_list_hosts_communicated_with_external_ip.md
│ ├── RA_2115_list_hosts_communicated_with_external_url.md
│ ├── RA_2116_find_data_transferred_by_content_pattern.md
│ ├── RA_2201_list_users_opened_email_message.md
│ ├── RA_2202_collect_email_message.md
│ ├── RA_2203_list_email_message_receivers.md
│ ├── RA_2204_make_sure_email_message_is_phishing.md
│ ├── RA_2205_extract_observables_from_email_message.md
│ ├── RA_2301_list_files_created.md
│ ├── RA_2302_list_files_modified.md
│ ├── RA_2303_list_files_deleted.md
│ ├── RA_2304_list_files_downloaded.md
│ ├── RA_2305_list_files_with_tampered_timestamps.md
│ ├── RA_2306_find_file_by_path.md
│ ├── RA_2307_find_file_by_metadata.md
│ ├── RA_2308_find_file_by_hash.md
│ ├── RA_2309_find_file_by_format.md
│ ├── RA_2310_find_file_by_content_pattern.md
│ ├── RA_2311_collect_file.md
│ ├── RA_2312_analyse_file_hash.md
│ ├── RA_2313_analyse_windows_pe.md
│ ├── RA_2314_analyse_macos_macho.md
│ ├── RA_2315_analyse_unix_elf.md
│ ├── RA_2316_analyse_ms_office_file.md
│ ├── RA_2317_analyse_pdf_file.md
│ ├── RA_2318_analyse_script.md
│ ├── RA_2401_list_processes_executed.md
│ ├── RA_2402_find_process_by_executable_path.md
│ ├── RA_2403_find_process_by_executable_metadata.md
│ ├── RA_2404_find_process_by_executable_hash.md
│ ├── RA_2405_find_process_by_executable_format.md
│ ├── RA_2406_find_process_by_executable_content_pattern.md
│ ├── RA_2501_list_registry_keys_modified.md
│ ├── RA_2502_list_registry_keys_deleted.md
│ ├── RA_2503_list_registry_keys_accessed.md
│ ├── RA_2504_list_registry_keys_created.md
│ ├── RA_2505_list_services_created.md
│ ├── RA_2506_list_services_modified.md
│ ├── RA_2507_list_services_deleted.md
│ ├── RA_2601_list_users_authenticated.md
│ ├── RA_3001_patch_vulnerability.md
│ ├── RA_3101_block_external_ip_address.md
│ ├── RA_3102_block_internal_ip_address.md
│ ├── RA_3103_block_external_domain.md
│ ├── RA_3104_block_internal_domain.md
│ ├── RA_3105_block_external_url.md
│ ├── RA_3106_block_internal_url.md
│ ├── RA_3107_block_port_external_communication.md
│ ├── RA_3108_block_port_internal_communication.md
│ ├── RA_3109_block_user_external_communication.md
│ ├── RA_3110_block_user_internal_communication.md
│ ├── RA_3111_block_data_transferring_by_content_pattern.md
│ ├── RA_3201_block_domain_on_email.md
│ ├── RA_3202_block_sender_on_email.md
│ ├── RA_3203_quarantine_email_message.md
│ ├── RA_3301_quarantine_file_by_format.md
│ ├── RA_3302_quarantine_file_by_hash.md
│ ├── RA_3303_quarantine_file_by_path.md
│ ├── RA_3304_quarantine_file_by_content_pattern.md
│ ├── RA_3401_block_process_by_executable_path.md
│ ├── RA_3402_block_process_by_executable_metadata.md
│ ├── RA_3403_block_process_by_executable_hash.md
│ ├── RA_3404_block_process_by_executable_format.md
│ ├── RA_3405_block_process_by_executable_content_pattern.md
│ ├── RA_3501_disable_system_service.md
│ ├── RA_3601_lock_user_account.md
│ ├── RA_4001_report_incident_to_external_companies.md
│ ├── RA_4101_remove_rogue_network_device.md
│ ├── RA_4201_delete_email_message.md
│ ├── RA_4301_remove_file.md
│ ├── RA_4501_remove_registry_key.md
│ ├── RA_4502_remove_service.md
│ ├── RA_4601_revoke_authentication_credentials.md
│ ├── RA_4602_remove_user_account.md
│ ├── RA_5001_reinstall_host_from_golden_image.md
│ ├── RA_5002_restore_data_from_backup.md
│ ├── RA_5101_unblock_blocked_ip.md
│ ├── RA_5102_unblock_blocked_domain.md
│ ├── RA_5103_unblock_blocked_url.md
│ ├── RA_5104_unblock_blocked_port.md
│ ├── RA_5105_unblock_blocked_user.md
│ ├── RA_5201_unblock_domain_on_email.md
│ ├── RA_5202_unblock_sender_on_email.md
│ ├── RA_5203_restore_quarantined_email_message.md
│ ├── RA_5301_restore_quarantined_file.md
│ ├── RA_5401_unblock_blocked_process.md
│ ├── RA_5501_enable_disabled_service.md
│ ├── RA_5601_unlock_locked_user_account.md
│ ├── RA_6001_develop_incident_report.md
│ └── RA_6002_conduct_lessons_learned_exercise.md
├── Response_Playbooks
│ └── RP_0001_phishing_email.md
├── Response_Stages
│ ├── RS0001.md
│ ├── RS0002.md
│ ├── RS0003.md
│ ├── RS0004.md
│ ├── RS0005.md
│ ├── RS0006.md
│ └── responsestages.md
├── Triggers
│ ├── T1002.md
│ ├── T1003.md
│ ├── T1004.md
│ ├── T1005.md
│ ├── T1007.md
│ ├── T1009.md
│ ├── T1010.md
│ ├── T1012.md
│ ├── T1014.md
│ ├── T1015.md
│ ├── T1016.md
│ ├── T1018.md
│ ├── T1022.md
│ ├── T1023.md
│ ├── T1027.md
│ ├── T1028.md
│ ├── T1030.md
│ ├── T1031.md
│ ├── T1032.md
│ ├── T1033.md
│ ├── T1035.md
│ ├── T1036.md
│ ├── T1037.md
│ ├── T1038.md
│ ├── T1040.md
│ ├── T1042.md
│ ├── T1044.md
│ ├── T1046.md
│ ├── T1047.md
│ ├── T1048.md
│ ├── T1049.md
│ ├── T1050.md
│ ├── T1053.md
│ ├── T1055.md
│ ├── T1056.md
│ ├── T1057.md
│ ├── T1058.md
│ ├── T1059.md
│ ├── T1060.md
│ ├── T1062.md
│ ├── T1063.md
│ ├── T1064.md
│ ├── T1065.md
│ ├── T1069.md
│ ├── T1070.md
│ ├── T1071.md
│ ├── T1073.md
│ ├── T1074.md
│ ├── T1075.md
│ ├── T1076.md
│ ├── T1077.md
│ ├── T1081.md
│ ├── T1082.md
│ ├── T1083.md
│ ├── T1084.md
│ ├── T1085.md
│ ├── T1086.md
│ ├── T1087.md
│ ├── T1088.md
│ ├── T1089.md
│ ├── T1090.md
│ ├── T1093.md
│ ├── T1095.md
│ ├── T1096.md
│ ├── T1097.md
│ ├── T1098.md
│ ├── T1099.md
│ ├── T1100.md
│ ├── T1101.md
│ ├── T1102.md
│ ├── T1103.md
│ ├── T1105.md
│ ├── T1107.md
│ ├── T1110.md
│ ├── T1112.md
│ ├── T1113.md
│ ├── T1114.md
│ ├── T1115.md
│ ├── T1117.md
│ ├── T1118.md
│ ├── T1119.md
│ ├── T1121.md
│ ├── T1123.md
│ ├── T1124.md
│ ├── T1126.md
│ ├── T1127.md
│ ├── T1128.md
│ ├── T1130.md
│ ├── T1132.md
│ ├── T1135.md
│ ├── T1136.md
│ ├── T1137.md
│ ├── T1138.md
│ ├── T1139.md
│ ├── T1140.md
│ ├── T1141.md
│ ├── T1142.md
│ ├── T1143.md
│ ├── T1144.md
│ ├── T1145.md
│ ├── T1146.md
│ ├── T1147.md
│ ├── T1148.md
│ ├── T1150.md
│ ├── T1151.md
│ ├── T1152.md
│ ├── T1153.md
│ ├── T1154.md
│ ├── T1155.md
│ ├── T1156.md
│ ├── T1158.md
│ ├── T1159.md
│ ├── T1160.md
│ ├── T1163.md
│ ├── T1164.md
│ ├── T1165.md
│ ├── T1166.md
│ ├── T1168.md
│ ├── T1169.md
│ ├── T1170.md
│ ├── T1173.md
│ ├── T1174.md
│ ├── T1176.md
│ ├── T1179.md
│ ├── T1180.md
│ ├── T1183.md
│ ├── T1191.md
│ ├── T1193.md
│ ├── T1196.md
│ ├── T1197.md
│ ├── T1201.md
│ ├── T1202.md
│ ├── T1204.md
│ ├── T1206.md
│ ├── T1207.md
│ ├── T1208.md
│ ├── T1214.md
│ ├── T1215.md
│ ├── T1216.md
│ ├── T1217.md
│ ├── T1218.md
│ ├── T1219.md
│ ├── T1220.md
│ ├── T1222.md
│ ├── T1223.md
│ ├── T1482.md
│ ├── T1485.md
│ ├── T1489.md
│ ├── T1490.md
│ ├── T1496.md
│ ├── T1500.md
│ ├── T1501.md
│ ├── T1502.md
│ ├── T1504.md
│ ├── T1505.md
│ ├── T1518.md
│ ├── T1519.md
│ ├── T1529.md
│ └── T1531.md
├── Use_Cases
│ ├── UC_0001_TESTUSECASE.md
│ └── UC_0002_INITIALACCESS.md
└── index.md
├── CONTRIBUTING.md
├── DEVELOP.md
├── Dockerfile
├── LICENSE
├── Makefile
├── README.md
├── README_PL.md
├── README_RU.md
├── analytics
├── generated
│ ├── analytics.csv
│ ├── atc_es_index.json
│ ├── attack_navigator_profiles
│ │ ├── atc_attack_navigator_profile.json
│ │ ├── atc_attack_navigator_profile_CU_0001_TESTCUSTOMER.json
│ │ └── atc_attack_navigator_profile_CU_0002_TESTCUSTOMER2.json
│ ├── pivoting.csv
│ ├── react_navigator_profile.json
│ └── thehive_templates
│ │ └── RP_0001_phishing_email.json
└── predefined
│ ├── atc-analytics-dashboard.json
│ ├── atc-analytics-index-pattern.json
│ └── atc-analytics-index-template.json
├── customers
├── CU_0001_TESTCUSTOMER.yml
├── CU_0002_TESTCUSTOMER2.yml
└── customer.yml.template
├── docker-entrypoint.sh
├── images
├── analytics_pth_v1.png
├── atc_analytics_dashboard.png
├── atc_scheme_v2.jpg
├── cu_confluence_v1.png
├── cu_markdown_v1.png
├── cu_yaml_v1.png
├── dashboard_v1.png
