mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-15 20:25:18 +03:00
feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
This commit is contained in:
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: acquiring-disk-image-with-dd-and-dcfldd
|
name: acquiring-disk-image-with-dd-and-dcfldd
|
||||||
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
|
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
|
||||||
|
hash verification.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- disk-imaging
|
||||||
|
- evidence-acquisition
|
||||||
|
- dd
|
||||||
|
- dcfldd
|
||||||
|
- hash-verification
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Acquiring Disk Image with dd and dcfldd
|
# Acquiring Disk Image with dd and dcfldd
|
||||||
|
|||||||
@@ -1,12 +1,21 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-active-directory-acl-abuse
|
name: analyzing-active-directory-acl-abuse
|
||||||
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
|
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
|
||||||
|
WriteOwner abuse paths
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: identity-security
|
subdomain: identity-security
|
||||||
tags: [active-directory, acl-abuse, ldap, privilege-escalation]
|
tags:
|
||||||
version: "1.0"
|
- active-directory
|
||||||
|
- acl-abuse
|
||||||
|
- ldap
|
||||||
|
- privilege-escalation
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.AA-01
|
||||||
|
- PR.AA-05
|
||||||
|
- PR.AA-06
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-android-malware-with-apktool
|
name: analyzing-android-malware-with-apktool
|
||||||
description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
|
description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
|
||||||
|
recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
|
tags:
|
||||||
version: "1.0"
|
- Android
|
||||||
|
- APK
|
||||||
|
- apktool
|
||||||
|
- jadx
|
||||||
|
- androguard
|
||||||
|
- mobile-malware
|
||||||
|
- static-analysis
|
||||||
|
- reverse-engineering
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Android Malware with Apktool
|
# Analyzing Android Malware with Apktool
|
||||||
|
|||||||
@@ -1,16 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-api-gateway-access-logs
|
name: analyzing-api-gateway-access-logs
|
||||||
description: >
|
description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
|
||||||
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
|
credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
|
||||||
attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
|
Use when investigating API abuse or building API-specific threat detection rules.
|
||||||
for statistical analysis of request patterns and anomaly detection. Use when
|
|
||||||
investigating API abuse or building API-specific threat detection rules.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: security-operations
|
subdomain: security-operations
|
||||||
tags: [analyzing, api, gateway, access]
|
tags:
|
||||||
version: "1.0"
|
- analyzing
|
||||||
|
- api
|
||||||
|
- gateway
|
||||||
|
- access
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- RS.MA-01
|
||||||
|
- GV.OV-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing API Gateway Access Logs
|
# Analyzing API Gateway Access Logs
|
||||||
|
|||||||
@@ -22,6 +22,11 @@ d3fend_techniques:
|
|||||||
- File Metadata Consistency Validation
|
- File Metadata Consistency Validation
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- File Content Analysis
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing APT Group with MITRE ATT&CK Navigator
|
# Analyzing APT Group with MITRE ATT&CK Navigator
|
||||||
|
|
||||||
|
|||||||
@@ -1,16 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-azure-activity-logs-for-threats
|
name: analyzing-azure-activity-logs-for-threats
|
||||||
description: >
|
description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
|
||||||
Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
|
operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
|
||||||
detect suspicious administrative operations, impossible travel, privilege escalation,
|
Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
|
||||||
and resource modifications. Builds KQL queries for threat hunting in Azure environments.
|
|
||||||
Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: security-operations
|
subdomain: security-operations
|
||||||
tags: [analyzing, azure, activity, logs]
|
tags:
|
||||||
version: "1.0"
|
- analyzing
|
||||||
|
- azure
|
||||||
|
- activity
|
||||||
|
- logs
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- RS.MA-01
|
||||||
|
- GV.OV-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Azure Activity Logs for Threats
|
# Analyzing Azure Activity Logs for Threats
|
||||||
|
|||||||
@@ -1,17 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-bootkit-and-rootkit-samples
|
name: analyzing-bootkit-and-rootkit-samples
|
||||||
description: >
|
description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
|
||||||
Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
|
(VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
|
||||||
Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
|
and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
|
||||||
Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
|
|
||||||
Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
|
|
||||||
persistence analysis, or pre-OS malware detection.
|
persistence analysis, or pre-OS malware detection.
|
||||||
|
|
||||||
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
|
tags:
|
||||||
|
- malware
|
||||||
|
- bootkit
|
||||||
|
- rootkit
|
||||||
|
- UEFI
|
||||||
|
- MBR-analysis
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Bootkit and Rootkit Samples
|
# Analyzing Bootkit and Rootkit Samples
|
||||||
|
|||||||
@@ -1,12 +1,28 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-browser-forensics-with-hindsight
|
name: analyzing-browser-forensics-with-hindsight
|
||||||
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
|
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
|
||||||
|
content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
|
tags:
|
||||||
version: "1.0"
|
- browser-forensics
|
||||||
|
- hindsight
|
||||||
|
- chrome-forensics
|
||||||
|
- chromium
|
||||||
|
- edge
|
||||||
|
- browsing-history
|
||||||
|
- cookies
|
||||||
|
- downloads
|
||||||
|
- cache
|
||||||
|
- web-artifacts
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Browser Forensics with Hindsight
|
# Analyzing Browser Forensics with Hindsight
|
||||||
|
|||||||
@@ -1,12 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-campaign-attribution-evidence
|
name: analyzing-campaign-attribution-evidence
|
||||||
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
|
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
|
||||||
|
group is responsible for a cyber operation. This skill covers collecting and weighting attr
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
|
tags:
|
||||||
version: "1.0"
|
- threat-intelligence
|
||||||
|
- cti
|
||||||
|
- ioc
|
||||||
|
- mitre-attack
|
||||||
|
- stix
|
||||||
|
- attribution
|
||||||
|
- campaign-analysis
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Campaign Attribution Evidence
|
# Analyzing Campaign Attribution Evidence
|
||||||
|
|
||||||
|
|||||||
@@ -18,6 +18,11 @@ author: mahipal
|
|||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
atlas_techniques:
|
atlas_techniques:
|
||||||
- AML.T0052
|
- AML.T0052
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Certificate Transparency for Phishing
|
# Analyzing Certificate Transparency for Phishing
|
||||||
|
|
||||||
|
|||||||
@@ -20,6 +20,11 @@ nist_ai_rmf:
|
|||||||
- MEASURE-2.7
|
- MEASURE-2.7
|
||||||
- MAP-5.1
|
- MAP-5.1
|
||||||
- MANAGE-2.4
|
- MANAGE-2.4
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-cobalt-strike-beacon-configuration
|
name: analyzing-cobalt-strike-beacon-configuration
|
||||||
description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
|
description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
|
||||||
|
malleable profiles, and operator tradecraft.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
|
tags:
|
||||||
version: "1.0"
|
- cobalt-strike
|
||||||
|
- beacon
|
||||||
|
- c2
|
||||||
|
- malware-analysis
|
||||||
|
- config-extraction
|
||||||
|
- threat-hunting
|
||||||
|
- red-team-tools
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
# Analyzing Cobalt Strike Beacon Configuration
|
# Analyzing Cobalt Strike Beacon Configuration
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-cobaltstrike-malleable-c2-profiles
|
name: analyzing-cobaltstrike-malleable-c2-profiles
|
||||||
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
|
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
|
||||||
|
C2 indicators, detect evasion techniques, and generate network detection signatures.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
|
tags:
|
||||||
version: "1.0"
|
- cobalt-strike
|
||||||
|
- malleable-c2
|
||||||
|
- c2-detection
|
||||||
|
- beacon-analysis
|
||||||
|
- network-signatures
|
||||||
|
- threat-hunting
|
||||||
|
- red-team-tools
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
# Analyzing CobaltStrike Malleable C2 Profiles
|
# Analyzing CobaltStrike Malleable C2 Profiles
|
||||||
|
|
||||||
|
|||||||
@@ -1,17 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-command-and-control-communication
|
name: analyzing-command-and-control-communication
|
||||||
description: >
|
description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
|
||||||
Analyzes malware command-and-control (C2) communication protocols to understand beacon
|
data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
|
||||||
patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
|
threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
|
||||||
and custom protocol C2 analysis for detection development and threat intelligence.
|
command-and-control infrastructure mapping.
|
||||||
Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
|
|
||||||
engineering, or command-and-control infrastructure mapping.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, C2, command-and-control, beacon, protocol-analysis]
|
tags:
|
||||||
|
- malware
|
||||||
|
- C2
|
||||||
|
- command-and-control
|
||||||
|
- beacon
|
||||||
|
- protocol-analysis
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Command-and-Control Communication
|
# Analyzing Command-and-Control Communication
|
||||||
|
|||||||
@@ -1,18 +1,29 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-cyber-kill-chain
|
name: analyzing-cyber-kill-chain
|
||||||
description: >
|
description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
|
||||||
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
|
an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
|
||||||
which phases an adversary has completed, where defenses succeeded or failed, and what controls
|
phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
|
||||||
would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
|
gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
|
||||||
building prevention-focused security controls, or mapping detection gaps to kill chain phases.
|
|
||||||
Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
|
|
||||||
or Lockheed Martin kill chain framework.
|
or Lockheed Martin kill chain framework.
|
||||||
|
|
||||||
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
|
tags:
|
||||||
|
- kill-chain
|
||||||
|
- Lockheed-Martin
|
||||||
|
- MITRE-ATT&CK
|
||||||
|
- intrusion-analysis
|
||||||
|
- defense-in-depth
|
||||||
|
- NIST-CSF
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: team-cybersecurity
|
author: team-cybersecurity
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Cyber Kill Chain
|
# Analyzing Cyber Kill Chain
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-disk-image-with-autopsy
|
name: analyzing-disk-image-with-autopsy
|
||||||
description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
|
description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
|
||||||
|
build investigation timelines.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- autopsy
|
||||||
|
- disk-analysis
|
||||||
|
- sleuth-kit
|
||||||
|
- file-recovery
|
||||||
|
- artifact-analysis
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Disk Image with Autopsy
|
# Analyzing Disk Image with Autopsy
|
||||||
|
|||||||
@@ -23,6 +23,11 @@ atlas_techniques:
|
|||||||
- AML.T0024
|
- AML.T0024
|
||||||
- AML.T0056
|
- AML.T0056
|
||||||
- AML.T0086
|
- AML.T0086
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
|
- DE.AE-06
|
||||||
---
|
---
|
||||||
# Analyzing DNS Logs for Exfiltration
|
# Analyzing DNS Logs for Exfiltration
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-docker-container-forensics
|
name: analyzing-docker-container-forensics
|
||||||
description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
|
description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
|
||||||
|
identify malicious activity and evidence.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- docker
|
||||||
|
- container-forensics
|
||||||
|
- container-security
|
||||||
|
- image-analysis
|
||||||
|
- runtime-investigation
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Docker Container Forensics
|
# Analyzing Docker Container Forensics
|
||||||
|
|||||||
@@ -17,6 +17,11 @@ author: mahipal
|
|||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
atlas_techniques:
|
atlas_techniques:
|
||||||
- AML.T0052
|
- AML.T0052
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Email Headers for Phishing Investigation
|
# Analyzing Email Headers for Phishing Investigation
|
||||||
|
|||||||
@@ -1,12 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-ethereum-smart-contract-vulnerabilities
|
name: analyzing-ethereum-smart-contract-vulnerabilities
|
||||||
description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
|
description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
|
||||||
|
integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: blockchain-security
|
subdomain: blockchain-security
|
||||||
tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
|
tags:
|
||||||
version: "1.0"
|
- ethereum
|
||||||
|
- solidity
|
||||||
|
- smart-contract
|
||||||
|
- slither
|
||||||
|
- mythril
|
||||||
|
- blockchain
|
||||||
|
- defi
|
||||||
|
- audit
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.DS-01
|
||||||
|
- PR.DS-02
|
||||||
|
- ID.RA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Ethereum Smart Contract Vulnerabilities
|
# Analyzing Ethereum Smart Contract Vulnerabilities
|
||||||
|
|||||||
@@ -1,12 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-golang-malware-with-ghidra
|
name: analyzing-golang-malware-with-ghidra
|
||||||
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
|
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
|
||||||
|
and type reconstruction in stripped Go binaries.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
|
tags:
|
||||||
version: "1.0"
|
- golang
|
||||||
|
- ghidra
|
||||||
|
- reverse-engineering
|
||||||
|
- malware-analysis
|
||||||
|
- binary-analysis
|
||||||
|
- go-malware
|
||||||
|
- disassembly
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
# Analyzing Golang Malware with Ghidra
|
# Analyzing Golang Malware with Ghidra
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,23 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-heap-spray-exploitation
|
name: analyzing-heap-spray-exploitation
|
||||||
description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
|
description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
|
||||||
|
shellcode landing zones, and suspicious large allocations in process virtual address space.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
|
tags:
|
||||||
version: "1.0"
|
- malware-analysis
|
||||||
|
- memory-forensics
|
||||||
|
- heap-spray
|
||||||
|
- volatility3
|
||||||
|
- exploit-analysis
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
# Analyzing Heap Spray Exploitation
|
# Analyzing Heap Spray Exploitation
|
||||||
|
|
||||||
|
|||||||
@@ -22,6 +22,11 @@ author: mahipal
|
|||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
atlas_techniques:
|
atlas_techniques:
|
||||||
- AML.T0052
|
- AML.T0052
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Indicators of Compromise
|
# Analyzing Indicators of Compromise
|
||||||
|
|
||||||
|
|||||||
@@ -26,6 +26,11 @@ nist_ai_rmf:
|
|||||||
- MANAGE-2.4
|
- MANAGE-2.4
|
||||||
- GOVERN-6.2
|
- GOVERN-6.2
|
||||||
- MAP-5.1
|
- MAP-5.1
|
||||||
|
nist_csf:
|
||||||
|
- PR.PS-01
|
||||||
|
- PR.AA-05
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-09
|
||||||
---
|
---
|
||||||
# Analyzing iOS App Security with Objection
|
# Analyzing iOS App Security with Objection
|
||||||
|
|
||||||
|
|||||||
@@ -1,16 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-kubernetes-audit-logs
|
name: analyzing-kubernetes-audit-logs
|
||||||
description: >
|
description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
|
||||||
Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
|
privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
|
||||||
access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
|
Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
|
||||||
threat detection rules from audit event patterns. Use when investigating Kubernetes
|
|
||||||
cluster compromise or building k8s-specific SIEM detection rules.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: container-security
|
subdomain: container-security
|
||||||
tags: [analyzing, kubernetes, audit, logs]
|
tags:
|
||||||
version: "1.0"
|
- analyzing
|
||||||
|
- kubernetes
|
||||||
|
- audit
|
||||||
|
- logs
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.PS-01
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Kubernetes Audit Logs
|
# Analyzing Kubernetes Audit Logs
|
||||||
|
|||||||
@@ -1,18 +1,29 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-linux-audit-logs-for-intrusion
|
name: analyzing-linux-audit-logs-for-intrusion
|
||||||
description: >
|
description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
|
||||||
Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
|
access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
|
||||||
to detect intrusion attempts, unauthorized access, privilege escalation, and
|
and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
|
||||||
suspicious system activity. Covers audit rule configuration, log querying,
|
|
||||||
timeline reconstruction, and integration with SIEM platforms. Activates for
|
|
||||||
requests involving auditd analysis, Linux audit log investigation, ausearch
|
|
||||||
queries, aureport summaries, or host-based intrusion detection on Linux.
