Initial commit

skills/incident-response/detection-sigma/assets/.gitkeep

@@ -0,0 +1,9 @@
+# Assets Directory
+
+Place files that will be used in the output Claude produces:
+- Templates
+- Configuration files
+- Images/logos
+- Boilerplate code
+
+These files are NOT loaded into context but copied/modified in output.

skills/incident-response/detection-sigma/assets/compliance-rules/iso27001-logging.yml

@@ -0,0 +1,110 @@
+title: ISO 27001 A.12.4 - Event Logging and Monitoring
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements ISO/IEC 27001:2013 Annex A.12.4 event logging requirements.
+  Monitors user activities, exceptions, faults, and security events as
+  required by A.12.4.1 (Event logging).
+references:
+    - https://www.iso.org/standard/54534.html
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - iso27001.a.12.4.1  # Event logging
+    - iso27001.a.12.4.3  # Administrator and operator logs
+    - iso27001.a.9.2.1   # User registration and de-registration
+logsource:
+    category: authentication
+    product: windows
+detection:
+    selection_user_activity:
+        EventID:
+            - 4624  # User logons
+            - 4625  # Failed logons
+            - 4634  # Logoffs
+    selection_admin_activity:
+        EventID:
+            - 4624  # Successful logon
+        TargetUserName|contains:
+            - 'admin'
+            - 'Administrator'
+            - 'root'
+    selection_account_mgmt:
+        EventID:
+            - 4720  # User account created
+            - 4726  # User account deleted
+            - 4738  # User account changed
+    condition: selection_user_activity or selection_admin_activity or selection_account_mgmt
+falsepositives:
+    - None - required logging per ISO 27001
+level: informational
+fields:
+    - UserID
+    - DateTime
+    - EventType
+    - SystemActivity
+    - DeviceIdentity
+    - Location
+    - Outcome
+
+# ISO 27001:2013 Annex A.12.4 - Logging and Monitoring
+#
+# A.12.4.1 Event logging
+# Event logs shall record:
+# - User IDs
+# - System activities
+# - Dates, times and details of key events (e.g. log-on, log-off)
+# - Device identity or location if possible
+# - Records of successful and rejected system access attempts
+# - Records of successful and rejected data and other resource access attempts
+# - Changes to system configuration
+# - Use of privileges
+# - Use of system utilities and applications
+# - Files accessed and the kind of access
+# - Network addresses and protocols
+# - Alarms raised by the access control system
+# - Activation and de-activation of protection systems
+#
+# A.12.4.2 Protection of log information
+# Detection for unauthorized log access/modification:
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\Logs\'
+#         EventType: 'Delete'
+# tags:
+#     - iso27001.a.12.4.2
+#
+# A.12.4.3 Administrator and operator logs
+# System administrator and operator activities shall be logged:
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         User|contains:
+#             - 'admin'
+#             - 'root'
+# tags:
+#     - iso27001.a.12.4.3
+#
+# A.9.2.1 User registration and de-registration
+# logsource:
+#     category: authentication
+# detection:
+#     selection:
+#         EventID:
+#             - 4720  # Account created
+#             - 4726  # Account deleted
+# tags:
+#     - iso27001.a.9.2.1
+#
+# A.9.4.1 Information access restriction
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\Confidential\'
+# tags:
+#     - iso27001.a.9.4.1

skills/incident-response/detection-sigma/assets/compliance-rules/nist-800-53-audit.yml

@@ -0,0 +1,98 @@
+title: NIST 800-53 AU-2/AU-12 - Audit Event Generation
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements NIST SP 800-53 Rev. 5 audit event generation requirements.
+  Monitors security-relevant events as defined in AU-2 (Audit Events) and
+  AU-12 (Audit Generation) controls.
+references:
+    - https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - nist-800-53.au-2   # Audit Events
+    - nist-800-53.au-3   # Content of Audit Records
+    - nist-800-53.au-12  # Audit Generation
+    - nist-800-53.ac-2   # Account Management
+    - nist-800-53.ia-2   # Identification and Authentication
+logsource:
+    category: authentication
+    product: windows
+detection:
+    selection_authentication:
+        EventID:
+            - 4624  # Successful logon
+            - 4625  # Failed logon
+            - 4634  # Logoff
+            - 4648  # Logon using explicit credentials
+    selection_account_mgmt:
+        EventID:
+            - 4720  # Account created
+            - 4722  # Account enabled
+            - 4723  # Password change attempted
+            - 4724  # Password reset
+            - 4725  # Account disabled
+            - 4726  # Account deleted
+            - 4738  # Account modified
+    selection_privilege_use:
+        EventID:
+            - 4672  # Special privileges assigned
+            - 4673  # Sensitive privilege use
+            - 4674  # Privileged operation
+    condition: selection_authentication or selection_account_mgmt or selection_privilege_use
+falsepositives:
+    - None - these are required audit events per NIST 800-53
+level: low  # Informational logging
+fields:
+    - EventTime
+    - EventType
+    - Outcome
+    - SubjectIdentity
+    - ObjectIdentity
+    - SourceAddress
+
+# NIST 800-53 Rev. 5 Audit Requirements:
+#
+# AU-2: Audit Events
+# - Successful and unsuccessful account logon events
+# - Account management events
+# - Object access
+# - Policy change
+# - Privilege functions
+# - Process tracking
+# - System events
+#
+# AU-3: Content of Audit Records
+# Required fields in each audit record:
+# - Date and time of the event
+# - Component where event occurred
+# - Type of event
+# - User/subject identity
+# - Outcome (success/failure)
+#
+# AU-12: Audit Generation
+# - Provide audit record generation for defined events
+# - Allow authorized users to select events to be audited
+# - Generate audit records for events with required content
+#
+# Additional NIST 800-53 Detection Rules:
+#
+# SI-4: System Monitoring
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         CommandLine|contains:
+#             - 'mimikatz'
+#             - 'credential dump'
+# tags:
+#     - nist-800-53.si-4
+#
+# AC-6: Least Privilege
+# detection:
+#     selection:
+#         EventID: 4672  # Special privileges assigned
+#         PrivilegeList|contains: 'SeDebugPrivilege'
+# tags:
+#     - nist-800-53.ac-6

skills/incident-response/detection-sigma/assets/compliance-rules/pci-dss-monitoring.yml

@@ -0,0 +1,72 @@
+title: PCI-DSS 10.2 - Audit Trail Monitoring
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements PCI-DSS requirement 10.2 automated audit trails for security events.
+  Monitors critical security-relevant events required by PCI-DSS.
+references:
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - pci-dss.10.2.1  # Access to cardholder data
+    - pci-dss.10.2.2  # Administrative actions
+    - pci-dss.10.2.4  # Invalid access attempts
+    - pci-dss.10.2.5  # Authentication mechanism use
+    - pci-dss.10.2.7  # System-level object creation/deletion
+logsource:
+    category: authentication  # Adjust based on specific requirement
+    product: windows
+detection:
+    selection_failed_logon:
+        EventID: 4625  # Failed logon (10.2.4)
+    selection_admin_logon:
+        EventID: 4624  # Successful logon
+        TargetUserName|contains:  # Administrative accounts (10.2.2)
+            - 'admin'
+            - 'Administrator'
+    selection_account_mgmt:
+        EventID:  # Account management (10.2.5, 10.2.7)
+            - 4720  # Account created
+            - 4722  # Account enabled
+            - 4724  # Password reset
+            - 4726  # Account deleted
+            - 4738  # Account changed
+    condition: selection_failed_logon or selection_admin_logon or selection_account_mgmt
+falsepositives:
+    - Legitimate administrative activity must be logged per PCI-DSS
+level: medium
+fields:
+    - ComputerName
+    - TargetUserName
+    - WorkstationName
+    - IpAddress
+    - Timestamp
+
+# PCI-DSS 10.2 Requirements:
+#
+# 10.2.1 - All individual user accesses to cardholder data
+# 10.2.2 - All actions taken by individuals with root or administrative privileges
+# 10.2.3 - Access to all audit trails
+# 10.2.4 - Invalid logical access attempts
+# 10.2.5 - Use of identification and authentication mechanisms
+# 10.2.6 - Initialization of audit logs
+# 10.2.7 - Creation and deletion of system-level objects
+#
+# Additional PCI-DSS Detection Rules:
+#
+# File Access to Cardholder Data (10.2.1):
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\cardholder-data\'
+#
+# Service Creation (10.2.7):
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         Image|endswith: '\sc.exe'
+#         CommandLine|contains: 'create'

skills/incident-response/detection-sigma/assets/rule-templates/credential-access.yml

@@ -0,0 +1,73 @@
+title: Credential Access via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects credential theft/dumping using [specific technique/tool]
+references:
+    - https://attack.mitre.org/tactics/TA0006/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.credential_access
+    - attack.t1003  # Replace with specific technique
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+    condition: selection
+falsepositives:
+    - Legitimate password reset tools
+    - Security assessment tools (authorized)
+level: critical
+fields:
+    - User
+    - CommandLine
+    - TargetImage
+    - GrantedAccess
+
+# Common Credential Access Techniques:
+#
+# T1003.001 - LSASS Memory Dump
+# logsource:
+#     category: process_access
+# detection:
+#     selection:
+#         TargetImage|endswith: '\lsass.exe'
+#         GrantedAccess|contains:
+#             - '0x1010'
+#             - '0x1410'
+#             - '0x147a'
+#             - '0x143a'
+#
+# T1003.002 - Security Account Manager (SAM)
+# detection:
+#     selection:
+#         Image|endswith: '\reg.exe'
+#         CommandLine|contains|all:
+#             - 'save'
+#             - 'HKLM\SAM'
+#
+# T1558.003 - Kerberoasting
+# logsource:
+#     category: authentication
+# detection:
+#     selection:
+#         EventID: 4769
+#         ServiceName: '*$'
+#         TicketEncryptionType: '0x17'
+#
+# T1110 - Brute Force
+# detection:
+#     selection:
+#         EventID: 4625  # Failed logon
+#     condition: selection | count(TargetUserName) by SourceIp > 10
+#
+# T1555 - Credentials from Password Stores
+# detection:
+#     selection:
+#         Image|endswith:
+#             - '\vaultcmd.exe'
+#             - '\cmdkey.exe'
+#         CommandLine|contains: '/list'

skills/incident-response/detection-sigma/assets/rule-templates/lateral-movement.yml

@@ -0,0 +1,69 @@
+title: Lateral Movement via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects lateral movement activity using [specific technique/tool]
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.lateral_movement
+    - attack.t1021  # Replace with specific technique
+logsource:
+    category: process_creation  # or network_connection, authentication
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+        # Examples:
+        # ParentImage|endswith: '\services.exe'
+        # CommandLine|contains: 'psexec'
+        # LogonType: 3  # Network logon
+    filter_legitimate:
+        # Add filters for known false positives
+        # User|contains: 'SVC_'
+    condition: selection and not filter_legitimate
+falsepositives:
+    - Legitimate administrative activity
+    - Scheduled tasks
+    - IT operations
+level: high
+fields:
+    - ComputerName
+    - User
+    - SourceIp
+    - DestinationIp
+    - CommandLine
+
+# Common Lateral Movement Techniques:
+#
+# T1021.001 - Remote Desktop Protocol (RDP)
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 10  # RemoteInteractive
+#
+# T1021.002 - SMB/Windows Admin Shares
+# detection:
+#     selection:
+#         EventID: 5140
+#         ShareName|endswith:
+#             - 'ADMIN$'
+#             - 'C$'
+#
+# T1021.006 - Windows Remote Management (WinRM)
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 3
+#         AuthenticationPackageName: 'Negotiate'
+#         ProcessName|endswith: '\wsmprovhost.exe'
+#
+# T1550.002 - Pass the Hash
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 3
+#         LogonProcessName: 'NtLmSsp'
+#         AuthenticationPackageName: 'NTLM'

skills/incident-response/detection-sigma/assets/rule-templates/persistence.yml

@@ -0,0 +1,68 @@
+title: Persistence Mechanism via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects persistence establishment using [specific technique]
+references:
+    - https://attack.mitre.org/tactics/TA0003/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.persistence
+    - attack.t1053  # Replace with specific technique
+logsource:
+    category: process_creation  # or registry_event, file_event
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+    condition: selection
+falsepositives:
+    - Software installation
+    - System updates
+    - Legitimate scheduled tasks
+level: medium
+fields:
+    - User
+    - CommandLine
+    - Image
+    - TargetObject
+
+# Common Persistence Techniques:
+#
+# T1053.005 - Scheduled Task
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         Image|endswith: '\schtasks.exe'
+#         CommandLine|contains: '/create'
+#
+# T1547.001 - Registry Run Keys / Startup Folder
+# logsource:
+#     category: registry_event
+# detection:
+#     selection:
+#         TargetObject|contains:
+#             - '\Software\Microsoft\Windows\CurrentVersion\Run'
+#             - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+#
+# T1543.003 - Windows Service
+# detection:
+#     selection:
+#         Image|endswith: '\sc.exe'
+#         CommandLine|contains: 'create'
+#
+# T1547.004 - Winlogon Helper DLL
+# logsource:
+#     category: registry_event
+# detection:
+#     selection:
+#         TargetObject|contains:
+#             - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
+#             - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+#
+# T1136.001 - Create Account (Local Account)
+# detection:
+#     selection:
+#         EventID: 4720  # User account created

skills/incident-response/detection-sigma/assets/rule-templates/privilege-escalation.yml

@@ -0,0 +1,65 @@
+title: Privilege Escalation via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects privilege escalation attempts using [specific technique]
+references:
+    - https://attack.mitre.org/tactics/TA0004/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.privilege_escalation
+    - attack.t1068  # Replace with specific technique
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+        # IntegrityLevel: 'High'
+        # ParentIntegrityLevel: 'Medium'
+    condition: selection
+falsepositives:
+    - Legitimate software updates
+    - System administration tools
+level: high
+fields:
+    - User
+    - IntegrityLevel
+    - CommandLine
+    - ParentImage
+
+# Common Privilege Escalation Techniques:
+#
+# T1055 - Process Injection
+# detection:
+#     selection:
+#         EventID: 8  # CreateRemoteThread
+#         TargetImage|endswith:
+#             - '\lsass.exe'
+#             - '\explorer.exe'
+#
+# T1134 - Access Token Manipulation
+# detection:
+#     selection:
+#         EventID: 4703  # Token adjusted
+#         EnabledPrivilegeList|contains:
+#             - 'SeDebugPrivilege'
+#             - 'SeTakeOwnershipPrivilege'
+#
+# T1548.002 - Bypass User Account Control
+# detection:
+#     selection:
+#         ParentImage|endswith:
+#             - '\fodhelper.exe'
+#             - '\eventvwr.exe'
+#         IntegrityLevel: 'High'
+#         ParentIntegrityLevel: 'Medium'
+#
+# T1068 - Exploitation for Privilege Escalation
+# detection:
+#     selection:
+#         CommandLine|contains:
+#             - 'JuicyPotato'
+#             - 'PrintSpoofer'
+#             - 'GodPotato'