mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
Add MITRE Fight Fraud Framework (F3 v1.1) mappings to fraud-relevant skills
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing, account takeover, banking malware, BEC, identity/KYC, payment/card fraud, money-mule/cash-out, ransomware extortion, DFIR, threat intel) - Map each skill to F3 v1.1 tactics + precise technique IDs, including the two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and Monetization (FA0002) - All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle (github.com/center-for-threat-informed-defense/fight-fraud-framework): 0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs - mitre_f3 kept as a separate block from mitre_attack (F3 redefines several ATT&CK tactics for the fraud context) - Add docs/mitre-f3-mapping.md schema reference - Update README: F3 as the 6th framework, dedicated F3 section + badge
This commit is contained in:
@@ -30,6 +30,33 @@ mitre_attack:
|
||||
- T1566.002
|
||||
- T1608.005
|
||||
- T1596.003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- resource-development
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
---
|
||||
# Analyzing Certificate Transparency for Phishing
|
||||
|
||||
|
||||
@@ -26,6 +26,38 @@ mitre_attack:
|
||||
- T1566.001
|
||||
- T1566.002
|
||||
- T1598.003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- stealth
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Analyzing Email Headers for Phishing Investigation
|
||||
|
||||
@@ -34,6 +34,29 @@ mitre_attack:
|
||||
- T1105
|
||||
- T1041
|
||||
- T1567
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
---
|
||||
# Analyzing Indicators of Compromise
|
||||
|
||||
|
||||
@@ -29,6 +29,29 @@ mitre_attack:
|
||||
- T1059.004
|
||||
- T1620
|
||||
- T1574.006
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
- reconnaissance
|
||||
techniques:
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Analyzing Linux ELF Malware
|
||||
|
||||
@@ -28,6 +28,24 @@ mitre_attack:
|
||||
- T1573.001
|
||||
- T1573.002
|
||||
- T1027
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
- positioning
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Analyzing Ransomware Encryption Mechanisms
|
||||
|
||||
@@ -27,6 +27,28 @@ mitre_attack:
|
||||
- T1486
|
||||
- T1567.002
|
||||
- T1591
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
- reconnaissance
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1029
|
||||
name: Gather Customer Information
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1025.003
|
||||
name: 'Electronic Funds Transfer: Wire Transfer'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Analyzing Ransomware Leak Site Intelligence
|
||||
|
||||
|
||||
@@ -33,6 +33,24 @@ mitre_attack:
|
||||
- T1048
|
||||
- T1567.002
|
||||
- T1486
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Analyzing Ransomware Network Indicators
|
||||
|
||||
@@ -28,6 +28,32 @@ nist_csf:
|
||||
mitre_attack:
|
||||
- T1657
|
||||
- T1486
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
- stealth
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017
|
||||
name: Conversion to Physical Monetary Instruments
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1045
|
||||
name: Structuring
|
||||
tactic: stealth
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Analyzing Ransomware Payment Wallets
|
||||
|
||||
@@ -31,6 +31,33 @@ mitre_attack:
|
||||
- T1566.002
|
||||
- T1598.003
|
||||
- T1583.006
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Analyzing TLS Certificate Transparency Logs
|
||||
|
||||
@@ -30,6 +30,33 @@ mitre_attack:
|
||||
- T1566.002
|
||||
- T1598.003
|
||||
- T1583.006
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- resource-development
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
---
|
||||
# Analyzing Typosquatting Domains with DNSTwist
|
||||
|
||||
|
||||
@@ -29,6 +29,29 @@ mitre_attack:
|
||||
- T1611
|
||||
- T1613
|
||||
- T1078.004
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- defense-impairment
|
||||
techniques:
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: T1531
|
||||
name: Account Access Removal
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Auditing Kubernetes Cluster RBAC
|
||||
|
||||
@@ -28,6 +28,32 @@ mitre_attack:
|
||||
- T1484.002
|
||||
- T1078.004
|
||||
- T1110.003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1110.003
|
||||
name: 'Brute Force: Password Spraying'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1550
|
||||
name: Use Alternate Authentication Material
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Building Identity Federation with SAML Azure AD
|
||||
|
||||
@@ -34,6 +34,33 @@ mitre_attack:
|
||||
- T1078
|
||||
- T1531
|
||||
- T1087
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- defense-impairment
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1042
|
||||
name: Reactivate Account
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Building Identity Governance Lifecycle Process
|
||||
|
||||
@@ -19,6 +19,30 @@ mitre_attack:
|
||||
- T1598.003
|
||||
- T1204.001
|
||||
- T1534
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
version: '1.0'
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -30,6 +30,28 @@ mitre_attack:
|
||||
- T1489
|
||||
- T1078
|
||||
- T1021.002
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Building Ransomware Playbook with CISA Framework
|
||||
|
||||
@@ -23,6 +23,28 @@ mitre_attack:
|
||||
- T1489
|
||||
- T1566
|
||||
- T1059.001
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
version: '1.0'
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -23,6 +23,38 @@ mitre_attack:
|
||||
- T1204.001
|
||||
- T1114
|
||||
- T1056.003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -35,6 +35,37 @@ mitre_attack:
|
||||
- T1566.004
|
||||
- T1204.001
|
||||
- T1589
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1029
|
||||
name: Gather Customer Information
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Conducting Social Engineering Penetration Test
|
||||
|
||||
@@ -38,6 +38,37 @@ mitre_attack:
|
||||
- T1589
|
||||
- T1591
|
||||
- T1598
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1034
|
||||
name: Interactive Voice Response Mapping
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: F1029
|
||||
name: Gather Customer Information
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1040
|
||||
name: Phone Number Spoofing
|
||||
tactic: stealth
|
||||
source: f3
|
||||
- id: F1040.002
|
||||
name: 'Phone Number Spoofing: Official Phone Number Spoofing'
|
||||
tactic: stealth
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Conducting Social Engineering Pretext Call
|
||||
|
||||
@@ -33,6 +33,37 @@ mitre_attack:
|
||||
- T1598.002
|
||||
- T1204.002
|
||||
- T1204.001
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1585
|
||||
name: Establish Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Conducting Spearphishing Simulation Campaign
|
||||
|
||||
|
||||
@@ -28,6 +28,28 @@ mitre_attack:
|
||||
- T1078.004
|
||||
- T1133
|
||||
- T1021.007
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Configuring Identity-Aware Proxy with Google IAP
|
||||
|
||||
@@ -26,6 +26,28 @@ mitre_attack:
|
||||
- T1557.001
|
||||
- T1040
|
||||
- T1078.002
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1110.003
|
||||
name: 'Brute Force: Password Spraying'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
# Configuring LDAP Security Hardening
|
||||
|
||||
|
||||
@@ -28,6 +28,28 @@ mitre_attack:
|
||||
- T1539
|
||||
- T1606.001
|
||||
- T1212
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
# Configuring OAuth 2.0 Authorization Flow
|
||||
|
||||
|
||||
@@ -30,6 +30,29 @@ mitre_attack:
|
||||
- T1083
|
||||
- T1490
|
||||
- T1485
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
- positioning
|
||||
- stealth
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1070
|
||||
name: Indicator Removal
|
||||
tactic: stealth
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Deploying Decoy Files for Ransomware Detection
|
||||
|
||||
@@ -32,6 +32,23 @@ mitre_attack:
|
||||
- T1083
|
||||
- T1490
|
||||
- T1485
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017
|
||||
name: Conversion to Physical Monetary Instruments
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1025.003
|
||||
name: 'Electronic Funds Transfer: Wire Transfer'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Deploying Ransomware Canary Files
|
||||
|
||||
|
||||
@@ -37,6 +37,32 @@ mitre_attack:
|
||||
- T1110.004
|
||||
- T1078
|
||||
- T1021
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110.003
|
||||
name: 'Brute Force: Password Spraying'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Detecting Anomalous Authentication Patterns
|
||||
|
||||
@@ -26,6 +26,33 @@ mitre_attack:
|
||||
- T1538
|
||||
- T1098.001
|
||||
- T1526
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- defense-impairment
|
||||
techniques:
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1586.003
|
||||
name: 'Compromise Accounts: Cloud Accounts'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.001
|
||||
name: 'Account Manipulation: Account Linking'
|
||||
tactic: defense-impairment
