├── GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.pdf
├── GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.pdf
├── GSPBC-1002 - Credential Access - Spearphishing - Phishing.pdf
├── GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.pdf
├── GSPBC-1004 - Lateral Movement - Pass the Hash.pdf
├── GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.pdf
├── GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.pdf
├── GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.pdf
├── GSPBC-1008 - Money Mule Scams - CEO Fraud.pdf
├── GSPBC-1009 - Persistence - Web Shells.pdf
├── GSPBC-1010 - Device Theft - Device Loss.pdf
├── GSPBC-1011 - Initial Access - Drive By Compromise.pdf
├── GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.pdf
├── GSPBC-1013 - Impact - Defacement.pdf
├── GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.pdf
├── GSPBC-1015 - Defense Evasion - Disabling Security Software.pdf
├── GSPBC-1016 - Defense Evasion - Install Root Certificate.pdf
├── GSPBC-1017 - Credential Access - Password Spraying.pdf
├── GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.pdf
├── GSPBC-1019 - Persistence - BITS Jobs.pdf
├── GSPBC-1020 - Persistence - Pre-OS Boot.pdf
├── GSPBC-1021 - Privilege Escalation - Group Policy Modification.pdf
├── GSPBC-1022 - Defense Evasion - Process Injection.pdf
├── GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.pdf
├── GSPBC-1024 - Credential Access - OS Credential Dumping.pdf
├── GSPBC-1025 - Credential Access - Unsecured Credentials.pdf
├── GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.pdf
├── GSPBC-1027 - Impact - Disk Wipe.pdf
├── GSPBC-1028 - Persistence - Office Application Startup.pdf
├── GSPBC-1029 - Execution - User Execution.pdf
├── GSPBC-1030 - Reconnaissance - Active Scanning.pdf
├── GSPBC-1031 - Persistence - Hijack Execution Flow.pdf
├── GSPBC-1032 - Resource Development - Compromise Accounts.pdf
├── GSPBC-1033 - Credential Access - Input Capture.pdf
├── GSPBC-1034 - Execution - Native API.pdf
├── GSPBC-1035 - Credential Access - Credentials from Password Stores.pdf
├── GSPBC-1036 - Defense Evasion - Indirect Command Execution.pdf
├── GSPBC-1037 - Execution - Deploy Container.pdf
├── GSPBC-1038 - Credential Access - Steal Web Session Cookies.pdf
├── GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.pdf
├── GSPBC-1040 - Discovery - Process Discovery.pdf
├── GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.pdf
├── GSPBC-1042 - Lateral Movement - Replication Through Removable Media.pdf
├── GSPBC-1043 - Execution - Exploitation for Client Execution.pdf
├── GSPBC-1044 - Lateral Movement - Taint Shared Content.pdf
├── GSPBC-1045 - Privilege Escalation - Create or Modify System Process.pdf
├── GSPBC-1046 - Defense Evasion - Subvert Trust Controls.pdf
├── GSPBC-1047 - Defense Evasion - Domain Policy Modification.pdf
├── GSPBC-1048 - Credential Access - Brute Force.pdf
├── GSPBC-1049 - Impact - Resource Hijacking.pdf
├── GSPBC-1050 - Initial Access - Hardware Additions.pdf
├── GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.pdf
├── GSPBC-1052 - Defense Evasion - Impair Defenses.pdf
├── GSPBC-1053 - Initial Access - Exploit Public-Facing Application.pdf
├── GSPBC-1054 - Discovery - Password Policy Discovery.pdf
├── GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.pdf
├── GSPBC-1056 - Reconnaissance - Gather Victim Host Information.pdf
├── GSPBC-1057 - Defense Evasion - Valid Accounts.pdf
├── GSPBC-1058 - Persistence - Modify Authentication Process.pdf
├── GSPBC-1059 - Discovery - Browser Bookmark Discovery.pdf
├── GSPBC-1060 - Lateral Movement - Internal Spearphishing.pdf
├── GSPBC-1061 - Reconnaissance - Gather Victim Identity Information.pdf
├── GSPBC-1062 - Command and Control - Application Layer Protocol.pdf
├── GSPBC-1063 - Execution - Scheduled Task or Job.pdf
├── GSPBC-1064 - Persistence - Event Triggered Execution.pdf
├── GSPBC-1065 - Privilege Escalation - Boot or Logon Initialization Scripts.pdf
├── GSPBC-1066 - Initial Access - Replication Through Removable Media.pdf
├── GSPBC-1067 - Persistence - Scheduled Task or Job.pdf
├── GSPBC-1068 - Credential Access - Network Sniffing.pdf
├── GSPBC-1069 - Command and Control - Communication Through Removable Media.pdf
├── GSPBC-1070 - Command and Control - Protocol Tunneling.pdf
├── GSPBC-1071 - Exfiltration - Exfiltration Over Web Service.pdf
├── GSPBC-1072 - Privilege Escalation - Process Injection.pdf
├── GSPBC-1073 - Privilege Escalation - Access Token Manipulation.pdf
├── GSPBC-1074 - Reconnaissance - Search Open Websites_Domains.pdf
├── GSPBC-1075 - Initial Access - Supply Chain Compromise.pdf
├── GSPBC-1076 - Discovery - Group Policy Discovery.pdf
├── GSPBC-1077 - Persistence - Power Settings (1).pdf
├── GSPBC-1078 - Lateral Movement - Lateral Tool Transfer.pdf
├── GSPBC-1079 - Defense Evasion - XSL Script Processing.pdf
├── GSPBC-1080 - Impact - Network Denial of Service.pdf
├── GSPBC-1081 - Impact - Endpoint Denial of Service.pdf
├── GSPBC-1082 - Reconnaissance - Gather Victim Network Information.pdf
├── GSPBC-1083 - Initial Access - Content Injection.pdf
├── GSPBC-1084 - Persistence - Compromise Client Software Binary.pdf
├── GSPBC-1085 - Defense Evasion - Template Injection.pdf
├── GSPBC-1086 - Discovery - Query Registry.pdf
├── GSPBC-1087 - Collection - Video Capture.pdf
├── GSPBC-1088 - Reconnaissance - Gather Victim Org Information.pdf
├── HTML
    ├── GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.html
    ├── GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.html
    ├── GSPBC-1002 - Credential Access - Spearphishing - Phishing.html
    ├── GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.html
    ├── GSPBC-1004 - Lateral Movement - Pass the Hash.html
    ├── GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.html
    ├── GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.html
    ├── GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.html
    ├── GSPBC-1008 - Money Mule Scams - CEO Fraud.html
    ├── GSPBC-1009 - Persistence - Web Shells.html
    ├── GSPBC-1010 - Device Theft - Device Loss.html
    ├── GSPBC-1011 - Initial Access - Drive By Compromise.html
    ├── GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.html
    ├── GSPBC-1013 - Impact - Defacement.html
    ├── GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.html
    ├── GSPBC-1015 - Defense Evasion - Disabling Security Software.html
    ├── GSPBC-1016 - Defense Evasion - Install Root Certificate.html
    ├── GSPBC-1017 - Credential Access - Password Spraying.html
    ├── GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.html
    ├── GSPBC-1019 - Persistence - BITS Jobs.html
    ├── GSPBC-1020 - Persistence - Pre-OS Boot.html
    ├── GSPBC-1021 - Privilege Escalation - Group Policy Modification.html
    ├── GSPBC-1022 - Defense Evasion - Process Injection.html
    ├── GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.html
    ├── GSPBC-1024 - Credential Access - OS Credential Dumping.html
    ├── GSPBC-1025 - Credential Access - Unsecured Credentials.html
    ├── GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.html
    ├── GSPBC-1027 - Impact - Disk Wipe.html