|
queries, aureport summaries, or host-based intrusion detection on Linux.
|
||||||
|
|
||||||
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: incident-response
|
subdomain: incident-response
|
||||||
tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics]
|
tags:
|
||||||
|
- auditd
|
||||||
|
- ausearch
|
||||||
|
- aureport
|
||||||
|
- linux-security
|
||||||
|
- intrusion-detection
|
||||||
|
- HIDS
|
||||||
|
- forensics
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.MA-01
|
||||||
|
- RS.MA-02
|
||||||
|
- RS.AN-03
|
||||||
|
- RC.RP-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Linux Audit Logs for Intrusion
|
# Analyzing Linux Audit Logs for Intrusion
|
||||||
|
|||||||
@@ -1,17 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-linux-elf-malware
|
name: analyzing-linux-elf-malware
|
||||||
description: >
|
description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
|
||||||
Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
|
and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
|
||||||
cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
|
reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
|
||||||
infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
|
Linux server compromise assessment, or container malware analysis.
|
||||||
x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
|
|
||||||
ELF binary investigation, Linux server compromise assessment, or container malware analysis.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, Linux, ELF, reverse-engineering, server-malware]
|
tags:
|
||||||
|
- malware
|
||||||
|
- Linux
|
||||||
|
- ELF
|
||||||
|
- reverse-engineering
|
||||||
|
- server-malware
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Linux ELF Malware
|
# Analyzing Linux ELF Malware
|
||||||
|
|||||||
@@ -1,12 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-linux-kernel-rootkits
|
name: analyzing-linux-kernel-rootkits
|
||||||
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
|
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
|
||||||
|
rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
|
||||||
|
tampered system structures.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
|
tags:
|
||||||
version: "1.0"
|
- rootkit
|
||||||
|
- linux
|
||||||
|
- kernel
|
||||||
|
- volatility3
|
||||||
|
- memory-forensics
|
||||||
|
- malware-analysis
|
||||||
|
- rkhunter
|
||||||
|
- forensics
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Linux Kernel Rootkits
|
# Analyzing Linux Kernel Rootkits
|
||||||
|
|||||||
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-linux-system-artifacts
|
name: analyzing-linux-system-artifacts
|
||||||
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
|
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
|
||||||
|
evidence of compromise or unauthorized activity.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- linux-forensics
|
||||||
|
- system-artifacts
|
||||||
|
- log-analysis
|
||||||
|
- persistence-detection
|
||||||
|
- incident-investigation
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Linux System Artifacts
|
# Analyzing Linux System Artifacts
|
||||||
|
|||||||
@@ -1,12 +1,28 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-lnk-file-and-jump-list-artifacts
|
name: analyzing-lnk-file-and-jump-list-artifacts
|
||||||
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
|
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
|
||||||
|
and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files]
|
tags:
|
||||||
version: "1.0"
|
- lnk-files
|
||||||
|
- jump-lists
|
||||||
|
- lecmd
|
||||||
|
- jlecmd
|
||||||
|
- windows-forensics
|
||||||
|
- shell-link
|
||||||
|
- user-activity
|
||||||
|
- file-access
|
||||||
|
- program-execution
|
||||||
|
- recent-files
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing LNK File and Jump List Artifacts
|
# Analyzing LNK File and Jump List Artifacts
|
||||||
|
|||||||
@@ -26,6 +26,11 @@ d3fend_techniques:
|
|||||||
- Identifier Analysis
|
- Identifier Analysis
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- Message Analysis
|
- Message Analysis
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Macro Malware in Office Documents
|
# Analyzing Macro Malware in Office Documents
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-malicious-pdf-with-peepdf
|
name: analyzing-malicious-pdf-with-peepdf
|
||||||
description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
|
description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
|
||||||
|
shellcode, and suspicious objects.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir]
|
tags:
|
||||||
version: "1.0"
|
- malware-analysis
|
||||||
|
- pdf
|
||||||
|
- peepdf
|
||||||
|
- pdfid
|
||||||
|
- pdf-parser
|
||||||
|
- static-analysis
|
||||||
|
- reverse-engineering
|
||||||
|
- dfir
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Malicious PDF with peepdf
|
# Analyzing Malicious PDF with peepdf
|
||||||
|
|||||||
@@ -17,6 +17,11 @@ author: mahipal
|
|||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
atlas_techniques:
|
atlas_techniques:
|
||||||
- AML.T0052
|
- AML.T0052
|
||||||
|
nist_csf:
|
||||||
|
- PR.AT-01
|
||||||
|
- DE.CM-09
|
||||||
|
- RS.CO-02
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Malicious URL with URLScan
|
# Analyzing Malicious URL with URLScan
|
||||||
|
|
||||||
|
|||||||
@@ -1,17 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-malware-behavior-with-cuckoo-sandbox
|
name: analyzing-malware-behavior-with-cuckoo-sandbox
|
||||||
description: >
|
description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
|
||||||
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including
|
modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
|
||||||
process creation, file system modifications, registry changes, network communications,
|
classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
|
||||||
and API calls. Generates comprehensive behavioral reports for malware classification
|
analysis, or automated malware execution.
|
||||||
and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox
|
|
||||||
detonation, behavioral analysis, or automated malware execution.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis]
|
tags:
|
||||||
|
- malware
|
||||||
|
- dynamic-analysis
|
||||||
|
- sandbox
|
||||||
|
- Cuckoo
|
||||||
|
- behavioral-analysis
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Malware Behavior with Cuckoo Sandbox
|
# Analyzing Malware Behavior with Cuckoo Sandbox
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-malware-family-relationships-with-malpedia
|
name: analyzing-malware-family-relationships-with-malpedia
|
||||||
description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.
|
description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
|
||||||
|
to threat actors, and integrate YARA rules for detection across malware lineages.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence]
|
tags:
|
||||||
version: "1.0"
|
- malpedia
|
||||||
|
- malware-family
|
||||||
|
- yara
|
||||||
|
- threat-actor
|
||||||
|
- malware-tracking
|
||||||
|
- threat-intelligence
|
||||||
|
- variant-analysis
|
||||||
|
- malware-intelligence
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Malware Family Relationships with Malpedia
|
# Analyzing Malware Family Relationships with Malpedia
|
||||||
|
|
||||||
|
|||||||
@@ -1,6 +1,10 @@
|
|||||||
---
|
---
|
||||||
{}
|
name: analyzing-malware-persistence-with-autoruns
|
||||||
---tags:
|
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
|
||||||
|
keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
|
||||||
|
domain: cybersecurity
|
||||||
|
subdomain: malware-analysis
|
||||||
|
tags:
|
||||||
- autoruns
|
- autoruns
|
||||||
- persistence
|
- persistence
|
||||||
- malware-analysis
|
- malware-analysis
|
||||||
@@ -9,4 +13,113 @@
|
|||||||
- registry
|
- registry
|
||||||
- startup
|
- startup
|
||||||
- incident-response
|
- incident-response
|
||||||
|
mitre_attack:
|
||||||
|
- T1547
|
||||||
|
- T1053
|
||||||
|
- T1543
|
||||||
|
- T1546
|
||||||
version: '1.0'
|
version: '1.0'
|
||||||
|
author: mahipal
|
||||||
|
license: Apache-2.0
|
||||||
|
d3fend_techniques:
|
||||||
|
- Executable Denylisting
|
||||||
|
- Execution Isolation
|
||||||
|
- File Metadata Consistency Validation
|
||||||
|
- Content Format Conversion
|
||||||
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
|
---
|
||||||
|
# Analyzing Malware Persistence with Autoruns
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
|
||||||
|
|
||||||
|
|
||||||
|
## When to Use
|
||||||
|
|
||||||
|
- When investigating security incidents that require analyzing malware persistence with autoruns
|
||||||
|
- When building detection rules or threat hunting queries for this domain
|
||||||
|
- When SOC analysts need structured procedures for this analysis type
|
||||||
|
- When validating security monitoring coverage for related attack techniques
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
|
||||||
|
- Administrative privileges on target system
|
||||||
|
- Python 3.9+ for automated analysis
|
||||||
|
- VirusTotal API key for reputation checks
|
||||||
|
- Clean baseline export for comparison
|
||||||
|
|
||||||
|
## Workflow
|
||||||
|
|
||||||
|
### Step 1: Automated Persistence Scanning
|
||||||
|
|
||||||
|
```python
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
"""Automate Autoruns-based persistence analysis."""
|
||||||
|
import subprocess
|
||||||
|
import csv
|
||||||
|
import json
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
|
||||||
|
cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
|
||||||
|
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
|
||||||
|
with open(csv_path, 'w') as f:
|
||||||
|
f.write(result.stdout)
|
||||||
|
return parse_and_flag(csv_path)
|
||||||
|
|
||||||
|
|
||||||
|
def parse_and_flag(csv_path):
|
||||||
|
suspicious = []
|
||||||
|
with open(csv_path, 'r', errors='replace') as f:
|
||||||
|
for row in csv.DictReader(f):
|
||||||
|
reasons = []
|
||||||
|
signer = row.get("Signer", "")
|
||||||
|
if not signer or signer == "(Not verified)":
|
||||||
|
reasons.append("Unsigned binary")
|
||||||
|
if not row.get("Description") and not row.get("Company"):
|
||||||
|
reasons.append("Missing metadata")
|
||||||
|
path = row.get("Image Path", "").lower()
|
||||||
|
for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
|
||||||
|
if sp in path:
|
||||||
|
reasons.append(f"Suspicious path")
|
||||||
|
launch = row.get("Launch String", "").lower()
|
||||||
|
for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
|
||||||
|
if kw in launch:
|
||||||
|
reasons.append(f"LOLBin: {kw}")
|
||||||
|
if reasons:
|
||||||
|
row["reasons"] = reasons
|
||||||
|
suspicious.append(row)
|
||||||
|
return suspicious
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
if len(sys.argv) > 1:
|
||||||
|
results = parse_and_flag(sys.argv[1])
|
||||||
|
print(f"[!] {len(results)} suspicious entries")
|
||||||
|
for r in results:
|
||||||
|
print(f" {r.get('Entry','')} - {r.get('Image Path','')}")
|
||||||
|
for reason in r.get('reasons', []):
|
||||||
|
print(f" - {reason}")
|
||||||
|
```
|
||||||
|
|
||||||
|
## Validation Criteria
|
||||||
|
|
||||||
|
- All ASEP categories scanned and cataloged
|
||||||
|
- Unsigned entries flagged for investigation
|
||||||
|
- Suspicious paths and LOLBin launch strings highlighted
|
||||||
|
- Baseline comparison identifies new persistence mechanisms
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns)
|
||||||
|
- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/)
|
||||||
|
- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2)
|
||||||
|
- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/)
|
||||||
|
|||||||
@@ -21,6 +21,11 @@ d3fend_techniques:
|
|||||||
- Process Analysis
|
- Process Analysis
|
||||||
- System Call Filtering
|
- System Call Filtering
|
||||||
- Restore Software
|
- Restore Software
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Malware Sandbox Evasion Techniques
|
# Analyzing Malware Sandbox Evasion Techniques
|
||||||
|
|||||||
@@ -1,18 +1,32 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-memory-dumps-with-volatility
|
name: analyzing-memory-dumps-with-volatility
|
||||||
description: >
|
description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
|
||||||
Analyzes RAM memory dumps from compromised systems using the Volatility framework to
|
injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
|
||||||
identify malicious processes, injected code, network connections, loaded modules, and
|
forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
|
||||||
extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates
|
detection, or memory-resident malware investigation.