|
||||
source: f3
|
||||
---
|
||||
# Detecting AWS CloudTrail Anomalies
|
||||
|
||||
|
||||
@@ -27,6 +27,32 @@ mitre_attack:
|
||||
- T1552
|
||||
- T1078.004
|
||||
- T1589.001
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Detecting AWS Credential Exposure with TruffleHog
|
||||
|
||||
@@ -44,6 +44,38 @@ mitre_attack:
|
||||
- T1114.002
|
||||
- T1657
|
||||
- T1078.004
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- stealth
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005.006
|
||||
name: 'Account Manipulation: Change of Payment Details'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1022
|
||||
name: Delete Relevant Emails
|
||||
tactic: stealth
|
||||
source: f3
|
||||
- id: F1025.003
|
||||
name: 'Electronic Funds Transfer: Wire Transfer'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Detecting Business Email Compromise with AI
|
||||
|
||||
|
||||
@@ -39,6 +39,38 @@ mitre_attack:
|
||||
- T1114.002
|
||||
- T1657
|
||||
- T1078.004
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- monetization
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1036
|
||||
name: New Vendor Setup
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.006
|
||||
name: 'Account Manipulation: Change of Payment Details'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1025.003
|
||||
name: 'Electronic Funds Transfer: Wire Transfer'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1022
|
||||
name: Delete Relevant Emails
|
||||
tactic: stealth
|
||||
source: f3
|
||||
---
|
||||
# Detecting Business Email Compromise
|
||||
|
||||
|
||||
@@ -29,6 +29,33 @@ mitre_attack:
|
||||
- T1537
|
||||
- T1580
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- defense-impairment
|
||||
techniques:
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1586.003
|
||||
name: 'Compromise Accounts: Cloud Accounts'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: defense-impairment
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Detecting Compromised Cloud Credentials
|
||||
|
||||
@@ -32,6 +32,33 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- positioning
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1555.003
|
||||
name: 'Credentials from Password Stores: Credentials from Web Browsers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1110.002
|
||||
name: 'Brute Force: Password Cracking'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Detecting Credential Dumping Techniques
|
||||
|
||||
@@ -29,6 +29,29 @@ mitre_attack:
|
||||
- T1537
|
||||
- T1580
|
||||
- T1071
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- resource-development
|
||||
- monetization
|
||||
techniques:
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1586.003
|
||||
name: 'Compromise Accounts: Cloud Accounts'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1583.003
|
||||
name: 'Acquire Infrastructure: Virtual Private Network or Server'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Detecting Cryptomining in Cloud
|
||||
|
||||
@@ -47,6 +47,34 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1566
|
||||
- T1598
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- stealth
|
||||
- monetization
|
||||
techniques:
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1031
|
||||
name: Impersonate Account Holder
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1040
|
||||
name: Phone Number Spoofing
|
||||
tactic: stealth
|
||||
source: f3
|
||||
- id: F1034
|
||||
name: Interactive Voice Response Mapping
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: F1025.003
|
||||
name: 'Electronic Funds Transfer: Wire Transfer'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Detecting Deepfake Audio in Vishing Attacks
|
||||
|
||||
@@ -31,6 +31,33 @@ mitre_attack:
|
||||
- T1036
|
||||
- T1078
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- execution
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1453
|
||||
name: Abuse Accessibility Features
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1003
|
||||
name: Abuse SMS verification
|
||||
tactic: execution
|
||||
source: f3
|
||||
- id: T1113
|
||||
name: Screen Capture
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1002.001
|
||||
name: 'Abuse of Public-Facing API: Mobile API Abuse'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
---
|
||||
# Detecting Mobile Malware Behavior
|
||||
|
||||
|
||||
@@ -32,6 +32,36 @@ mitre_attack:
|
||||
- T1530
|
||||
- T1537
|
||||
- T1580
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1185
|
||||
name: Browser Session Hijacking