    ├── GSPBC-1028 - Persistence - Office Application Startup.html
    ├── GSPBC-1029 - Execution - User Execution.html
    ├── GSPBC-1030 - Reconnaissance - Active Scanning.html
    ├── GSPBC-1031 - Persistence - Hijack Execution Flow.html
    ├── GSPBC-1032 - Resource Development - Compromise Accounts.html
    ├── GSPBC-1033 - Credential Access - Input Capture.html
    ├── GSPBC-1034 - Execution - Native API.html
    ├── GSPBC-1035 - Credential Access - Credentials from Password Stores.html
    ├── GSPBC-1036 - Defense Evasion - Indirect Command Execution.html
    ├── GSPBC-1037 - Execution - Deploy Container.html
    ├── GSPBC-1038 - Credential Access - Steal Web Session Cookies.html
    ├── GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.html
    ├── GSPBC-1040 - Discovery - Process Discovery.html
    ├── GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.html
    ├── GSPBC-1042 - Lateral Movement - Replication Through Removable Media.html
    ├── GSPBC-1043 - Execution - Exploitation for Client Execution.html
    ├── GSPBC-1044 - Lateral Movement - Taint Shared Content.html
    ├── GSPBC-1045 - Privilege Escalation - Create or Modify System Process.html
    ├── GSPBC-1046 - Defense Evasion - Subvert Trust Controls.html
    ├── GSPBC-1047 - Defense Evasion - Domain Policy Modification.html
    ├── GSPBC-1048 - Credential Access - Brute Force.html
    ├── GSPBC-1049 - Impact - Resource Hijacking.html
    ├── GSPBC-1050 - Initial Access - Hardware Additions.html
    ├── GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.html
    ├── GSPBC-1052 - Defense Evasion - Impair Defenses.html
    ├── GSPBC-1053 - Initial Access - Exploit Public-Facing Application.html
    ├── GSPBC-1054 - Discovery - Password Policy Discovery.html
    ├── GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.html
    ├── GSPBC-1056 - Reconnaissance - Gather Victim Host Information.html
    ├── GSPBC-1057 - Defense Evasion - Valid Accounts.html
    ├── GSPBC-1058 - Persistence - Modify Authentication Process.html
    ├── GSPBC-1059 - Discovery - Browser Bookmark Discovery.html
    ├── GSPBC-1062 - Command and Control - Application Layer Protocol.html
    ├── GSPBC-1063 - Execution - Scheduled Task or Job.html
    ├── GSPBC-1064 - Persistence - Event Triggered Execution.html
    ├── GSPBC-1066 - Initial Access - Replication Through Removable Media.html
    ├── GSPBC-1067 - Persistence - Scheduled Task or Job.html
    ├── GSPBC-1068 - Credential Access - Network Sniffing.html
    ├── GSPBC-1069 - Command and Control - Communication Through Removable Media.html
    ├── GSPBC-1071 - Exfiltration - Exfiltration Over Web Services.html
    └── GSPBC-1074 - Reconnaissance - Search Open Websites and Domains.html
├── LICENSE
├── Markdown
    ├── GSPBC - 1071 - Exfiltration - Exfiltration Over Web Services.md
    ├── GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.md
    ├── GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.md
    ├── GSPBC-1002 - Credential Access - Spearphishing - Phishing.md
    ├── GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.md
    ├── GSPBC-1004 - Lateral Movement - Pass the Hash.md
    ├── GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.md
    ├── GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.md
    ├── GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.md
    ├── GSPBC-1008 - Money Mule Scams - CEO Fraud.md
    ├── GSPBC-1009 - Persistence - Web Shells.md
    ├── GSPBC-1010 - Device Theft - Device Loss.md
    ├── GSPBC-1011 - Initial Access - Drive By Compromise.md
    ├── GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.md
    ├── GSPBC-1013 - Impact - Defacement.md
    ├── GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.md
    ├── GSPBC-1015 - Defense Evasion - Disabling Security Software.md
    ├── GSPBC-1016 - Defense Evasion - Install Root Certificate.md
    ├── GSPBC-1017 - Credential Access - Password Spraying.md
    ├── GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.md
    ├── GSPBC-1019 - Persistence - BITS Jobs.md
    ├── GSPBC-1020 - Persistence - Pre-OS Boot.md
    ├── GSPBC-1021 - Privilege Escalation - Group Policy Modification.md
    ├── GSPBC-1022 - Defense Evasion - Process Injection.md
    ├── GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.md
    ├── GSPBC-1024 - Credential Access - OS Credential Dumping.md
    ├── GSPBC-1025 - Credential Access - Unsecured Credentials.md
    ├── GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.md
    ├── GSPBC-1027 - Impact - Disk Wipe.md
    ├── GSPBC-1028 - Persistence - Office Application Startup.md
    ├── GSPBC-1029 - Execution - User Execution.md
    ├── GSPBC-1030 - Reconnaissance - Active Scanning.md
    ├── GSPBC-1031 - Persistence - Hijack Execution Flow.md
    ├── GSPBC-1032 - Resource Development - Compromise Accounts.md
    ├── GSPBC-1033 - Credential Access - Input Capture.md
    ├── GSPBC-1034 - Execution - Native API.md
    ├── GSPBC-1035 - Credential Access - Credentials from Password Stores.md
    ├── GSPBC-1036 - Defense Evasion - Indirect Command Execution.md
    ├── GSPBC-1037 - Execution - Deploy Container.md
    ├── GSPBC-1038 - Credential Access - Steal Web Session Cookies.md
    ├── GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.md
    ├── GSPBC-1040 - Discovery - Process Discovery.md
    ├── GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.md
    ├── GSPBC-1042 - Lateral Movement - Replication Through Removable Media.md
    ├── GSPBC-1043 - Execution - Exploitation for Client Execution.md
    ├── GSPBC-1044 - Lateral Movement - Taint Shared Content.md
    ├── GSPBC-1045 - Privilege Escalation - Create or Modify System Process.md
    ├── GSPBC-1046 - Defense Evasion - Subvert Trust Controls.md
    ├── GSPBC-1047 - Defense Evasion - Domain Policy Modification.md
    ├── GSPBC-1048 - Credential Access - Brute Force.md
    ├── GSPBC-1049 - Impact - Resource Hijacking.md
    ├── GSPBC-1050 - Initial Access - Hardware Additions.md
    ├── GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.md
    ├── GSPBC-1052 - Defense Evasion - Impair Defenses.md
    ├── GSPBC-1053 - Initial Access - Exploit Public-Facing Application.md
    ├── GSPBC-1054 - Discovery - Password Policy Discovery.md
    ├── GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.md
    ├── GSPBC-1056 - Reconnaissance - Gather Victim Host Information.md
    ├── GSPBC-1057 - Defense Evasion - Valid Accounts.md
    ├── GSPBC-1058 - Persistence - Modify Authentication Process.md
    ├── GSPBC-1059 - Discovery - Browser Bookmark Discovery.md
    ├── GSPBC-1062 - Command and Control - Application Layer Protocol.md
    ├── GSPBC-1063 - Execution - Scheduled Task or Job.md
    ├── GSPBC-1064 - Persistence - Event Triggered Execution.md
    ├── GSPBC-1066 - Initial Access - Replication Through Removable Media.md
    ├── GSPBC-1067 - Persistence - Scheduled Task or Job.md
    ├── GSPBC-1068 - Credential Access - Network Sniffing.md
    └── GSPBC-1069 - Command and Control - Communication Through Removable Media.md
├── README.md
├── images
    └── GSPBC-1000.png
└── presentation-20191101-1.pdf

/GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.pdf
--------------------------------------------------------------------------------
/GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.pdf
--------------------------------------------------------------------------------
/GSPBC-1002 - Credential Access - Spearphishing - Phishing.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1002 - Credential Access - Spearphishing - Phishing.pdf
--------------------------------------------------------------------------------
/GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.pdf
--------------------------------------------------------------------------------
/GSPBC-1004 - Lateral Movement - Pass the Hash.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1004 - Lateral Movement - Pass the Hash.pdf
--------------------------------------------------------------------------------
/GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.pdf
--------------------------------------------------------------------------------
/GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.pdf
--------------------------------------------------------------------------------
/GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.pdf
--------------------------------------------------------------------------------
/GSPBC-1008 - Money Mule Scams - CEO Fraud.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1008 - Money Mule Scams - CEO Fraud.pdf
--------------------------------------------------------------------------------
/GSPBC-1009 - Persistence - Web Shells.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1009 - Persistence - Web Shells.pdf
--------------------------------------------------------------------------------
/GSPBC-1010 - Device Theft - Device Loss.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1010 - Device Theft - Device Loss.pdf
--------------------------------------------------------------------------------
/GSPBC-1011 - Initial Access - Drive By Compromise.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1011 - Initial Access - Drive By Compromise.pdf
--------------------------------------------------------------------------------
/GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.pdf
--------------------------------------------------------------------------------
/GSPBC-1013 - Impact - Defacement.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1013 - Impact - Defacement.pdf
--------------------------------------------------------------------------------
/GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.pdf
--------------------------------------------------------------------------------
/GSPBC-1015 - Defense Evasion - Disabling Security Software.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1015 - Defense Evasion - Disabling Security Software.pdf
--------------------------------------------------------------------------------
/GSPBC-1016 - Defense Evasion - Install Root Certificate.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1016 - Defense Evasion - Install Root Certificate.pdf
--------------------------------------------------------------------------------
/GSPBC-1017 - Credential Access - Password Spraying.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1017 - Credential Access - Password Spraying.pdf
--------------------------------------------------------------------------------
/GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.pdf
--------------------------------------------------------------------------------
/GSPBC-1019 - Persistence - BITS Jobs.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1019 - Persistence - BITS Jobs.pdf
--------------------------------------------------------------------------------
/GSPBC-1020 - Persistence - Pre-OS Boot.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1020 - Persistence - Pre-OS Boot.pdf
--------------------------------------------------------------------------------
/GSPBC-1021 - Privilege Escalation - Group Policy Modification.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1021 - Privilege Escalation - Group Policy Modification.pdf
--------------------------------------------------------------------------------
/GSPBC-1022 - Defense Evasion - Process Injection.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1022 - Defense Evasion - Process Injection.pdf
--------------------------------------------------------------------------------
/GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.pdf
--------------------------------------------------------------------------------
/GSPBC-1024 - Credential Access - OS Credential Dumping.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1024 - Credential Access - OS Credential Dumping.pdf
--------------------------------------------------------------------------------
/GSPBC-1025 - Credential Access - Unsecured Credentials.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1025 - Credential Access - Unsecured Credentials.pdf
--------------------------------------------------------------------------------
/GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.pdf
--------------------------------------------------------------------------------
/GSPBC-1027 - Impact - Disk Wipe.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1027 - Impact - Disk Wipe.pdf
--------------------------------------------------------------------------------
/GSPBC-1028 - Persistence - Office Application Startup.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1028 - Persistence - Office Application Startup.pdf
--------------------------------------------------------------------------------
/GSPBC-1029 - Execution - User Execution.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1029 - Execution - User Execution.pdf
--------------------------------------------------------------------------------
/GSPBC-1030 - Reconnaissance - Active Scanning.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1030 - Reconnaissance - Active Scanning.pdf
--------------------------------------------------------------------------------
/GSPBC-1031 - Persistence - Hijack Execution Flow.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1031 - Persistence - Hijack Execution Flow.pdf
--------------------------------------------------------------------------------
/GSPBC-1032 - Resource Development - Compromise Accounts.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1032 - Resource Development - Compromise Accounts.pdf
--------------------------------------------------------------------------------
/GSPBC-1033 - Credential Access - Input Capture.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1033 - Credential Access - Input Capture.pdf
--------------------------------------------------------------------------------
/GSPBC-1034 - Execution - Native API.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1034 - Execution - Native API.pdf
--------------------------------------------------------------------------------
/GSPBC-1035 - Credential Access - Credentials from Password Stores.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1035 - Credential Access - Credentials from Password Stores.pdf