|
||||||
for requests involving memory forensics, RAM analysis, volatile data examination,
|
|
||||||
process injection detection, or memory-resident malware investigation.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
|
tags:
|
||||||
mitre_attack: ["T1055", "T1003", "T1059", "T1620"]
|
- malware
|
||||||
|
- memory-forensics
|
||||||
|
- Volatility
|
||||||
|
- RAM-analysis
|
||||||
|
- incident-response
|
||||||
|
mitre_attack:
|
||||||
|
- T1055
|
||||||
|
- T1003
|
||||||
|
- T1059
|
||||||
|
- T1620
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Memory Dumps with Volatility
|
# Analyzing Memory Dumps with Volatility
|
||||||
|
|||||||
@@ -1,16 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-memory-forensics-with-lime-and-volatility
|
name: analyzing-memory-forensics-with-lime-and-volatility
|
||||||
description: >
|
description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
|
||||||
Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module
|
3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
|
||||||
and analysis with Volatility 3 framework. Extracts process lists, network connections,
|
memory images. Use when performing incident response on compromised Linux systems.
|
||||||
bash history, loaded kernel modules, and injected code from Linux memory images.
|
|
||||||
Use when performing incident response on compromised Linux systems.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: security-operations
|
subdomain: security-operations
|
||||||
tags: [analyzing, memory, forensics, with]
|
tags:
|
||||||
version: "1.0"
|
- analyzing
|
||||||
|
- memory
|
||||||
|
- forensics
|
||||||
|
- with
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- RS.MA-01
|
||||||
|
- GV.OV-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Memory Forensics with LiME and Volatility
|
# Analyzing Memory Forensics with LiME and Volatility
|
||||||
|
|||||||
@@ -1,12 +1,28 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-mft-for-deleted-file-recovery
|
name: analyzing-mft-for-deleted-file-recovery
|
||||||
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
|
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
|
||||||
|
entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir]
|
tags:
|
||||||
version: "1.0"
|
- mft
|
||||||
|
- ntfs
|
||||||
|
- deleted-files
|
||||||
|
- file-recovery
|
||||||
|
- mftecmd
|
||||||
|
- usn-journal
|
||||||
|
- logfile
|
||||||
|
- mft-slack-space
|
||||||
|
- file-system-forensics
|
||||||
|
- dfir
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing MFT for Deleted File Recovery
|
# Analyzing MFT for Deleted File Recovery
|
||||||
|
|||||||
@@ -21,6 +21,11 @@ d3fend_techniques:
|
|||||||
- Application Protocol Command Analysis
|
- Application Protocol Command Analysis
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- File Content Analysis
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
# Analyzing Network Covert Channels in Malware
|
# Analyzing Network Covert Channels in Malware
|
||||||
|
|
||||||
|
|||||||
@@ -1,16 +1,23 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-network-flow-data-with-netflow
|
name: analyzing-network-flow-data-with-netflow
|
||||||
description: >-
|
description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
|
||||||
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data
|
patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
|
||||||
exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
|
to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
|
||||||
records, builds traffic baselines, and applies statistical analysis to identify flows
|
|
||||||
with abnormal byte counts, connection durations, and periodic timing patterns.
|
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: network-security
|
subdomain: network-security
|
||||||
tags: [analyzing, network, flow, data]
|
tags:
|
||||||
version: "1.0"
|
- analyzing
|
||||||
|
- network
|
||||||
|
- flow
|
||||||
|
- data
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- DE.CM-01
|
||||||
|
- ID.AM-03
|
||||||
|
- PR.DS-02
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,18 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-network-packets-with-scapy
|
name: analyzing-network-packets-with-scapy
|
||||||
description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing
|
description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
|
||||||
|
traffic anomaly detection in authorized security testing
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: network-security
|
subdomain: network-security
|
||||||
tags:
|
tags:
|
||||||
- scapy
|
- scapy
|
||||||
- packet-analysis
|
- packet-analysis
|
||||||
- network-forensics
|
- network-forensics
|
||||||
- protocol-dissection
|
- protocol-dissection
|
||||||
- pcap
|
- pcap
|
||||||
- traffic-analysis
|
- traffic-analysis
|
||||||
version: "1.0"
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- DE.CM-01
|
||||||
|
- ID.AM-03
|
||||||
|
- PR.DS-02
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Network Packets with Scapy
|
# Analyzing Network Packets with Scapy
|
||||||
|
|||||||
@@ -1,19 +1,32 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-network-traffic-for-incidents
|
name: analyzing-network-traffic-for-incidents
|
||||||
description: >
|
description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
|
||||||
Analyzes network traffic captures and flow data to identify adversary activity during
|
command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
|
||||||
security incidents, including command-and-control communications, lateral movement,
|
and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
|
||||||
data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow
|
PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
|
||||||
analysis techniques. Activates for requests involving network traffic analysis,
|
|
||||||
packet capture investigation, PCAP analysis, network forensics, C2 traffic detection,
|
'
|
||||||
or exfiltration detection.
|
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: incident-response
|
subdomain: incident-response
|
||||||
tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
|
tags:
|
||||||
mitre_attack: ["T1071", "T1095", "T1573", "T1572"]
|
- network-forensics
|
||||||
|
- PCAP-analysis
|
||||||
|
- Wireshark
|
||||||
|
- Zeek
|
||||||
|
- traffic-analysis
|
||||||
|
mitre_attack:
|
||||||
|
- T1071
|
||||||
|
- T1095
|
||||||
|
- T1573
|
||||||
|
- T1572
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.MA-01
|
||||||
|
- RS.MA-02
|
||||||
|
- RS.AN-03
|
||||||
|
- RC.RP-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Network Traffic for Incidents
|
# Analyzing Network Traffic for Incidents
|
||||||
|
|||||||
@@ -1,17 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-network-traffic-of-malware
|
name: analyzing-network-traffic-of-malware
|
||||||
description: >
|
description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
|
||||||
Analyzes network traffic generated by malware during sandbox execution or live incident
|
C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
|
||||||
response to identify C2 protocols, data exfiltration channels, payload downloads, and
|
Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
|
||||||
lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests
|
malware detection.
|
||||||
involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or
|
|
||||||
network-based malware detection.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, network-analysis, PCAP, Wireshark, C2-detection]
|
tags:
|
||||||
|
- malware
|
||||||
|
- network-analysis
|
||||||
|
- PCAP
|
||||||
|
- Wireshark
|
||||||
|
- C2-detection
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Network Traffic of Malware
|
# Analyzing Network Traffic of Malware
|
||||||
|
|||||||
@@ -1,15 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-network-traffic-with-wireshark
|
name: analyzing-network-traffic-with-wireshark
|
||||||
description: >
|
description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
|
||||||
Captures and analyzes network packet data using Wireshark and tshark to identify
|
diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
|
||||||
malicious traffic patterns, diagnose protocol issues, extract artifacts, and
|
|
||||||
support incident response investigations on authorized network segments.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: network-security
|
subdomain: network-security
|
||||||
tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap]
|
tags:
|
||||||
version: "1.0"
|
- network-security
|
||||||
|
- wireshark
|
||||||
|
- packet-analysis
|
||||||
|
- traffic-analysis
|
||||||
|
- pcap
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- DE.CM-01
|
||||||
|
- ID.AM-03
|
||||||
|
- PR.DS-02
|
||||||
---
|
---
|
||||||
# Analyzing Network Traffic with Wireshark
|
# Analyzing Network Traffic with Wireshark
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-office365-audit-logs-for-compromise
|
name: analyzing-office365-audit-logs-for-compromise
|
||||||
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
|
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
|
||||||
|
suspicious OAuth app grants, and other indicators of account compromise.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: cloud-security
|
subdomain: cloud-security
|
||||||
tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC]
|
tags:
|
||||||
version: "1.0"
|
- Office365
|
||||||
|
- Microsoft-Graph
|
||||||
|
- audit-logs
|
||||||
|
- email-compromise
|
||||||
|
- inbox-rules
|
||||||
|
- OAuth
|
||||||
|
- BEC
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Office 365 Audit Logs for Compromise
|
# Analyzing Office 365 Audit Logs for Compromise
|
||||||
|
|||||||
@@ -23,6 +23,11 @@ nist_ai_rmf:
|
|||||||
- MANAGE-2.4
|
- MANAGE-2.4
|
||||||
- MANAGE-3.1
|
- MANAGE-3.1
|
||||||
- MEASURE-3.1
|
- MEASURE-3.1
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Outlook PST for Email Forensics
|
# Analyzing Outlook PST for Email Forensics
|
||||||
|
|||||||
@@ -1,16 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-packed-malware-with-upx-unpacker
|
name: analyzing-packed-malware-with-upx-unpacker
|
||||||
description: >
|
description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
|
||||||
Identifies and unpacks UPX-packed and other packed malware samples to expose the original
|
static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression.
|
||||||
executable code for static analysis. Covers both standard UPX unpacking and handling
|
Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
|
||||||
modified UPX headers that prevent automated decompression. Activates for requests involving
|
|
||||||
malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, unpacking, UPX, packing, static-analysis]
|
tags:
|
||||||
|
- malware
|
||||||
|
- unpacking
|
||||||
|
- UPX
|
||||||
|
- packing
|
||||||
|
- static-analysis
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Packed Malware with UPX Unpacker
|
# Analyzing Packed Malware with UPX Unpacker
|
||||||
|
|||||||
@@ -1,17 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-pdf-malware-with-pdfid
|
name: analyzing-pdf-malware-with-pdfid
|
||||||
description: >
|
description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
|
||||||
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded
|
exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads
|
||||||
JavaScript, shellcode, exploits, and suspicious objects without opening the document.
|
for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation,
|
||||||
Determines the attack vector and extracts embedded payloads for further analysis.
|
or suspicious attachment triage.