├── dashboard_yaml_v1.png
├── dataneeded_v1.png
├── dn_confluence_v1.png
├── dn_markdown_v1.png
├── dr_confluence_v1.png
├── dr_markdown_v1.png
├── en_confluence_v1.png
├── en_markdown_v1.png
├── en_yaml_v1.png
├── loggingpolicy.png
├── logo_v1.png
├── lp_confluence_v1.png
├── lp_markdown_v1.png
├── navigator_v1.png
├── pivoting_hash_v1.png
├── pivoting_parent_v1.png
├── ra_confluence_v3.png
├── ra_markdown_v3.png
├── ra_yaml_v3.png
├── rp_confluence_v3.png
├── rp_markdown_v3.png
├── rp_yaml_v3.png
├── sigma_rule.png
├── tg_markdown_v1.png
├── thehive_case_task_v1.png
├── thehive_case_template_v1.png
├── trigger.png
├── trigger_confluence_v1.png
└── visualisation_yaml_v1.png
├── main.py
├── mkdocs.yml
├── requirements.txt
├── run_tests.sh
├── scripts
├── amitt_mapping.py
├── atc_visualizations
│ ├── DEVELOPMENT_README.md
│ ├── README.md
│ ├── TODO.md
│ ├── aggs.py
│ ├── base.py
│ ├── dashboard.py
│ ├── kibana_api.py
│ ├── metrics.py
│ ├── params.py
│ ├── visualisation.py
│ └── yaml_handler.py
├── atcutils.py
├── attack_mapping.py
├── attack_navigator_export.py
├── attack_navigator_per_customer_export.py
├── config.default.yml
├── customer.py
├── detectionrule.py
├── es_index_export.py
├── hardeningpolicy.py
├── init_confluence.py
├── init_markdown.py
├── mitigationpolicy.py
├── mitigationsystem.py
├── populateconfluence.py
├── populatemarkdown.py
├── sigma_mapping.py
├── templates
│ ├── confluence_alert_template.html.j2
│ ├── confluence_customer_template.html.j2
│ ├── confluence_hardeningpolicies_template.html.j2
│ ├── confluence_mitigationpolicies_template.html.j2
│ ├── confluence_mitigationsystems_template.html.j2
│ ├── confluence_trigger_template.html.j2
│ ├── confluence_usecase_template.html.j2
│ ├── markdown_alert_template.md.j2
│ ├── markdown_customer_template.md.j2
│ ├── markdown_hardeningpolicies_template.md.j2
│ ├── markdown_mitigationpolicies_template.md.j2
│ ├── markdown_mitigationsystems_template.md.j2
│ └── markdown_usecase_template.md.j2
├── triggers.py
├── update_amitt_mapping.py
├── update_attack_mapping.py
└── usecases.py
├── tests
├── __init__.py
├── conftest.py
└── test_syntax.py
├── use_cases
├── UC_0001_TESTUSECASE.yml
└── UC_0002_INITIALACCESS.yml
└── visualizations
├── dashboards
├── examples
│ └── test_dashboard_document.yml
└── os_hunting_dashboard.yml
└── visualizations
├── examples
├── metric.yml
├── pie.yml
├── saved_search.yml
└── vert_bar.yml
├── fileshares_operations.yml
├── local_file_operations.yml
├── logon_activities.yml
├── pipe_events.yml
├── powershell_activity.yml
├── process_activities.yml
├── process_execution.yml
├── rdp_activity.yml
├── registry_operations.yml
├── services_and_drivers_operations.yml
├── tasks_operations.yml
└── wmi_activity.yml
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | patreon: yugoslavskiy
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *DS_Store
2 | *__pycache__/*
3 | *.pyc
4 | *.idea
5 | _*
6 | .pytest_cache
7 | # Ignore local configuration
8 | config.yml
9 | Atomic_Threat_Coverage_test
10 | detection_rules/sigma
11 | triggers/atomic-red-team
12 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "detection_rules/sigma"]
2 | path = detection_rules/sigma
3 | url = https://github.com/Neo23x0/sigma
4 | [submodule "triggers/atomic-red-team"]
5 | path = triggers/atomic-red-team
6 | url = https://github.com/redcanaryco/atomic-red-team
7 | [submodule "mitigation/atc-mitigation"]
8 | path = mitigation/atc-mitigation
9 | url = https://github.com/atc-project/atc-mitigation
10 | [submodule "response/atc_react"]
11 | path = response/atc_react
12 | url = https://github.com/atc-project/atc-react
13 | [submodule "data/atc_data"]
14 | path = data/atc_data
15 | url = https://github.com/atc-project/atc-data
16 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | dist: xenial
2 | language: python
3 | python:
4 | - "3.7"
5 |
6 | install: pip install -r requirements.txt
7 |
8 | script: pytest
9 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Data_Needed/DN_0092_unix_generic_syslog.md:
--------------------------------------------------------------------------------
1 | | Title | DN_0092_unix_generic_syslog |
2 | |:-------------------|:------------------|
3 | | **Author** | @atc_project |
4 | | **Description** | Unix generic syslog |
5 | | **Logging Policy** | |
6 | | **References** | - [https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml](https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml)
|
7 | | **Platform** | Unix |
8 | | **Type** | generic |
9 | | **Channel** | syslog |
10 | | **Provider** | syslog |
11 | | **Fields** | |
12 |
13 |
14 | ## Log Samples
15 |
16 | ### Raw Log
17 |
18 | ```
19 | Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
20 |
21 | ```
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Data_Needed/DN_0094_linux_sshd_log.md:
--------------------------------------------------------------------------------
1 | | Title | DN_0094_linux_sshd_log |
2 | |:-------------------|:------------------|
3 | | **Author** | @atc_project |
4 | | **Description** | OpenSSH SSH daemon (sshd) log |
5 | | **Logging Policy** | |
6 | | **References** | - [https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting](https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting)
|
7 | | **Platform** | Linux |
8 | | **Type** | auth |
9 | | **Channel** | auth.log |
10 | | **Provider** | sshd |
11 | | **Fields** | - Hostname
- UserName
- Daemon
- Program
- Message
|
12 |
13 |
14 | ## Log Samples
15 |
16 | ### Raw Log
17 |
18 | ```
19 | May 18 16:41:20 hostname sshd[890]: error: buffer_get_string_ret: buffer_get failed
20 |
21 | ```
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Data_Needed/DN_0097_linux_daemon_log.md:
--------------------------------------------------------------------------------
1 | | Title | DN_0097_linux_daemon_log |
2 | |:-------------------|:------------------|
3 | | **Author** | @atc_project |
4 | | **Description** | The daemons log at /var/log/daemon.log and contains information about running system and application daemons |
5 | | **Logging Policy** | |
6 | | **References** | - [https://help.ubuntu.com/community/LinuxLogFiles](https://help.ubuntu.com/community/LinuxLogFiles)
|
7 | | **Platform** | Linux |
8 | | **Type** | daemon |
9 | | **Channel** | daemon.log |
10 | | **Provider** | many |
11 | | **Fields** | - Hostname
- Daemon
- Program
- Message
|
12 |
13 |
14 | ## Log Samples
15 |
16 | ### Raw Log
17 |
18 | ```
19 | Aug 28 23:39:09 debian-9-x64-atc named[32010]: exiting (due to fatal error)
20 |
21 | ```
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Data_Needed/DN_0098_linux_vsftpd_log.md:
--------------------------------------------------------------------------------
1 | | Title | DN_0098_linux_vsftpd_log |
2 | |:-------------------|:------------------|
3 | | **Author** | @atc_project |
4 | | **Description** | vsftpd (FTP server) log |
5 | | **Logging Policy** | |
6 | | **References** | - [https://en.wikipedia.org/wiki/Vsftpd](https://en.wikipedia.org/wiki/Vsftpd)
- [https://security.appspot.com/vsftpd.html](https://security.appspot.com/vsftpd.html)
|
7 | | **Platform** | Linux |
8 | | **Type** | vsftpd.log |
9 | | **Channel** | vsftpd.log |
10 | | **Provider** | vsftpd |
11 | | **Fields** | - Hostname
- Daemon
- Program
- ClientIP
- PID
- Message
|
12 |
13 |
14 | ## Log Samples
15 |
16 | ### Raw Log
17 |
18 | ```
19 | Sat Jun 2 11:20:19 2018 [pid 3616] CONNECT: Client "ip", "Connection refused: too many sessions for this address."