--------------------------------------------------------------------------------
/GSPBC-1036 - Defense Evasion - Indirect Command Execution.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1036 - Defense Evasion - Indirect Command Execution.pdf
--------------------------------------------------------------------------------
/GSPBC-1037 - Execution - Deploy Container.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1037 - Execution - Deploy Container.pdf
--------------------------------------------------------------------------------
/GSPBC-1038 - Credential Access - Steal Web Session Cookies.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1038 - Credential Access - Steal Web Session Cookies.pdf
--------------------------------------------------------------------------------
/GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.pdf
--------------------------------------------------------------------------------
/GSPBC-1040 - Discovery - Process Discovery.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1040 - Discovery - Process Discovery.pdf
--------------------------------------------------------------------------------
/GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.pdf
--------------------------------------------------------------------------------
/GSPBC-1042 - Lateral Movement - Replication Through Removable Media.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1042 - Lateral Movement - Replication Through Removable Media.pdf
--------------------------------------------------------------------------------
/GSPBC-1043 - Execution - Exploitation for Client Execution.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1043 - Execution - Exploitation for Client Execution.pdf
--------------------------------------------------------------------------------
/GSPBC-1044 - Lateral Movement - Taint Shared Content.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1044 - Lateral Movement - Taint Shared Content.pdf
--------------------------------------------------------------------------------
/GSPBC-1045 - Privilege Escalation - Create or Modify System Process.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1045 - Privilege Escalation - Create or Modify System Process.pdf
--------------------------------------------------------------------------------
/GSPBC-1046 - Defense Evasion - Subvert Trust Controls.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1046 - Defense Evasion - Subvert Trust Controls.pdf
--------------------------------------------------------------------------------
/GSPBC-1047 - Defense Evasion - Domain Policy Modification.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1047 - Defense Evasion - Domain Policy Modification.pdf
--------------------------------------------------------------------------------
/GSPBC-1048 - Credential Access - Brute Force.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1048 - Credential Access - Brute Force.pdf
--------------------------------------------------------------------------------
/GSPBC-1049 - Impact - Resource Hijacking.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1049 - Impact - Resource Hijacking.pdf
--------------------------------------------------------------------------------
/GSPBC-1050 - Initial Access - Hardware Additions.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1050 - Initial Access - Hardware Additions.pdf
--------------------------------------------------------------------------------
/GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.pdf
--------------------------------------------------------------------------------
/GSPBC-1052 - Defense Evasion - Impair Defenses.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1052 - Defense Evasion - Impair Defenses.pdf
--------------------------------------------------------------------------------
/GSPBC-1053 - Initial Access - Exploit Public-Facing Application.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1053 - Initial Access - Exploit Public-Facing Application.pdf
--------------------------------------------------------------------------------
/GSPBC-1054 - Discovery - Password Policy Discovery.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1054 - Discovery - Password Policy Discovery.pdf
--------------------------------------------------------------------------------
/GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.pdf
--------------------------------------------------------------------------------
/GSPBC-1056 - Reconnaissance - Gather Victim Host Information.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1056 - Reconnaissance - Gather Victim Host Information.pdf
--------------------------------------------------------------------------------
/GSPBC-1057 - Defense Evasion - Valid Accounts.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1057 - Defense Evasion - Valid Accounts.pdf
--------------------------------------------------------------------------------
/GSPBC-1058 - Persistence - Modify Authentication Process.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1058 - Persistence - Modify Authentication Process.pdf
--------------------------------------------------------------------------------
/GSPBC-1059 - Discovery - Browser Bookmark Discovery.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1059 - Discovery - Browser Bookmark Discovery.pdf
--------------------------------------------------------------------------------
/GSPBC-1060 - Lateral Movement - Internal Spearphishing.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1060 - Lateral Movement - Internal Spearphishing.pdf
--------------------------------------------------------------------------------
/GSPBC-1061 - Reconnaissance - Gather Victim Identity Information.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1061 - Reconnaissance - Gather Victim Identity Information.pdf
--------------------------------------------------------------------------------
/GSPBC-1062 - Command and Control - Application Layer Protocol.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1062 - Command and Control - Application Layer Protocol.pdf
--------------------------------------------------------------------------------
/GSPBC-1063 - Execution - Scheduled Task or Job.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1063 - Execution - Scheduled Task or Job.pdf
--------------------------------------------------------------------------------
/GSPBC-1064 - Persistence - Event Triggered Execution.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1064 - Persistence - Event Triggered Execution.pdf
--------------------------------------------------------------------------------
/GSPBC-1065 - Privilege Escalation - Boot or Logon Initialization Scripts.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1065 - Privilege Escalation - Boot or Logon Initialization Scripts.pdf
--------------------------------------------------------------------------------
/GSPBC-1066 - Initial Access - Replication Through Removable Media.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1066 - Initial Access - Replication Through Removable Media.pdf
--------------------------------------------------------------------------------
/GSPBC-1067 - Persistence - Scheduled Task or Job.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1067 - Persistence - Scheduled Task or Job.pdf
--------------------------------------------------------------------------------
/GSPBC-1068 - Credential Access - Network Sniffing.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1068 - Credential Access - Network Sniffing.pdf
--------------------------------------------------------------------------------
/GSPBC-1069 - Command and Control - Communication Through Removable Media.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1069 - Command and Control - Communication Through Removable Media.pdf
--------------------------------------------------------------------------------
/GSPBC-1070 - Command and Control - Protocol Tunneling.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1070 - Command and Control - Protocol Tunneling.pdf
--------------------------------------------------------------------------------
/GSPBC-1071 - Exfiltration - Exfiltration Over Web Service.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1071 - Exfiltration - Exfiltration Over Web Service.pdf
--------------------------------------------------------------------------------
/GSPBC-1072 - Privilege Escalation - Process Injection.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1072 - Privilege Escalation - Process Injection.pdf
--------------------------------------------------------------------------------
/GSPBC-1073 - Privilege Escalation - Access Token Manipulation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1073 - Privilege Escalation - Access Token Manipulation.pdf
--------------------------------------------------------------------------------
/GSPBC-1074 - Reconnaissance - Search Open Websites_Domains.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1074 - Reconnaissance - Search Open Websites_Domains.pdf
--------------------------------------------------------------------------------
/GSPBC-1075 - Initial Access - Supply Chain Compromise.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1075 - Initial Access - Supply Chain Compromise.pdf
--------------------------------------------------------------------------------
/GSPBC-1076 - Discovery - Group Policy Discovery.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1076 - Discovery - Group Policy Discovery.pdf
--------------------------------------------------------------------------------
/GSPBC-1077 - Persistence - Power Settings (1).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1077 - Persistence - Power Settings (1).pdf
--------------------------------------------------------------------------------
/GSPBC-1078 - Lateral Movement - Lateral Tool Transfer.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1078 - Lateral Movement - Lateral Tool Transfer.pdf
--------------------------------------------------------------------------------
/GSPBC-1079 - Defense Evasion - XSL Script Processing.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1079 - Defense Evasion - XSL Script Processing.pdf
--------------------------------------------------------------------------------
/GSPBC-1080 - Impact - Network Denial of Service.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1080 - Impact - Network Denial of Service.pdf
--------------------------------------------------------------------------------
/GSPBC-1081 - Impact - Endpoint Denial of Service.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1081 - Impact - Endpoint Denial of Service.pdf
--------------------------------------------------------------------------------
/GSPBC-1082 - Reconnaissance - Gather Victim Network Information.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1082 - Reconnaissance - Gather Victim Network Information.pdf
--------------------------------------------------------------------------------
/GSPBC-1083 - Initial Access - Content Injection.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1083 - Initial Access - Content Injection.pdf
--------------------------------------------------------------------------------
/GSPBC-1084 - Persistence - Compromise Client Software Binary.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1084 - Persistence - Compromise Client Software Binary.pdf
--------------------------------------------------------------------------------
/GSPBC-1085 - Defense Evasion - Template Injection.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1085 - Defense Evasion - Template Injection.pdf
--------------------------------------------------------------------------------
/GSPBC-1086 - Discovery - Query Registry.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1086 - Discovery - Query Registry.pdf
--------------------------------------------------------------------------------
/GSPBC-1087 - Collection - Video Capture.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1087 - Collection - Video Capture.pdf
--------------------------------------------------------------------------------
/GSPBC-1088 - Reconnaissance - Gather Victim Org Information.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/GSPBC-1088 - Reconnaissance - Gather Victim Org Information.pdf
--------------------------------------------------------------------------------
/HTML/GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1002 - Credential Access - Spearphishing - Phishing.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1002 - Credential Access - Spearphishing - Phishing.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1004 - Lateral Movement - Pass the Hash.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1004 - Lateral Movement - Pass the Hash.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1008 - Money Mule Scams - CEO Fraud.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1008 - Money Mule Scams - CEO Fraud.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1009 - Persistence - Web Shells.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1009 - Persistence - Web Shells.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1010 - Device Theft - Device Loss.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1010 - Device Theft - Device Loss.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1011 - Initial Access - Drive By Compromise.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1011 - Initial Access - Drive By Compromise.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1013 - Impact - Defacement.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1013 - Impact - Defacement.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1015 - Defense Evasion - Disabling Security Software.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1015 - Defense Evasion - Disabling Security Software.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1016 - Defense Evasion - Install Root Certificate.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1016 - Defense Evasion - Install Root Certificate.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1017 - Credential Access - Password Spraying.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1017 - Credential Access - Password Spraying.