

Updated Docs
+ Updated Docs to show new large data set link
+ Updated data sources collected from Shire network
+ Re-run stats on every small dataset to show more sources that did not have tasks mapped to them. Stats script was not counting all of them.
Cyb3rWard0g committed May 16, 2019
1 parent d99ca6a commit f5c5cfb
Showing 34 changed files with 879 additions and 687 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -67,7 +67,7 @@ However, I believe that we can expedite the emulation of an adversarial techniqu
* [Available Networks](https://mordor.readthedocs.io/en/latest/network_available.html)
* Mordor Categorization
* [Small Datasets](https://mordor.readthedocs.io/en/latest/mordor_categorization.html#small-datasets)
* Large Datasets
* [Large Datasets](https://mordor.readthedocs.io/en/latest/mordor_categorization.html#large-datasets)
* Mordor Data Consumption
* [Kafkacat Style](https://mordor.readthedocs.io/en/latest/consume_mordor.html#kafkacat-style)
* [Jupyter Notebooks Style](https://mordor.readthedocs.io/en/latest/consume_mordor.html#jupyter-notebook-style)
Binary file modified docs/build/doctrees/environment.pickle
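Review bot: docs/build/doctrees/environment.pickle, the .doctree files and the docs/build/html pages in this commit are Sphinx build output, so every wording change to the .rst sources is duplicated into generated binaries and HTML that will drift out of step on the next edit and bloat the diff (879 additions for what is a handful of source-line changes). Since the README links to mordor.readthedocs.io, consider letting Read the Docs build from source and adding docs/build to .gitignore, or regenerating the output in CI, rather than committing it by hand.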
Binary file modified docs/build/doctrees/mordor_categorization.doctree
Binary file modified docs/build/doctrees/network_shire.doctree
11 changes: 8 additions & 3 deletions docs/build/html/_sources/mordor_categorization.rst.txt
Expand Up @@ -12,8 +12,8 @@ Small Datasets
* They lack of context from other techniques that happen in other tactic categories. For example, if mordor data gives you credential dumping sub-techniques, you only get that and not the potential privilege escalation activity that might have been necessary to be able to dump credentials in the first place.
* Think about them as the results of atomic testing.

Examples
********
Example
*******

* `DCSync Dataset <https://github.com/Cyb3rWard0g/mordor/blob/master/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/empire_dcsync.md>`_

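Review bot: the heading rename from "Examples" to "Example" changes the section anchor from #examples to #example, so any existing deep link to the old anchor breaks; since a second "Example" heading is added further down in the same file, distinct heading text (for instance "Small Dataset Example") would both keep the anchor unique and make the rename worthwhile. While in this section, the unchanged context line "They lack of context from other techniques that happen in other tactic categories" reads more cleanly as "They lack context from techniques that belong to other tactic categories".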
Expand All @@ -23,4 +23,9 @@ Large Datasets
* They are categorized by known APT groups or custom combination of techniques produced in the mordor lab environments
* They represent events that get generated throughout the ``whole attack lifecycle`` (Initial accesss, discovery, privilege escalation, etc)
* They have a lot of context to identify relationships across several data sources produced by the execution of several adversarial techniques in one mordor file.
* This is going to be available by the end of May 2019.
* They are inspired by the `ATT&CK evaluation emulation playbooks <https://attackevals.mitre.org/evaluations.html#>`_

Example
*******

* `APT3 Dataset <https://github.com/Cyb3rWard0g/mordor/tree/master/large_datasets/apt3>`_
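Review bot: this second "Example" heading duplicates the one under Small Datasets, so Sphinx assigns it the auto-generated anchor id1 (visible as href="#id1" in the built HTML in this same commit); that anchor is not meaningful and will change if any other duplicate heading is added to the page. Suggest distinct heading text such as "Large Dataset Example" so the anchor is stable. The removed line "This is going to be available by the end of May 2019" is correctly replaced by the APT3 link, but note that the link targets a directory (tree/master/large_datasets/apt3) rather than a dataset description file as the DCSync example does, so a README in that directory would keep the two examples consistent.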
67 changes: 52 additions & 15 deletions docs/build/html/_sources/network_shire.rst.txt
Expand Up @@ -6,6 +6,7 @@ The Shire
:scale: 60%

This mordor environment was designed to replicate a very small network with the essential devices to colllect information from adversarial activities.
This environment is a windows environment.

Network Design
##############
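Review bot: the added sentence "This environment is a windows environment." is contradicted by the host table in the next hunk, which lists a Kali 2018.4 Linux box as the Red Team C2 (kali, 10.0.10.106). Suggest "The victim hosts run Windows; the red team C2 runs Kali Linux" and capitalise Windows. The unchanged context line above it also spells "collect" as "colllect".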
Expand All @@ -31,27 +32,63 @@ Network Design
+-----------+-------------+---------------+-----------+---------------+---------------+
| Linux | Kali 2018.4 | Red Team C2 | kali | 10.0.10.106 | wardog |
+-----------+-------------+---------------+-----------+---------------+---------------+
| macOS | coming soon | coming soon.. | .. | .. | .. |
+-----------+-------------+---------------+-----------+---------------+---------------+

Data Sources Collected
######################

The initial events that mordor is collecting to test level of visibility are the following:

+----------+-------------------------------------+--------------------------------------------+
| Type | Log Provider | Log Name |
+==========+=====================================+============================================+
| winevent | Microsoft-Windows-Security-Auditing | Security |
+----------+-------------------------------------+--------------------------------------------+
| winevent | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational |
+----------+-------------------------------------+--------------------------------------------+
| winevent | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational |
+----------+-------------------------------------+--------------------------------------------+
| winevent | Powershell | Windows PowerShell |
+----------+-------------------------------------+--------------------------------------------+
| winevent | Microsoft-Windows-WMI-Activity | Microsoft-Windows-WMI-Activity/Operational |
+----------+-------------------------------------+--------------------------------------------+
+------------------------------------------------------------------------+------------------------------------------------------------+
| Log Name | Log Provider |
+========================================================================+============================================================+
| Security | Microsoft-Windows-Security-Auditing |
+------------------------------------------------------------------------+------------------------------------------------------------+
| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon |
+------------------------------------------------------------------------+------------------------------------------------------------+
| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell |
+------------------------------------------------------------------------+------------------------------------------------------------+
| Windows PowerShell | PowerShell |
+------------------------------------------------------------------------+------------------------------------------------------------+
| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-Directory-Services-SAM |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Service Control Manager |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-GroupPolicy |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-Kernel-General |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-DistributedCOM |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-Winlogon |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-DNS-Client |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-Ntfs |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-WinRM |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | e1iexpress |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-Kernel-Processor-Power |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-Power-Troubleshooter |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | Microsoft-Windows-Wininit |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | User32 |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | vmci |
+------------------------------------------------------------------------+------------------------------------------------------------+
| System | vsepflt |
+------------------------------------------------------------------------+------------------------------------------------------------+
| Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
+------------------------------------------------------------------------+------------------------------------------------------------+
| Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
+------------------------------------------------------------------------+------------------------------------------------------------+
| Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client |
+------------------------------------------------------------------------+------------------------------------------------------------+

Windows Security Auditing
#########################
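Review bot: the lead-in line "The initial events that mordor is collecting to test level of visibility are the following:" no longer matches the rewritten table, which lists log channels and providers rather than events, and dropping the old "Type" column (winevent) removes the only field that told consumers how these records are tagged in the dataset; suggest "The Windows event log channels and providers collected from the Shire hosts are the following:" and restoring the type column if the kafkacat and Jupyter consumers filter on it. Several of the new System-channel providers (e1iexpress, vmci, vsepflt, Microsoft-Windows-Kernel-Processor-Power, Microsoft-Windows-Power-Troubleshooter) are NIC, hypervisor and power-management drivers that appear because the whole System channel is forwarded from VMware guests, not sources chosen for detection; a sentence saying so would stop readers treating them as required data sources when reproducing the collection elsewhere. The macOS "coming soon" row is also removed without any note that macOS hosts are no longer planned for this network.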
19 changes: 14 additions & 5 deletions docs/build/html/mordor_categorization.html
Expand Up @@ -88,10 +88,13 @@
<ul class="current">
<li class="toctree-l1 current"><a class="current reference internal" href="#">Mordor Data Categorization</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#small-datasets">Small Datasets</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#examples">Examples</a></li>
<li class="toctree-l3"><a class="reference internal" href="#example">Example</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#large-datasets">Large Datasets</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id1">Example</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#large-datasets">Large Datasets</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="consume_mordor.html">Mordor Data Consumption</a></li>
Expand Down Expand Up @@ -175,8 +178,8 @@ <h2>Small Datasets<a class="headerlink" href="#small-datasets" title="Permalink
<li>They lack of context from other techniques that happen in other tactic categories. For example, if mordor data gives you credential dumping sub-techniques, you only get that and not the potential privilege escalation activity that might have been necessary to be able to dump credentials in the first place.</li>
<li>Think about them as the results of atomic testing.</li>
</ul>
<div class="section" id="examples">
<h3>Examples<a class="headerlink" href="#examples" title="Permalink to this headline"></a></h3>
<div class="section" id="example">
<h3>Example<a class="headerlink" href="#example" title="Permalink to this headline"></a></h3>
<ul class="simple">
<li><a class="reference external" href="https://github.com/Cyb3rWard0g/mordor/blob/master/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/empire_dcsync.md">DCSync Dataset</a></li>
</ul>
Expand All @@ -188,8 +191,14 @@ <h2>Large Datasets<a class="headerlink" href="#large-datasets" title="Permalink
<li>They are categorized by known APT groups or custom combination of techniques produced in the mordor lab environments</li>
<li>They represent events that get generated throughout the <code class="docutils literal notranslate"><span class="pre">whole</span> <span class="pre">attack</span> <span class="pre">lifecycle</span></code> (Initial accesss, discovery, privilege escalation, etc)</li>
<li>They have a lot of context to identify relationships across several data sources produced by the execution of several adversarial techniques in one mordor file.</li>
<li>This is going to be available by the end of May 2019.</li>
<li>They are inspired by the <a class="reference external" href="https://attackevals.mitre.org/evaluations.html#">ATT&amp;CK evaluation emulation playbooks</a></li>
</ul>
<div class="section" id="id1">
<h3>Example<a class="headerlink" href="#id1" title="Permalink to this headline"></a></h3>
<ul class="simple">
<li><a class="reference external" href="https://github.com/Cyb3rWard0g/mordor/tree/master/large_datasets/apt3">APT3 Dataset</a></li>
</ul>
</div>
</div>
</div>

1 change: 1 addition & 0 deletions docs/build/html/network_available.html
Expand Up @@ -89,6 +89,7 @@
</ul>
<p class="caption"><span class="caption-text">Getting Started:</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="mordor_categorization.html">Mordor Data Categorization</a></li>
<li class="toctree-l1"><a class="reference internal" href="consume_mordor.html">Mordor Data Consumption</a></li>
</ul>
<p class="caption"><span class="caption-text">Licenses:</span></p>

0 comments on commit f5c5cfb