20 |
21 | ```
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Data_Needed/DN_0099_Bind_DNS_query.md:
--------------------------------------------------------------------------------
1 | | Title | DN_0099_Bind_DNS_query |
2 | |:-------------------|:------------------|
3 | | **Author** | @atc_project |
4 | | **Description** | DNS Query from BIND Server |
5 | | **Logging Policy** | - [LP_0047_BIND_DNS_queries](../Logging_Policies/LP_0047_BIND_DNS_queries.md)
|
6 | | **References** | |
7 | | **Platform** | Linux |
8 | | **Type** | queries log |
9 | | **Channel** | queries_log |
10 | | **Provider** | BIND |
11 | | **Fields** | - date
- record_type
- client_ip
- src_ip
- domain_name
- query
- dns_query
- destination_ip
- dst_ip
- parent_domain
- question_length
|
12 |
13 |
14 | ## Log Samples
15 |
16 | ### Raw Log
17 |
18 | ```
19 | 25-Oct-2019 01:22:19.421 queries: info: client 192.168.1.200#51364 (yahoo.com): query: yahoo.com IN TXT + (192.168.1.235)
20 |
21 | ```
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Data_Needed/DN_0100_Passive_DNS_log.md:
--------------------------------------------------------------------------------
1 | | Title | DN_0100_Passive_DNS_log |
2 | |:-------------------|:------------------|
3 | | **Author** | @atc_project |
4 | | **Description** | Log from Passive DNS |
5 | | **Logging Policy** | - [LP_0048_Passive_DNS_logging](../Logging_Policies/LP_0048_Passive_DNS_logging.md)
|
6 | | **References** | |
7 | | **Platform** | Linux |
8 | | **Type** | queries log |
9 | | **Channel** | passivedns |
10 | | **Provider** | Passive DNS |
11 | | **Fields** | - date
- record_type
- client_ip
- src_ip
- destination_ip
- dst_ip
- ttl
- domain_name
- query
- dns_query
- answer
- parent_domain
- question_length
|
12 |
13 |
14 | ## Log Samples
15 |
16 | ### Raw Log
17 |
18 | ```
19 | 1523230478.705932||192.168.1.235||8.8.8.8||IN||facebook.com.||TXT||"v=spf1 redirect=_spf.facebook.com"||21323||1
20 |
21 | ```
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Data_Needed/DN_0108_150_dns_server_could_not_load_dll.md:
--------------------------------------------------------------------------------
1 | | Title | DN_0108_150_dns_server_could_not_load_dll |
2 | |:-------------------|:------------------|
3 | | **Author** | @atc_project |
4 | | **Description** | Windows DNS server could not load or initialize the plug-in DLL |
5 | | **Logging Policy** | |
6 | | **References** | - [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10))
|
7 | | **Platform** | Windows |
8 | | **Type** | Applications and Services Logs |
9 | | **Channel** | DNS Server |
10 | | **Provider** | Microsoft-Windows-DNS-Server-Service |
11 | | **Fields** | |
12 |
13 |
14 | ## Log Samples
15 |
16 | ### Raw Log
17 |
18 | ```
19 | todo
20 |
21 | ```
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1001_practice.md:
--------------------------------------------------------------------------------
1 | | Title | Practice |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1001 |
4 | | **Description** | Practice in the real environment. Sharpen Response Actions within your organization |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 08.04.2020 |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 |
10 | ### Workflow
11 |
12 | Make sure that most of the Response Action has been performed on an internal exercise by your Incident Response Team.
13 | You need to make sure that when an Incident will happen, the team will not just try to follow the playbooks they see first time in their lives, but will be able to quickly execute the actual steps in **your environment**, i.e. blocking an IP address or a domain name.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1003_raise_personnel_awareness.md:
--------------------------------------------------------------------------------
1 | | Title | Raise personnel awareness |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1003 |
4 | | **Description** | Raise personnel awareness regarding phishing, ransomware, social engineering, and other attacks that involve user interaction |
5 | | **Author** | @atc_project, ported from @MITREattack |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://attack.mitre.org/mitigations/M1017/](https://attack.mitre.org/mitigations/M1017/)
|
10 |
11 | ### Workflow
12 |
13 | Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of
14 | successful spearphishing, social engineering, and other techniques that involve user interaction.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md:
--------------------------------------------------------------------------------
1 | | Title | Make personnel report suspicious activity |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1004 |
4 | | **Description** | Make sure that personnel will report suspicious activity i.e. suspicious emails, links, files, activity on their computers, etc |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 |
10 | ### Workflow
11 |
12 | Develop a simplified, company wide-known way to contact IR team in case of suspicious activity on the user system.
13 | Make sure that the personnel is aware of it, can and will use it.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md:
--------------------------------------------------------------------------------
1 | | Title | Set up a centralized long-term log storage |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1006 |
4 | | **Description** | Set up a centralized long-term log storage. This is one of the most critical problems companies have nowadays. Even if there is such a system, in most of the cases it stores irrelevant data or has too small retention period |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1008_make_sure_there_are_backups.md:
--------------------------------------------------------------------------------
1 | | Title | Make sure there are backups |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1008 |
4 | | **Description** | Make sure there are both online and offline backups. Make sure they are fully operational. In the case of a successful ransomware worm attack, thats the only thing that will help you to safe your critically important data |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1009_get_network_architecture_map.md:
--------------------------------------------------------------------------------
1 | | Title | Get network architecture map |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1009 |
4 | | **Description** | Get network architecture map. Usually, its managed by the Network security team. It will help you to choose the containment strategy, such as isolating specific network segments |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1010_get_access_control_matrix.md:
--------------------------------------------------------------------------------
1 | | Title | Get access control matrix |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1010 |
4 | | **Description** | Get Access Control Matrix. Usually, its managed by the Network security team. It will help you to identify adversary opportunities, such as laterally movement and so on |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1011_develop_assets_knowledge_base.md:
--------------------------------------------------------------------------------
1 | | Title | Develop assets knowledge base |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1011 |
4 | | **Description** | Develop assets knowledge base. It will help you to compare observed activity with a normal activity profile for a specific host, user or network segment |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1012_check_analysis_toolset.md:
--------------------------------------------------------------------------------
1 | | Title | Check analysis toolset |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1012 |
4 | | **Description** | Make sure your toolset for analysis and management is updated and fully operational. Make sure that all the required permissions have been granted as well |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1013_access_vulnerability_management_system_logs.md:
--------------------------------------------------------------------------------
1 | | Title | Access vulnerability management system logs |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1013 |
4 | | **Description** | Access vulnerability management system logs. It will help to identify the vulnerabilities a specific host had at a specific time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1014_connect_with_trusted_communities.md:
--------------------------------------------------------------------------------
1 | | Title | Connect with trusted communities |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1014 |
4 | | **Description** | Connect with trusted communities for information exchange |
5 | | **Author** | Andreas Hunkeler (@Karneades) |
6 | | **Creation Date** | 14.05.2020 |
7 | | **Category** | General |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://www.misp-project.org/](https://www.misp-project.org/)
|
10 | | **Requirements** |- MISP connection to other teams or working on the MISP instance of another institution
- Mailing list
- Slack channel
|
11 |
12 | ### Workflow
13 |
14 | Contact other companies or information providers for getting on a ML or get connected to other MISP instances.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1102_access_internal_network_flow_logs.md:
--------------------------------------------------------------------------------
1 | | Title | Access internal network flow logs |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1102 |
4 | | **Description** | Make sure you have access to internal communication Network Flow logs |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1103_access_internal_http_logs.md:
--------------------------------------------------------------------------------
1 | | Title | Access internal HTTP logs |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1103 |
4 | | **Description** | Make sure you have access to internal communication HTTP logs |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1105_access_internal_dns_logs.md:
--------------------------------------------------------------------------------
1 | | Title | Access internal DNS logs |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1105 |
4 | | **Description** | Make sure you have access to internal communication DNS logs |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1107_access_vpn_logs.md:
--------------------------------------------------------------------------------
1 | | Title | Access VPN logs |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1107 |
4 | | **Description** | Make sure you have access to VPN logs |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1108_access_dhcp_logs.md:
--------------------------------------------------------------------------------
1 | | Title | Access DHCP logs |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1108 |
4 | | **Description** | Make sure you have access to DHCP logs |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1109_access_internal_packet_capture_data.md:
--------------------------------------------------------------------------------
1 | | Title | Access internal packet capture data |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1109 |
4 | | **Description** | Make sure you have access to internal communication Packet Capture data |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1110_access_external_packet_capture_data.md:
--------------------------------------------------------------------------------
1 | | Title | Access external packet capture data |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1110 |
4 | | **Description** | Make sure you have access to external communication Packet Capture data |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block internal IP address |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1112 |
4 | | **Description** | Make sure you can block an internal IP address from being accessed by corporate assets |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** |- MS_intranet_firewall
- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_host_firewall
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1114_get_ability_to_block_internal_domain.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block internal domain |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1114 |
4 | | **Description** | Make sure you can block an internal domain name from being accessed by corporate assets |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** |- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_dns_server
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1116_get_ability_to_block_internal_url.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block internal URL |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1116 |
4 | | **Description** | Make sure you can block an internal URL from being accessed by corporate assets |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** |- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_dns_server
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block port external communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1117 |
4 | | **Description** | Make sure you can block a network port for external communications |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** |- MS_border_firewall
- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_host_firewall
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block port internal communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1118 |
4 | | **Description** | Make sure you can block a network port for internal communications |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** |- MS_intranet_firewall
- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_host_firewall
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block user external communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1119 |
4 | | **Description** | Make sure you can block a user for external communications |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** |- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_nac
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block user internal communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1120 |
4 | | **Description** | Make sure you can block a user for internal communications |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** |- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_nac
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find data transferred by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1121 |
4 | | **Description** | Make sure you have the ability to find data transferred at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block data transferring by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1122 |
4 | | **Description** | Make sure you have the ability to block data transferring by its content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1123_get_ability_to_list_data_transferred.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list data transferred |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1123 |
4 | | **Description** | Make sure you have the ability to list the data that is being transferred at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to collect transferred data |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1124 |
4 | | **Description** | Make sure you have the ability to collect the data that is being transferred at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to identify transferred data |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1125 |
4 | | **Description** | Make sure you have the ability to identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Find data transferred by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1126 |
4 | | **Description** | Make sure you have the ability to find the data that is being transferred at the moment or at a particular time in the past by its content pattern |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list users opened email message |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1201 |
4 | | **Description** | Make sure you have the ability to list users who opened a particular email message |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/](https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Make sure you have the ability to list users who opened/read a particular email message using the Email Server's functionality.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1207_get_ability_to_collect_email_message.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to collect email message |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1207 |
4 | | **Description** | Make sure you have the ability to collect an email message |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Email |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1301_get_ability_to_list_files_created.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list files created |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1301 |
4 | | **Description** | Make sure you have the ability to list files that have been created at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1302_get_ability_to_list_files_modified.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list files modified |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1302 |
4 | | **Description** | Make sure you have the ability to list files that have been modified at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1303_get_ability_to_list_files_deleted.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list files deleted |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1303 |
4 | | **Description** | Make sure you have the ability to list files that have been deleted at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list files downloaded |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1304 |
4 | | **Description** | Make sure you have the ability to list files that have been downloaded from the internet at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list files with tampered timestamps |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1305 |
4 | | **Description** | Make sure you have the ability to list files with a tampered timestamp |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1306_get_ability_to_find_file_by_path.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find file by path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1306 |
4 | | **Description** | Make sure you have the ability to find a file by its path (including its name) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find file by metadata |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1307 |
4 | | **Description** | Make sure you have the ability to find file by its metadata (i.e. signature, permissions, MAC times) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find file by hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1308 |