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1019 - Persistence - BITS Jobs.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1019 - Persistence - BITS Jobs.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1020 - Persistence - Pre-OS Boot.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1020 - Persistence - Pre-OS Boot.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1021 - Privilege Escalation - Group Policy Modification.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1021 - Privilege Escalation - Group Policy Modification.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1022 - Defense Evasion - Process Injection.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1022 - Defense Evasion - Process Injection.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1024 - Credential Access - OS Credential Dumping.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1024 - Credential Access - OS Credential Dumping.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1025 - Credential Access - Unsecured Credentials.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1025 - Credential Access - Unsecured Credentials.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1027 - Impact - Disk Wipe.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1027 - Impact - Disk Wipe.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1028 - Persistence - Office Application Startup.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1028 - Persistence - Office Application Startup.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1029 - Execution - User Execution.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1029 - Execution - User Execution.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1030 - Reconnaissance - Active Scanning.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1030 - Reconnaissance - Active Scanning.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1031 - Persistence - Hijack Execution Flow.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1031 - Persistence - Hijack Execution Flow.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1032 - Resource Development - Compromise Accounts.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1032 - Resource Development - Compromise Accounts.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1033 - Credential Access - Input Capture.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1033 - Credential Access - Input Capture.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1034 - Execution - Native API.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1034 - Execution - Native API.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1035 - Credential Access - Credentials from Password Stores.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1035 - Credential Access - Credentials from Password Stores.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1036 - Defense Evasion - Indirect Command Execution.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1036 - Defense Evasion - Indirect Command Execution.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1037 - Execution - Deploy Container.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1037 - Execution - Deploy Container.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1038 - Credential Access - Steal Web Session Cookies.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1038 - Credential Access - Steal Web Session Cookies.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1040 - Discovery - Process Discovery.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1040 - Discovery - Process Discovery.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1042 - Lateral Movement - Replication Through Removable Media.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1042 - Lateral Movement - Replication Through Removable Media.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1043 - Execution - Exploitation for Client Execution.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1043 - Execution - Exploitation for Client Execution.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1044 - Lateral Movement - Taint Shared Content.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1044 - Lateral Movement - Taint Shared Content.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1045 - Privilege Escalation - Create or Modify System Process.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1045 - Privilege Escalation - Create or Modify System Process.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1046 - Defense Evasion - Subvert Trust Controls.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1046 - Defense Evasion - Subvert Trust Controls.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1047 - Defense Evasion - Domain Policy Modification.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1047 - Defense Evasion - Domain Policy Modification.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1048 - Credential Access - Brute Force.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1048 - Credential Access - Brute Force.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1049 - Impact - Resource Hijacking.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1049 - Impact - Resource Hijacking.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1050 - Initial Access - Hardware Additions.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1050 - Initial Access - Hardware Additions.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1052 - Defense Evasion - Impair Defenses.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1052 - Defense Evasion - Impair Defenses.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1053 - Initial Access - Exploit Public-Facing Application.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1053 - Initial Access - Exploit Public-Facing Application.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1054 - Discovery - Password Policy Discovery.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1054 - Discovery - Password Policy Discovery.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1056 - Reconnaissance - Gather Victim Host Information.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1056 - Reconnaissance - Gather Victim Host Information.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1057 - Defense Evasion - Valid Accounts.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1057 - Defense Evasion - Valid Accounts.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1058 - Persistence - Modify Authentication Process.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1058 - Persistence - Modify Authentication Process.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1059 - Discovery - Browser Bookmark Discovery.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1059 - Discovery - Browser Bookmark Discovery.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1062 - Command and Control - Application Layer Protocol.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1062 - Command and Control - Application Layer Protocol.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1063 - Execution - Scheduled Task or Job.