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Detecting OAuth Token Theft
|
||||
|
||||
@@ -33,6 +33,33 @@ mitre_attack:
|
||||
- T1534
|
||||
- T1036
|
||||
- T1027
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Detecting QR Code Phishing with Email Security
|
||||
|
||||
|
||||
@@ -31,6 +31,29 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1486
|
||||
- T1490
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
- positioning
|
||||
- stealth
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1070
|
||||
name: Indicator Removal
|
||||
tactic: stealth
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Detecting Ransomware Encryption Behavior
|
||||
|
||||
@@ -32,6 +32,29 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1650
|
||||
name: Acquire Access
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Detecting Ransomware Precursors in Network Traffic
|
||||
|
||||
|
||||
@@ -26,6 +26,38 @@ mitre_attack:
|
||||
- T1566.002
|
||||
- T1204.001
|
||||
- T1204.002
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- stealth
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1031
|
||||
name: Impersonate Account Holder
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
---
|
||||
# Detecting Spearphishing with Email Gateway
|
||||
|
||||
|
||||
@@ -33,6 +33,33 @@ mitre_attack:
|
||||
- T1003.002
|
||||
- T1003.003
|
||||
- T1003.006
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- positioning
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1555.003
|
||||
name: 'Credentials from Password Stores: Credentials from Web Browsers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Detecting T1003 Credential Dumping with EDR
|
||||
|
||||
@@ -31,6 +31,38 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1078
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Executing Phishing Simulation Campaign
|
||||
|
||||
|
||||
@@ -18,6 +18,37 @@ mitre_attack:
|
||||
- T1119
|
||||
- T1070
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- positioning
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1555.003
|
||||
name: 'Credentials from Password Stores: Credentials from Web Browsers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
version: '1.0'
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -30,6 +30,28 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110.003
|
||||
name: 'Brute Force: Password Spraying'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Hunting Credential Stuffing Attacks
|
||||
|
||||
@@ -32,6 +32,33 @@ mitre_attack:
|
||||
- T1082
|
||||
- T1083
|
||||
- T1566
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1031
|
||||
name: Impersonate Account Holder
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Hunting For Spearphishing Indicators
|
||||
|
||||
@@ -26,6 +26,33 @@ mitre_attack:
|
||||
- T1598
|
||||
- T1534
|
||||
- T1036
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1031
|
||||
name: Impersonate Account Holder
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Implementing Anti-Phishing Training Program
|
||||
|
||||
|
||||
@@ -31,6 +31,29 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1486
|
||||
- T1490
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1531
|
||||
name: Account Access Removal
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Anti-Ransomware Group Policy
|
||||
|
||||
@@ -26,6 +26,29 @@ mitre_attack:
|
||||
- T1110
|
||||
- T1556
|
||||
- T1098
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- defense-impairment
|
||||
techniques:
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1110.003
|
||||
name: 'Brute Force: Password Spraying'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: defense-impairment
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Azure AD Privileged Identity Management
|
||||
|
||||
@@ -33,6 +33,37 @@ mitre_attack:
|
||||
- T1557
|
||||
- T1071
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- execution
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1185
|
||||
name: Browser Session Hijacking
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1007
|
||||
name: Adversary-in-the-Browser
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1007.002
|
||||
name: 'Adversary-in-the-Browser: Malicious Browser Extension'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1007.003
|
||||
name: 'Adversary-in-the-Browser: Malicious JavaScript Injection'
|
||||
tactic: execution
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Browser Isolation for Zero Trust
|
||||
|
||||
@@ -30,6 +30,33 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1555.005
|
||||