4 | | **Description** | Make sure you have the ability to find a file by its hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1309_get_ability_to_find_file_by_format.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find file by format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1309 |
4 | | **Description** | Make sure you have the ability to find a file by its format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find file by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1310 |
4 | | **Description** | Make sure you have the ability to find a file by its content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1311_get_ability_to_collect_file.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to collect file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1311 |
4 | | **Description** | Make sure you have the ability to collect a specific file from a (remote) host or a system |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to quarantine file by path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1312 |
4 | | **Description** | Make sure you have the ability to block a file from being accessed by its path (including its name) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to quarantine file by hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1313 |
4 | | **Description** | Make sure you have the ability to block a file from being accessed by its hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to quarantine file by format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1314 |
4 | | **Description** | Make sure you have the ability to block a file from being accessed by its format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to quarantine file by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1315 |
4 | | **Description** | Make sure you have the ability to block a file from being accessed by its content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1316_get_ability_to_remove_file.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to remove file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1316 |
4 | | **Description** | Make sure you have the ability to remove a specific file from a (remote) host or a system |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to analyse file hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1317 |
4 | | **Description** | Make sure you have the ability to analyse a file hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to analyse Windows PE |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1318 |
4 | | **Description** | Make sure you have the ability to analyse a Windows Portable Executable file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to analyse macos macho |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1319 |
4 | | **Description** | Make sure you have the ability to analyse a macOS Mach-O file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to analyse Unix ELF |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1320 |
4 | | **Description** | Make sure you have the ability to analyse a UNIX ELF file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to analyse MS office file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1321 |
4 | | **Description** | Make sure you have the ability to analyse a Microsoft Office file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to analyse PDF file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1322 |
4 | | **Description** | Make sure you have the ability to analyse a PDF file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1323_get_ability_to_analyse_script.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to analyse script |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1323 |
4 | | **Description** | Make sure you have the ability to analyse a script file (i.e. Python, PowerShell, Bash scripts etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1401_get_ability_to_list_processes_executed.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list processes executed |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1401 |
4 | | **Description** | Make sure you have the ability to list processes being executed at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find process by executable path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1402 |
4 | | **Description** | Make sure you have the ability to find process executed at a particular time in the past by its executable path (including its name) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find process by executable metadata |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1403 |
4 | | **Description** | Make sure you have the ability to find process executed at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find process by executable hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1404 |
4 | | **Description** | Make sure you have the ability to find process executed at a particular time in the past by its executable hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find process by executable format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1405 |
4 | | **Description** | Make sure you have the ability to find process executed at a particular time in the past by its executable format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to find process by executable content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1406 |
4 | | **Description** | Make sure you have the ability to find process executed at a particular time in the past by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block process by executable path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1407 |
4 | | **Description** | Make sure you have the ability to block process by its executable path (including its name) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block process by executable metadata |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1408 |
4 | | **Description** | Make sure you have the ability to block process by its executable metadata (i.e. signature, permissions, MAC times) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block process by executable hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1409 |
4 | | **Description** | Make sure you have the ability to block process by its executable hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block process by executable format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1410 |
4 | | **Description** | Make sure you have the ability to block process by its executable format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to block process by executable content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1411 |
4 | | **Description** | Make sure you have the ability to block process by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md:
--------------------------------------------------------------------------------
1 | | Title | Manage remote computer management system policies |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1501 |
4 | | **Description** | Make sure you can manage Remote Computer Management system policies |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list registry keys modified |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1502 |
4 | | **Description** | Make sure you have the ability to list registry keys modified at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list registry keys deleted |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1503 |
4 | | **Description** | Make sure you have the ability to list registry keys deleted at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list registry keys accessed |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1504 |
4 | | **Description** | Make sure you have the ability to list registry keys accessed at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list registry keys created |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1505 |
4 | | **Description** | Make sure you have the ability to list registry keys created at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1506_get_ability_to_list_services_created.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list services created |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1506 |
4 | | **Description** | Make sure you have the ability to list services that have created at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1507_get_ability_to_list_services_modified.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list services modified |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1507 |
4 | | **Description** | Make sure you have the ability to list services that have been modified at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1508_get_ability_to_list_services_deleted.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list services deleted |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1508 |
4 | | **Description** | Make sure you have the ability to list services that have been deleted at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1509_get_ability_to_remove_registry_key.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to remove registry key |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1509 |
4 | | **Description** | Make sure you have the ability to remove a registry key |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1510_get_ability_to_remove_service.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to remove service |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1510 |
4 | | **Description** | Make sure you have the ability to remove a service |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1601_manage_identity_management_system.md:
--------------------------------------------------------------------------------
1 | | Title | Manage identity management system |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1601 |
4 | | **Description** | Make sure you can manage Identity Management System, i.e. remove/block users, revoke credentials, and execute other Response Actions |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1602_get_ability_to_lock_user_account.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to lock user account |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1602 |
4 | | **Description** | Make sure you have the ability to lock user account from being used |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to list users authenticated |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1603 |
4 | | **Description** | Make sure you have the ability to list users authenticated at a particular time in the past on a particular system |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to revoke authentication credentials |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1604 |
4 | | **Description** | Make sure you have the ability to revoke authentication credentials |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_1605_get_ability_to_remove_user_account.md:
--------------------------------------------------------------------------------
1 | | Title | Get ability to remove user account |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA1605 |
4 | | **Description** | Make sure you have the ability to remove a user account |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2001_list_victims_of_security_alert.md:
--------------------------------------------------------------------------------
1 | | Title | List victims of security alert |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2001 |
4 | | **Description** | List victims of a security alert |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2002_list_host_vulnerabilities.md:
--------------------------------------------------------------------------------
1 | | Title | List host vulnerabilities |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2002 |
4 | | **Description** | Get information about a specific host existing vulnerabilities, or about vulnerabilities it had at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md:
--------------------------------------------------------------------------------
1 | | Title | Put compromised accounts on monitoring |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2003 |
4 | | **Description** | Put (potentially) compromised accounts on monitoring |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | General |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 |
10 | ### Workflow
11 |
12 | Start monitoring for authentification attempts and all potentially harmful actions from (potentially) compromised accounts.
13 | Look for anomalies, unusual network connections, unusual geolocation/time of work, actions that were never executed before.
14 | Keep in touch with the real users and, in case of need, ask them if they executing some suspicious actions by themselves or not.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts communicated with internal domain |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2101 |
4 | | **Description** | List hosts communicated with an internal domain |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts communicated with internal IP |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2102 |
4 | | **Description** | List hosts communicated with an internal IP address |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts communicated with internal URL |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2103 |
4 | | **Description** | List hosts communicated with an internal URL |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2104_analyse_domain_name.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse domain name |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2104 |
4 | | **Description** | Analyse a domain name |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2105_analyse_ip.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse IP |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2105 |
4 | | **Description** | Analyse an IP address |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2106_analyse_uri.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse uri |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2106 |
4 | | **Description** | Analyse an URI |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2107_list_hosts_communicated_by_port.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts communicated by port |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2107 |
4 | | **Description** | List hosts communicating by a specific port at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2108_list_hosts_connected_to_vpn.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts connected to VPN |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2108 |
4 | | **Description** | List hosts connected to a VPN at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2109_list_hosts_connected_to_intranet.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts connected to intranet |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2109 |
4 | | **Description** | List hosts connected to the internal network at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2110_list_data_transferred.md:
--------------------------------------------------------------------------------
1 | | Title | List data transferred |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2110 |
4 | | **Description** | List the data that is being transferred at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2111_collect_transferred_data.md:
--------------------------------------------------------------------------------
1 | | Title | Collect transferred data |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2111 |
4 | | **Description** | Collect the data that is being transferred at the moment or at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2112_identify_transferred_data.md:
--------------------------------------------------------------------------------
1 | | Title | Identify transferred data |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2112 |
4 | | **Description** | Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts communicated with external domain |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2113 |
4 | | **Description** | List hosts communicated with an external domain |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Requirements** |- DN_zeek_conn_log
- DN_zeek_dns_log
- DN_zeek_http_log
- DN_dns_log
- DN_proxy_log
- DN_network_flow_log
|
10 |
11 | ### Workflow
12 |
13 | List hosts communicated with an external domain using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts communicated with external IP |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2114 |
4 | | **Description** | List hosts communicated with an external IP address |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Requirements** |- DN_network_flow_log
- DN_zeek_conn_log
|
10 |
11 | ### Workflow
12 |
13 | List hosts communicated with an external IP address using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md:
--------------------------------------------------------------------------------
1 | | Title | List hosts communicated with external URL |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2115 |
4 | | **Description** | List hosts communicated with an external URL |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Requirements** |- DN_zeek_http_log
- DN_proxy_log
|
10 |
11 | ### Workflow
12 |
13 | List hosts communicated with an external URL using the most efficient way.
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Find data transferred by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2116 |
4 | | **Description** | Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2201_list_users_opened_email_message.md:
--------------------------------------------------------------------------------
1 | | Title | List users opened email message |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2201 |
4 | | **Description** | List users that have opened am email message |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/](https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | List users who opened/read a particular email message using the Email Server's functionality.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2203_list_email_message_receivers.md:
--------------------------------------------------------------------------------
1 | | Title | List email message receivers |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2203 |
4 | | **Description** | List receivers of a particular email message |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/get-messagetrackinglog?view=exchange-ps](https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/get-messagetrackinglog?view=exchange-ps)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | List receivers of a particular email message using the Email Server's functionality.
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2301_list_files_created.md:
--------------------------------------------------------------------------------
1 | | Title | List files created |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2301 |
4 | | **Description** | List files that have been created at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2302_list_files_modified.md:
--------------------------------------------------------------------------------
1 | | Title | List files modified |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2302 |
4 | | **Description** | List files that have been modified at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2303_list_files_deleted.md:
--------------------------------------------------------------------------------
1 | | Title | List files deleted |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2303 |
4 | | **Description** | List files that have been deleted at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2304_list_files_downloaded.md:
--------------------------------------------------------------------------------
1 | | Title | List files downloaded |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2304 |
4 | | **Description** | List files that have been downloaded at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2305_list_files_with_tampered_timestamps.md:
--------------------------------------------------------------------------------
1 | | Title | List files with tampered timestamps |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2305 |
4 | | **Description** | List files with tampered timestamps |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2306_find_file_by_path.md:
--------------------------------------------------------------------------------
1 | | Title | Find file by path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2306 |
4 | | **Description** | Find a file by its path (including its name) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2307_find_file_by_metadata.md:
--------------------------------------------------------------------------------
1 | | Title | Find file by metadata |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2307 |
4 | | **Description** | Find a file by its metadata (i.e. signature, permissions, MAC times) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2308_find_file_by_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Find file by hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2308 |
4 | | **Description** | Find a file by its hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2309_find_file_by_format.md:
--------------------------------------------------------------------------------
1 | | Title | Find file by format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2309 |
4 | | **Description** | Find a file by its format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2310_find_file_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Find file by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2310 |
4 | | **Description** | Find a file by its content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2311_collect_file.md:
--------------------------------------------------------------------------------
1 | | Title | Collect file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2311 |
4 | | **Description** | Collect a specific file from a (remote) host or a system |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2312_analyse_file_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse file hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2312 |
4 | | **Description** | Analise a hash of a file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2313_analyse_windows_pe.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse Windows PE |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2313 |
4 | | **Description** | Analise MS Windows Portable Executable |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2314_analyse_macos_macho.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse macos macho |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2314 |
4 | | **Description** | Analise macOS Mach-O |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2315_analyse_unix_elf.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse Unix ELF |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2315 |
4 | | **Description** | Analise Unix ELF |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2316_analyse_ms_office_file.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse MS office file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2316 |
4 | | **Description** | Analise MS Office file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2317_analyse_pdf_file.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse PDF file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2317 |
4 | | **Description** | Analise PDF file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2318_analyse_script.md:
--------------------------------------------------------------------------------
1 | | Title | Analyse script |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2318 |
4 | | **Description** | Analyse a script file (i.e. Python, PowerShell, Bash scripts etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 |
11 | ### Workflow
12 |
13 | Description of the workflow for single Response Action in markdown format.
14 | Here newlines will be saved.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2401_list_processes_executed.md:
--------------------------------------------------------------------------------
1 | | Title | List processes executed |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2401 |
4 | | **Description** | List processes being executed at the moment or at a particular time in the past |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2402_find_process_by_executable_path.md:
--------------------------------------------------------------------------------
1 | | Title | Find process by executable path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2402 |
4 | | **Description** | Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2403_find_process_by_executable_metadata.md:
--------------------------------------------------------------------------------
1 | | Title | Find process by executable metadata |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2403 |
4 | | **Description** | Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2404_find_process_by_executable_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Find process by executable hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2404 |
4 | | **Description** | Find a process that is being executed at the moment or at a particular time in the past by its executable hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2405_find_process_by_executable_format.md:
--------------------------------------------------------------------------------
1 | | Title | Find process by executable format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2405 |
4 | | **Description** | Find a process that is being executed at the moment or at a particular time in the past by its executable format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2406_find_process_by_executable_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Find process by executable content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2406 |
4 | | **Description** | Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2501_list_registry_keys_modified.md:
--------------------------------------------------------------------------------
1 | | Title | List registry keys modified |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2501 |
4 | | **Description** | List registry keys modified at a particular time in the past |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2502_list_registry_keys_deleted.md:
--------------------------------------------------------------------------------
1 | | Title | List registry keys deleted |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2502 |
4 | | **Description** | List registry keys that have been deleted at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2503_list_registry_keys_accessed.md:
--------------------------------------------------------------------------------
1 | | Title | List registry keys accessed |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2503 |
4 | | **Description** | List registry keys that have been accessed at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2504_list_registry_keys_created.md:
--------------------------------------------------------------------------------
1 | | Title | List registry keys created |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2504 |
4 | | **Description** | List registry keys that have been created at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2505_list_services_created.md:
--------------------------------------------------------------------------------
1 | | Title | List services created |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2505 |
4 | | **Description** | List services that have been created at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2506_list_services_modified.md:
--------------------------------------------------------------------------------
1 | | Title | List services modified |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2506 |
4 | | **Description** | List services that have been modified at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2507_list_services_deleted.md:
--------------------------------------------------------------------------------
1 | | Title | List services deleted |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2507 |
4 | | **Description** | List services that have been deleted at a particular time in the past |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_2601_list_users_authenticated.md:
--------------------------------------------------------------------------------
1 | | Title | List users authenticated |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA2601 |
4 | | **Description** | List users authenticated at a particular time in the past on a particular system |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0002: Identification](../Response_Stages/RS0002.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3001_patch_vulnerability.md:
--------------------------------------------------------------------------------
1 | | Title | Patch vulnerability |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3001 |
4 | | **Description** | Patch a vulnerability in an asset |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3102_block_internal_ip_address.md:
--------------------------------------------------------------------------------
1 | | Title | Block internal IP address |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3102 |
4 | | **Description** | Block an internal IP address from being accessed by corporate assets |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Requirements** |- MS_intranet_firewall
- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_host_firewall
|
10 |
11 | ### Workflow
12 |
13 | Block an internal IP address from being accessed by corporate assets, using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3104_block_internal_domain.md:
--------------------------------------------------------------------------------
1 | | Title | Block internal domain |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3104 |
4 | | **Description** | Block an internal domain name from being accessed by corporate assets |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://en.wikipedia.org/wiki/DNS_sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole)
|
10 | | **Requirements** |- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_dns_server
|
11 |
12 | ### Workflow
13 |
14 | Block an internal domain name from being accessed by corporate assets, using the most efficient way.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3105_block_external_url.md:
--------------------------------------------------------------------------------
1 | | Title | Block external URL |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3105 |
4 | | **Description** | Block an external URL from being accessed by corporate assets |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Requirements** |- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_dns_server
|
10 |
11 | ### Workflow
12 |
13 | Block an external URL from being accessed by corporate assets, using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3106_block_internal_url.md:
--------------------------------------------------------------------------------
1 | | Title | Block internal URL |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3106 |
4 | | **Description** | Block an internal URL from being accessed by corporate assets |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Requirements** |- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_dns_server
|
10 |
11 | ### Workflow
12 |
13 | Block an internal URL from being accessed by corporate assets, using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3107_block_port_external_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Block port external communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3107 |
4 | | **Description** | Block a network port for external communications |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Requirements** |- MS_border_firewall
- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_host_firewall
|
10 |
11 | ### Workflow
12 |
13 | Block a network port for external communications, using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3108_block_port_internal_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Block port internal communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3108 |
4 | | **Description** | Block a network port for internal communications |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Requirements** |- MS_intranet_firewall
- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_host_firewall
|
10 |
11 | ### Workflow
12 |
13 | Block a network port for internal communications, using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3109_block_user_external_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Block user external communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3109 |
4 | | **Description** | Block a user for external communications |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Requirements** |- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_nac
|
10 |
11 | ### Workflow
12 |
13 | Block a user for external communications, using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3110_block_user_internal_communication.md:
--------------------------------------------------------------------------------
1 | | Title | Block user internal communication |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3110 |
4 | | **Description** | Block a user for internal communications |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Requirements** |- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_nac
|
10 |
11 | ### Workflow
12 |
13 | Block a user for internal communications, using the most efficient way.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Block data transferring by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3111 |
4 | | **Description** | Block data transferring by its content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3202_block_sender_on_email.md:
--------------------------------------------------------------------------------
1 | | Title | Block sender on email |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3202 |
4 | | **Description** | Block an email sender on the Email-server |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Block an email sender on an Email Server using its native filtering functionality.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3301_quarantine_file_by_format.md:
--------------------------------------------------------------------------------
1 | | Title | Quarantine file by format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3301 |
4 | | **Description** | Quarantine a file by its format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3302_quarantine_file_by_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Quarantine file by hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3302 |
4 | | **Description** | Quarantine a file by its hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3303_quarantine_file_by_path.md:
--------------------------------------------------------------------------------
1 | | Title | Quarantine file by path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3303 |
4 | | **Description** | Quarantine a file by its path |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3304_quarantine_file_by_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Quarantine file by content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3304 |
4 | | **Description** | Quarantine a file by its content pattern |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3401_block_process_by_executable_path.md:
--------------------------------------------------------------------------------
1 | | Title | Block process by executable path |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3401 |
4 | | **Description** | Block a process execution by its executable path (including its name) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3402_block_process_by_executable_metadata.md:
--------------------------------------------------------------------------------
1 | | Title | Block process by executable metadata |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3402 |
4 | | **Description** | Block a process execution by its executable metadata (i.e. signature, permissions, MAC times) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3403_block_process_by_executable_hash.md:
--------------------------------------------------------------------------------
1 | | Title | Block process by executable hash |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3403 |
4 | | **Description** | Block a process execution by its executable hash |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3404_block_process_by_executable_format.md:
--------------------------------------------------------------------------------
1 | | Title | Block process by executable format |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3404 |
4 | | **Description** | Block a process execution by its executable format |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3405_block_process_by_executable_content_pattern.md:
--------------------------------------------------------------------------------
1 | | Title | Block process by executable content pattern |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3405 |
4 | | **Description** | Block a process execution by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3501_disable_system_service.md:
--------------------------------------------------------------------------------
1 | | Title | Disable system service |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3501 |
4 | | **Description** | Disable a system service |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_3601_lock_user_account.md:
--------------------------------------------------------------------------------
1 | | Title | Lock user account |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA3601 |
4 | | **Description** | Lock an user account |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0003: Containment](../Response_Stages/RS0003.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_4101_remove_rogue_network_device.md:
--------------------------------------------------------------------------------
1 | | Title | Remove rogue network device |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA4101 |
4 | | **Description** | Remove a rogue network device |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0004: Eradication](../Response_Stages/RS0004.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_4201_delete_email_message.md:
--------------------------------------------------------------------------------
1 | | Title | Delete email message |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA4201 |
4 | | **Description** | Delete an email message from an Email Server and users' email boxes |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 31.01.2019 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0004: Eradication](../Response_Stages/RS0004.md)|
9 | | **Requirements** ||
10 |
11 | ### Workflow
12 |
13 | Delete an email message from an Email Server and users' email boxes using its native functionality.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_4301_remove_file.md:
--------------------------------------------------------------------------------
1 | | Title | Remove file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA4301 |
4 | | **Description** | Remove a specific file from a (remote) host or a system |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0004: Eradication](../Response_Stages/RS0004.md)|
9 | | **Automation** |- thehive/phantom/demisto/etc
|
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_4501_remove_registry_key.md:
--------------------------------------------------------------------------------
1 | | Title | Remove registry key |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA4501 |
4 | | **Description** | Remove a registry key |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0004: Eradication](../Response_Stages/RS0004.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_4502_remove_service.md:
--------------------------------------------------------------------------------
1 | | Title | Remove service |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA4502 |
4 | | **Description** | Remove a service |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0004: Eradication](../Response_Stages/RS0004.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_4602_remove_user_account.md:
--------------------------------------------------------------------------------
1 | | Title | Remove user account |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA4602 |
4 | | **Description** | Remove a user account |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0004: Eradication](../Response_Stages/RS0004.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5001_reinstall_host_from_golden_image.md:
--------------------------------------------------------------------------------
1 | | Title | Reinstall host from golden image |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5001 |
4 | | **Description** | Reinstall host OS from a golden image |
5 | | **Author** | name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **Automation** ||
10 | | **References** |- [https://example.com](https://example.com)
|
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for the Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5002_restore_data_from_backup.md:
--------------------------------------------------------------------------------
1 | | Title | Restore data from backup |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5002 |
4 | | **Description** | Restore data from a backup |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | General |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5101_unblock_blocked_ip.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock blocked IP |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5101 |
4 | | **Description** | Unblock a blocked IP address |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **Requirements** |- MS_border_firewall
- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_intranet_firewall
- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_host_firewall
|
10 |
11 | ### Workflow
12 |
13 | Unblock a blocked IP address in the system(s) used to block it.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5102_unblock_blocked_domain.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock blocked domain |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5102 |
4 | | **Description** | Unblock a blocked domain name |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **Requirements** |- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
- MS_dns_server
|
10 |
11 | ### Workflow
12 |
13 | Unblock a blocked domain name in the system(s) used to block it.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5103_unblock_blocked_url.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock blocked URL |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5103 |
4 | | **Description** | Unblock a blocked URL |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Network |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **Requirements** |- MS_border_proxy
- MS_border_ips
- MS_border_ngfw
- MS_intranet_proxy
- MS_intranet_ips
- MS_intranet_ngfw
|
10 |
11 | ### Workflow
12 |
13 | Unblock a blocked URL in the system(s) used to block it.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5104_unblock_blocked_port.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock blocked port |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5104 |
4 | | **Description** | Unblock a blocked port |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5105_unblock_blocked_user.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock blocked user |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5105 |
4 | | **Description** | Unblock a blocked user |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Network |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5201_unblock_domain_on_email.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock domain on email |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5201 |
4 | | **Description** | Unblock a domain on email |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 07.05.2020 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Unblock an email domain on an Email Server using its native functionality.