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1063 - Execution - Scheduled Task or Job.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1064 - Persistence - Event Triggered Execution.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1064 - Persistence - Event Triggered Execution.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1066 - Initial Access - Replication Through Removable Media.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1066 - Initial Access - Replication Through Removable Media.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1067 - Persistence - Scheduled Task or Job.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1067 - Persistence - Scheduled Task or Job.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1068 - Credential Access - Network Sniffing.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1068 - Credential Access - Network Sniffing.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1069 - Command and Control - Communication Through Removable Media.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1069 - Command and Control - Communication Through Removable Media.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1071 - Exfiltration - Exfiltration Over Web Services.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1071 - Exfiltration - Exfiltration Over Web Services.html
--------------------------------------------------------------------------------
/HTML/GSPBC-1074 - Reconnaissance - Search Open Websites and Domains.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/HTML/GSPBC-1074 - Reconnaissance - Search Open Websites and Domains.html
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/LICENSE
--------------------------------------------------------------------------------
/Markdown/GSPBC - 1071 - Exfiltration - Exfiltration Over Web Services.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC - 1071 - Exfiltration - Exfiltration Over Web Services.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1000 - Impact - Data Encrypted For Impact - Ransomware.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1001 - Initial Access - Exploit Enterprise Resources - Mobile Device SIM Attacks.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1002 - Credential Access - Spearphishing - Phishing.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1002 - Credential Access - Spearphishing - Phishing.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1003 - Exfiltration - Automated Exfiltration - Data Theft.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1004 - Lateral Movement - Pass the Hash.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1004 - Lateral Movement - Pass the Hash.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1005 - Persistence - Create Account - Backdoor User Accounts.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1006 - Initial Access - Trusted Relationship - Vendor Access to Infrastructure.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1007 - Persistence - Browser Extensions - Malicious Browser Extensions.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1008 - Money Mule Scams - CEO Fraud.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1008 - Money Mule Scams - CEO Fraud.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1009 - Persistence - Web Shells.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1009 - Persistence - Web Shells.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1010 - Device Theft - Device Loss.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1010 - Device Theft - Device Loss.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1011 - Initial Access - Drive By Compromise.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1011 - Initial Access - Drive By Compromise.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1012 - Initial Access - External Remote Services - Unauthorized VPN and VDI Access.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1013 - Impact - Defacement.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1013 - Impact - Defacement.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1014 - Impact - Inhibit System Recovery - Disabling Volume Shadow Service.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1015 - Defense Evasion - Disabling Security Software.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1015 - Defense Evasion - Disabling Security Software.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1016 - Defense Evasion - Install Root Certificate.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1016 - Defense Evasion - Install Root Certificate.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1017 - Credential Access - Password Spraying.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1017 - Credential Access - Password Spraying.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1018 - Collection - Email Collection - Cloud Email Compromise.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1019 - Persistence - BITS Jobs.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1019 - Persistence - BITS Jobs.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1020 - Persistence - Pre-OS Boot.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1020 - Persistence - Pre-OS Boot.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1021 - Privilege Escalation - Group Policy Modification.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1021 - Privilege Escalation - Group Policy Modification.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1022 - Defense Evasion - Process Injection.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1022 - Defense Evasion - Process Injection.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1023 - Privilege Escalation - Exploitation for Privilege Escalation.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1024 - Credential Access - OS Credential Dumping.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1024 - Credential Access - OS Credential Dumping.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1025 - Credential Access - Unsecured Credentials.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1025 - Credential Access - Unsecured Credentials.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1026 - Defense Evasion - Obfuscated Files or Information.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1027 - Impact - Disk Wipe.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1027 - Impact - Disk Wipe.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1028 - Persistence - Office Application Startup.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1028 - Persistence - Office Application Startup.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1029 - Execution - User Execution.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1029 - Execution - User Execution.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1030 - Reconnaissance - Active Scanning.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1030 - Reconnaissance - Active Scanning.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1031 - Persistence - Hijack Execution Flow.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1031 - Persistence - Hijack Execution Flow.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1032 - Resource Development - Compromise Accounts.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1032 - Resource Development - Compromise Accounts.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1033 - Credential Access - Input Capture.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1033 - Credential Access - Input Capture.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1034 - Execution - Native API.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1034 - Execution - Native API.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1035 - Credential Access - Credentials from Password Stores.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1035 - Credential Access - Credentials from Password Stores.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1036 - Defense Evasion - Indirect Command Execution.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1036 - Defense Evasion - Indirect Command Execution.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1037 - Execution - Deploy Container.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1037 - Execution - Deploy Container.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1038 - Credential Access - Steal Web Session Cookies.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1038 - Credential Access - Steal Web Session Cookies.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1039 - Lateral Movement - Use Alternate Authentication Material.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1040 - Discovery - Process Discovery.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1040 - Discovery - Process Discovery.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1041 - Persistence - Boot or Logon Autostart Execution.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1042 - Lateral Movement - Replication Through Removable Media.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1042 - Lateral Movement - Replication Through Removable Media.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1043 - Execution - Exploitation for Client Execution.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1043 - Execution - Exploitation for Client Execution.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1044 - Lateral Movement - Taint Shared Content.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1044 - Lateral Movement - Taint Shared Content.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1045 - Privilege Escalation - Create or Modify System Process.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1045 - Privilege Escalation - Create or Modify System Process.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1046 - Defense Evasion - Subvert Trust Controls.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1046 - Defense Evasion - Subvert Trust Controls.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1047 - Defense Evasion - Domain Policy Modification.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1047 - Defense Evasion - Domain Policy Modification.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1048 - Credential Access - Brute Force.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1048 - Credential Access - Brute Force.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1049 - Impact - Resource Hijacking.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1049 - Impact - Resource Hijacking.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1050 - Initial Access - Hardware Additions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1050 - Initial Access - Hardware Additions.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1052 - Defense Evasion - Impair Defenses.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1052 - Defense Evasion - Impair Defenses.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1053 - Initial Access - Exploit Public-Facing Application.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1053 - Initial Access - Exploit Public-Facing Application.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1054 - Discovery - Password Policy Discovery.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1054 - Discovery - Password Policy Discovery.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1056 - Reconnaissance - Gather Victim Host Information.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1056 - Reconnaissance - Gather Victim Host Information.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1057 - Defense Evasion - Valid Accounts.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1057 - Defense Evasion - Valid Accounts.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1058 - Persistence - Modify Authentication Process.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1058 - Persistence - Modify Authentication Process.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1059 - Discovery - Browser Bookmark Discovery.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1059 - Discovery - Browser Bookmark Discovery.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1062 - Command and Control - Application Layer Protocol.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1062 - Command and Control - Application Layer Protocol.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1063 - Execution - Scheduled Task or Job.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1063 - Execution - Scheduled Task or Job.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1064 - Persistence - Event Triggered Execution.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1064 - Persistence - Event Triggered Execution.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1066 - Initial Access - Replication Through Removable Media.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1066 - Initial Access - Replication Through Removable Media.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1067 - Persistence - Scheduled Task or Job.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1067 - Persistence - Scheduled Task or Job.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1068 - Credential Access - Network Sniffing.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1068 - Credential Access - Network Sniffing.md
--------------------------------------------------------------------------------
/Markdown/GSPBC-1069 - Command and Control - Communication Through Removable Media.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/Markdown/GSPBC-1069 - Command and Control - Communication Through Removable Media.md
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/README.md
--------------------------------------------------------------------------------
/images/GSPBC-1000.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/images/GSPBC-1000.png
--------------------------------------------------------------------------------
/presentation-20191101-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/guardsight/gsvsoc_cirt-playbook-battle-cards/HEAD/presentation-20191101-1.pdf
--------------------------------------------------------------------------------