name: 'Credentials from Password Stores: Password Managers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Delinea Secret Server for PAM
|
||||
|
||||
@@ -31,6 +31,33 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1566
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- stealth
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Google Workspace Admin Security
|
||||
|
||||
@@ -27,6 +27,38 @@ mitre_attack:
|
||||
- T1534
|
||||
- T1036
|
||||
- T1027
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1031
|
||||
name: Impersonate Account Holder
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
---
|
||||
# Implementing Google Workspace Phishing Protection
|
||||
|
||||
|
||||
@@ -25,6 +25,32 @@ mitre_attack:
|
||||
- T1110
|
||||
- T1556
|
||||
- T1098
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Google Workspace SSO Configuration
|
||||
|
||||
@@ -30,6 +30,38 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- stealth
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1005.004
|
||||
name: 'Account Manipulation: Change Account Details'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing HashiCorp Vault Dynamic Secrets
|
||||
|
||||
@@ -38,6 +38,34 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1486
|
||||
- T1490
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- initial-access
|
||||
- monetization
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Implementing Honeypot for Ransomware Detection
|
||||
|
||||
|
||||
@@ -26,6 +26,33 @@ mitre_attack:
|
||||
- T1110
|
||||
- T1556
|
||||
- T1098
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- initial-access
|
||||
- defense-impairment
|
||||
techniques:
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1042
|
||||
name: Reactivate Account
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Implementing Identity Governance with SailPoint
|
||||
|
||||
|
||||
@@ -31,6 +31,37 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1566
|
||||
- T1598
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- reconnaissance
|
||||
techniques:
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1111
|
||||
name: Multi-Factor Authentication Interception
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Implementing Identity Verification for Zero Trust
|
||||
|
||||
@@ -26,6 +26,34 @@ mitre_attack:
|
||||
- T1598
|
||||
- T1534
|
||||
- T1036
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- reconnaissance
|
||||
- stealth
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
---
|
||||
# Implementing Mimecast Targeted Attack Protection
|
||||
|
||||
|
||||
@@ -27,6 +27,33 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005.004
|
||||
name: 'Account Manipulation: Change Account Details'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Implementing PAM for Database Access
|
||||
|
||||
|
||||
@@ -30,6 +30,35 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1566
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1111
|
||||
name: Multi-Factor Authentication Interception
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Passwordless Auth with Microsoft Entra
|
||||
|
||||
@@ -26,6 +26,33 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Implementing Privileged Access Management with CyberArk
|
||||
|
||||
|
||||
@@ -28,6 +28,38 @@ mitre_attack:
|
||||
- T1534
|
||||
- T1036
|
||||
- T1027
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- stealth
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1029
|
||||
name: Gather Customer Information
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: F1005.006
|
||||
name: 'Account Manipulation: Change of Payment Details'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
---
|
||||
# Implementing Proofpoint Email Security Gateway
|
||||
|
||||
|
||||
@@ -42,6 +42,28 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1531
|
||||
name: Account Access Removal
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Implementing Ransomware Backup Strategy
|
||||
|
||||
|
||||
@@ -31,6 +31,28 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1486
|
||||
- T1490
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017
|
||||
name: Conversion to Physical Monetary Instruments
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Ransomware Kill Switch Detection
|
||||
|
||||
@@ -27,6 +27,33 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1553
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006.003
|
||||
name: 'Account Takeover: Password Reset'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Implementing SAML SSO with Okta
|
||||
|
||||
|
||||
@@ -25,6 +25,33 @@ mitre_attack:
|
||||
- T1110
|
||||