15 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5202_unblock_sender_on_email.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock sender on email |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5202 |
4 | | **Description** | Unblock a sender on email |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **Requirements** ||
10 |
11 | ### Workflow
12 |
13 | Unblock an email sender on an Email Server using its native functionality.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5203_restore_quarantined_email_message.md:
--------------------------------------------------------------------------------
1 | | Title | Restore quarantined email message |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5203 |
4 | | **Description** | Restore a quarantined email message |
5 | | **Author** | @atc_project |
6 | | **Creation Date** | 06.05.2020 |
7 | | **Category** | Email |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **Requirements** ||
10 |
11 | ### Workflow
12 |
13 | Restore a quarantined email message on an Email Server using its native functionality.
14 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5301_restore_quarantined_file.md:
--------------------------------------------------------------------------------
1 | | Title | Restore quarantined file |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5301 |
4 | | **Description** | Restore a quarantined file |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | File |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5401_unblock_blocked_process.md:
--------------------------------------------------------------------------------
1 | | Title | Unblock blocked process |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5401 |
4 | | **Description** | Unblock a blocked process |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Process |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5501_enable_disabled_service.md:
--------------------------------------------------------------------------------
1 | | Title | Enable disabled service |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5501 |
4 | | **Description** | Enable a disabled service |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Configuration |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Actions/RA_5601_unlock_locked_user_account.md:
--------------------------------------------------------------------------------
1 | | Title | Unlock locked user account |
2 | |:---------------------------:|:--------------------|
3 | | **ID** | RA5601 |
4 | | **Description** | Unlock a locked user account |
5 | | **Author** | your name/nickname/twitter |
6 | | **Creation Date** | DD.MM.YYYY |
7 | | **Category** | Identity |
8 | | **Stage** |[RS0005: Recovery](../Response_Stages/RS0005.md)|
9 | | **References** |- [https://example.com](https://example.com)
|
10 | | **Requirements** ||
11 |
12 | ### Workflow
13 |
14 | Description of the workflow for single Response Action in markdown format.
15 | Here newlines will be saved.
16 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Response_Stages/RS0006.md:
--------------------------------------------------------------------------------
1 | # Lessons Learned
2 |
3 | **ID**: RS0006
4 |
5 | Discover how to improve the Incident Response process and implement the improvements.
6 | ## Response Actions
7 |
8 | | ID | Name | Description |
9 | |:-----:|:--------:|-------------|
10 | | [RA6001](../Response_Actions/RA_6001_develop_incident_report.md) | [Develop incident report](../Response_Actions/RA_6001_develop_incident_report.md) | Develop the incident report |
11 | | [RA6002](../Response_Actions/RA_6002_conduct_lessons_learned_exercise.md) | [Conduct lessons learned exercise](../Response_Actions/RA_6002_conduct_lessons_learned_exercise.md) | Conduct Lessons Learned exercise |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/Triggers/T1030.md:
--------------------------------------------------------------------------------
1 | # T1030 - Data Transfer Size Limits
2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
3 | An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
4 |
5 | ## Atomic Tests
6 |
7 | - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)
8 |
9 |
10 |
11 |
12 | ## Atomic Test #1 - Data Transfer Size Limits
13 | Take a file/directory, split it into 5Mb chunks
14 |
15 | **Supported Platforms:** macOS, Linux
16 |
17 |
18 |
19 |
20 |
21 | #### Attack Commands: Run with `sh`!
22 |
23 |
24 | ```sh
25 | cd /tmp/
26 | dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
27 | split -b 5000000 /tmp/victim-whole-file
28 | ls -l
29 | ```
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/Atomic_Threat_Coverage/index.md:
--------------------------------------------------------------------------------
1 | # ATC
2 |
3 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM alpine
2 | COPY ./ /app
3 | WORKDIR /app
4 |
5 | RUN apk update; \
6 | apk add --update \
7 | python3 \
8 | python3-dev \
9 | py-pip \
10 | gcc \
11 | musl-dev \
12 | bash;
13 |
14 | RUN pip3 install -r requirements.txt;
15 |
16 | RUN apk del python3-dev \
17 | gcc \
18 | musl-dev;
19 |
20 | RUN rm -rf /var/cache/apk/* ; \
21 | rm -rf Atomic_Threat_Coverage;
22 |
23 | CMD /app/docker-entrypoint.sh
24 |
--------------------------------------------------------------------------------
/customers/CU_0001_TESTCUSTOMER.yml:
--------------------------------------------------------------------------------
1 | title: CU_0001_TESTCUSTOMER
2 | customer_name: TESTCUSTOMER
3 | description: >
4 | Some text description here. It will be merged into one line.
5 | dataneeded:
6 | - DN_0001_4688_windows_process_creation
7 | - DN_0002_4688_windows_process_creation_with_commandline
8 | - DN_0003_1_windows_sysmon_process_creation
9 | loggingpolicy:
10 | - LP_0001_windows_audit_process_creation
11 | - LP_0002_windows_audit_process_creation_with_commandline
12 | - LP_0003_windows_sysmon_process_creation
13 | detectionrule:
14 | - SquiblyTwo
15 | - Cmdkey Cached Credentials Recon
16 | - CMSTP UAC Bypass via COM Object Access
17 | - CMSTP Execution
18 | - Exploit for CVE-2015-1641
19 | - Exploit for CVE-2017-0261
20 | - Dridex Process Pattern
21 | usecase:
22 | - UC_0001_TESTUSECASE
23 | - UC_0002_INITIALACCESS
--------------------------------------------------------------------------------
/customers/CU_0002_TESTCUSTOMER2.yml:
--------------------------------------------------------------------------------
1 | title: CU_0002_TESTCUSTOMER2
2 | customer_name: TESTCUSTOMER2
3 | description: >
4 | Some text description here. It will be merged into one line.
5 | dataneeded:
6 | - DN_0001_4688_windows_process_creation
7 | - DN_0002_4688_windows_process_creation_with_commandline
8 | - DN_0003_1_windows_sysmon_process_creation
9 | loggingpolicy:
10 | - LP_0001_windows_audit_process_creation
11 | - LP_0002_windows_audit_process_creation_with_commandline
12 | - LP_0003_windows_sysmon_process_creation
13 | detectionrule:
14 | - SquiblyTwo
15 | - Cmdkey Cached Credentials Recon
16 | - CMSTP UAC Bypass via COM Object Access
17 | usecase:
18 |
--------------------------------------------------------------------------------
/customers/customer.yml.template:
--------------------------------------------------------------------------------
1 | title: CU_0000_some_name_here
2 | customer_name: some_name_here
3 | description: >
4 | Some text description here. It will be merged into one line.
5 | dataneeded:
6 | - DN_0000_some_data_needed_name_here
7 | loggingpolicy:
8 | - LP_0000_some_logging_policy_name_here
9 | detectionrule:
10 | - DR_0000_some_detection_rule_name_here
11 |
--------------------------------------------------------------------------------
/docker-entrypoint.sh:
--------------------------------------------------------------------------------
1 | echo "[*] Setting up confluence"
2 | python3 main.py -C --init
3 |
4 | echo "[*] Setting up markdown"
5 | python3 main.py -M --init
6 |
7 | echo "[*] Pushing data to confluence"
8 | python3 main.py -C -A
9 |
10 | echo "[*] Pushing data to markdown"
11 | python3 main.py -M -A
12 |
13 | echo "[*] Creating analytics.csv and pivoting.csv"
14 | python3 main.py -CSV
15 |
16 | echo "[*] Creating ATT&CK Navigator profile"
17 | python3 main.py -TD-NAV
18 |
19 | echo "[*] Creating ATT&CK Navigator profile"
20 | python3 main.py -TD-NAV-CU
21 |
22 | echo "[*] Creating markdown repository and pushing data"
23 | python3 main.py --markdown --auto --init
24 |
25 | echo "[*] Creating confluence repository and pushing data"
26 | python3 main.py --confluence --auto --init
27 |
28 | echo "[*] Creating elastic index"
29 | python3 main.py -ES
30 |
31 | echo "[*] Creating visualizations.."
32 | python3 main.py -V
33 |
34 | echo "[*] Generating TheHive Case templates based on Response Playbooks"
35 | python3 main.py --thehive
36 |
37 | echo "Done!"