|
||||||
Activates for requests involving PDF malware analysis, malicious document analysis,
|
|
||||||
PDF exploit investigation, or suspicious attachment triage.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, PDF-analysis, document-malware, PDFiD, static-analysis]
|
tags:
|
||||||
|
- malware
|
||||||
|
- PDF-analysis
|
||||||
|
- document-malware
|
||||||
|
- PDFiD
|
||||||
|
- static-analysis
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing PDF Malware with PDFiD
|
# Analyzing PDF Malware with PDFiD
|
||||||
|
|||||||
@@ -1,6 +1,10 @@
|
|||||||
---
|
---
|
||||||
{}
|
name: analyzing-persistence-mechanisms-in-linux
|
||||||
---tags:
|
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
|
||||||
|
hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
|
||||||
|
domain: cybersecurity
|
||||||
|
subdomain: threat-hunting
|
||||||
|
tags:
|
||||||
- linux-persistence
|
- linux-persistence
|
||||||
- crontab
|
- crontab
|
||||||
- systemd
|
- systemd
|
||||||
@@ -8,4 +12,61 @@
|
|||||||
- auditd
|
- auditd
|
||||||
- threat-hunting
|
- threat-hunting
|
||||||
- incident-response
|
- incident-response
|
||||||
|
mitre_attack:
|
||||||
|
- T1053.003
|
||||||
|
- T1543.002
|
||||||
|
- T1574.006
|
||||||
|
- T1546.004
|
||||||
version: '1.0'
|
version: '1.0'
|
||||||
|
author: mahipal
|
||||||
|
license: Apache-2.0
|
||||||
|
d3fend_techniques:
|
||||||
|
- Executable Denylisting
|
||||||
|
- Execution Isolation
|
||||||
|
- File Metadata Consistency Validation
|
||||||
|
- Process Termination
|
||||||
|
- Content Format Conversion
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- DE.AE-07
|
||||||
|
- ID.RA-05
|
||||||
|
---
|
||||||
|
|
||||||
|
# Analyzing Persistence Mechanisms in Linux
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
|
||||||
|
|
||||||
|
|
||||||
|
## When to Use
|
||||||
|
|
||||||
|
- When investigating security incidents that require analyzing persistence mechanisms in linux
|
||||||
|
- When building detection rules or threat hunting queries for this domain
|
||||||
|
- When SOC analysts need structured procedures for this analysis type
|
||||||
|
- When validating security monitoring coverage for related attack techniques
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
- Root or sudo access on target Linux system (or forensic image)
|
||||||
|
- auditd configured with file watch rules on persistence paths
|
||||||
|
- Python 3.8+ with standard library (os, subprocess, json)
|
||||||
|
- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
|
||||||
|
|
||||||
|
## Steps
|
||||||
|
|
||||||
|
1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
|
||||||
|
2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
|
||||||
|
3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
|
||||||
|
4. **Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
|
||||||
|
5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions
|
||||||
|
6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline
|
||||||
|
7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms
|
||||||
|
|
||||||
|
## Expected Output
|
||||||
|
|
||||||
|
- JSON report of all persistence mechanisms found with risk scores
|
||||||
|
- Timeline of persistence installation from auditd correlation
|
||||||
|
- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
|
||||||
|
- Remediation commands for each detected persistence mechanism
|
||||||
|
|||||||
@@ -27,6 +27,11 @@ nist_ai_rmf:
|
|||||||
- GOVERN-1.1
|
- GOVERN-1.1
|
||||||
- MEASURE-2.7
|
- MEASURE-2.7
|
||||||
- MANAGE-3.1
|
- MANAGE-3.1
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- DE.AE-07
|
||||||
|
- ID.RA-05
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing PowerShell Empire Artifacts
|
# Analyzing PowerShell Empire Artifacts
|
||||||
|
|||||||
@@ -1,16 +1,23 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-powershell-script-block-logging
|
name: analyzing-powershell-script-block-logging
|
||||||
description: >-
|
description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
|
||||||
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated
|
payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
|
||||||
commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
|
analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
|
||||||
reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
|
|
||||||
commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
|
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: security-operations
|
subdomain: security-operations
|
||||||
tags: [analyzing, powershell, script, block]
|
tags:
|
||||||
version: "1.0"
|
- analyzing
|
||||||
|
- powershell
|
||||||
|
- script
|
||||||
|
- block
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- RS.MA-01
|
||||||
|
- GV.OV-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-prefetch-files-for-execution-history
|
name: analyzing-prefetch-files-for-execution-history
|
||||||
description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
|
description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
|
||||||
|
files for forensic investigation.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, prefetch, windows-artifacts, execution-history, timeline-analysis, evidence-collection]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- prefetch
|
||||||
|
- windows-artifacts
|
||||||
|
- execution-history
|
||||||
|
- timeline-analysis
|
||||||
|
- evidence-collection
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Prefetch Files for Execution History
|
# Analyzing Prefetch Files for Execution History
|
||||||
|
|||||||
@@ -1,17 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-ransomware-encryption-mechanisms
|
name: analyzing-ransomware-encryption-mechanisms
|
||||||
description: >
|
description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
|
||||||
Analyzes encryption algorithms, key management, and file encryption routines used by
|
assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
|
||||||
ransomware families to assess decryption feasibility, identify implementation weaknesses,
|
and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery
|
||||||
and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes.
|
assessment, or ransomware decryption feasibility.
|
||||||
Activates for requests involving ransomware cryptanalysis, encryption analysis, key
|
|
||||||
recovery assessment, or ransomware decryption feasibility.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: malware-analysis
|
subdomain: malware-analysis
|
||||||
tags: [malware, ransomware, encryption, cryptanalysis, reverse-engineering]
|
tags:
|
||||||
|
- malware
|
||||||
|
- ransomware
|
||||||
|
- encryption
|
||||||
|
- cryptanalysis
|
||||||
|
- reverse-engineering
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Ransomware Encryption Mechanisms
|
# Analyzing Ransomware Encryption Mechanisms
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-ransomware-leak-site-intelligence
|
name: analyzing-ransomware-leak-site-intelligence
|
||||||
description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
|
description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
|
||||||
|
on group tactics, and assess sector-specific ransomware risk for proactive defense.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [ransomware, leak-site, data-leak, extortion, threat-intelligence, monitoring, dls, victim-tracking]
|
tags:
|
||||||
version: "1.0"
|
- ransomware
|
||||||
|
- leak-site
|
||||||
|
- data-leak
|
||||||
|
- extortion
|
||||||
|
- threat-intelligence
|
||||||
|
- monitoring
|
||||||
|
- dls
|
||||||
|
- victim-tracking
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Ransomware Leak Site Intelligence
|
# Analyzing Ransomware Leak Site Intelligence
|
||||||
|
|
||||||
|
|||||||
@@ -21,6 +21,11 @@ d3fend_techniques:
|
|||||||
- Application Protocol Command Analysis
|
- Application Protocol Command Analysis
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- File Content Analysis
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- DE.AE-07
|
||||||
|
- ID.RA-05
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Ransomware Network Indicators
|
# Analyzing Ransomware Network Indicators
|
||||||
|
|||||||
@@ -1,18 +1,28 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-ransomware-payment-wallets
|
name: analyzing-ransomware-payment-wallets
|
||||||
description: >
|
description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
|
||||||
Traces ransomware cryptocurrency payment flows using blockchain analysis tools
|
WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges,
|
||||||
such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
|
and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis,
|
||||||
wallet clusters, tracks fund movement through mixers and exchanges, and supports
|
cryptocurrency forensics, or blockchain intelligence gathering.
|
||||||
law enforcement attribution. Activates for requests involving ransomware payment
|
|
||||||
tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain
|
'
|
||||||
intelligence gathering.
|
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: ransomware-defense
|
subdomain: ransomware-defense
|
||||||
tags: [ransomware, blockchain, cryptocurrency, forensics, threat-intelligence, bitcoin]
|
tags:
|
||||||
|
- ransomware
|
||||||
|
- blockchain
|
||||||
|
- cryptocurrency
|
||||||
|
- forensics
|
||||||
|
- threat-intelligence
|
||||||
|
- bitcoin
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.DS-11
|
||||||
|
- RS.MA-01
|
||||||
|
- RC.RP-01
|
||||||
|
- PR.IR-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Ransomware Payment Wallets
|
# Analyzing Ransomware Payment Wallets
|
||||||
|
|||||||
@@ -31,6 +31,11 @@ nist_ai_rmf:
|
|||||||
- MANAGE-2.2
|
- MANAGE-2.2
|
||||||
- GOVERN-1.1
|
- GOVERN-1.1
|
||||||
- GOVERN-4.2
|
- GOVERN-4.2
|
||||||
|
nist_csf:
|
||||||
|
- GV.SC-01
|
||||||
|
- GV.SC-03
|
||||||
|
- GV.SC-06
|
||||||
|
- GV.SC-07
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing SBOM for Supply Chain Vulnerabilities
|
# Analyzing SBOM for Supply Chain Vulnerabilities
|
||||||
|
|||||||
@@ -1,8 +1,267 @@
|
|||||||
---
|
---
|
||||||
{}
|
name: analyzing-security-logs-with-splunk
|
||||||
---tags:
|
description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
|
||||||
|
through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy
|
||||||
|
logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis,
|
||||||
|
security event correlation, or log-based incident investigation.
|
||||||
|
|
||||||
|
'
|
||||||
|
domain: cybersecurity
|
||||||
|
subdomain: incident-response
|
||||||
|
tags:
|
||||||
- splunk
|
- splunk
|
||||||
- SPL
|
- SPL
|
||||||
- SIEM
|
- SIEM
|
||||||
- log-analysis
|
- log-analysis
|
||||||
- security-monitoring
|
- security-monitoring
|
||||||
|
mitre_attack:
|
||||||
|
- T1070
|
||||||
|
- T1562
|
||||||
|
- T1059
|
||||||
|
version: 1.0.0
|
||||||
|
author: mahipal
|
||||||
|
license: Apache-2.0
|
||||||
|
atlas_techniques:
|
||||||
|
- AML.T0070
|
||||||
|
- AML.T0066
|
||||||
|
- AML.T0082
|
||||||
|
d3fend_techniques:
|
||||||
|
- Executable Denylisting
|
||||||
|
- Execution Isolation
|
||||||
|
- File Metadata Consistency Validation
|
||||||
|
- Content Format Conversion
|
||||||
|
- File Content Analysis
|
||||||
|
nist_ai_rmf:
|
||||||
|
- MEASURE-2.7
|
||||||
|
- MAP-5.1
|
||||||
|
- MANAGE-2.4
|
||||||
|
- MANAGE-3.1
|
||||||
|
- MEASURE-3.1
|
||||||
|
nist_csf:
|
||||||
|
- RS.MA-01
|
||||||
|
- RS.MA-02
|
||||||
|
- RS.AN-03
|
||||||
|
- RC.RP-01
|
||||||
|
---
|
||||||
|
|
||||||
|
# Analyzing Security Logs with Splunk
|
||||||
|
|
||||||
|
## When to Use
|
||||||
|
|
||||||
|
- Investigating a security incident that requires correlation across multiple log sources
|
||||||
|
- Hunting for adversary activity using known TTPs and IOCs
|
||||||
|
- Building detection rules for specific attack patterns
|
||||||
|
- Reconstructing an incident timeline from disparate log sources
|
||||||
|
- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns
|
||||||
|
|
||||||
|
**Do not use** for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis.
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
- Splunk Enterprise or Splunk Cloud with Enterprise Security (ES) app installed
|
||||||
|
- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway
|
||||||
|
- Splunk CIM (Common Information Model) data models configured for normalized field names
|
||||||
|
- SPL proficiency at intermediate level or higher
|
||||||
|
- Role-based access with `search` and `accelerate_search` capabilities in Splunk
|
||||||
|
|
||||||
|
## Workflow
|
||||||
|
|
||||||
|
### Step 1: Scope the Investigation in Splunk
|
||||||
|
|
||||||
|
Define search parameters based on incident triage data:
|
||||||
|
|
||||||
|
```spl
|
||||||
|
| Set initial investigation scope
|
||||||
|
index=windows OR index=firewall OR index=proxy
|
||||||
|
earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00"
|
||||||
|
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
|
||||||
|
| stats count by index, sourcetype, host
|
||||||
|
| sort -count
|
||||||
|
```
|
||||||
|
|
||||||
|
This query establishes which log sources contain relevant data for the investigation timeframe and affected assets.
|
||||||
|
|
||||||
|
### Step 2: Analyze Authentication Events
|
||||||
|
|
||||||
|
Investigate suspicious authentication patterns using Windows Security Event Logs:
|
||||||
|
|
||||||
|
```spl
|
||||||
|
| Detect brute force and credential stuffing
|
||||||
|
index=windows sourcetype="WinEventLog:Security" EventCode=4625
|
||||||
|
earliest=-24h
|
||||||
|
| stats count as failed_attempts, values(src_ip) as source_ips,
|
||||||
|
dc(src_ip) as unique_sources by TargetUserName
|
||||||
|
| where failed_attempts > 10
|
||||||
|
| sort -failed_attempts
|
||||||
|
|
||||||
|
| Detect pass-the-hash (Logon Type 9 - NewCredentials)
|
||||||
|
index=windows sourcetype="WinEventLog:Security" EventCode=4624
|
||||||
|
Logon_Type=9
|
||||||
|
| table _time, host, TargetUserName, src_ip, LogonProcessName
|
||||||
|
|
||||||
|
| Detect lateral movement via RDP
|
||||||
|
index=windows sourcetype="WinEventLog:Security" EventCode=4624
|
||||||
|
Logon_Type=10
|
||||||
|
| stats count, values(host) as targets by TargetUserName, src_ip
|
||||||
|
| where count > 3
|
||||||
|
| sort -count
|
||||||
|
```
|
||||||
|
|
||||||
|
### Step 3: Trace Process Execution
|
||||||
|
|
||||||
|
Use Sysmon logs to reconstruct process execution chains:
|
||||||
|
|
||||||
|
```spl
|
||||||
|
| Process creation with parent chain (Sysmon Event ID 1)
|
||||||
|
index=sysmon EventCode=1 host="WKSTN-042"
|
||||||
|
earliest="2025-11-15T14:00:00" latest="2025-11-15T15:00:00"
|
||||||
|
| table _time, ParentImage, ParentCommandLine, Image, CommandLine, User, Hashes
|
||||||
|
| sort _time
|
||||||
|
|
||||||
|
| Detect suspicious PowerShell execution
|
||||||
|
index=sysmon EventCode=1 Image="*\\powershell.exe"
|
||||||
|
(CommandLine="*-enc*" OR CommandLine="*-encodedcommand*"
|
||||||
|
OR CommandLine="*downloadstring*" OR CommandLine="*iex*")
|
||||||
|
| table _time, host, User, ParentImage, CommandLine
|
||||||
|
| sort _time
|
||||||
|
|
||||||
|
| Detect LSASS credential dumping
|
||||||
|
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
|
||||||
|
GrantedAccess=0x1010
|
||||||
|
| table _time, host, SourceImage, SourceUser, GrantedAccess
|
||||||
|
```
|
||||||
|
|
||||||
|
### Step 4: Analyze Network Activity
|
||||||
|
|
||||||
|
Correlate network logs with endpoint events:
|
||||||
|
|
||||||
|
```spl
|
||||||
|
| Detect C2 beaconing pattern
|
||||||
|
index=proxy OR index=firewall dest_ip="185.220.101.42"
|
||||||
|
| timechart span=1m count by src_ip
|
||||||
|
| where count > 0
|
||||||
|
|
||||||
|
| Detect DNS tunneling (high query volume to single domain)
|
||||||
|
index=dns
|
||||||
|
| rex field=query "(?<subdomain>[^\.]+)\.(?<domain>[^\.]+\.[^\.]+)$"
|
||||||
|
| stats count, avg(len(query)) as avg_query_len by domain, src_ip
|
||||||
|
| where count > 500 AND avg_query_len > 40
|
||||||
|
| sort -count
|
||||||
|
|
||||||
|
| Detect large data transfers (potential exfiltration)
|
||||||
|
index=proxy action=allowed
|
||||||
|
| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_host
|
||||||
|
| eval total_MB=round(total_bytes/1024/1024,2)
|
||||||
|
| where total_MB > 100
|
||||||
|
| sort -total_MB
|
||||||
|
```
|
||||||
|
|
||||||
|
### Step 5: Build the Incident Timeline
|
||||||
|
|
||||||
|
Reconstruct a unified timeline across all log sources:
|
||||||
|
|
||||||
|
```spl
|
||||||
|
| Unified incident timeline
|
||||||
|
index=windows OR index=sysmon OR index=proxy OR index=firewall
|
||||||
|
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
|
||||||
|
earliest="2025-11-15T14:00:00" latest="2025-11-15T16:00:00"
|
||||||
|
| eval event_summary=case(
|
||||||
|
sourcetype=="WinEventLog:Security" AND EventCode==4624, "Logon: ".TargetUserName." from ".src_ip,
|
||||||
|
sourcetype=="WinEventLog:Security" AND EventCode==4625, "Failed logon: ".TargetUserName,
|
||||||
|
sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode==1,
|
||||||
|
"Process: ".Image." by ".User,
|
||||||
|
sourcetype=="proxy", "Web: ".http_method." ".url,
|
||||||
|
1==1, sourcetype.": ".EventCode)
|
||||||
|
| table _time, sourcetype, host, event_summary
|
||||||
|
| sort _time
|
||||||
|
```
|
||||||
|
|
||||||
|
### Step 6: Create Detection Rules
|
||||||
|
|
||||||
|
Convert investigation findings into persistent Splunk correlation searches:
|
||||||
|
|
||||||
|
```spl
|
||||||
|
| Correlation search: PowerShell spawned by Office applications
|
||||||
|
index=sysmon EventCode=1
|
||||||
|
Image="*\\powershell.exe"
|
||||||
|
(ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe"
|
||||||
|
OR ParentImage="*\\outlook.exe")
|
||||||
|
| eval severity="high"
|
||||||
|
| eval mitre_technique="T1059.001"
|
||||||
|
| collect index=notable_events
|
||||||
|
```
|
||||||
|
|
||||||
|
## Key Concepts
|
||||||
|
|
||||||
|
| Term | Definition |
|
||||||
|
|------|------------|
|
||||||
|
| **SPL (Search Processing Language)** | Splunk's query language for searching, filtering, transforming, and visualizing machine data |
|
||||||
|
| **CIM (Common Information Model)** | Splunk's field normalization standard that maps vendor-specific field names to common names for cross-source queries |
|
||||||
|
| **Notable Event** | An event in Splunk Enterprise Security flagged for analyst review based on a correlation search match |
|
||||||
|
| **Data Model** | Structured representation of indexed data in Splunk enabling accelerated searches and pivot-based analysis |
|
||||||
|
| **Sourcetype** | Classification label in Splunk that defines the format and parsing rules for a specific log type |
|
||||||
|
| **Correlation Search** | Scheduled Splunk search that runs continuously and generates notable events when conditions are met |
|
||||||
|
| **Timechart** | SPL command that creates time-series visualizations for identifying patterns, anomalies, and trends |
|
||||||
|
|
||||||
|
## Tools & Systems
|
||||||
|
|
||||||
|
- **Splunk Enterprise Security (ES)**: Premium SIEM application providing correlation searches, risk-based alerting, and investigation workbench
|
||||||
|
- **Splunk SOAR**: Orchestration platform integrated with Splunk ES for automated response playbooks
|
||||||
|
- **Sysmon**: Microsoft system monitoring tool providing detailed process, network, and file change telemetry ingested into Splunk
|
||||||
|
- **Splunk Attack Analyzer**: Automated threat analysis that detonates suspicious files and URLs, feeding results into Splunk
|
||||||
|
- **BOSS of the SOC (BOTS)**: SANS/Splunk training dataset for practicing incident investigation SPL queries
|
||||||
|
|
||||||
|
## Common Scenarios
|
||||||
|
|
||||||
|
### Scenario: Investigating Credential Stuffing Leading to Account Takeover
|
||||||
|
|
||||||
|
**Context**: Security operations receives an alert for multiple successful logins to a single account from geographically dispersed IP addresses within a 30-minute window.
|
||||||
|
|
||||||
|
**Approach**:
|
||||||
|
1. Query Event ID 4624 for the affected account to map all login sources and times
|
||||||
|
2. Correlate login IPs against threat intelligence feeds using a Splunk lookup table
|
||||||
|
3. Check proxy logs for suspicious activity from the authenticated sessions
|
||||||
|
4. Search for lateral movement from the compromised account (Event ID 4624 Type 3 to other hosts)
|
||||||
|
5. Build a timeline showing credential stuffing attempts, successful login, and post-compromise activity
|
||||||
|
6. Create a correlation search to detect similar patterns on other accounts
|
||||||
|
|
||||||
|
**Pitfalls**:
|
||||||
|
- Searching only the last 24 hours when the credential stuffing may have occurred over weeks
|
||||||
|
- Not checking for VPN logs that may show the same account authenticating from impossible travel distances
|
||||||
|
- Failing to normalize timestamps across log sources in different time zones
|
||||||
|
|
||||||
|
## Output Format
|
||||||
|
|
||||||
|
```
|
||||||
|
SPLUNK INVESTIGATION REPORT
|
||||||
|
============================
|
||||||
|
Incident: INC-2025-1547
|
||||||
|
Analyst: [Name]
|
||||||
|
Investigation Period: 2025-11-14 00:00 UTC - 2025-11-16 00:00 UTC
|
||||||
|
|
||||||
|
SEARCH SCOPE
|
||||||
|
Indexes: windows, sysmon, proxy, firewall, dns
|
||||||
|
Hosts: WKSTN-042, SRV-FILE01
|
||||||
|
Users: jsmith, svc-backup
|
||||||
|
Source IPs: 10.1.5.42, 10.1.10.15
|
||||||
|
|
||||||
|
KEY FINDINGS
|
||||||
|
1. [timestamp] - Initial compromise via phishing (Sysmon Event 1)
|
||||||
|
2. [timestamp] - C2 established (proxy logs, beacon pattern detected)
|
||||||
|
3. [timestamp] - Credential theft (Sysmon Event 10, LSASS access)
|
||||||
|
4. [timestamp] - Lateral movement to SRV-FILE01 (Event 4624 Type 3)
|
||||||
|
5. [timestamp] - Data staging and exfiltration (proxy bytes_out anomaly)
|
||||||
|
|
||||||
|
SPL QUERIES USED
|
||||||
|
[numbered list of key queries with descriptions]
|
||||||
|
|
||||||
|
DETECTION GAPS IDENTIFIED
|
||||||
|
- No Sysmon deployed on SRV-FILE01 (blind spot)
|
||||||
|
- Proxy logs missing SSL inspection for C2 domain
|
||||||
|
- PowerShell ScriptBlock logging not enabled
|
||||||
|
|
||||||
|
RECOMMENDED DETECTIONS
|
||||||
|
1. Correlation search for Office-spawned PowerShell
|
||||||
|
2. Threshold alert for LSASS access patterns
|
||||||
|
3. Behavioral rule for beacon-interval network traffic
|
||||||
|
```
|
||||||
|
|||||||
@@ -1,12 +1,25 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-slack-space-and-file-system-artifacts
|
name: analyzing-slack-space-and-file-system-artifacts
|
||||||
description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
|
description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
|
||||||
|
and reconstruct file activity on NTFS volumes.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, slack-space, ntfs, mft, usn-journal, alternate-data-streams, file-system-analysis]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- slack-space
|
||||||
|
- ntfs
|
||||||
|
- mft
|
||||||
|
- usn-journal
|
||||||
|
- alternate-data-streams
|
||||||
|
- file-system-analysis
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Slack Space and File System Artifacts
|
# Analyzing Slack Space and File System Artifacts
|
||||||
|
|||||||
@@ -28,6 +28,11 @@ d3fend_techniques:
|
|||||||
- Restore Object
|
- Restore Object
|
||||||
- Electromagnetic Radiation Hardening
|
- Electromagnetic Radiation Hardening
|
||||||
- RF Shielding
|
- RF Shielding
|
||||||
|
nist_csf:
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.AN-03
|
||||||
|
- ID.RA-01
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
# Analyzing Supply Chain Malware Artifacts
|
# Analyzing Supply Chain Malware Artifacts
|
||||||
|
|
||||||
|
|||||||
@@ -21,6 +21,11 @@ d3fend_techniques:
|
|||||||
- File Metadata Consistency Validation
|
- File Metadata Consistency Validation
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- File Content Analysis
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Threat Actor TTPs with MITRE ATT&CK
|
# Analyzing Threat Actor TTPs with MITRE ATT&CK
|
||||||
|
|
||||||
|
|||||||
@@ -33,6 +33,11 @@ d3fend_techniques:
|
|||||||
- Identifier Analysis
|
- Identifier Analysis
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- Message Analysis
|
- Message Analysis
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Threat Actor TTPs with MITRE Navigator
|
# Analyzing Threat Actor TTPs with MITRE Navigator
|
||||||
|
|
||||||
|
|||||||
@@ -1,17 +1,31 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-threat-intelligence-feeds
|
name: analyzing-threat-intelligence-feeds
|
||||||
description: >
|
description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
|
||||||
Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators,
|
and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data
|
||||||
adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds,
|
into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect,
|
||||||
evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with
|
Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
|
||||||
campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant
|
|
||||||
Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [STIX, TAXII, MITRE-ATT&CK, IOC, ThreatConnect, Recorded-Future, MISP, CTI, NIST-CSF]
|
tags:
|
||||||
|
- STIX
|
||||||
|
- TAXII
|
||||||
|
- MITRE-ATT&CK
|
||||||
|
- IOC
|
||||||
|
- ThreatConnect
|
||||||
|
- Recorded-Future
|
||||||
|
- MISP
|
||||||
|
- CTI
|
||||||
|
- NIST-CSF
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Threat Intelligence Feeds
|
# Analyzing Threat Intelligence Feeds
|
||||||
|
|
||||||
|
|||||||
@@ -20,6 +20,11 @@ d3fend_techniques:
|
|||||||
- Identifier Analysis
|
- Identifier Analysis
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- Message Analysis
|
- Message Analysis
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -18,6 +18,11 @@ license: Apache-2.0
|
|||||||
atlas_techniques:
|
atlas_techniques:
|
||||||
- AML.T0073
|
- AML.T0073
|
||||||
- AML.T0052
|
- AML.T0052
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- RS.MA-01
|
||||||
|
- GV.OV-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing TLS Certificate Transparency Logs
|
# Analyzing TLS Certificate Transparency Logs
|
||||||
|
|||||||
@@ -19,6 +19,11 @@ license: Apache-2.0
|
|||||||
atlas_techniques:
|
atlas_techniques:
|
||||||
- AML.T0073
|
- AML.T0073
|
||||||
- AML.T0052
|
- AML.T0052
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Analyzing Typosquatting Domains with DNSTwist
|
# Analyzing Typosquatting Domains with DNSTwist
|
||||||
|
|
||||||
|
|||||||
@@ -26,6 +26,10 @@ d3fend_techniques:
|
|||||||
- Platform Monitoring
|
- Platform Monitoring
|
||||||
- Firmware Verification
|
- Firmware Verification
|
||||||
- Firmware Embedded Monitoring Code
|
- Firmware Embedded Monitoring Code
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- PR.PS-01
|
||||||
|
- PR.PS-02
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing UEFI Bootkit Persistence
|
# Analyzing UEFI Bootkit Persistence
|
||||||
|
|||||||
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-usb-device-connection-history
|
name: analyzing-usb-device-connection-history
|
||||||
description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
|
description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
|
||||||
|
media usage and potential data exfiltration.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, usb-forensics, removable-media, registry-analysis, data-exfiltration, device-history]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- usb-forensics
|
||||||
|
- removable-media
|
||||||
|
- registry-analysis
|
||||||
|
- data-exfiltration
|
||||||
|
- device-history
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing USB Device Connection History
|
# Analyzing USB Device Connection History
|
||||||
|
|||||||
@@ -1,16 +1,23 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-web-server-logs-for-intrusion
|
name: analyzing-web-server-logs-for-intrusion
|
||||||
description: >-
|
description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
|
||||||
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion,
|
web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
|
||||||
directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based
|
enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
|
||||||
pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution,
|
|
||||||
and statistical anomaly detection for request frequency and response size outliers.