- T1556
|
||||
- T1098
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.004
|
||||
name: 'Account Manipulation: Change Account Details'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1042
|
||||
name: Reactivate Account
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing SCIM Provisioning with Okta
|
||||
|
||||
@@ -36,6 +36,33 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1610
|
||||
- T1611
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- resource-development
|
||||
- initial-access
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1195
|
||||
name: Supply Chain Compromise
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1608
|
||||
name: Stage Capabilities
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1608.006
|
||||
name: 'Stage Capabilities: SEO Poisoning'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1070
|
||||
name: Indicator Removal
|
||||
tactic: stealth
|
||||
source: attack
|
||||
---
|
||||
# Implementing Sigstore for Software Signing
|
||||
|
||||
|
||||
@@ -23,6 +23,34 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1566
|
||||
- T1598
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
|
||||
|
||||
@@ -28,6 +28,33 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Implementing Zero Trust with HashiCorp Boundary
|
||||
|
||||
@@ -23,6 +23,39 @@ mitre_attack:
|
||||
- T1685.005
|
||||
- T1566
|
||||
- T1598
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
- stealth
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
version: '1.0'
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -25,6 +25,33 @@ mitre_attack:
|
||||
- T1119
|
||||
- T1070
|
||||
- T1486
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- stealth
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1070
|
||||
name: Indicator Removal
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Investigating Ransomware Attack Artifacts
|
||||
|
||||
@@ -29,6 +29,36 @@ mitre_attack:
|
||||
- T1537
|
||||
- T1580
|
||||
- T1566
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110.003
|
||||
name: 'Brute Force: Password Spraying'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
---
|
||||
|
||||
# Managing Cloud Identity with Okta
|
||||
|
||||
@@ -41,6 +41,33 @@ mitre_attack:
|
||||
- T1593
|
||||
- T1589
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1650
|
||||
name: Acquire Access
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1555.003
|
||||
name: 'Credentials from Password Stores: Credentials from Web Browsers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1029
|
||||
name: Gather Customer Information
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
---
|
||||
# Monitoring Dark Web Sources
|
||||
|
||||
|
||||
@@ -26,6 +26,34 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1071
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- defense-impairment
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.007
|
||||
name: 'Account Manipulation: Enable Account Features'
|
||||
tactic: defense-impairment
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Performing Access Recertification with Saviynt
|
||||
|
||||
@@ -28,6 +28,36 @@ mitre_attack:
|
||||
- T1534
|
||||
- T1036
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1185
|
||||
name: Browser Session Hijacking
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Performing Adversary-in-the-Middle Phishing Detection
|
||||
|
||||
|
||||
@@ -27,6 +27,38 @@ mitre_attack:
|
||||
- T1593
|
||||
- T1589
|
||||
- T1566
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1583.008
|
||||
name: 'Acquire Infrastructure: Malvertising'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1032
|
||||
name: Impersonate Official
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1672
|
||||
name: Email Spoofing
|
||||
tactic: stealth
|
||||
source: attack
|
||||
---
|
||||
# Performing Brand Monitoring for Impersonation
|
||||
|
||||
|
||||
@@ -32,6 +32,37 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1078
|
||||
- T1021
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- positioning
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1555.003
|
||||
name: 'Credentials from Password Stores: Credentials from Web Browsers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1555.005
|
||||
name: 'Credentials from Password Stores: Password Managers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Performing Credential Access with LaZagne
|
||||
|
||||
|
||||
@@ -22,6 +22,29 @@ mitre_attack:
|
||||
- T1600
|
||||
- T1573
|
||||
- T1553
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Performing Cryptographic Audit of Application