38 |
--------------------------------------------------------------------------------
/images/analytics_pth_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/analytics_pth_v1.png
--------------------------------------------------------------------------------
/images/atc_analytics_dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/atc_analytics_dashboard.png
--------------------------------------------------------------------------------
/images/atc_scheme_v2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/atc_scheme_v2.jpg
--------------------------------------------------------------------------------
/images/cu_confluence_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/cu_confluence_v1.png
--------------------------------------------------------------------------------
/images/cu_markdown_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/cu_markdown_v1.png
--------------------------------------------------------------------------------
/images/cu_yaml_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/cu_yaml_v1.png
--------------------------------------------------------------------------------
/images/dashboard_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/dashboard_v1.png
--------------------------------------------------------------------------------
/images/dashboard_yaml_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/dashboard_yaml_v1.png
--------------------------------------------------------------------------------
/images/dataneeded_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/dataneeded_v1.png
--------------------------------------------------------------------------------
/images/dn_confluence_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/dn_confluence_v1.png
--------------------------------------------------------------------------------
/images/dn_markdown_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/dn_markdown_v1.png
--------------------------------------------------------------------------------
/images/dr_confluence_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/dr_confluence_v1.png
--------------------------------------------------------------------------------
/images/dr_markdown_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/dr_markdown_v1.png
--------------------------------------------------------------------------------
/images/en_confluence_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/en_confluence_v1.png
--------------------------------------------------------------------------------
/images/en_markdown_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/en_markdown_v1.png
--------------------------------------------------------------------------------
/images/en_yaml_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/en_yaml_v1.png
--------------------------------------------------------------------------------
/images/loggingpolicy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/loggingpolicy.png
--------------------------------------------------------------------------------
/images/logo_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/logo_v1.png
--------------------------------------------------------------------------------
/images/lp_confluence_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/lp_confluence_v1.png
--------------------------------------------------------------------------------
/images/lp_markdown_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/lp_markdown_v1.png
--------------------------------------------------------------------------------
/images/navigator_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/navigator_v1.png
--------------------------------------------------------------------------------
/images/pivoting_hash_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/pivoting_hash_v1.png
--------------------------------------------------------------------------------
/images/pivoting_parent_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/pivoting_parent_v1.png
--------------------------------------------------------------------------------
/images/ra_confluence_v3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/ra_confluence_v3.png
--------------------------------------------------------------------------------
/images/ra_markdown_v3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/ra_markdown_v3.png
--------------------------------------------------------------------------------
/images/ra_yaml_v3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/ra_yaml_v3.png
--------------------------------------------------------------------------------
/images/rp_confluence_v3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/rp_confluence_v3.png
--------------------------------------------------------------------------------
/images/rp_markdown_v3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/rp_markdown_v3.png
--------------------------------------------------------------------------------
/images/rp_yaml_v3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/rp_yaml_v3.png
--------------------------------------------------------------------------------
/images/sigma_rule.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/sigma_rule.png
--------------------------------------------------------------------------------
/images/tg_markdown_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/tg_markdown_v1.png
--------------------------------------------------------------------------------
/images/thehive_case_task_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/thehive_case_task_v1.png
--------------------------------------------------------------------------------
/images/thehive_case_template_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/thehive_case_template_v1.png
--------------------------------------------------------------------------------
/images/trigger.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/trigger.png
--------------------------------------------------------------------------------
/images/trigger_confluence_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/trigger_confluence_v1.png
--------------------------------------------------------------------------------
/images/visualisation_yaml_v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/images/visualisation_yaml_v1.png
--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
1 | site_name: ATC
2 | docs_dir: Atomic_Threat_Coverage
3 | site_dir: site/
4 |
5 | theme:
6 | name: 'windmill'
7 |
8 | repo_url: https://github.com/atc-project/atomic-threat-coverage
9 | # edit_uri: blob/master/docs/
10 |
11 | plugins:
12 | - search
13 | - awesome-pages
14 | - exclude:
15 | glob:
16 | - "*DS_Store"
17 | - "*.git"
18 | - "*.idea"
19 | - "thehive_templates"
20 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | pyyaml
2 | requests
3 | jinja2
4 | elasticsearch
5 | pytest
6 | stix2<3.0
7 | mkdocs
8 | mkdocs-awesome-pages-plugin
9 | mkdocs-exclude
10 | mkdocs-windmill
11 |
--------------------------------------------------------------------------------
/run_tests.sh:
--------------------------------------------------------------------------------
1 | pytest tests -vvv --capture=no
2 |
--------------------------------------------------------------------------------
/scripts/atc_visualizations/TODO.md:
--------------------------------------------------------------------------------
1 | # Metric
2 |
3 | - [x] show/hide label
4 | - [x] only count (count was made sure is working fine)
5 | - [x] use internal search
6 |
7 | # Pie
8 |
9 | - [x] only index name
10 | - [x] use internal search
11 | - [x] show labels
12 | - [x] split slices (terms) - else default
13 |
14 | # Bars - vertical
15 |
16 | - [x] X-axis - terms
17 | - [x] split series - terms
18 | - [x] split charts - terms, this wasn't planned but it is handled as well (matter of 1 line)
19 | - [x] else default
20 |
21 | # Area
22 |
23 | - [x] not focus
24 |
25 | # Saved Search
26 |
27 | - [x] it's needed for dashboards (add as object inside dashboard)
28 |
--------------------------------------------------------------------------------
/scripts/init_markdown.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from scripts.atcutils import ATCutils
4 |
5 | from pathlib import Path
6 |
7 |
8 | def create_markdown_dirs():
9 | config = ATCutils.load_config('config.yml')
10 | base_dir = Path(config.get(
11 | 'md_name_of_root_directory',
12 | '../Atomic_Threat_Coverage'
13 | ))
14 |
15 | target_dir_list = [
16 | 'Detection_Rules', 'Logging_Policies', 'Data_Needed',
17 | 'Triggers', 'Enrichments', 'Customers', 'Mitigation_Systems',
18 | 'Mitigation_Policies', 'Hardening_Policies', 'Use_Cases'
19 | ]
20 |
21 | for item in target_dir_list:
22 | (base_dir / item).mkdir(parents=True, exist_ok=True)
23 |
24 |
25 | if __name__ == '__main__':
26 | create_markdown_dirs()
27 |
--------------------------------------------------------------------------------
/scripts/templates/markdown_customer_template.md.j2:
--------------------------------------------------------------------------------
1 | | Title | {{ title }} |
2 | |:-------------------|:--------------------|
3 | | **Customer Name** | {{ customer_name }} |
4 | | **Description** | {{ description }} |
5 | | **Use Cases** | {% for uc, name in usecase %}- {% if uc != "None" %}[{{ uc }}](../Use_Cases/{{name}}.md){% else %} Not existing {% endif %}
{% endfor %}
|
6 | | **Data Needed** | {%- if dataneeded is defined and dataneeded|length %}{% for data in dataneeded %}- [{{ data }}](../Data_Needed/{{data}}.md)
{% endfor %}
{% else %} None{%endif%} |
7 | | **Logging Policy** | {% for policy in loggingpolicy %}- {% if policy != "None" %}[{{ policy }}](../Logging_Policies/{{policy}}.md){% else %} Not existing {% endif %}
{% endfor %}
|
8 | | **Detection Rule** | {% for rule, name in detectionrule %}- {% if rule != "None" %}[{{ rule }}](../Detection_Rules/{{name}}.md){% else %} Not existing {% endif %}
{% endfor %}
|
9 |
--------------------------------------------------------------------------------
/scripts/templates/markdown_mitigationsystems_template.md.j2:
--------------------------------------------------------------------------------
1 | | Title | {{ title }} |
2 | |:--------------------|:--------------------------------------------------------------------------------|
3 | | **Platform** | {% for item in platform %}- {{ item }}
{% endfor %}
|
4 | | **Minimum Version** | {% for version in minimum_version %}- {{ version }}
{% endfor %}
|
5 | | **References** | {% for ref in references %}- [{{ ref }}]({{ ref }})
{% endfor %}
|
6 |
7 | ## Description
8 |
9 | {{ description }}
10 |
11 |
--------------------------------------------------------------------------------
/scripts/templates/markdown_usecase_template.md.j2:
--------------------------------------------------------------------------------
1 | | Title | {{ title }} |
2 | |:-------------------|:--------------------|
3 | | **Use Case Name** | {{ usecase_name }} |
4 | | **Description** | {{ description }} |
5 | | **Data Needed** | {%- if dataneeded is defined and dataneeded|length %}{% for data in dataneeded %}- [{{ data }}](../Data_Needed/{{data}}.md)
{% endfor %}
{% else %} None{%endif%} |
6 | | **Logging Policy** | {% for policy in loggingpolicy %}- {% if policy != "None" %}[{{ policy }}](../Logging_Policies/{{policy}}.md){% else %} Not existing {% endif %}
{% endfor %}
|
7 | | **Detection Rule** | {% for rule, name in detectionrule %}- {% if rule != "None" %}[{{ rule }}](../Detection_Rules/{{name}}.md){% else %} Not existing {% endif %}
{% endfor %}
|
8 |
--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/4270e4e6f267d9019858f6eace7896178cf156d4/tests/__init__.py
--------------------------------------------------------------------------------
/tests/conftest.py:
--------------------------------------------------------------------------------
1 | from pathlib import Path
2 |
3 |
4 | SOURCE_DIR = Path(__file__).parent.parent / 'scripts'
5 |
--------------------------------------------------------------------------------
/tests/test_syntax.py:
--------------------------------------------------------------------------------
1 | from compileall import compile_file
2 | import pytest
3 | from .conftest import SOURCE_DIR
4 |
5 |
6 | py_files = list(SOURCE_DIR.rglob('*.py'))
7 |
8 |
9 | @pytest.mark.parametrize(
10 | 'item',
11 | py_files,
12 | ids=[item.name for item in py_files])
13 | def test_syntax(item):
14 | assert compile_file(item)
15 |
--------------------------------------------------------------------------------
/use_cases/UC_0001_TESTUSECASE.yml:
--------------------------------------------------------------------------------
1 | title: UC_0001_TESTUSECASE
2 | usecase_name: TESTUSECASE
3 | description: >
4 | Some text description here. It will be merged into one line.
