diff --git a/.gitignore b/.gitignore
index da081b4..472f47d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,5 @@
*.idea
_*
# Ignore local configuration
-config.yml
\ No newline at end of file
+config.yml
+Atomic_Threat_Coverage_test
diff --git a/data_needed/DN_0038_517_the_audit_log_was_cleared.yaml b/data_needed/DN_0038_517_the_audit_log_was_cleared.yaml
new file mode 100644
index 0000000..ab8cf98
--- /dev/null
+++ b/data_needed/DN_0038_517_the_audit_log_was_cleared.yaml
@@ -0,0 +1,49 @@
+title: DN_0038_517_the_audit_log_was_cleared
+description: >
+ Event 517 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy.
+loggingpolicy:
+ - none
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102#security-monitoring-recommendations
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
+category: OS Logs
+platform: Windows
+type: Windows Log
+channel: Security
+provider: Microsoft-Windows-Eventlog
+fields:
+ - EventID
+ - Hostname # redundant
+ - Computer
+ - SubjectUserSid
+ - SubjectUserName
+ - SubjectDomainName
+ - SubjectLogonId
+sample: |
+ -
+ -
+
+ 1102
+ 0
+ 4
+ 104
+ 0
+ 0x4020000000000000
+
+ 1087729
+
+
+ Security
+ DC01.contoso.local
+
+
+ -
+ -
+ S-1-5-21-3457937927-2839227994-823803824-1104
+ dadmin
+ CONTOSO
+ 0x55cd1d
+
+
+
+
\ No newline at end of file
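Review bot: The title and description name event 517, while the sample (`1102`), the `provider` `Microsoft-Windows-Eventlog` and both references describe event 1102, so a reader matching this DN against a rule gets two different IDs for the same entry. If 517 is meant as the legacy pre-Vista ID of the same "audit log was cleared" event, say so in the description, e.g. `Event 1102 (517 on pre-Vista systems) is logged whenever the Security log is cleared, ...`, otherwise rename the entry to `DN_0038_1102_...`. The `sample` block as shown carries only values and no element names, so it cannot be lined up with the `fields` list; presumably the XML tags were lost on the way to this page — confirm the committed file still has them. The same value-only sample appears in the other two new DN files.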
diff --git a/data_needed/DN_0044_1000_application_crashed.yaml b/data_needed/DN_0044_1000_application_crashed.yaml
new file mode 100644
index 0000000..3951166
--- /dev/null
+++ b/data_needed/DN_0044_1000_application_crashed.yaml
@@ -0,0 +1,59 @@
+title: DN_0044_1000_application_crashed
+description: >
+ This is a very generic error and it doesn't tell much about what caused it. Some applications may fail with this error when the system is left unstable by another faulty program.
+loggingpolicy:
+ - none
+references:
+ - https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html
+category: OS Logs
+platform: Windows
+type: Windows Log
+channel: Application
+provider: Application Error
+fields:
+ - EventID
+ - Hostname # redundant
+ - Computer
+ - FaultingApplicationName
+ - FaultingModuleName
+ - ExceptionCode
+ - FaultOffset
+ - FaultingProcessId
+ - FaultingApplicationStartTime
+ - FaultingApplicationPath
+ - FaultingModulePath
+ - ReportId
+ - FaultingPackageFullName
+ - FaultingPackage-relativeApplicationID
+sample: |
+ -
+ -
+
+ 1000
+ 2
+ 100
+ 0x80000000000000
+
+ 6724
+ Application
+ WD0000.eu.windows.com
+
+
+ -
+ IntelAudioService.exe
+ 1.0.46.0
+ 59afa72c
+ KERNELBASE.dll
+ 10.0.17134.441
+ 428de48c
+ e06d7363
+ 000000000003a388
+ 1240
+ 01d49e823bbf0b3b
+ C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe
+ C:\WINDOWS\System32\KERNELBASE.dll
+ 6220b181-a7a0-4c44-9046-d8ce090d3a86
+
+
+
+
diff --git a/data_needed/DN_0045_1001_windows_error_reporting.yaml b/data_needed/DN_0045_1001_windows_error_reporting.yaml
new file mode 100644
index 0000000..b4e0bc9
--- /dev/null
+++ b/data_needed/DN_0045_1001_windows_error_reporting.yaml
@@ -0,0 +1,68 @@
+title: DN_0045_1001_windows_error_reporting
+description: >
+ When application fails, the result is recorded as an informational event in the Application log by Windows Error Reporting as event 1001.
+loggingpolicy:
+ - none
+references:
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11)
+ - https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1
+category: OS Logs
+platform: Windows
+type: Windows Log
+channel: Application
+provider: Windows Error Reporting
+fields:
+ - EventID
+ - Hostname # redundant
+ - Computer
+ - EventName
+ - Response
+ - CabId
+ - ProblemSignature
+ - AttachedFiles
+ - Thesefilesmaybeavailablehere
+ - AnalysisSymbol
+ - RecheckingForSolution
+ - ReportId
+ - ReportStatus
+ - HashedBucket
+sample: |
+ -
+ -
+
+ 1001
+ 4
+ 0
+ 0x80000000000000
+
+ 11279
+ Application
+ WD00000.eu.windows.com
+
+
+ -
+ 2005798148961969216
+ 5
+ StoreAgentScanForUpdatesFailure0
+ Not available
+ 0
+ Update;
+ 8024402c
+ 16299
+ 847
+ Windows.Desktop
+
+
+
+
+
+ \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER81F.tmp.WERInternalMetadata.xml
+ C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_ba86f388d190af6963dbd95b33715448fcb6fd5_00000000_27442451
+
+ 0
+ 0885fc8a-5383-4c50-b209-7c570832b8bf
+ 268435556
+ e7b725b96c0bab97abd606ca1003a440
+
+
+
\ No newline at end of file
diff --git a/scripts/config.default.yml b/scripts/config.default.yml
index 9044e8c..f6bbfb8 100644
--- a/scripts/config.default.yml
+++ b/scripts/config.default.yml
@@ -4,7 +4,8 @@ confluence_space_name: "ATC" # SPACE KEY. GO TO: SPACE TOOLS -> Overview -> Spac
confluence_space_home_page_name: 'ATC Home' # SPACE HOME. GO TO: SPACE TOOLS -> Overview -> Space Details -> Home page
confluence_name_of_root_directory: 'Atomic Threat Coverage'
md_name_of_root_directory: '../Atomic_Threat_Coverage'
-detection_rules_directory: '../detection_rules'
+detection_rules_directories:
+ - '../detection_rules'
triggers_directory: '../triggers/atomic-red-team/atomics'
confluence_rest_api_url: 'https://atomicthreatcoverage.atlassian.net/wiki/rest/api/'
# to get sample viewpage url go to 'Page Information' for any page from your confluence
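Review bot: Renaming `detection_rules_directory` to the list-valued `detection_rules_directories` silently breaks every `config.yml` copied from the old default, and nothing in the new lines documents the migration. Add a comment on the new key, e.g. `detection_rules_directories: # one or more directories with detection rules; replaces the old single-valued detection_rules_directory`, so users updating a local config know to rename it. Whether `ATCconfig.get` raises or returns `None` for a missing key is not visible here; if it returns `None`, the consumers of this key in the populate scripts end up with no directory list at all.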
diff --git a/scripts/es_index_export.py b/scripts/es_index_export.py
index d746485..77652a4 100755
--- a/scripts/es_index_export.py
+++ b/scripts/es_index_export.py
@@ -74,13 +74,13 @@ def main(**kwargs):
dn_titles = ATCutils.main_dn_calculatoin_func(path)
alert_dns = [data for data in dn_list if data['title'] in dn_titles]
if len(alert_dns) < 1:
- alert_dns = [{'category': '-',
- 'platform': '-',
- 'provider': '-',
- 'type': '-',
- 'channel': '-',
- 'title': '-',
- 'loggingpolicy': ['-']}]
+ alert_dns = [{'category': 'not defined',
+ 'platform': 'not defined',
+ 'provider': 'not defined',
+ 'type': 'not defined',
+ 'channel': 'not defined',
+ 'title': 'not defined',
+ 'loggingpolicy': ['not defined']}]
logging_policies = []
for dn in alert_dns:
# If there are logging policies in DN that we havent added yet - add them
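Review bot: The placeholder dict on the new lines repeats the literal `'not defined'` seven times; keeping the sentinel in one place makes it harder for one field to drift and lets any script that prints or filters on it reuse the same value. Three lines cover it: `placeholder = 'not defined'`, `alert_dns = [dict.fromkeys(('category', 'platform', 'provider', 'type', 'channel', 'title'), placeholder)]`, `alert_dns[0]['loggingpolicy'] = [placeholder]`. Anything downstream that still compares against the old `'-'` sentinel will stop matching after this change; not visible here, worth a grep. `main` continues outside the hunk.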
diff --git a/scripts/init_confluence.py b/scripts/init_confluence.py
index 5eb1f63..1b30d1c 100755
--- a/scripts/init_confluence.py
+++ b/scripts/init_confluence.py
@@ -65,7 +65,7 @@ def main(c_auth=None):
raise Exception("Could not create or update the page. " +
"Is the parent name correct?")
print("Done!")
-
+ return True
if __name__ == "__main__":
main()
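Review bot: `return True` replaces the blank line that separated `main()` from the `if __name__ == "__main__":` guard, so the module-level guard now follows the function body directly; PEP 8 wants two blank lines there. The return is also unconditional — every failure path above raises — so the value tells the caller in `populateconfluence.py` nothing beyond "it did not raise"; a docstring line such as `Returns True once the root page exists; raises on any failure.` would make that contract explicit. `main` begins outside the hunk.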
diff --git a/scripts/populateconfluence.py b/scripts/populateconfluence.py
index e2e1dbc..786bdbd 100755
--- a/scripts/populateconfluence.py
+++ b/scripts/populateconfluence.py
@@ -8,7 +8,7 @@ from triggers import Triggers
from enrichment import Enrichment
from responseaction import ResponseAction
from responseplaybook import ResponsePlaybook
-# from pdb import set_trace as bp
+from pdb import set_trace as bp
from attack_mapping import te_mapping # , ta_mapping
# Import ATC Utils
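Review bot: Un-commenting `from pdb import set_trace as bp` puts a debugger import into a script that runs non-interactively, and the same line is enabled in `populatemarkdown.py` in this commit. Unless a `bp()` call is added somewhere, the import is unused and reads as leftover debugging; if a call is present, the run blocks waiting on stdin. Restore `# from pdb import set_trace as bp` in both files, or drop the line entirely.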
@@ -103,7 +103,7 @@ class PopulateConfluence:
from init_confluence import main as init_main
- init_main(self.auth)
+ return init_main(self.auth)
def triggers(self, tg_path):
"""Populate Triggers"""
@@ -215,8 +215,14 @@ class PopulateConfluence:
if dr_path:
dr_list = glob.glob(dr_path + '*.yml')
else:
- dr_list = glob.glob(ATCconfig.get(
- 'detection_rules_directory') + '/*.yml')
+ dr_dirs = ATCconfig.get('detection_rules_directories')
+ # check if config provides multiple directories for detection rules
+ if isinstance(dr_dirs, list):
+ dr_list = []
+ for directory in dr_dirs:
+ dr_list += glob.glob(directory + '/*.yml')
+ elif isinstance(dr_dirs, str):
+ dr_list = glob.glob(dr_dirs + '/*.yml')
for dr_file in dr_list:
try:
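Review bot: In the new `else` branch `dr_list` is only assigned when `dr_dirs` is a `list` or a `str`; if `ATCconfig.get('detection_rules_directories')` yields anything else — most likely `None` for a user whose `config.yml` still carries the old `detection_rules_directory` key — the `for dr_file in dr_list:` loop below raises `UnboundLocalError` instead of an error naming the config key. Normalising a single string to a one-element list and rejecting a missing or empty value up front removes the type branch and the unassigned case. The same block is duplicated in `populatemarkdown.py` and should get the identical fix. The enclosing method begins before this hunk.
```python
        else:
            dr_dirs = ATCconfig.get('detection_rules_directories')
            if not dr_dirs:
                raise ValueError(
                    "config: 'detection_rules_directories' is missing or empty")
            # a single directory may be given as a plain string
            if isinstance(dr_dirs, str):
                dr_dirs = [dr_dirs]
            dr_list = []
            for directory in dr_dirs:
                dr_list += glob.glob(directory + '/*.yml')
        # … unchanged: per-file parsing loop …
```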
diff --git a/scripts/populatemarkdown.py b/scripts/populatemarkdown.py
index 4483dad..03b34da 100755
--- a/scripts/populatemarkdown.py
+++ b/scripts/populatemarkdown.py
@@ -8,7 +8,7 @@ from loggingpolicy import LoggingPolicy
from enrichment import Enrichment
from responseaction import ResponseAction
from responseplaybook import ResponsePlaybook
-# from pdb import set_trace as bp
+from pdb import set_trace as bp
# Import ATC Utils
from atcutils import ATCutils
@@ -155,8 +155,14 @@ class PopulateMarkdown:
if dr_path:
dr_list = glob.glob(dr_path + '*.yml')
else:
- dr_list = glob.glob(ATCconfig.get(
- 'detection_rules_directory') + '/*.yml')
+ dr_dirs = ATCconfig.get('detection_rules_directories')
+ # check if config provides multiple directories for detection rules
+ if isinstance(dr_dirs, list):
+ dr_list = []
+ for directory in dr_dirs:
+ dr_list += glob.glob(directory + '/*.yml')
+ elif isinstance(dr_dirs, str):
+ dr_list = glob.glob(dr_dirs + '/*.yml')
for dr_file in dr_list:
try: