Merge branch 'develop' into 'master'
update DN md template, fix #153

See merge request krakow2600/atomic-threat-coverage!96
yugoslavskiy committed Jan 14, 2020
2 parents 877269f + 3dae842 commit ea6cda3
Showing 496 changed files with 17,281 additions and 1,523 deletions.
2 changes: 1 addition & 1 deletion Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md
Original file line number Diff line number Diff line change
@@ -4,4 +4,4 @@
| Description | Some text description here. It will be merged into one line. |
| Data Needed |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| Detection Rule | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[Suspicious XOR Encoded PowerShell Command Line](../Detection_Rules/powershell_xor_commandline.md)</li><li>[Hiding files with attrib.exe](../Detection_Rules/win_attrib_hiding_files.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
| Detection Rule | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[Suspicious XOR Encoded PowerShell Command Line](../Detection_Rules/win_powershell_xor_commandline.md)</li><li>[Hiding files with attrib.exe](../Detection_Rules/win_attrib_hiding_files.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
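Review bot: the only changed cell in this hunk swaps the link `../Detection_Rules/powershell_xor_commandline.md` for `../Detection_Rules/win_powershell_xor_commandline.md`, so confirm the rule file itself was renamed with the `win_` prefix in this merge (otherwise the rendered customer page gets a dead link) and that no other Customer or Detection Rule page still references the old path.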
@@ -1,8 +1,7 @@
| Title | DN_0001_4688_windows_process_creation |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, not including command line |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
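Review bot: the `Logging Policy` row shows up as both a removed and an added line although the rendered text is identical, so the only substantive change in this hunk is dropping the empty `Mitigation Policy | <ul></ul>` row; the duplicate is almost certainly a trailing-whitespace or padding difference in the regenerated template, and normalising that in the DN template would keep future diffs across the Data Needed files limited to real changes.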
@@ -1,8 +1,7 @@
| Title | DN_0002_4688_windows_process_creation_with_commandline |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
@@ -1,8 +1,7 @@
| Title | DN_0003_1_windows_sysmon_process_creation |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line |
| Logging Policy | <ul><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
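Review bot: the Description row (`Windows process creation log, including command line`) is word-for-word the same as DN_0002's, so the two entries cannot be told apart anywhere only the description is shown; suggest naming the source here, for example `Sysmon Event ID 1 process creation log, including command line`, which the Title and the eventid=90001 reference already imply.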
@@ -1,9 +1,8 @@
| Title | DN_0004_4624_windows_account_logon |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | An account was successfully logged on |
| Logging Policy | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Logging Policy | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
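Review bot: changing the References row from `event-4688.md` to `event-4624.md` is the right fix, since the old link documented process creation rather than the 4624 logon event named in the Title; because the same copy-paste pattern could exist elsewhere, it is worth a pass over the other DN files in this merge checking that the event id in each References URL matches the event id in the Title.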
@@ -1,8 +1,7 @@
| Title | DN_0005_7045_windows_service_insatalled |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A service was installed in the system |
| Logging Policy | <ul><li> Not existing </li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[None](None)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
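Review bot: the Title `DN_0005_7045_windows_service_insatalled` misspells `installed`, and since the Title doubles as the file name and link target in Customer and Detection Rule pages, fixing it means a rename plus link updates and is better done as its own commit than inside this template regeneration; separately, `[None](None)` in the References row renders as a clickable link to a relative URL `None`, so the template should emit plain text (or `Not existing`, as the Logging Policy row already does) when a DN has no references.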
@@ -1,8 +1,7 @@
| Title | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Explicit modification of file creation timestamp by a process |
| Logging Policy | <ul><li> Not existing </li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
@@ -1,8 +1,7 @@
| Title | DN_0007_3_windows_sysmon_network_connection |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | TCP/UDP connections made by a process |
| Logging Policy | <ul><li>[LP_0005_windows_sysmon_network_connection](../Logging_Policies/LP_0005_windows_sysmon_network_connection.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li>[LP_0005_windows_sysmon_network_connection](../Logging_Policies/LP_0005_windows_sysmon_network_connection.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
@@ -1,8 +1,7 @@
| Title | DN_0008_4_windows_sysmon_sysmon_service_state_changed |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Sysmon service changed status |
| Logging Policy | <ul><li> Not existing </li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
@@ -1,8 +1,7 @@
| Title | DN_0009_5_windows_sysmon_process_terminated |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Process has been terminated |
| Logging Policy | <ul><li> Not existing </li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
@@ -1,8 +1,7 @@
| Title | DN_0010_6_windows_sysmon_driver_loaded |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
| Logging Policy | <ul><li> Not existing </li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
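Review bot: the Description row has a subject-verb mismatch, `The driver loaded events provides`; suggest `The driver loaded event provides information about a driver being loaded on the system`, keeping the rest of the sentence as is.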
@@ -1,8 +1,7 @@
| Title | DN_0011_7_windows_sysmon_image_loaded |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The image loaded event logs when a module is loaded in a specific process |
| Logging Policy | <ul><li>[LP_0006_windows_sysmon_image_loaded](../Logging_Policies/LP_0006_windows_sysmon_image_loaded.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li>[LP_0006_windows_sysmon_image_loaded](../Logging_Policies/LP_0006_windows_sysmon_image_loaded.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
@@ -1,8 +1,7 @@
| Title | DN_0012_8_windows_sysmon_CreateRemoteThread |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The CreateRemoteThread event detects when a process creates a thread in another process |
| Logging Policy | <ul><li> Not existing </li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
@@ -1,8 +1,7 @@
| Title | DN_0013_9_windows_sysmon_RawAccessRead |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation |
| Logging Policy | <ul><li> Not existing </li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
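Review bot: in the Description row `\\.\ denotation` sits in a Markdown table cell, where `\\` is an escaped backslash and `\.` an escaped dot, so the device-path prefix renders as `\.\` rather than `\\.\`; wrapping it in backticks in the template keeps it rendering as written.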
@@ -1,8 +1,7 @@
| Title | DN_0014_10_windows_sysmon_ProcessAccess |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process |
| Logging Policy | <ul><li>[LP_0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP_0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| Logging Policy | <ul><li>[LP_0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP_0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |