Initial commit

skills/incident-response/detection-sigma/assets/rule-templates/credential-access.yml

@@ -0,0 +1,73 @@
+title: Credential Access via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects credential theft/dumping using [specific technique/tool]
+references:
+    - https://attack.mitre.org/tactics/TA0006/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.credential_access
+    - attack.t1003  # Replace with specific technique
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+    condition: selection
+falsepositives:
+    - Legitimate password reset tools
+    - Security assessment tools (authorized)
+level: critical
+fields:
+    - User
+    - CommandLine
+    - TargetImage
+    - GrantedAccess
+
+# Common Credential Access Techniques:
+#
+# T1003.001 - LSASS Memory Dump
+# logsource:
+#     category: process_access
+# detection:
+#     selection:
+#         TargetImage|endswith: '\lsass.exe'
+#         GrantedAccess|contains:
+#             - '0x1010'
+#             - '0x1410'
+#             - '0x147a'
+#             - '0x143a'
+#
+# T1003.002 - Security Account Manager (SAM)
+# detection:
+#     selection:
+#         Image|endswith: '\reg.exe'
+#         CommandLine|contains|all:
+#             - 'save'
+#             - 'HKLM\SAM'
+#
+# T1558.003 - Kerberoasting
+# logsource:
+#     category: authentication
+# detection:
+#     selection:
+#         EventID: 4769
+#         ServiceName: '*$'
+#         TicketEncryptionType: '0x17'
+#
+# T1110 - Brute Force
+# detection:
+#     selection:
+#         EventID: 4625  # Failed logon
+#     condition: selection | count(TargetUserName) by SourceIp > 10
+#
+# T1555 - Credentials from Password Stores
+# detection:
+#     selection:
+#         Image|endswith:
+#             - '\vaultcmd.exe'
+#             - '\cmdkey.exe'
+#         CommandLine|contains: '/list'

skills/incident-response/detection-sigma/assets/rule-templates/lateral-movement.yml

@@ -0,0 +1,69 @@
+title: Lateral Movement via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects lateral movement activity using [specific technique/tool]
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.lateral_movement
+    - attack.t1021  # Replace with specific technique
+logsource:
+    category: process_creation  # or network_connection, authentication
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+        # Examples:
+        # ParentImage|endswith: '\services.exe'
+        # CommandLine|contains: 'psexec'
+        # LogonType: 3  # Network logon
+    filter_legitimate:
+        # Add filters for known false positives
+        # User|contains: 'SVC_'
+    condition: selection and not filter_legitimate
+falsepositives:
+    - Legitimate administrative activity
+    - Scheduled tasks
+    - IT operations
+level: high
+fields:
+    - ComputerName
+    - User
+    - SourceIp
+    - DestinationIp
+    - CommandLine
+
+# Common Lateral Movement Techniques:
+#
+# T1021.001 - Remote Desktop Protocol (RDP)
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 10  # RemoteInteractive
+#
+# T1021.002 - SMB/Windows Admin Shares
+# detection:
+#     selection:
+#         EventID: 5140
+#         ShareName|endswith:
+#             - 'ADMIN$'
+#             - 'C$'
+#
+# T1021.006 - Windows Remote Management (WinRM)
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 3
+#         AuthenticationPackageName: 'Negotiate'
+#         ProcessName|endswith: '\wsmprovhost.exe'
+#
+# T1550.002 - Pass the Hash
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 3
+#         LogonProcessName: 'NtLmSsp'
+#         AuthenticationPackageName: 'NTLM'

skills/incident-response/detection-sigma/assets/rule-templates/persistence.yml

@@ -0,0 +1,68 @@
+title: Persistence Mechanism via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects persistence establishment using [specific technique]
+references:
+    - https://attack.mitre.org/tactics/TA0003/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.persistence
+    - attack.t1053  # Replace with specific technique
+logsource:
+    category: process_creation  # or registry_event, file_event
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+    condition: selection
+falsepositives:
+    - Software installation
+    - System updates
+    - Legitimate scheduled tasks
+level: medium
+fields:
+    - User
+    - CommandLine
+    - Image
+    - TargetObject
+
+# Common Persistence Techniques:
+#
+# T1053.005 - Scheduled Task
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         Image|endswith: '\schtasks.exe'
+#         CommandLine|contains: '/create'
+#
+# T1547.001 - Registry Run Keys / Startup Folder
+# logsource:
+#     category: registry_event
+# detection:
+#     selection:
+#         TargetObject|contains:
+#             - '\Software\Microsoft\Windows\CurrentVersion\Run'
+#             - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+#
+# T1543.003 - Windows Service
+# detection:
+#     selection:
+#         Image|endswith: '\sc.exe'
+#         CommandLine|contains: 'create'
+#
+# T1547.004 - Winlogon Helper DLL
+# logsource:
+#     category: registry_event
+# detection:
+#     selection:
+#         TargetObject|contains:
+#             - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
+#             - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+#
+# T1136.001 - Create Account (Local Account)
+# detection:
+#     selection:
+#         EventID: 4720  # User account created

skills/incident-response/detection-sigma/assets/rule-templates/privilege-escalation.yml

@@ -0,0 +1,65 @@
+title: Privilege Escalation via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects privilege escalation attempts using [specific technique]
+references:
+    - https://attack.mitre.org/tactics/TA0004/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.privilege_escalation
+    - attack.t1068  # Replace with specific technique
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+        # IntegrityLevel: 'High'
+        # ParentIntegrityLevel: 'Medium'
+    condition: selection
+falsepositives:
+    - Legitimate software updates
+    - System administration tools
+level: high
+fields:
+    - User
+    - IntegrityLevel
+    - CommandLine
+    - ParentImage
+
+# Common Privilege Escalation Techniques:
+#
+# T1055 - Process Injection
+# detection:
+#     selection:
+#         EventID: 8  # CreateRemoteThread
+#         TargetImage|endswith:
+#             - '\lsass.exe'
+#             - '\explorer.exe'
+#
+# T1134 - Access Token Manipulation
+# detection:
+#     selection:
+#         EventID: 4703  # Token adjusted
+#         EnabledPrivilegeList|contains:
+#             - 'SeDebugPrivilege'
+#             - 'SeTakeOwnershipPrivilege'
+#
+# T1548.002 - Bypass User Account Control
+# detection:
+#     selection:
+#         ParentImage|endswith:
+#             - '\fodhelper.exe'
+#             - '\eventvwr.exe'
+#         IntegrityLevel: 'High'
+#         ParentIntegrityLevel: 'Medium'
+#
+# T1068 - Exploitation for Privilege Escalation
+# detection:
+#     selection:
+#         CommandLine|contains:
+#             - 'JuicyPotato'
+#             - 'PrintSpoofer'
+#             - 'GodPotato'