|
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: security-operations
|
subdomain: security-operations
|
||||||
tags: [analyzing, web, server, logs]
|
tags:
|
||||||
version: "1.0"
|
- analyzing
|
||||||
|
- web
|
||||||
|
- server
|
||||||
|
- logs
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- RS.MA-01
|
||||||
|
- GV.OV-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,19 +1,29 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-windows-amcache-artifacts
|
name: analyzing-windows-amcache-artifacts
|
||||||
description: >
|
description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
|
||||||
Parses and analyzes the Windows Amcache.hve registry hive to extract evidence
|
installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
|
||||||
of program execution, application installation, and driver loading for digital
|
Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests
|
||||||
forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline
|
involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
|
||||||
Explorer for artifact extraction, SHA-1 hash correlation with threat intel,
|
|
||||||
and timeline reconstruction. Activates for requests involving Amcache forensics,
|
'
|
||||||
program execution evidence, Windows artifact analysis, or application compatibility
|
|
||||||
cache investigation.
|
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [amcache, windows-forensics, program-execution, AmcacheParser, eric-zimmerman, timeline-analysis, DFIR]
|
tags:
|
||||||
|
- amcache
|
||||||
|
- windows-forensics
|
||||||
|
- program-execution
|
||||||
|
- AmcacheParser
|
||||||
|
- eric-zimmerman
|
||||||
|
- timeline-analysis
|
||||||
|
- DFIR
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Windows Amcache Artifacts
|
# Analyzing Windows Amcache Artifacts
|
||||||
|
|||||||
@@ -25,6 +25,11 @@ d3fend_techniques:
|
|||||||
- Biometric Authentication
|
- Biometric Authentication
|
||||||
- Strong Password Policy
|
- Strong Password Policy
|
||||||
- Restore User Account Access
|
- Restore User Account Access
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
|
- DE.AE-06
|
||||||
---
|
---
|
||||||
# Analyzing Windows Event Logs in Splunk
|
# Analyzing Windows Event Logs in Splunk
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-windows-lnk-files-for-artifacts
|
name: analyzing-windows-lnk-files-for-artifacts
|
||||||
description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.
|
description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
|
||||||
|
for forensic timeline reconstruction.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, lnk-files, windows-artifacts, shortcut-analysis, timeline-reconstruction, evidence-collection]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- lnk-files
|
||||||
|
- windows-artifacts
|
||||||
|
- shortcut-analysis
|
||||||
|
- timeline-reconstruction
|
||||||
|
- evidence-collection
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Windows LNK Files for Artifacts
|
# Analyzing Windows LNK Files for Artifacts
|
||||||
|
|||||||
@@ -1,13 +1,28 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-windows-prefetch-with-python
|
name: analyzing-windows-prefetch-with-python
|
||||||
description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns.
|
description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
|
||||||
|
detect renamed or masquerading binaries, and identify suspicious program execution patterns.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
|
tags:
|
||||||
mitre_attack: ["T1059", "T1204", "T1036"]
|
- digital-forensics
|
||||||
version: "1.0"
|
- windows
|
||||||
|
- prefetch
|
||||||
|
- execution-history
|
||||||
|
- incident-response
|
||||||
|
- malware-analysis
|
||||||
|
mitre_attack:
|
||||||
|
- T1059
|
||||||
|
- T1204
|
||||||
|
- T1036
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
# Analyzing Windows Prefetch with Python
|
# Analyzing Windows Prefetch with Python
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,24 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-windows-registry-for-artifacts
|
name: analyzing-windows-registry-for-artifacts
|
||||||
description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.
|
description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
|
||||||
|
evidence of system compromise.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [forensics, windows-registry, artifact-analysis, regripper, registry-explorer, evidence-collection]
|
tags:
|
||||||
version: "1.0"
|
- forensics
|
||||||
|
- windows-registry
|
||||||
|
- artifact-analysis
|
||||||
|
- regripper
|
||||||
|
- registry-explorer
|
||||||
|
- evidence-collection
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Windows Registry for Artifacts
|
# Analyzing Windows Registry for Artifacts
|
||||||
|
|||||||
@@ -1,12 +1,29 @@
|
|||||||
---
|
---
|
||||||
name: analyzing-windows-shellbag-artifacts
|
name: analyzing-windows-shellbag-artifacts
|
||||||
description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
|
description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
|
||||||
|
media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags
|
||||||
|
Explorer.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: digital-forensics
|
subdomain: digital-forensics
|
||||||
tags: [shellbags, windows-registry, sbecmd, shellbags-explorer, folder-access, user-activity, removable-media, network-shares, bagmru, dfir]
|
tags:
|
||||||
version: "1.0"
|
- shellbags
|
||||||
|
- windows-registry
|
||||||
|
- sbecmd
|
||||||
|
- shellbags-explorer
|
||||||
|
- folder-access
|
||||||
|
- user-activity
|
||||||
|
- removable-media
|
||||||
|
- network-shares
|
||||||
|
- bagmru
|
||||||
|
- dfir
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.AN-01
|
||||||
|
- RS.AN-03
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Analyzing Windows Shellbag Artifacts
|
# Analyzing Windows Shellbag Artifacts
|
||||||
|
|||||||
@@ -1,15 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: auditing-aws-s3-bucket-permissions
|
name: auditing-aws-s3-bucket-permissions
|
||||||
description: >
|
description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
|
||||||
Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets,
|
misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
|
||||||
overly permissive ACLs, misconfigured bucket policies, and missing encryption settings
|
data access controls.
|
||||||
using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls.
|
|
||||||
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: cloud-security
|
subdomain: cloud-security
|
||||||
tags: [cloud-security, aws, s3, bucket-permissions, data-protection, access-control]
|
tags:
|
||||||
version: "1.0"
|
- cloud-security
|
||||||
|
- aws
|
||||||
|
- s3
|
||||||
|
- bucket-permissions
|
||||||
|
- data-protection
|
||||||
|
- access-control
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Auditing AWS S3 Bucket Permissions
|
# Auditing AWS S3 Bucket Permissions
|
||||||
|
|||||||
@@ -1,15 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: auditing-azure-active-directory-configuration
|
name: auditing-azure-active-directory-configuration
|
||||||
description: >
|
description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
|
||||||
Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky
|
overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
|
||||||
authentication policies, overly permissive role assignments, stale accounts, conditional
|
Microsoft Graph API, and ScoutSuite.
|
||||||
access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.
|
|
||||||
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: cloud-security
|
subdomain: cloud-security
|
||||||
tags: [cloud-security, azure, entra-id, active-directory, iam-audit, conditional-access]
|
tags:
|
||||||
version: "1.0"
|
- cloud-security
|
||||||
|
- azure
|
||||||
|
- entra-id
|
||||||
|
- active-directory
|
||||||
|
- iam-audit
|
||||||
|
- conditional-access
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Auditing Azure Active Directory Configuration
|
# Auditing Azure Active Directory Configuration
|
||||||
|
|||||||
@@ -21,6 +21,11 @@ nist_ai_rmf:
|
|||||||
- GOVERN-1.1
|
- GOVERN-1.1
|
||||||
- GOVERN-4.2
|
- GOVERN-4.2
|
||||||
- MAP-2.3
|
- MAP-2.3
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Auditing Cloud with CIS Benchmarks
|
# Auditing Cloud with CIS Benchmarks
|
||||||
|
|||||||
@@ -1,15 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: auditing-gcp-iam-permissions
|
name: auditing-gcp-iam-permissions
|
||||||
description: >
|
description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
|
||||||
Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings,
|
service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
|
||||||
primitive role usage, service account key proliferation, and cross-project access risks
|
|
||||||
using gcloud CLI, Policy Analyzer, and IAM Recommender.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: cloud-security
|
subdomain: cloud-security
|
||||||
tags: [cloud-security, gcp, iam, permissions-audit, service-accounts, policy-analyzer]
|
tags:
|
||||||
version: "1.0"
|
- cloud-security
|
||||||
|
- gcp
|
||||||
|
- iam
|
||||||
|
- permissions-audit
|
||||||
|
- service-accounts
|
||||||
|
- policy-analyzer
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Auditing GCP IAM Permissions
|
# Auditing GCP IAM Permissions
|
||||||
|
|||||||
@@ -1,15 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: auditing-kubernetes-cluster-rbac
|
name: auditing-kubernetes-cluster-rbac
|
||||||
description: >
|
description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
|
||||||
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles,
|
ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
|
||||||
wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and
|
|
||||||
privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: cloud-security
|
subdomain: cloud-security
|
||||||
tags: [cloud-security, kubernetes, rbac, access-control, eks, gke, aks]
|
tags:
|
||||||
version: "1.0"
|
- cloud-security
|
||||||
|
- kubernetes
|
||||||
|
- rbac
|
||||||
|
- access-control
|
||||||
|
- eks
|
||||||
|
- gke
|
||||||
|
- aks
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Auditing Kubernetes Cluster RBAC
|
# Auditing Kubernetes Cluster RBAC
|
||||||
|
|||||||
@@ -1,15 +1,27 @@
|
|||||||
---
|
---
|
||||||
name: auditing-terraform-infrastructure-for-security
|
name: auditing-terraform-infrastructure-for-security
|
||||||
description: >
|
description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
|
||||||
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov,
|
OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults
|
||||||
tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public
|
before cloud deployment.
|
||||||
resource exposure, missing encryption, and insecure defaults before cloud deployment.
|
|
||||||
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: cloud-security
|
subdomain: cloud-security
|
||||||
tags: [cloud-security, terraform, infrastructure-as-code, checkov, tfsec, policy-as-code]
|
tags:
|
||||||
version: "1.0"
|
- cloud-security
|
||||||
|
- terraform
|
||||||
|
- infrastructure-as-code
|
||||||
|
- checkov
|
||||||
|
- tfsec
|
||||||
|
- policy-as-code
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Auditing Terraform Infrastructure for Security
|
# Auditing Terraform Infrastructure for Security
|
||||||
|
|||||||
@@ -1,18 +1,29 @@
|
|||||||
---
|
---
|
||||||
name: auditing-tls-certificate-transparency-logs
|
name: auditing-tls-certificate-transparency-logs
|
||||||
description: >
|
description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
|
||||||
Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance,
|
via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying
|
||||||
discover subdomains via CT data, and alert on suspicious certificate activity for owned domains.
|
based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the
|
||||||
Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring
|
external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain
|
||||||
pipelines that catch rogue certificates, track CA behavior, and map the external attack surface.
|
discovery via certificates, or certificate issuance alerting.
|
||||||
Activates for requests involving certificate transparency monitoring, CT log auditing,
|
|
||||||
subdomain discovery via certificates, or certificate issuance alerting.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [certificate-transparency, CT-logs, crt-sh, subdomain-discovery, TLS-monitoring, RFC-6962]
|
tags:
|
||||||
|
- certificate-transparency
|
||||||
|
- CT-logs
|
||||||
|
- crt-sh
|
||||||
|
- subdomain-discovery
|
||||||
|
- TLS-monitoring
|
||||||
|
- RFC-6962
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mukul975
|
author: mukul975
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Auditing TLS Certificate Transparency Logs
|
# Auditing TLS Certificate Transparency Logs
|
||||||
|
|
||||||
|
|||||||
@@ -1,18 +1,32 @@
|
|||||||
---
|
---
|
||||||
name: automating-ioc-enrichment
|
name: automating-ioc-enrichment
|
||||||
description: >
|
description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
|
||||||
Automates the enrichment of raw indicators of compromise with multi-source threat intelligence
|
SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use
|
||||||
context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time
|
when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing
|
||||||
and standardize enrichment outputs. Use when building automated enrichment workflows integrated
|
from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
|
||||||
with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates
|
|
||||||
for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
|
|
||||||
pipelines, or automated IOC processing.
|
pipelines, or automated IOC processing.
|
||||||
|
|
||||||
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [SOAR, enrichment, IOC, Cortex-XSOAR, Splunk-SOAR, VirusTotal, automation, CTI, NIST-CSF]
|
tags:
|
||||||
|
- SOAR
|
||||||
|
- enrichment
|
||||||
|
- IOC
|
||||||
|
- Cortex-XSOAR
|
||||||
|
- Splunk-SOAR
|
||||||
|
- VirusTotal
|
||||||
|
- automation
|
||||||
|
- CTI
|
||||||
|
- NIST-CSF
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: team-cybersecurity
|
author: team-cybersecurity
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Automating IOC Enrichment
|
# Automating IOC Enrichment
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: building-adversary-infrastructure-tracking-system
|
name: building-adversary-infrastructure-tracking-system
|
||||||
description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.
|
description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
|
||||||
|
data, and IP enrichment to map and monitor threat actor command-and-control networks.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [infrastructure-tracking, passive-dns, c2, whois, threat-actor, pivoting, threat-intelligence, domain-analysis]
|
tags:
|
||||||
version: "1.0"
|
- infrastructure-tracking
|
||||||
|
- passive-dns
|
||||||
|
- c2
|
||||||
|
- whois
|
||||||
|
- threat-actor
|
||||||
|
- pivoting
|
||||||
|
- threat-intelligence
|
||||||
|
- domain-analysis
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Building Adversary Infrastructure Tracking System
|
# Building Adversary Infrastructure Tracking System
|
||||||
|
|
||||||
|
|||||||
@@ -22,6 +22,11 @@ d3fend_techniques:
|
|||||||
- Identifier Analysis
|
- Identifier Analysis
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- Message Analysis
|
- Message Analysis
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Building Attack Pattern Library from CTI Reports
|
# Building Attack Pattern Library from CTI Reports
|
||||||
|
|
||||||
|
|||||||
@@ -1,16 +1,29 @@
|
|||||||
---
|
---
|
||||||
name: building-automated-malware-submission-pipeline
|
name: building-automated-malware-submission-pipeline
|
||||||
description: >
|
description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
|
||||||
Builds an automated malware submission and analysis pipeline that collects suspicious files from
|
email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM
|
||||||
endpoints and email gateways, submits them to sandbox environments and multi-engine scanners,
|
integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.
|
||||||
and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware
|
|
||||||
analysis beyond manual sandbox submissions for high-volume alert triage.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: soc-operations
|
subdomain: soc-operations
|
||||||
tags: [soc, malware-analysis, sandbox, automation, virustotal, cuckoo, any-run, pipeline]
|
tags:
|
||||||
version: "1.0"
|
- soc
|
||||||
|
- malware-analysis
|
||||||
|
- sandbox
|
||||||
|
- automation
|
||||||
|
- virustotal
|
||||||
|
- cuckoo
|
||||||
|
- any-run
|
||||||
|
- pipeline
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
|
- DE.AE-06
|
||||||
---
|
---
|
||||||
# Building Automated Malware Submission Pipeline
|
# Building Automated Malware Submission Pipeline
|
||||||
|
|
||||||
|
|||||||
@@ -21,6 +21,10 @@ d3fend_techniques:
|
|||||||
- Application Protocol Command Analysis
|
- Application Protocol Command Analysis
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- File Content Analysis
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- GV.OV-02
|
||||||
|
- DE.AE-07
|
||||||
---
|
---
|
||||||
# Building C2 Infrastructure with Sliver Framework
|
# Building C2 Infrastructure with Sliver Framework
|
||||||
|
|
||||||
|
|||||||
@@ -25,6 +25,11 @@ atlas_techniques:
|
|||||||
- AML.T0070
|
- AML.T0070
|
||||||
- AML.T0066
|
- AML.T0066
|
||||||
- AML.T0082
|
- AML.T0082
|
||||||
|
nist_csf:
|
||||||
|
- PR.IR-01
|
||||||
|
- ID.AM-08
|
||||||
|
- GV.SC-06
|
||||||
|
- DE.CM-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Building Cloud SIEM with Sentinel
|
# Building Cloud SIEM with Sentinel
|
||||||
|
|||||||
@@ -22,6 +22,11 @@ d3fend_techniques:
|
|||||||
- File Metadata Consistency Validation
|
- File Metadata Consistency Validation
|
||||||
- Content Format Conversion
|
- Content Format Conversion
|
||||||
- File Content Analysis
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
|
- DE.AE-06
|
||||||
---
|
---
|
||||||
|
|
||||||
# Building Detection Rules with Splunk SPL
|
# Building Detection Rules with Splunk SPL
|
||||||
|
|||||||
@@ -26,6 +26,11 @@ d3fend_techniques:
|
|||||||
- Hardware-based Process Isolation
|
- Hardware-based Process Isolation
|
||||||
- Web Session Access Mediation
|
- Web Session Access Mediation
|
||||||
- Process Suspension
|
- Process Suspension
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
|
- DE.AE-06
|
||||||
---
|
---
|
||||||
# Building Detection Rules with Sigma
|
# Building Detection Rules with Sigma
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: building-devsecops-pipeline-with-gitlab-ci
|
name: building-devsecops-pipeline-with-gitlab-ci
|
||||||
description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection.
|
description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
|
||||||
|
dependency scanning, and secret detection.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: devsecops
|
subdomain: devsecops
|
||||||
tags: [gitlab-ci, devsecops, sast, dast, container-scanning, dependency-scanning, secret-detection, cicd-security]
|
tags:
|
||||||
version: "1.0"
|
- gitlab-ci
|
||||||
|
- devsecops
|
||||||
|
- sast
|
||||||
|
- dast
|
||||||
|
- container-scanning
|
||||||
|
- dependency-scanning
|
||||||
|
- secret-detection
|
||||||
|
- cicd-security
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.PS-01
|
||||||
|
- GV.SC-07
|
||||||
|
- ID.IM-04
|
||||||
|
- PR.PS-04
|
||||||
---
|
---
|
||||||
|
|
||||||
# Building DevSecOps Pipeline with GitLab CI
|
# Building DevSecOps Pipeline with GitLab CI
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: building-identity-federation-with-saml-azure-ad
|
name: building-identity-federation-with-saml-azure-ad
|
||||||
description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO to cloud applications.
|
description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
|
||||||
|
for seamless cross-domain authentication and SSO to cloud applications.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: identity-access-management
|
subdomain: identity-access-management
|
||||||
tags: [saml, azure-ad, entra-id, federation, identity, sso, adfs, hybrid-identity]
|
tags:
|
||||||
version: "1.0"
|
- saml
|
||||||
|
- azure-ad
|
||||||
|
- entra-id
|
||||||
|
- federation
|
||||||
|
- identity
|
||||||
|
- sso
|
||||||
|
- adfs
|
||||||
|
- hybrid-identity
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- PR.AA-01
|
||||||
|
- PR.AA-02
|
||||||
|
- PR.AA-05
|
||||||
|
- PR.AA-06
|
||||||
---
|
---
|
||||||
|
|
||||||
# Building Identity Federation with SAML Azure AD
|
# Building Identity Federation with SAML Azure AD
|
||||||
|
|||||||
@@ -22,6 +22,11 @@ nist_ai_rmf:
|
|||||||
- GOVERN-1.1
|
- GOVERN-1.1
|
||||||
- GOVERN-1.7
|
- GOVERN-1.7
|
||||||
- MAP-1.1
|
- MAP-1.1
|
||||||
|
nist_csf:
|
||||||
|
- PR.AA-01
|
||||||
|
- PR.AA-02
|
||||||
|
- PR.AA-05
|
||||||
|
- PR.AA-06
|
||||||
---
|
---
|
||||||
|
|
||||||
# Building Identity Governance Lifecycle Process
|
# Building Identity Governance Lifecycle Process
|
||||||
|
|||||||
@@ -1,16 +1,28 @@
|
|||||||
---
|
---
|
||||||
name: building-incident-response-dashboard
|
name: building-incident-response-dashboard
|
||||||
description: >
|
description: 'Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership
|
||||||
Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC
|
with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response
|
||||||
analysts and leadership with situational awareness during active incidents, tracking affected
|
timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.
|
||||||
systems, containment status, IOC spread, and response timeline. Use when IR teams need unified
|
|
||||||
visibility during incident coordination and post-incident reporting.
|
'
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: soc-operations
|
subdomain: soc-operations
|
||||||
tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics]
|
tags:
|
||||||
version: "1.0"
|
- soc
|
||||||
|
- dashboard
|
||||||
|
- incident-response
|
||||||
|
- splunk
|
||||||
|
- visualization
|
||||||
|
- situational-awareness
|
||||||
|
- metrics
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
|
- RS.MA-01
|
||||||
|
- DE.AE-06
|
||||||
---
|
---
|
||||||
# Building Incident Response Dashboard
|
# Building Incident Response Dashboard
|
||||||
|
|
||||||
|
|||||||
@@ -1,19 +1,31 @@
|
|||||||
---
|
---
|
||||||
name: building-incident-response-playbook
|
name: building-incident-response-playbook
|
||||||
description: >
|
description: 'Designs and documents structured incident response playbooks that define step-by-step procedures for specific
|
||||||
Designs and documents structured incident response playbooks that define step-by-step
|
incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
|
||||||
procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL
|
criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident
|
||||||
frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices,
|
response procedure documentation, response runbook development, or SOAR playbook design.
|
||||||
and integration with SOAR platforms. Activates for requests involving IR playbook creation,
|
|
||||||
incident response procedure documentation, response runbook development, or SOAR playbook
|
'
|
||||||
design.
|
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: incident-response
|
subdomain: incident-response
|
||||||
tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures]
|
tags:
|
||||||
mitre_attack: ["T1190", "T1566", "T1078"]
|
- IR-playbook
|
||||||
|
- runbook
|
||||||
|
- NIST-800-61
|
||||||
|
- SOAR-integration
|
||||||
|
- response-procedures
|
||||||
|
mitre_attack:
|
||||||
|
- T1190
|
||||||
|
- T1566
|
||||||
|
- T1078
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- RS.MA-01
|
||||||
|
- RS.MA-02
|
||||||
|
- RS.AN-03
|
||||||
|
- RC.RP-01
|
||||||
---
|
---
|
||||||
|
|
||||||
# Building Incident Response Playbooks
|
# Building Incident Response Playbooks
|
||||||
|
|||||||
@@ -1,6 +1,10 @@
|
|||||||
---
|
---
|
||||||
{}
|
name: building-incident-timeline-with-timesketch
|
||||||
---tags:
|
description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
|
||||||
|
event data for attack chain reconstruction and investigation documentation.
|
||||||
|
domain: cybersecurity
|
||||||
|
subdomain: incident-response
|
||||||
|
tags:
|
||||||
- timesketch
|
- timesketch
|
||||||
- timeline-analysis
|
- timeline-analysis
|
||||||
- forensic-timeline
|
- forensic-timeline
|
||||||
@@ -8,4 +12,256 @@
|
|||||||
- dfir
|
- dfir
|
||||||
- incident-investigation
|
- incident-investigation
|
||||||
- collaborative-forensics
|
- collaborative-forensics
|
||||||
|
mitre_attack:
|
||||||
|
- T1070
|
||||||
|
- T1059
|
||||||
|
- T1053
|
||||||
version: '1.0'
|
version: '1.0'
|
||||||
|
author: mahipal
|
||||||
|
license: Apache-2.0
|
||||||
|
d3fend_techniques:
|
||||||
|
- Executable Denylisting
|
||||||
|
- Execution Isolation
|
||||||
|
- File Metadata Consistency Validation
|
||||||
|
- Content Format Conversion
|
||||||
|
- File Content Analysis
|
||||||
|
nist_csf:
|
||||||
|
- RS.MA-01
|
||||||
|
- RS.MA-02
|
||||||
|
- RS.AN-03
|
||||||
|
- RC.RP-01
|
||||||
|
---
|
||||||
|
|
||||||
|
# Building Incident Timeline with Timesketch
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
Timesketch is an open-source collaborative forensic timeline analysis tool developed by Google that enables security teams to visualize and analyze chronological data from multiple sources during incident investigations. It ingests logs and artifacts from endpoints, servers, and cloud services, normalizes them into a unified searchable timeline, and provides powerful analysis capabilities including built-in analyzers, tagging, sketch annotations, and story building. Timesketch integrates with Plaso (log2timeline) for artifact parsing and supports direct CSV/JSONL ingestion for rapid timeline construction during active incidents.
|
||||||
|
|
||||||
|
|
||||||
|
## When to Use
|
||||||
|
|
||||||
|
- When deploying or configuring building incident timeline with timesketch capabilities in your environment
|
||||||
|
- When establishing security controls aligned to compliance requirements
|
||||||
|
- When building or improving security architecture for this domain
|
||||||
|
- When conducting security assessments that require this implementation
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
- Familiarity with incident response concepts and tools
|
||||||
|
- Access to a test or lab environment for safe execution
|
||||||
|
- Python 3.8+ with required dependencies installed
|
||||||
|
- Appropriate authorization for any testing activities
|
||||||
|
|
||||||
|
## Architecture and Components
|
||||||
|
|
||||||
|
### Core Components
|
||||||
|
- **Timesketch Server**: Web application with REST API for timeline management
|
||||||
|
- **OpenSearch/Elasticsearch**: Backend storage and search engine for timeline events
|
||||||
|
- **PostgreSQL**: Metadata storage for sketches, stories, and user data
|
||||||
|
- **Redis**: Task queue management for background processing
|
||||||
|
- **Celery Workers**: Asynchronous processing of timeline uploads and analyzers
|
||||||
|
|
||||||
|
### Data Flow
|
||||||
|
```
|
||||||
|
Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso)
|
||||||
|
| |
|
||||||
|
v v
|
||||||
|
CSV/JSONL --> Timesketch Importer --> OpenSearch Index
|
||||||
|
|
|
||||||
|
v
|
||||||
|
Timesketch Web UI
|
||||||
|
(Search, Analyze, Story)
|
||||||
|
```
|
||||||
|
|
||||||
|
## Deployment
|
||||||
|
|
||||||
|
### Docker Deployment (Recommended)
|
||||||
|
```bash
|
||||||
|
# Clone Timesketch repository
|
||||||
|
git clone https://github.com/google/timesketch.git
|
||||||
|
cd timesketch
|
||||||
|
|
||||||
|
# Run deployment helper script
|
||||||
|
cd docker
|
||||||
|
sudo docker compose up -d
|
||||||
|
|
||||||
|
# Default access: https://localhost:443
|
||||||
|
# Admin credentials generated during first run
|
||||||
|
```
|
||||||
|
|
||||||
|
### System Requirements
|
||||||
|
- Minimum 8 GB RAM (16+ GB recommended for large investigations)
|
||||||
|
- 4 CPU cores minimum
|
||||||
|
- SSD storage for OpenSearch indices
|
||||||
|
- Docker and Docker Compose installed
|
||||||
|
|
||||||
|
## Data Ingestion Methods
|
||||||
|
|
||||||
|
### Method 1: Plaso Integration (Comprehensive)
|
||||||
|
```bash
|
||||||
|
# Process disk image with log2timeline
|
||||||
|
log2timeline.py --storage-file evidence.plaso /path/to/disk/image
|
||||||
|
|
||||||
|
# Process Windows event logs
|
||||||
|
log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/
|
||||||
|
|
||||||
|
# Process multiple evidence sources
|
||||||
|
log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \
|
||||||
|
--storage-file full_analysis.plaso /path/to/mounted/image/
|
||||||
|
|
||||||
|
# Import Plaso file into Timesketch
|
||||||
|
timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso
|
||||||
|
```
|
||||||
|
|
||||||
|
### Method 2: CSV Import (Quick Ingestion)
|
||||||
|
```csv
|
||||||
|
message,datetime,timestamp_desc,source,hostname
|
||||||
|
"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01"
|
||||||
|
"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042"
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Import CSV directly
|
||||||
|
timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv
|
||||||
|
```
|
||||||
|
|
||||||
|
### Method 3: JSONL Import (Structured Data)
|
||||||
|
```json
|
||||||
|
{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Method 4: Sigma Rule Integration
|
||||||
|
```bash
|
||||||
|
# Upload Sigma rules for automated detection
|
||||||
|
timesketch_importer --sigma-rules /path/to/sigma/rules/
|
||||||
|
```
|
||||||
|
|
||||||
|
## Analysis Workflow
|
||||||
|
|
||||||
|
### Step 1: Create Investigation Sketch
|
||||||
|
```
|
||||||
|
1. Log into Timesketch web interface
|
||||||
|
2. Create new sketch (investigation case)
|
||||||
|
3. Add relevant timelines to the sketch
|
||||||
|
4. Set sketch description and tags
|
||||||
|
```
|
||||||
|
|
||||||
|
### Step 2: Run Built-in Analyzers
|
||||||
|
Timesketch includes analyzers that automatically identify:
|
||||||
|
- **Browser Search Analyzer**: Extracts search queries from browser history
|
||||||
|
- **Chain of Events Analyzer**: Links related events (download -> execute)
|
||||||
|
- **Domain Analyzer**: Extracts and categorizes domain names
|
||||||
|
- **Feature Extraction Analyzer**: Identifies IPs, URLs, hashes
|
||||||
|
- **Geo Location Analyzer**: Maps events to geographic locations
|
||||||
|
- **Similarity Scorer**: Finds similar events across timelines
|
||||||
|
- **Sigma Analyzer**: Matches events against Sigma detection rules
|
||||||
|
- **Account Finder**: Identifies user account activity patterns
|
||||||
|
- **Tagger**: Applies labels based on predefined rules
|
||||||
|
|
||||||
|
### Step 3: Search and Filter
|
||||||
|
```
|
||||||
|
# Search examples in Timesketch query language
|
||||||
|
|
||||||
|
# Find all events related to specific user
|
||||||
|
source_short:Security AND message:"john.admin"
|
||||||
|
|
||||||
|
# Find PowerShell execution events
|
||||||
|
data_type:"windows:evtx:record" AND event_identifier:4104
|
||||||
|
|
||||||
|
# Find lateral movement indicators
|
||||||
|
source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3"
|
||||||
|
|
||||||
|
# Find events within specific time range
|
||||||
|
datetime:[2025-01-15T00:00:00 TO 2025-01-15T23:59:59]
|
||||||
|
|
||||||
|
# Find file creation events
|
||||||
|
data_type:"fs:stat" AND timestamp_desc:"Creation Time"
|
||||||
|
|
||||||
|
# Search with tags
|
||||||
|
tag:"suspicious" OR tag:"lateral_movement"
|
||||||
|
```
|
||||||
|
|
||||||
|
### Step 4: Build Investigation Story
|
||||||
|
```
|
||||||
|
1. Create new story within the sketch
|
||||||
|
2. Add search views that support each finding
|
||||||
|
3. Annotate key events with investigator notes
|
||||||
|
4. Link events to MITRE ATT&CK techniques
|
||||||
|
5. Document the attack narrative chronologically
|
||||||
|
6. Export story for inclusion in incident report
|
||||||
|
```
|
||||||
|
|
||||||
|
## Advanced Features
|
||||||
|
|
||||||
|
### Collaborative Investigation
|
||||||
|
- Multiple analysts work on the same sketch simultaneously
|
||||||
|
- Comments and annotations persist on events
|
||||||
|
- Saved searches shared across the team
|
||||||
|
- Investigation stories document findings in context
|
||||||
|
|
||||||
|
### API Automation
|
||||||
|
```python
|
||||||
|
from timesketch_api_client import config
|
||||||
|
from timesketch_api_client import client as ts_client
|
||||||
|
|
||||||
|
# Connect to Timesketch
|
||||||
|
ts = ts_client.TimesketchApi(
|
||||||
|
host_uri="https://timesketch.local",
|
||||||
|
username="analyst",
|
||||||
|
password="password"
|
||||||
|
)
|
||||||
|
|
||||||
|
# Get sketch
|
||||||
|
sketch = ts.get_sketch(1)
|
||||||
|
|
||||||
|
# Search events
|
||||||
|
search = sketch.explore(
|
||||||
|
query_string='event_identifier:4624 AND LogonType:3',
|
||||||
|
return_fields='datetime,message,hostname,source_short'
|
||||||
|
)
|
||||||
|
|
||||||
|
# Add tags to events
|
||||||
|
for event in search.get('objects', []):
|
||||||
|
sketch.tag_event(event['_id'], ['lateral_movement'])
|
||||||
|
```
|
||||||
|
|
||||||
|
### Integration with Dissect
|
||||||
|
```bash
|
||||||
|
# Use Dissect for faster artifact parsing (alternative to Plaso)
|
||||||
|
target-query -f timesketch://timesketch.local/case-001 \
|
||||||
|
targets/hostname/ -q "windows.evtx" --limit 0
|
||||||
|
```
|
||||||
|
|
||||||
|
## Key Data Sources for Timeline Building
|
||||||
|
|
||||||
|
| Source | Parser | Evidence Value |
|
||||||
|
|--------|--------|---------------|
|
||||||
|
| Windows Event Logs (.evtx) | winevtx | Authentication, process execution, services |
|
||||||
|
| Prefetch Files | prefetch | Program execution history |
|
||||||
|
| MFT ($MFT) | mft | File system activity |
|
||||||
|
| Registry Hives | winreg | System configuration, persistence |
|
||||||
|
| Browser History | chrome/firefox | Web activity, downloads |
|
||||||
|
| Syslog | syslog | Linux/network device events |
|
||||||
|
| CloudTrail Logs | jsonl | AWS API activity |
|
||||||
|
| Azure Activity Logs | jsonl | Azure resource operations |
|
||||||
|
| Firewall Logs | csv/jsonl | Network connections |
|
||||||
|
| Proxy Logs | csv/jsonl | HTTP/HTTPS traffic |
|
||||||
|
|
||||||
|
## MITRE ATT&CK Mapping
|
||||||
|
|
||||||
|
| Technique | Timeline Indicators |
|
||||||
|
|-----------|-------------------|
|
||||||
|
| Initial Access (TA0001) | First malicious event, phishing email receipt |
|
||||||
|
| Execution (T1059) | PowerShell/CMD events, process creation |
|
||||||
|
| Persistence (TA0003) | Registry modifications, scheduled tasks, services |
|
||||||
|
| Lateral Movement (TA0008) | Remote logons, SMB connections, RDP sessions |
|
||||||
|
| Exfiltration (TA0010) | Large data transfers, cloud storage uploads |
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Timesketch Official Documentation](https://timesketch.org/)
|
||||||
|
- [Timesketch GitHub Repository](https://github.com/google/timesketch)
|
||||||
|
- [CISA Timesketch Resource](https://www.cisa.gov/resources-tools/services/timesketch)
|
||||||
|
- [Hunt and Hackett: Scalable Forensics with Dissect and Timesketch](https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch)
|
||||||
|
- [Plaso (log2timeline) Documentation](https://plaso.readthedocs.io/)
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: building-ioc-defanging-and-sharing-pipeline
|
name: building-ioc-defanging-and-sharing-pipeline
|
||||||
description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing and distribute them in STIX format through TAXII feeds and threat intelligence platforms.
|
description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing
|
||||||
|
and distribute them in STIX format through TAXII feeds and threat intelligence platforms.
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [ioc, defanging, threat-sharing, stix, pipeline, indicator, automation, threat-intelligence]
|
tags:
|
||||||
version: "1.0"
|
- ioc
|
||||||
|
- defanging
|
||||||
|
- threat-sharing
|
||||||
|
- stix
|
||||||
|
- pipeline
|
||||||
|
- indicator
|
||||||
|
- automation
|
||||||
|
- threat-intelligence
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Building IOC Defanging and Sharing Pipeline
|
# Building IOC Defanging and Sharing Pipeline
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,26 @@
|
|||||||
---
|
---
|
||||||
name: building-ioc-enrichment-pipeline-with-opencti
|
name: building-ioc-enrichment-pipeline-with-opencti
|
||||||
description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O
|
description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its
|
||||||
|
native data model. This skill covers building an automated IOC enrichment pipeline using O
|
||||||
domain: cybersecurity
|
domain: cybersecurity
|
||||||
subdomain: threat-intelligence
|
subdomain: threat-intelligence
|
||||||
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, opencti, enrichment, virustotal]
|
tags:
|
||||||
version: "1.0"
|
- threat-intelligence
|
||||||
|
- cti
|
||||||
|
- ioc
|
||||||
|
- mitre-attack
|
||||||
|
- stix
|
||||||
|
- opencti
|
||||||
|
- enrichment
|
||||||
|
- virustotal
|
||||||
|
version: '1.0'
|
||||||
author: mahipal
|
author: mahipal
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
|
nist_csf:
|
||||||
|
- ID.RA-01
|
||||||
|
- ID.RA-05
|
||||||
|
- DE.CM-01
|
||||||
|
- DE.AE-02
|
||||||
---
|
---
|
||||||
# Building IOC Enrichment Pipeline with OpenCTI
|
# Building IOC Enrichment Pipeline with OpenCTI
|
||||||
|
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user