otrf / threathunter-playbook
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
License: MIT License
Modification of query to exclude Azure sync via Azure AD Connect in hybrid environment.
MordorUtils function `registerMordorSQLTable` is still not updated to `registerSDSQLTable`
sd_file = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip"
registerSDSQLTable(spark, sd_file, "sdTable")
While reading the playbook page for Remote SCM handle failures, I noticed that while every SQL query on the page is filtering out SubjectLogonID 0x3e4, the Sigma rules appear to be inverted to only show results where SubjectLogonID=0x3e4, which from my understanding of the article seems to be backwards.
Both referenced Sigma rules are written this way: https://github.com/OTRF/ThreatHunter-Playbook/blob/master/signatures/sigma/win_scm_database_privileged_operation.yml
and https://github.com/OTRF/ThreatHunter-Playbook/blob/master/signatures/sigma/win_scm_database_handle_failure.yml
Relevant snippet:
detection:
    selection:
        EventID: 4674
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'servicesactive'
        PrivilegeList: 'SeTakeOwnershipPrivilege'
        SubjectLogonId: "0x3e4"
    condition: selection
Possible change:
detection:
    selection:
        EventID: 4674
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'servicesactive'
        PrivilegeList: 'SeTakeOwnershipPrivilege'
    filter:
        SubjectLogonId: "0x3e4"
    condition: selection and not filter
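To make the inversion concrete, the following added example (not the project's code and not a real Sigma backend, only the subset of matching needed here) evaluates both detection shapes over constructed 4674 events; every field value other than the rule's own, including the non-SYSTEM logon id, is an assumption.

```python
# Added example: minimal evaluator for the two Sigma detection shapes above.
# Not the project's own code; it implements only equality matching,
# 'condition: selection' and 'condition: selection and not filter'.

SELECTION = {
    "EventID": 4674,
    "ObjectType": "SC_MANAGER OBJECT",
    "ObjectName": "servicesactive",
    "PrivilegeList": "SeTakeOwnershipPrivilege",
}
FILTER = {"SubjectLogonId": "0x3e4"}  # 0x3e4 is the well-known SYSTEM logon id


def matches(event, criteria):
    """True when every field in criteria equals the event's field."""
    return all(event.get(k) == v for k, v in criteria.items())


def rule_as_written(event):
    """Original rule: 0x3e4 sits inside the selection, so only
    SYSTEM-originated privileged operations are returned."""
    return matches(event, {**SELECTION, **FILTER})


def rule_proposed(event):
    """Proposed rule: 'selection and not filter' drops the SYSTEM logon
    and keeps everything else, like the SQL queries on the playbook page."""
    return matches(event, SELECTION) and not matches(event, FILTER)


# Constructed sample events (not from any real log): one SYSTEM-originated
# operation, one from an assumed interactive logon, one unrelated 4674.
BASE = {"EventID": 4674, "ObjectType": "SC_MANAGER OBJECT",
        "ObjectName": "servicesactive", "PrivilegeList": "SeTakeOwnershipPrivilege"}
EVENTS = [
    {**BASE, "SubjectLogonId": "0x3e4", "SubjectUserName": "SYSTEM"},
    {**BASE, "SubjectLogonId": "0x4f2a1", "SubjectUserName": "jdoe"},
    {**BASE, "ObjectType": "File", "SubjectLogonId": "0x4f2a1"},
]


def hits(rule):
    """Return the SubjectLogonIds of the events a rule flags."""
    return [e["SubjectLogonId"] for e in EVENTS if rule(e)]


if __name__ == "__main__":
    print("as written:", hits(rule_as_written))  # ['0x3e4']
    print("proposed:  ", hits(rule_proposed))    # ['0x4f2a1']
```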
Hi, just want to say I am not familiar with jupyter notebook so this is more of a question than an issue at this point. Dockerfile build was successful without errors, looks like the default is 8888. Able to connect fine, but it just looks like a blank jupyter instance. Am I missing something? I was expecting notebooks etc to all be populated, not sure what to expect. Is there more getting started documentation?
I believe there could be an additional item which might be easier (with potentially less noise) for bypass_whitelisting_msbuild.md.
I am thinking of Sysmon Event ID =3 with Image=msbuild.exe. My environment contains a significant amount of Event ID =1 since we work in a development environment.
Current: GPLv3
Proposed: MIT
Collaboration of the project is expanding and GPLv3 is not compatible with other ones that make it easier to collaborate.
OSSEM is not organized by:
The Threat Hunter Playbook is pointing to the OSSEM project only. We need to update the links to the respective GitHub sub-modules.
Mordor -> Security Datasets mapping
This resource URL is returning 404 not found: https://sqrrl.com/media/Common-Techniques-for-Hunting.pdf
Several rules were created here and contributed to the Sigma project. Initially the idea was to keep the rules in this repo and at the same time contribute them to Sigma. However, we never got around to updating the links to the Sigma project.
Example:
Link for T1075_mimikatz_inmem_pth.xml is not working.
Docs link: https://threathunterplaybook.com/introduction.html
Needs to be moved to the top of the README so that it is accessible right away without scrolling through the README.
The TargetFileName element should be TargetFilename. Changing it will allow sysmon.exe to consume the config.
T0000_wmimplant.xml has the following rule which is not supported:
<Details condition="is">Win32_OSRecoveryConfiguration</Details>
Due to a design flaw in the Sysmon 3.40 schema, the Details element is not supported. A viable replacement for this rule would be the following:
<TargetObject condition="contains">SYSTEM\CurrentControlSet\Control\CrashControl</TargetObject>
So I've been examining this hunt/detection and I have attempted to recreate the conditions for this hunt and while doing so I have encountered a possible incorrect logic presented in this hunt.
I may be wrong and if so I'd be happy to learn how to get the desired result.
TL;DR:
1. ParentImage OR ParentProcessName are not the Accessibility program (as suggested in the hunt), but rather the process "winlogon.exe"
2. ParentProcessName is not a field that exists in the event 4688 - "Creator Process Name" is, and only exists since Win10 according to this:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
What I used:
The scenario is this:
I used IFEO to set cmd.exe as a debugger to sethc.exe, then I used the Sticky Keys and other methods to invoke sethc.exe, and while reviewing the logs (both Evt and Sysmon) none of them had sethc.exe as a parent of cmd.exe.
In addition, if those accessibility features do have a debugger set to them, the analytic proposed shouldn't work since it won't execute the accessibility program.
Am I missing something?
If you need additional details I'd be happy to provide,
looking forward to your answer,
Sahar.
Cyb3rWard0g, how can I contact you directly regarding this project?
Man in the Browser technique is missing from the Windows Collection Tactic column in the map. See link for more details.
WARNING: Uploaded layer version (4.2) does not match Navigator's layer version (4.3).
The layer configuration may not be fully restored.
Can you still upload the file > https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/metrics/HuntTeam_HeatMap.xlsx
I still prefer this precious gem over the convoluted current Mitre ATT&CK version. Thanks.
The URL for Decompress Dataset is incorrect, had to use the following instead.
https://github.com/OTRF/Security-Datasets/raw/master/datasets/compound/apt29/day1/apt29_evals_day1_manual.zip
Btw, great work to you and the team. Standby for heavy use of OTRF tools in upcoming revision of Gray Hat Hacking book, in Jan.
In the Documentation there is a link for the standardize event fields and combine them with data dictionaries.
Here the original text:
We could easily standardize its event fields and combine them with data dictionaries as shown in here by the OSSEM project.
The Link behind "here" doesn't work anymore:
https://github.com/hunters-forge/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-1.md#data-dictionary
In the Local private data objects paragraph, there are some mismatched double quotes that have put everything in italic and attached together.
There are many ProcessCreate closing tags that have a "]" in them - e.g. T0000_bitsadmin.xml
It would be good to have an idea of what fields and events are used the most for all analytics in the project.
Hey Roberto,
thanks for all the references!
The page mentioned above references this file, but the link is dead.
The sentence in question is "Translate useful fields to a YAML file as shown here."
Furthermore, in the section References, there is one ")" too many.
Thanks again!
Matthias
Python is a type-inferred language, which means we don't have to specify the type of a variable in Python. Let's see how to assign a variable in Python.
For more
https://techwithpie.blogspot.com/2021/08/Pythonvariables.html
You may add this link in your article. This will increase user experience.