|
||||
|
||||
|
||||
@@ -29,6 +29,34 @@ mitre_attack:
|
||||
- T1110
|
||||
- T1556
|
||||
- T1098
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- defense-impairment
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1586
|
||||
name: Compromise Accounts
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1033
|
||||
name: Insider Access Abuse
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.002
|
||||
name: 'Account Manipulation: Add Authorized User'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1005.007
|
||||
name: 'Account Manipulation: Enable Account Features'
|
||||
tactic: defense-impairment
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Performing Entitlement Review with SailPoint IdentityIQ
|
||||
|
||||
@@ -31,6 +31,32 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1555
|
||||
name: Credentials from Password Stores
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1029
|
||||
name: Gather Customer Information
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
- id: T1110.001
|
||||
name: 'Brute Force: Password Guessing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Performing Firmware Extraction with Binwalk
|
||||
|
||||
@@ -32,6 +32,41 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1078
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- resource-development
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: T1111
|
||||
name: Multi-Factor Authentication Interception
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Performing Initial Access with EvilGinx3
|
||||
|
||||
|
||||
@@ -29,6 +29,37 @@ mitre_attack:
|
||||
- T1110
|
||||
- T1556
|
||||
- T1098
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- stealth
|
||||
techniques:
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1004
|
||||
name: Access with Stolen Session Cookie
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1005.001
|
||||
name: 'Account Manipulation: Account Linking'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: T1539
|
||||
name: Steal Web Session Cookie
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1023
|
||||
name: Device Fingerprint Spoofing
|
||||
tactic: stealth
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Performing OAuth Scope Minimization Review
|
||||
|
||||
@@ -27,6 +27,37 @@ mitre_attack:
|
||||
- T1593
|
||||
- T1589
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1593.002
|
||||
name: 'Search Open Websites/Domains: Search Engines'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1650
|
||||
name: Acquire Access
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1555.003
|
||||
name: 'Credentials from Password Stores: Credentials from Web Browsers'
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1110.004
|
||||
name: 'Brute Force: Credential Stuffing'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1029
|
||||
name: Gather Customer Information
|
||||
tactic: reconnaissance
|
||||
source: f3
|
||||
---
|
||||
# Performing Paste Site Monitoring for Credentials
|
||||
|
||||
|
||||
@@ -26,6 +26,37 @@ mitre_attack:
|
||||
- T1598
|
||||
- T1534
|
||||
- T1036
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- resource-development
|
||||
- initial-access
|
||||
- reconnaissance
|
||||
techniques:
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1557
|
||||
name: Adversary-in-the-Middle
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1031
|
||||
name: Impersonate Account Holder
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
# Performing Phishing Simulation with GoPhish
|
||||
|
||||
|
||||
@@ -22,6 +22,33 @@ mitre_attack:
|
||||
- T1070
|
||||
- T1078
|
||||
- T1489
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
- stealth
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017
|
||||
name: Conversion to Physical Monetary Instruments
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1025.003
|
||||
name: 'Electronic Funds Transfer: Wire Transfer'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: T1070
|
||||
name: Indicator Removal
|
||||
tactic: stealth
|
||||
source: attack
|
||||
- id: F1006
|
||||
name: Account Takeover
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -31,6 +31,28 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1486
|
||||
- T1490
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1531
|
||||
name: Account Access Removal
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Performing Ransomware Tabletop Exercise
|
||||
|
||||
|
||||
@@ -28,6 +28,33 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- resource-development
|
||||
- reconnaissance