5 | dataneeded:
6 | - DN_0001_4688_windows_process_creation
7 | - DN_0002_4688_windows_process_creation_with_commandline
8 | loggingpolicy:
9 | - LP_0001_windows_audit_process_creation
10 | - LP_0002_windows_audit_process_creation_with_commandline
11 | - LP_0003_windows_sysmon_process_creation
12 | detectionrule:
13 | - SquiblyTwo
14 | - Cmdkey Cached Credentials Recon
15 | - CMSTP UAC Bypass via COM Object Access
16 | - CMSTP Execution
17 | - Exploit for CVE-2015-1641
18 | - Exploit for CVE-2017-0261
19 | - Dridex Process Pattern
20 |
--------------------------------------------------------------------------------
/visualizations/dashboards/examples/test_dashboard_document.yml:
--------------------------------------------------------------------------------
1 | type: dashboard
2 | name: test dashboard
3 | title: test dashboard
4 | darktheme: True
5 | query: '*'
6 | visualizations:
7 | - Count vis
--------------------------------------------------------------------------------
/visualizations/dashboards/os_hunting_dashboard.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: dashboard
3 | name: OS Hunting Dashboard
4 | title: OS Hunting Dashboard
5 | darktheme: True
6 | visualizations:
7 | - Fileshares operations
8 | - Local files operations
9 | - Logon Activities
10 | - Pipe Events
11 | - PowerShell Activity
12 | - Process Activities
13 | - Process Execution
14 | - RDP Activity
15 | - Registry operations
16 | - Services and Drivers operations
17 | - Tasks operations
18 | - WMI Activity
19 |
--------------------------------------------------------------------------------
/visualizations/visualizations/examples/metric.yml:
--------------------------------------------------------------------------------
1 | type: visualization
2 | name: metric
3 | title: Count vis
4 | index: logstash*
5 | query: dupa
6 | labels: False
7 | metrics:
8 | - count
9 | - average:
10 | field: port
11 | enabled: False
--------------------------------------------------------------------------------
/visualizations/visualizations/examples/pie.yml:
--------------------------------------------------------------------------------
1 | type: visualization
2 | name: pie
3 | title: Pie vis
4 | index: logstash*
5 | query: "*"
6 | metrics:
7 | - count
8 | - terms:
9 | field: port
10 | size: 3
11 |
--------------------------------------------------------------------------------
/visualizations/visualizations/examples/saved_search.yml:
--------------------------------------------------------------------------------
1 | type: search
2 | title: dupa
3 | index: logstash*
4 | query: "*"
5 | columns:
6 | - message
7 | - port
8 | - host
--------------------------------------------------------------------------------
/visualizations/visualizations/examples/vert_bar.yml:
--------------------------------------------------------------------------------
1 | type: visualization
2 | name: vbar
3 | title: Vertical Bar visualization
4 | index: logstash*
5 | query: "*"
6 | metrics:
7 | - count
8 | - average:
9 | field: port
10 | - terms:
11 | split: x
12 | field: port
13 | size: 3
14 | - terms:
15 | split: series
16 | field: port
17 | size: 3
18 | - terms:
19 | split: chart
20 | field: port
21 | size: 3
22 |
--------------------------------------------------------------------------------
/visualizations/visualizations/fileshares_operations.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Fileshares operations
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Security\" ) AND event_id:( 5140 OR 5145 )"
6 | language: kuery
7 | columns:
8 | - "event_data.ShareLocalPath"
9 | - "event_data.ShareName"
10 | data_needed:
11 | - DN_0032_5145_network_share_object_was_accessed_detailed
12 | - DN_0033_5140_network_share_object_was_accessed
13 |
--------------------------------------------------------------------------------
/visualizations/visualizations/local_file_operations.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Local files operations
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Microsoft-Windows-Sysmon/Operational\" OR \"Security\" ) AND event_id:( 9 OR 11 OR 4656 OR 4658 OR 4660 OR 4663 )"
6 | language: kuery
7 | columns:
8 | - "event_id"
9 | - "event_data.Image"
10 | - "event_data.Device"
11 | - "event_data.TargetFilename"
12 | - "event_data.ProcessName"
13 | - "event_data.ObjectName"
14 | data_needed:
15 | - DN_0013_9_windows_sysmon_RawAccessRead
16 | - DN_0015_11_windows_sysmon_FileCreate
17 |
--------------------------------------------------------------------------------
/visualizations/visualizations/logon_activities.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Logon Activities
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Security\" ) AND event_id:( 4624 OR 4625 OR 4634 OR 4647 OR 4672 OR 4648 OR 4768 OR 4769 OR 4771 OR 4776 )"
6 | language: kuery
7 | columns:
8 | - "event_id"
9 | - "event_data.TargetUserName"
10 | - "event_data.SubjectUserName"
11 | data_needed:
12 | - DN_0004_4624_windows_account_logon
13 | - DN_0057_4625_account_failed_to_logon
14 |
--------------------------------------------------------------------------------
/visualizations/visualizations/pipe_events.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Pipe Events
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Microsoft-Windows-Sysmon/Operational\" ) AND event_id:( 17 OR 18 )"
6 | language: kuery
7 | columns:
8 | - "event_data.Image"
9 | - "event_data.PipeName"
10 | data_needed:
11 | - DN_0036_4104_windows_powershell_script_block
12 | - DN_0037_4103_windows_powershell_executing_pipeline
13 | - DN_0038_400_windows_powershell_engine_lifecycle
14 |
--------------------------------------------------------------------------------
/visualizations/visualizations/powershell_activity.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: PowerShell Activity
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Microsoft-Windows-PowerShell/Operational\" OR \"Windows PowerShell\" )"
6 | language: kuery
7 | columns:
8 | - "message"
9 | data_needed:
10 | - DN_0036_4104_windows_powershell_script_block
11 | - DN_0037_4103_windows_powershell_executing_pipeline
12 | - DN_0038_400_windows_powershell_engine_lifecycle
13 |
--------------------------------------------------------------------------------
/visualizations/visualizations/process_activities.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Process Activities
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Microsoft-Windows-Sysmon/Operational\" ) AND event_id:( 7 OR 8 OR 10 )"
6 | language: kuery
7 | columns:
8 | - "event_id"
9 | - "event_data.Image"
10 | - "event_data.ImageLoaded"
11 | - "event_data.SourceImage"
12 | - "event_data.TargetImage"
13 | data_needed:
14 | - DN_0011_7_windows_sysmon_image_loaded
15 | - DN_0012_8_windows_sysmon_CreateRemoteThread
16 | - DN_0014_10_windows_sysmon_ProcessAccess
17 |
--------------------------------------------------------------------------------
/visualizations/visualizations/process_execution.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Process Execution
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Security\" OR \"Microsoft-Windows-Sysmon/Operational\" ) AND event_id:( 1 OR 4688 )"
6 | language: kuery
7 | columns:
8 | - "event_id"
9 | - "event_data.CommandLine"
10 | - "event_data.Image"
11 | - "event_data.Hashes"
12 | data_needed:
13 | - DN_0001_4688_windows_process_creation
14 | - DN_0002_4688_windows_process_creation_with_commandline
15 | - DN_0003_1_windows_sysmon_process_creation
16 |
--------------------------------------------------------------------------------
/visualizations/visualizations/rdp_activity.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: RDP Activity
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "( log_name:\"Microsoft-Windows-TerminalServices-RDPClient/Operational\" AND event_id: ( 1024 OR 1102 ) OR ( log_name:\"Security\" AND event_id:( 4624 ) AND event_data.LogonType: 10) OR ( log_name:\"Security\" AND event_id:( 4778 OR 4779 )) OR ( log_name:\"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational\" AND event_id:( 131 OR 98 )) OR ( log_name:\"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\" AND event_id:1149 ) OR ( log_name:\"Microsoft-Windows-TerminalServices-LocalSessionManager\" AND event_id:( 21 OR 22 OR 25 OR 41 )))"
6 | language: kuery
7 | columns:
8 | - "message"
9 | data_needed:
10 | - DN_0004_4624_windows_account_logon
--------------------------------------------------------------------------------
/visualizations/visualizations/registry_operations.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Registry operations
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Security\" OR \"Microsoft-Windows-Sysmon/Operational\" ) AND event_id:(12 OR 13 OR 14 OR 4657) OR ( log_name:\"System\" AND event_id:16 )"
6 | language: kuery
7 | columns:
8 | - "event_data.Image"
9 | - "event_data.TargetObject"
10 | data_needed:
11 | - DN_0016_12_windows_sysmon_RegistryEvent
12 | - DN_0017_13_windows_sysmon_RegistryEvent
13 | - DN_0018_14_windows_sysmon_RegistryEvent
14 | - DN_0083_16_access_history_in_hive_was_cleared
15 |
--------------------------------------------------------------------------------
/visualizations/visualizations/services_and_drivers_operations.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Services and Drivers operations
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"System\" OR \"Microsoft-Windows-Sysmon/Operational\" OR \"Security\" ) AND event_id:( 6 OR 7034 OR 7035 OR 7036 OR 7040 OR 7045 OR 4697 )"
6 | language: kuery
7 | columns:
8 | - "event_id"
9 | - "event_data.ImageLoaded"
10 | data_needed:
11 | - DN_0010_6_windows_sysmon_driver_loaded
12 | - DN_0031_7036_service_started_stopped
13 | - DN_0005_7045_windows_service_insatalled
14 | - DN_0063_4697_service_was_installed_in_the_system
15 |
--------------------------------------------------------------------------------
/visualizations/visualizations/tasks_operations.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: Tasks operations
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Security\" OR \"Microsoft-Windows-TaskScheduler/Operational\" ) AND event_id:( 4698 OR 106 OR 141 OR 200 )"
6 | language: kuery
7 | columns:
8 | - "message"
9 | data_needed:
10 | - DN_0035_106_task_scheduler_task_registered
11 |
--------------------------------------------------------------------------------
/visualizations/visualizations/wmi_activity.yml:
--------------------------------------------------------------------------------
1 | author: '@atc_project'
2 | type: search
3 | title: WMI Activity
4 | index: 94066e90-54a4-11e9-b2fc-91cb2cfc8381
5 | query: "log_name:( \"Microsoft-Windows-WMI-Activity/Operational\" OR \"Microsoft-Windows-Sysmon/Operational\" ) AND event_id:(19 OR 20 OR 21 OR 5859 OR 5861)"
6 | language: kuery
7 | columns:
8 | - "event_id"
9 | - "message"
10 | data_needed:
11 | - DN_0022_19_windows_sysmon_WmiEvent
12 | - DN_0023_20_windows_sysmon_WmiEvent
13 | - DN_0024_21_windows_sysmon_WmiEvent
14 | - DN_0080_5859_wmi_activity
15 | - DN_0081_5861_wmi_activity
16 |
--------------------------------------------------------------------------------