mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 22:24:56 +03:00
mukul975
107 lines
2.6 KiB
Markdown
107 lines
2.6 KiB
Markdown
# Detecting Email Forwarding Rules Attack - Hunt Template
|
|
|
|
## Hunt Metadata
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| Hunt ID | TH-DETECT-YYYY-MM-DD-NNN |
|
|
| Analyst | |
|
|
| Date Started | |
|
|
| Date Completed | |
|
|
| Status | [ ] In Progress / [ ] Complete |
|
|
| Priority | [ ] Critical / [ ] High / [ ] Medium / [ ] Low |
|
|
|
|
## Hypothesis
|
|
|
|
> **Statement**: [Formulate a clear, testable hypothesis]
|
|
>
|
|
> **Basis**: [ ] Threat Intel / [ ] ATT&CK Gap / [ ] Anomaly / [ ] Incident Follow-up
|
|
|
|
## Target Techniques
|
|
|
|
- [ ] T1114.003 - Email Forwarding Rule
|
|
- [ ] T1114.002 - Remote Email Collection
|
|
- [ ] T1098.002 - Additional Email Delegate Permissions
|
|
|
|
## Data Sources
|
|
|
|
- [ ] Sysmon Event Logs
|
|
- [ ] Windows Security Event Logs
|
|
- [ ] EDR Telemetry (Platform: _____________)
|
|
- [ ] SIEM (Platform: _____________)
|
|
- [ ] Network Logs (Proxy/Firewall/DNS)
|
|
- [ ] Cloud Audit Logs
|
|
- [ ] Email Gateway Logs
|
|
- [ ] Application Logs
|
|
|
|
## Queries Executed
|
|
|
|
### Query 1: [Description]
|
|
```
|
|
[Query text]
|
|
```
|
|
**Results**: [Count] events | **Execution Time**: [Duration]
|
|
|
|
### Query 2: [Description]
|
|
```
|
|
[Query text]
|
|
```
|
|
**Results**: [Count] events | **Execution Time**: [Duration]
|
|
|
|
## Findings
|
|
|
|
| # | Timestamp | Host | User | Technique | Evidence Summary | Risk | Verdict |
|
|
|---|-----------|------|------|-----------|-----------------|------|---------|
|
|
| 1 | | | | | | | TP / FP / BTP |
|
|
| 2 | | | | | | | TP / FP / BTP |
|
|
| 3 | | | | | | | TP / FP / BTP |
|
|
|
|
## IOCs Discovered
|
|
|
|
### Network IOCs
|
|
| Type | Value | Context | Confidence |
|
|
|------|-------|---------|-----------|
|
|
| IP | | | |
|
|
| Domain | | | |
|
|
| URL | | | |
|
|
|
|
### Host IOCs
|
|
| Type | Value | Context | Confidence |
|
|
|------|-------|---------|-----------|
|
|
| SHA256 | | | |
|
|
| Filename | | | |
|
|
| Registry Key | | | |
|
|
| Scheduled Task | | | |
|
|
|
|
## Hunt Results Summary
|
|
|
|
| Metric | Count |
|
|
|--------|-------|
|
|
| Total Events Analyzed | |
|
|
| Anomalies Identified | |
|
|
| True Positives | |
|
|
| False Positives | |
|
|
| Benign True Positives | |
|
|
| New IOCs Discovered | |
|
|
| Detection Rules Created | |
|
|
| Detection Rules Updated | |
|
|
|
|
## Hypothesis Outcome
|
|
|
|
- [ ] **Confirmed**: Evidence supports the hypothesis
|
|
- [ ] **Partially Confirmed**: Some evidence found, further investigation needed
|
|
- [ ] **Refuted**: No evidence found
|
|
- [ ] **Inconclusive**: Insufficient data
|
|
|
|
## Recommendations
|
|
|
|
1. **Immediate Actions**: [Containment, remediation steps]
|
|
2. **Detection Improvements**: [New rules, tuning recommendations]
|
|
3. **Visibility Gaps**: [Missing data sources, coverage needs]
|
|
4. **Security Hardening**: [Configuration changes, policy updates]
|
|
5. **Follow-up Hunts**: [Related hypotheses to investigate]
|
|
|
|
## Analyst Notes
|
|
|
|
[Free-form notes, observations, and lessons learned]
|