|
||||
- initial-access
|
||||
techniques:
|
||||
- id: T1598
|
||||
name: Phishing for Information
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1660
|
||||
name: Phishing
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
---
|
||||
|
||||
|
||||
|
||||
@@ -26,6 +26,33 @@ mitre_attack:
|
||||
- T1556
|
||||
- T1098
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
- stealth
|
||||
techniques:
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1110
|
||||
name: Brute Force
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: positioning
|
||||
source: f3
|
||||
- id: F1023
|
||||
name: Device Fingerprint Spoofing
|
||||
tactic: stealth
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Performing Service Account Credential Rotation
|
||||
|
||||
@@ -31,6 +31,29 @@ mitre_attack:
|
||||
- T1059
|
||||
- T1003
|
||||
- T1110
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
- defense-impairment
|
||||
techniques:
|
||||
- id: T1531
|
||||
name: Account Access Removal
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1005
|
||||
name: Account Manipulation
|
||||
tactic: defense-impairment
|
||||
source: f3
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
# Recovering from Ransomware Attack
|
||||
|
||||
|
||||
@@ -34,6 +34,24 @@ mitre_attack:
|
||||
- T1140
|
||||
- T1497
|
||||
- T1486
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- monetization
|
||||
- positioning
|
||||
techniques:
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: T1219
|
||||
name: Remote Access Tools
|
||||
tactic: positioning
|
||||
source: attack
|
||||
---
|
||||
# Reverse Engineering Ransomware Encryption Routine
|
||||
|
||||
|
||||
@@ -28,6 +28,32 @@ mitre_attack:
|
||||
- T1537
|
||||
- T1580
|
||||
- T1003
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- initial-access
|
||||
- positioning
|
||||
techniques:
|
||||
- id: F1006.001
|
||||
name: 'Account Takeover: Exposed API Key'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: F1006.002
|
||||
name: 'Account Takeover: Exposed Login Credential'
|
||||
tactic: initial-access
|
||||
source: f3
|
||||
- id: T1550.001
|
||||
name: 'Use Alternate Authentication Material: Application Access Token'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: T1110.003
|
||||
name: 'Brute Force: Password Spraying'
|
||||
tactic: initial-access
|
||||
source: attack
|
||||
- id: F1005.004
|
||||
name: 'Account Manipulation: Change Account Details'
|
||||
tactic: positioning
|
||||
source: f3
|
||||
---
|
||||
|
||||
# Securing AWS IAM Permissions
|
||||
|
||||
@@ -27,6 +27,28 @@ mitre_attack:
|
||||
- T1070
|
||||
- T1078
|
||||
- T1489
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1531
|
||||
name: Account Access Removal
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Testing Ransomware Recovery Procedures
|
||||
|
||||
|
||||
@@ -29,6 +29,36 @@ mitre_attack:
|
||||
- T1593
|
||||
- T1589
|
||||
- T1566
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- reconnaissance
|
||||
- resource-development
|
||||
techniques:
|
||||
- id: T1593
|
||||
name: Search Open Websites/Domains
|
||||
tactic: reconnaissance
|
||||
source: attack
|
||||
- id: T1583.001
|
||||
name: 'Acquire Infrastructure: Domains'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1583.008
|
||||
name: 'Acquire Infrastructure: Malvertising'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: T1583.003
|
||||
name: 'Acquire Infrastructure: Virtual Private Network or Server'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
- id: F1020.002
|
||||
name: 'Create Fake Materials: Fake Website'
|
||||
tactic: resource-development
|
||||
source: f3
|
||||
- id: T1608.006
|
||||
name: 'Stage Capabilities: SEO Poisoning'
|
||||
tactic: resource-development
|
||||
source: attack
|
||||
---
|
||||
# Tracking Threat Actor Infrastructure
|
||||
|
||||
|
||||
@@ -26,6 +26,28 @@ mitre_attack:
|
||||
- T1070
|
||||
- T1078
|
||||
- T1489
|
||||
mitre_f3:
|
||||
version: '1.1'
|
||||
tactics:
|
||||
- positioning
|
||||
- monetization
|
||||
techniques:
|
||||
- id: T1531
|
||||
name: Account Access Removal
|
||||
tactic: positioning
|
||||
source: attack
|
||||
- id: F1018
|
||||
name: Convert to Cryptocurrency
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1047
|
||||
name: Transfer of funds
|
||||
tactic: monetization
|
||||
source: f3
|
||||
- id: F1017.001
|
||||
name: 'Conversion to Physical Monetary Instruments: Cash'
|
||||
tactic: monetization
|
||||
source: f3
|
||||
---
|
||||
# Validating Backup Integrity for Recovery
|
||||
|
||||
|
||||
Reference in New Issue
Block a user