This commit is contained in:
Yugoslavskiy Daniil 2019-03-25 00:29:57 +01:00
commit d408a58eeb
9 changed files with 207 additions and 17 deletions

.gitignore vendored

@ -4,4 +4,5 @@
*.idea
_*
# Ignore local configuration
config.yml
config.yml
Atomic_Threat_Coverage_test


@ -0,0 +1,49 @@
title: DN_0038_517_the_audit_log_was_cleared
description: >
Event 517 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy.
loggingpolicy:
- none
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102#security-monitoring-recommendations
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Eventlog
fields:
- EventID
- Hostname # redundant
- Computer
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" />
<EventRecordID>1087729</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="2644" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid>
<SubjectUserName>dadmin</SubjectUserName>
<SubjectDomainName>CONTOSO</SubjectDomainName>
<SubjectLogonId>0x55cd1d</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>
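Review bot: The title and description at the top of this file refer to event 517, while the sample's `<EventID>` element and both reference URLs describe event 1102, so a detection keyed on this DN's `EventID` field gets a different number depending on which part of the file it trusts. If 517 is meant as the legacy pre-Vista identifier of the same "audit log was cleared" event, the description should say so rather than leave the two numbers side by side, e.g. `Event 1102 (517 on legacy systems) is logged whenever the Security log is cleared, regardless of the Audit System Events audit policy.`, and the title should carry the number that the sample and references actually use. The `Hostname # redundant` entry in `fields` also gives no hint which of `Hostname` and `Computer` a consumer is expected to rely on; a one-line comment on that choice would save the next reader a guess.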


@ -0,0 +1,59 @@
title: DN_0044_1000_application_crashed
description: >
This is a very generic error and it doesn't tell much about what caused it. Some applications may fail with this error when the system is left unstable by another faulty program.
loggingpolicy:
- none
references:
- https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html
category: OS Logs
platform: Windows
type: Windows Log
channel: Application
provider: Application Error
fields:
- EventID
- Hostname # redundant
- Computer
- FaultingApplicationName
- FaultingModuleName
- ExceptionCode
- FaultOffset
- FaultingProcessId
- FaultingApplicationStartTime
- FaultingApplicationPath
- FaultingModulePath
- ReportId
- FaultingPackageFullName
- FaultingPackage-relativeApplicationID
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-01T15:49:38.973342200Z" />
<EventRecordID>6724</EventRecordID>
<Channel>Application</Channel>
<Computer>WD0000.eu.windows.com</Computer>
<Security />
</System>
- <EventData>
<Data>IntelAudioService.exe</Data>
<Data>1.0.46.0</Data>
<Data>59afa72c</Data>
<Data>KERNELBASE.dll</Data>
<Data>10.0.17134.441</Data>
<Data>428de48c</Data>
<Data>e06d7363</Data>
<Data>000000000003a388</Data>
<Data>1240</Data>
<Data>01d49e823bbf0b3b</Data>
<Data>C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe</Data>
<Data>C:\WINDOWS\System32\KERNELBASE.dll</Data>
<Data>6220b181-a7a0-4c44-9046-d8ce090d3a86</Data>
<Data />
<Data />
</EventData>
</Event>
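Review bot: The `fields` list names 11 event-specific fields, but the sample's `<EventData>` carries 15 positional, unnamed `<Data>` values, so the position-to-field mapping is left to the reader; the version and timestamp values visible at positions 2, 3, 5 and 6 (`1.0.46.0`, `59afa72c`, `10.0.17134.441`, `428de48c`) have no corresponding field at all. Either list every positional value in order (adding names such as `FaultingApplicationVersion`, `FaultingApplicationTimestamp`, `FaultingModuleVersion`, `FaultingModuleTimestamp` between the existing ones) or add a comment under `fields:` stating that the names follow the `<Data>` element order and which positions are skipped. The same gap applies to DN_0045_1001_windows_error_reporting in this commit, whose 22 `<Data>` values map onto 11 listed fields and whose `Thesefilesmaybeavailablehere` entry reads as a message fragment rather than a field name. `FaultingPackage-relativeApplicationID` also mixes a hyphen into an otherwise CamelCase list, which will bite any consumer that treats field names as identifiers.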


@ -0,0 +1,68 @@
title: DN_0045_1001_windows_error_reporting
description: >
When application fails, the result is recorded as an informational event in the Application log by Windows Error Reporting as event 1001.
loggingpolicy:
- none
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11)
- https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1
category: OS Logs
platform: Windows
type: Windows Log
channel: Application
provider: Windows Error Reporting
fields:
- EventID
- Hostname # redundant
- Computer
- EventName
- Response
- CabId
- ProblemSignature
- AttachedFiles
- Thesefilesmaybeavailablehere
- AnalysisSymbol
- RecheckingForSolution
- ReportId
- ReportStatus
- HashedBucket
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-08T14:01:18.909425000Z" />
<EventRecordID>11279</EventRecordID>
<Channel>Application</Channel>
<Computer>WD00000.eu.windows.com</Computer>
<Security />
</System>
- <EventData>
<Data>2005798148961969216</Data>
<Data>5</Data>
<Data>StoreAgentScanForUpdatesFailure0</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>Update;</Data>
<Data>8024402c</Data>
<Data>16299</Data>
<Data>847</Data>
<Data>Windows.Desktop</Data>
<Data />
<Data />
<Data />
<Data />
<Data />
<Data>\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER81F.tmp.WERInternalMetadata.xml</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_ba86f388d190af6963dbd95b33715448fcb6fd5_00000000_27442451</Data>
<Data />
<Data>0</Data>
<Data>0885fc8a-5383-4c50-b209-7c570832b8bf</Data>
<Data>268435556</Data>
<Data>e7b725b96c0bab97abd606ca1003a440</Data>
</EventData>
</Event>


@ -4,7 +4,8 @@ confluence_space_name: "ATC" # SPACE KEY. GO TO: SPACE TOOLS -> Overview -> Spac
confluence_space_home_page_name: 'ATC Home' # SPACE HOME. GO TO: SPACE TOOLS -> Overview -> Space Details -> Home page
confluence_name_of_root_directory: 'Atomic Threat Coverage'
md_name_of_root_directory: '../Atomic_Threat_Coverage'
detection_rules_directory: '../detection_rules'
detection_rules_directories:
- '../detection_rules'
triggers_directory: '../triggers/atomic-red-team/atomics'
confluence_rest_api_url: 'https://atomicthreatcoverage.atlassian.net/wiki/rest/api/'
# to get sample viewpage url go to 'Page Information' for any page from your confluence


@ -74,13 +74,13 @@ def main(**kwargs):
dn_titles = ATCutils.main_dn_calculatoin_func(path)
alert_dns = [data for data in dn_list if data['title'] in dn_titles]
if len(alert_dns) < 1:
alert_dns = [{'category': '-',
'platform': '-',
'provider': '-',
'type': '-',
'channel': '-',
'title': '-',
'loggingpolicy': ['-']}]
alert_dns = [{'category': 'not defined',
'platform': 'not defined',
'provider': 'not defined',
'type': 'not defined',
'channel': 'not defined',
'title': 'not defined',
'loggingpolicy': ['not defined']}]
logging_policies = []
for dn in alert_dns:
# If there are logging policies in DN that we havent added yet - add them
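Review bot: The placeholder record on the added lines repeats the literal `'not defined'` seven times over six scalar keys plus the `loggingpolicy` list, so the sentinel text and the key set can drift apart from the dict shape the loop below expects without any single place to check. Building it once keeps both together: `placeholder = 'not defined'` followed by `alert_dns = [{**dict.fromkeys(('category', 'platform', 'provider', 'type', 'channel', 'title'), placeholder), 'loggingpolicy': [placeholder]}]`. The `if len(alert_dns) < 1:` test on the context line above reads more naturally as `if not alert_dns:`. main() starts before and continues after this hunk.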


@ -65,7 +65,7 @@ def main(c_auth=None):
raise Exception("Could not create or update the page. " +
"Is the parent name correct?")
print("Done!")
return True
if __name__ == "__main__":
main()


@ -8,7 +8,7 @@ from triggers import Triggers
from enrichment import Enrichment
from responseaction import ResponseAction
from responseplaybook import ResponsePlaybook
# from pdb import set_trace as bp
from pdb import set_trace as bp
from attack_mapping import te_mapping # , ta_mapping
# Import ATC Utils
@ -103,7 +103,7 @@ class PopulateConfluence:
from init_confluence import main as init_main
init_main(self.auth)
return init_main(self.auth)
def triggers(self, tg_path):
"""Populate Triggers"""
@ -215,8 +215,14 @@ class PopulateConfluence:
if dr_path:
dr_list = glob.glob(dr_path + '*.yml')
else:
dr_list = glob.glob(ATCconfig.get(
'detection_rules_directory') + '/*.yml')
dr_dirs = ATCconfig.get('detection_rules_directories')
# check if config provides multiple directories for detection rules
if isinstance(dr_dirs, list):
dr_list = []
for directory in dr_dirs:
dr_list += glob.glob(directory + '/*.yml')
elif isinstance(dr_dirs, str):
dr_list = glob.glob(dr_dirs + '/*.yml')
for dr_file in dr_list:
try:
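Review bot: In the new `else:` branch `dr_list` is assigned only when `dr_dirs` is a list or a str, so a config that lacks `detection_rules_directories` — the old key `detection_rules_directory` is removed in this commit's config hunk, and local config.yml files are gitignored and will not be updated by it — or holds any other value reaches `for dr_file in dr_list:` with the name unbound, assuming `ATCconfig.get` returns None for a missing key as its name suggests. Normalising a single string to a one-element list and rejecting anything else gives one loop and a clear configuration error instead of an UnboundLocalError two lines later; the identical code in populatemarkdown.py's hunk at +155 needs the same change. The first hunk of this file and of populatemarkdown.py also uncomments `from pdb import set_trace as bp`, which leaves an unused debugger import in both modules; it should stay commented out or be removed. The enclosing method starts before and continues after this hunk.
```python
else:
    dr_dirs = ATCconfig.get('detection_rules_directories')
    # accept a single path as well as a list; anything else is a
    # configuration error rather than an unbound dr_list below
    if isinstance(dr_dirs, str):
        dr_dirs = [dr_dirs]
    if not isinstance(dr_dirs, list):
        raise ValueError(
            "config key 'detection_rules_directories' must be a "
            "path or a list of paths")
    dr_list = []
    for directory in dr_dirs:
        dr_list += glob.glob(directory + '/*.yml')
# … unchanged: loop over dr_list …
```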


@ -8,7 +8,7 @@ from loggingpolicy import LoggingPolicy
from enrichment import Enrichment
from responseaction import ResponseAction
from responseplaybook import ResponsePlaybook
# from pdb import set_trace as bp
from pdb import set_trace as bp
# Import ATC Utils
from atcutils import ATCutils
@ -155,8 +155,14 @@ class PopulateMarkdown:
if dr_path:
dr_list = glob.glob(dr_path + '*.yml')
else:
dr_list = glob.glob(ATCconfig.get(
'detection_rules_directory') + '/*.yml')
dr_dirs = ATCconfig.get('detection_rules_directories')
# check if config provides multiple directories for detection rules
if isinstance(dr_dirs, list):
dr_list = []
for directory in dr_dirs:
dr_list += glob.glob(directory + '/*.yml')
elif isinstance(dr_dirs, str):
dr_list = glob.glob(dr_dirs + '/*.yml')
for dr_file in dr_list:
try: