Initial commit

Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions


@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.


@@ -0,0 +1,133 @@
---
# Velociraptor Artifact Template
# Use this template to create custom forensic artifacts for incident response
name: Custom.IR.TemplateArtifact
description: |
Provide a comprehensive description of what this artifact collects and why.
## Use Cases
- Specific scenario 1
- Specific scenario 2
- Specific scenario 3
## Expected Output
Describe what data will be collected and its format.
## MITRE ATT&CK Mapping
- T1XXX.XXX: Technique Name
# Author information (optional but recommended)
author: Your Name <email@domain.com>
# Artifact type: CLIENT, SERVER, CLIENT_EVENT, SERVER_EVENT
type: CLIENT
# Parameters allow artifact customization
parameters:
- name: SearchPath
default: "C:/Users/**/AppData/**"
type: string
description: |
Directory path or glob pattern to search.
Supports wildcards: * (any characters), ** (recursive)
- name: DaysBack
default: 7
type: int
description: Number of days to look back for modifications
- name: FilePattern
default: "*.exe"
type: string
description: File extension or pattern to match
- name: IncludeHashes
default: Y
type: bool
description: Calculate SHA256 hash for each file
- name: MaxFileSize
default: 104857600
type: int
description: Maximum file size to hash (bytes, default 100MB)
# Optional: Check before running (OS, tool presence, etc.)
precondition: |
SELECT OS FROM info() WHERE OS = 'windows'
# Sources define the VQL queries to execute
sources:
# Main query source
- name: FileCollection
query: |
-- Calculate time threshold
LET StartTime = timestamp(epoch=now() - DaysBack * 86400)
-- Collect files matching criteria
LET MatchingFiles = SELECT FullPath,
Size,
timestamp(epoch=Mtime) AS ModifiedTime,
timestamp(epoch=Ctime) AS CreatedTime,
timestamp(epoch=Atime) AS AccessedTime
FROM glob(globs=SearchPath + "/" + FilePattern)
WHERE NOT IsDir
AND Mtime > StartTime
AND Size < MaxFileSize
-- Conditionally add hashes
SELECT FullPath,
Size,
ModifiedTime,
CreatedTime,
AccessedTime,
if(condition=IncludeHashes,
then=hash(path=FullPath, accessor="file").SHA256,
else="<not computed>") AS SHA256
FROM MatchingFiles
ORDER BY ModifiedTime DESC
# Optional: Additional query source for related data
- name: FileMetadata
query: |
-- Example: Get additional metadata for PE files
SELECT FullPath,
parse_pe(file=FullPath) AS PEInfo
FROM glob(globs=SearchPath + "/**/*.exe")
WHERE PEInfo
# Optional: Report template for formatted output
reports:
- type: CLIENT
template: |
# {{ .ArtifactName }} Results
**Description:** {{ .Description }}
**Client:** {{ .ClientId }}
**Hostname:** {{ .Hostname }}
**Collection Time:** {{ .CollectionTime }}
## Summary
Total Files Found: {{ len .Rows }}
## Detailed Results
{{ range .Rows }}
### {{ .FullPath }}
- **Size:** {{ .Size }} bytes
- **Modified:** {{ .ModifiedTime }}
- **SHA256:** {{ .SHA256 }}
---
{{ end }}
# Optional: External documentation references
references:
- https://docs.velociraptor.app/docs/vql/
- https://attack.mitre.org/
# Optional: Required external tools or binaries
tools:
- name: ExampleTool
url: https://example.com/tool.exe
serve_locally: true
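Review bot: The `tools:` entry at the end of the template fetches an executable from a URL and serves it to clients with no integrity pin, so anyone copying the template inherits a tool download that trusts whatever the URL returns. Add `expected_hash: <sha256-of-the-reviewed-binary>` (placeholder) next to `serve_locally: true`, and have the comment above say the entry should be deleted when no external binary is needed. Separately, the `FileMetadata` source globs `SearchPath + "/**/*.exe"` and runs `parse_pe` without the `DaysBack` and `MaxFileSize` filters that the first source applies. With the default `C:/Users/**/AppData/**` that is an unbounded walk on every endpoint; reusing the same `WHERE` conditions would keep the collection cost predictable.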


@@ -0,0 +1,357 @@
# Security-Enhanced CI/CD Pipeline Template
#
# This template demonstrates security best practices for CI/CD pipelines.
# Adapt this template to your specific security tool and workflow needs.
#
# Key Security Features:
# - SAST (Static Application Security Testing)
# - Dependency vulnerability scanning
# - Secrets detection
# - Infrastructure-as-Code security scanning
# - Container image scanning
# - Security artifact uploading for compliance
name: Security Scan Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
# Run weekly security scans on Sunday at 2 AM UTC
- cron: '0 2 * * 0'
workflow_dispatch: # Allow manual trigger
# Security: Restrict permissions to minimum required
permissions:
contents: read
security-events: write # For uploading SARIF results
pull-requests: write # For commenting on PRs
env:
# Configuration
SECURITY_SCAN_FAIL_ON: 'critical,high' # Fail build on these severities
REPORT_DIR: 'security-reports'
jobs:
# Job 1: Static Application Security Testing (SAST)
sast-scan:
name: SAST Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better analysis
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Run SAST Scanner
run: |
# Example: Using Semgrep for SAST
pip install semgrep
semgrep --config=auto \
--json \
--output ${{ env.REPORT_DIR }}/sast-results.json \
. || true
# Alternative: Bandit for Python projects
# pip install bandit
# bandit -r . -f json -o ${{ env.REPORT_DIR }}/bandit-results.json
- name: Process SAST Results
run: |
# Parse results and fail on critical/high severity
python3 -c "
import json
import sys
with open('${{ env.REPORT_DIR }}/sast-results.json') as f:
results = json.load(f)
critical = len([r for r in results.get('results', []) if r.get('extra', {}).get('severity') == 'ERROR'])
high = len([r for r in results.get('results', []) if r.get('extra', {}).get('severity') == 'WARNING'])
print(f'Critical findings: {critical}')
print(f'High findings: {high}')
if critical > 0:
print('❌ Build failed: Critical security issues found')
sys.exit(1)
elif high > 0:
print('⚠️ Warning: High severity issues found')
# Optionally fail on high severity
# sys.exit(1)
else:
print('✅ No critical security issues found')
"
- name: Upload SAST Results
if: always()
uses: actions/upload-artifact@v4
with:
name: sast-results
path: ${{ env.REPORT_DIR }}/sast-results.json
retention-days: 30
# Job 2: Dependency Vulnerability Scanning
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Scan Python Dependencies
if: hashFiles('requirements.txt') != ''
run: |
pip install safety
safety check \
--json \
--output ${{ env.REPORT_DIR }}/safety-results.json \
|| true
- name: Scan Node Dependencies
if: hashFiles('package.json') != ''
run: |
npm audit --json > ${{ env.REPORT_DIR }}/npm-audit.json || true
- name: Process Dependency Results
run: |
# Check for critical vulnerabilities
if [ -f "${{ env.REPORT_DIR }}/safety-results.json" ]; then
critical_count=$(python3 -c "import json; data=json.load(open('${{ env.REPORT_DIR }}/safety-results.json')); print(len([v for v in data.get('vulnerabilities', []) if v.get('severity', '').lower() == 'critical']))")
echo "Critical vulnerabilities: $critical_count"
if [ "$critical_count" -gt "0" ]; then
echo "❌ Build failed: Critical vulnerabilities in dependencies"
exit 1
fi
fi
- name: Upload Dependency Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: dependency-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 3: Secrets Detection
secrets-scan:
name: Secrets Detection
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history to scan all commits
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_ENABLE_SUMMARY: true
- name: Alternative - TruffleHog Scan
if: false # Set to true to enable
run: |
pip install truffleHog
trufflehog --json --regex --entropy=True . \
> ${{ env.REPORT_DIR }}/trufflehog-results.json || true
- name: Upload Secrets Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: secrets-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 4: Container Image Scanning
container-scan:
name: Container Image Security Scan
runs-on: ubuntu-latest
if: hashFiles('Dockerfile') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker Image
run: |
docker build -t app:${{ github.sha }} .
- name: Run Trivy Scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: app:${{ github.sha }}
format: 'sarif'
output: '${{ env.REPORT_DIR }}/trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy Results to GitHub Security
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: '${{ env.REPORT_DIR }}/trivy-results.sarif'
- name: Upload Container Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: container-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 5: Infrastructure-as-Code Security Scanning
iac-scan:
name: IaC Security Scan
runs-on: ubuntu-latest
if: hashFiles('**/*.tf', '**/*.yaml', '**/*.yml') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov
run: |
pip install checkov
checkov -d . \
--output json \
--output-file ${{ env.REPORT_DIR }}/checkov-results.json \
--quiet \
|| true
- name: Run tfsec (for Terraform)
if: hashFiles('**/*.tf') != ''
run: |
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
tfsec . \
--format json \
--out ${{ env.REPORT_DIR }}/tfsec-results.json \
|| true
- name: Process IaC Results
run: |
# Fail on critical findings
if [ -f "${{ env.REPORT_DIR }}/checkov-results.json" ]; then
critical_count=$(python3 -c "import json; data=json.load(open('${{ env.REPORT_DIR }}/checkov-results.json')); print(data.get('summary', {}).get('failed', 0))")
echo "Failed checks: $critical_count"
if [ "$critical_count" -gt "0" ]; then
echo "⚠️ Warning: IaC security issues found"
# Optionally fail the build
# exit 1
fi
fi
- name: Upload IaC Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: iac-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 6: Security Report Generation and Notification
security-report:
name: Generate Security Report
runs-on: ubuntu-latest
needs: [sast-scan, dependency-scan, secrets-scan]
if: always()
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download All Scan Results
uses: actions/download-artifact@v4
with:
path: all-results/
- name: Generate Consolidated Report
run: |
# Consolidate all security scan results
mkdir -p consolidated-report
cat > consolidated-report/security-summary.md << 'EOF'
# Security Scan Summary
**Scan Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
**Commit**: ${{ github.sha }}
**Branch**: ${{ github.ref_name }}
## Scan Results
### SAST Scan
See artifacts: `sast-results`
### Dependency Scan
See artifacts: `dependency-scan-results`
### Secrets Scan
See artifacts: `secrets-scan-results`
### Container Scan
See artifacts: `container-scan-results`
### IaC Scan
See artifacts: `iac-scan-results`
---
For detailed results, download scan artifacts from this workflow run.
EOF
- name: Comment on PR (if applicable)
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('consolidated-report/security-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: report
});
- name: Upload Consolidated Report
if: always()
uses: actions/upload-artifact@v4
with:
name: consolidated-security-report
path: consolidated-report/
retention-days: 90
# Security Best Practices Demonstrated:
#
# 1. ✅ Minimal permissions (principle of least privilege)
# 2. ✅ Multiple security scan types (defense in depth)
# 3. ✅ Fail-fast on critical findings
# 4. ✅ Secrets detection across full git history
# 5. ✅ Container image scanning before deployment
# 6. ✅ IaC scanning for misconfigurations
# 7. ✅ Artifact retention for compliance audit trail
# 8. ✅ SARIF format for GitHub Security integration
# 9. ✅ Scheduled scans for continuous monitoring
# 10. ✅ PR comments for developer feedback
#
# Compliance Mappings:
# - SOC 2: CC6.1, CC6.6, CC7.2 (Security monitoring and logging)
# - PCI-DSS: 6.2, 6.5 (Secure development practices)
# - NIST: SA-11 (Developer Security Testing)
# - OWASP: Integrated security testing throughout SDLC
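Review bot: Two steps execute third-party code from a mutable branch: `uses: aquasecurity/trivy-action@master` in the container job and `curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash` in the IaC job, so whatever lands on those branches runs on the runner. Pin the action to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>` (placeholder), and install tfsec from a versioned release artifact whose checksum is verified before it runs. The other `uses:` lines are pinned only to major-version tags, which are also movable, so the same SHA pinning applies to them. Separately, `REPORT_DIR` is never created, and the scanners end in `|| true`. In `dependency-scan` a failed write therefore appears to leave no results file, the `-f` check skips, and the job passes without having scanned anything. A `mkdir -p "$REPORT_DIR"` step and a hard failure when the results file is missing would close that gap.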


@@ -0,0 +1,210 @@
# Velociraptor Hunt Configuration Template
# Use this template to create hunts for organization-wide threat hunting
hunt_description: |
# Hunt: [Descriptive Name]
## Objective
Describe the goal of this hunt (e.g., detect lateral movement, find webshells)
## Hypothesis
What threat or activity are you looking for?
## Timeline
Start Date: YYYY-MM-DD
Expected Duration: X days
Priority: High/Medium/Low
## Artifacts
List of artifacts to collect:
- Artifact.Name.One
- Artifact.Name.Two
## Expected Findings
What constitutes a positive match?
## Triage Criteria
How to prioritize results for investigation?
# Hunt Configuration
configuration:
# Artifact to run across endpoints
artifact: Windows.Detection.SuspiciousProcess
# Artifact parameters (if any)
parameters:
ProcessPattern: "(?i)(powershell|cmd|wscript)"
CommandLinePattern: "(?i)(bypass|hidden|encodedcommand)"
# Target selection
target:
# Option 1: Include all clients
include_all: true
# Option 2: Specific client labels
include_labels:
- "Production-Servers"
- "High-Value-Assets"
# Option 3: Exclude certain clients
exclude_labels:
- "Test-Systems"
# Option 4: Operating system filter
os_condition: "Windows"
# Option 5: Custom VQL condition
client_condition: |
SELECT client_id FROM clients()
WHERE os_info.system = "windows"
AND last_seen_at > now() - 3600
# Resource limits to prevent endpoint impact
resource_limits:
# Maximum CPU usage percentage
cpu_limit: 50
# Maximum number of rows to return per client
max_rows: 10000
# Maximum execution time per client (seconds)
max_execution_time: 600
# Operations per second limit (for filesystem operations)
ops_per_second: 100
# Collection timeout
timeout: 3600 # 1 hour
# Hunt scheduling
schedule:
# Start immediately
start_time: "now"
# Or schedule for specific time (RFC3339 format)
# start_time: "2024-01-15T02:00:00Z"
# Expiration (auto-stop after this time)
expiration: 86400 # 24 hours from start
# Client rolling deployment
rolling_deployment:
# Enable gradual rollout
enabled: true
# Number of clients to run on initially
initial_clients: 10
# Percentage to add every X minutes
increment_percentage: 10
increment_interval: 300 # 5 minutes
# Analysis Guidelines
analysis:
positive_indicators:
- "Process running from temp directory"
- "Obfuscated command line parameters"
- "Unusual parent-child process relationships"
triage_priority:
critical:
- "Known malicious process names"
- "Connections to known C2 infrastructure"
high:
- "Living-off-the-land binaries with suspicious arguments"
- "PowerShell execution with bypass flags"
medium:
- "Unusual process execution times"
- "Processes running as SYSTEM from user directories"
investigation_steps:
- "Review full process tree"
- "Check network connections"
- "Examine file system timeline"
- "Correlate with other hunt results"
- "Check threat intelligence feeds"
# Post-Hunt Actions
post_hunt:
# Notification settings
notifications:
- type: email
recipients:
- ir-team@company.com
on_complete: true
on_match: true
- type: slack
webhook: "https://hooks.slack.com/services/..."
channel: "#security-alerts"
# Automatic follow-up collections
follow_up_artifacts:
- name: Windows.Forensics.Timeline
condition: "positive_match"
parameters:
StartDate: "hunt_start_time"
- name: Windows.Memory.Acquisition
condition: "critical_match"
parameters:
TargetPath: "C:/ir-evidence/"
# Reporting
reports:
- type: summary
format: html
include_statistics: true
- type: detailed
format: json
include_all_results: true
# Documentation
metadata:
created_by: "analyst@company.com"
created_date: "2024-01-15"
last_modified: "2024-01-15"
version: "1.0"
# Compliance and audit trail
approval:
requested_by: "IR Team Lead"
approved_by: "CISO"
approval_date: "2024-01-14"
ticket_reference: "INC-12345"
# MITRE ATT&CK mapping
mitre_attack:
tactics:
- "TA0002: Execution"
- "TA0005: Defense Evasion"
techniques:
- "T1059.001: PowerShell"
- "T1027: Obfuscated Files or Information"
# Sample VQL for hunt creation via command line
sample_commands: |
# Create hunt from artifact
velociraptor --config server.config.yaml query "
SELECT hunt_id FROM hunt(
artifact='Windows.Detection.SuspiciousProcess',
description='Hunt for suspicious process execution',
include_labels=['Production-Servers'],
cpu_limit=50,
timeout=3600
)
"
# Monitor hunt progress
velociraptor --config server.config.yaml query "
SELECT hunt_id, state, total_clients_scheduled,
total_clients_with_results, total_clients_with_errors
FROM hunt_status()
WHERE hunt_id = 'H.1234567890'
"
# Export hunt results
velociraptor --config server.config.yaml query "
SELECT * FROM hunt_results(hunt_id='H.1234567890')
" --format json > hunt_results.json

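Review bot: The `target:` block enables every selection option at once, including `include_all: true`, so a hunt created from an unedited copy would be scoped to the whole fleet while the label and OS filters below it suggest a narrower target. Default the template to the narrow case, `include_all: false`, and leave the alternatives commented out so the author has to choose one deliberately. That matters more because `follow_up_artifacts` schedules `Windows.Memory.Acquisition` automatically on a match. The Slack `webhook:` value is a credential; the template should say it is read from a secret store rather than written into this file.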

@@ -0,0 +1,270 @@
# Velociraptor Offline Collector Configuration
# Configuration for creating standalone collectors that don't require server connection
# Collector metadata
collector_info:
name: "IR-Collector-Incident-Response"
version: "1.0"
description: |
Offline collector for incident response evidence gathering.
Collects key artifacts without requiring Velociraptor server.
created_by: "IR Team"
created_date: "2024-01-15"
incident_reference: "INC-12345"
# Target platform
# Options: windows, linux, macos, all
target_platform: windows
# Artifacts to collect
artifacts:
# System Information
- name: Generic.Client.Info
description: "Basic system information"
# Process Information
- name: Windows.System.Pslist
description: "Running processes"
parameters:
CalculateHashes: "Y"
# Network Connections
- name: Windows.Network.NetstatEnriched
description: "Network connections with process context"
# Persistence Mechanisms
- name: Windows.Persistence.PermanentRuns
description: "Registry Run keys and startup locations"
- name: Windows.System.TaskScheduler
description: "Scheduled tasks"
- name: Windows.System.Services
description: "Windows services"
# Event Logs
- name: Windows.EventLogs.EvtxHunter
description: "Security-relevant event logs"
parameters:
EvtxGlob: "C:/Windows/System32/winevt/Logs/{Security,System,Application}.evtx"
# Filter for last 7 days
DateAfter: "{{subtract (now) (duration \"168h\")}}"
# File System Timeline
- name: Windows.Forensics.Timeline
description: "Filesystem timeline"
parameters:
# Limit to key directories
PathGlob: |
C:/Users/*/AppData/**
C:/Windows/Temp/**
C:/ProgramData/**
DateAfter: "{{subtract (now) (duration \"168h\")}}"
# Prefetch Analysis
- name: Windows.Forensics.Prefetch
description: "Program execution artifacts"
# USB Device History
- name: Windows.Forensics.USBDevices
description: "USB device connection history"
# Browser History (if needed)
# - name: Windows.Browsers.Chrome
# description: "Chrome browser history"
# Registry Forensics
# - name: Windows.Registry.RecentDocs
# description: "Recently accessed files from registry"
# Collection Configuration
collection_config:
# Output options
output:
# Compression format: zip, tar
format: zip
# Output filename template
filename_template: "collection-{{.Hostname}}-{{.Now.Unix}}.zip"
# Encryption (optional)
# encryption:
# enabled: true
# public_key_file: "collector-public.pem"
# Output location
output_directory: "."
# Resource limits
resource_limits:
# Maximum CPU usage (percentage)
cpu_limit: 70
# Maximum memory usage (MB)
max_memory: 2048
# I/O operations per second limit
ops_per_second: 500
# Maximum collection time (seconds)
max_execution_time: 3600
# Maximum output size (bytes, 0 = unlimited)
max_output_size: 10737418240 # 10GB
# Progress reporting
progress:
# Show progress bar
show_progress: true
# Log file location
log_file: "collector.log"
# Log level: DEBUG, INFO, WARN, ERROR
log_level: INFO
# Artifact execution options
execution:
# Run artifacts in parallel (faster but more resource intensive)
parallel: false
# Number of concurrent artifacts (if parallel enabled)
max_parallel: 3
# Continue on artifact errors
continue_on_error: true
# Timeout per artifact (seconds)
artifact_timeout: 600
# Pre-collection Checks
pre_collection:
# Verify requirements before starting
checks:
# Minimum free disk space (bytes)
min_disk_space: 5368709120 # 5GB
# Check for admin/root privileges
require_admin: true
# Verify OS compatibility
verify_os: true
# Warnings (not blocking)
warnings:
# Warn if antivirus is active
warn_av_active: true
# Warn if disk space is limited
warn_disk_space_threshold: 10737418240 # 10GB
# Post-collection Actions
post_collection:
# Automatic uploads (if network available)
# uploads:
# - type: smb
# path: "\\\\evidence-server\\ir-collections\\"
# credentials_file: "smb-creds.json"
#
# - type: s3
# bucket: "ir-evidence-bucket"
# region: "us-east-1"
# credentials_file: "aws-creds.json"
# Hash the output file
generate_hash: true
hash_algorithms:
- sha256
- md5
# Generate collection report
generate_report: true
report_format: html
# Cleanup options
cleanup:
# Delete temp files after collection
delete_temp_files: true
# Secure delete collector binary after execution (optional)
# secure_delete_collector: false
# Deployment Options
deployment:
# Create executable for easy deployment
executable:
# Embed configuration in binary
embed_config: true
# Self-extracting executable
self_extracting: true
# Icon file (optional)
# icon_file: "collector-icon.ico"
# Code signing (optional)
# signing:
# certificate_file: "code-signing-cert.pfx"
# password_file: "cert-password.txt"
# Packaging
package:
# Include README with instructions
include_readme: true
# Include hash verification file
include_hashes: true
# Include deployment script
# include_deployment_script: true
# Usage Instructions (embedded in collector)
usage_instructions: |
VELOCIRAPTOR OFFLINE COLLECTOR
This collector gathers forensic artifacts for incident response.
No network connection or Velociraptor server required.
REQUIREMENTS:
- Administrator/root privileges
- Minimum 5GB free disk space
- Windows 7/Server 2008 R2 or later
USAGE:
collector.exe [OPTIONS]
OPTIONS:
--output DIR Output directory (default: current directory)
--verbose Enable verbose logging
--help Show this help message
EXAMPLE:
# Run with default settings
collector.exe
# Specify output directory
collector.exe --output C:\\Evidence\\
OUTPUT:
Collection results saved to: collection-[hostname]-[timestamp].zip
IMPORTANT:
- Preserve chain of custody
- Document collection time and collector version
- Securely transfer collection to analysis system
- Do not run on production systems without approval
For support: ir-team@company.com
# Sample command to create collector from this config
sample_command: |
velociraptor --config server.config.yaml artifacts collect \
Windows.System.Pslist \
Windows.Network.NetstatEnriched \
Windows.Persistence.PermanentRuns \
Windows.EventLogs.EvtxHunter \
Windows.Forensics.Timeline \
--output collector.zip \
--cpu_limit 70 \
--progress
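Review bot: The collector writes its archive unencrypted by default, because the `encryption:` block under `collection_config.output` is commented out while the artifact list gathers event logs, process listings and a filesystem timeline. For a template meant to run on possibly compromised hosts, ship it with the block enabled (`enabled: true`, `public_key_file: "collector-public.pem"`) and add a comment that only the public key travels with the collector, while the private key stays on the analysis system. The comment above `sample_command` says it creates a collector from this config, but the command shown runs `artifacts collect` with a subset of the listed artifacts and does not reference this file, so the comment should describe what the command actually does.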


@@ -0,0 +1,355 @@
# Security Rule Template
#
# This template demonstrates how to structure security rules/policies.
# Adapt this template to your specific security tool (Semgrep, OPA, etc.)
#
# Rule Structure Best Practices:
# - Clear rule ID and metadata
# - Severity classification
# - Framework mappings (OWASP, CWE)
# - Remediation guidance
# - Example vulnerable and fixed code
rules:
# Example Rule 1: SQL Injection Detection
- id: sql-injection-string-concatenation
metadata:
name: "SQL Injection via String Concatenation"
description: "Detects potential SQL injection vulnerabilities from string concatenation in SQL queries"
severity: "HIGH"
category: "security"
subcategory: "injection"
# Security Framework Mappings
owasp:
- "A03:2021 - Injection"
cwe:
- "CWE-89: SQL Injection"
mitre_attack:
- "T1190: Exploit Public-Facing Application"
# Compliance Standards
compliance:
- "PCI-DSS 6.5.1: Injection flaws"
- "NIST 800-53 SI-10: Information Input Validation"
# Confidence and Impact
confidence: "HIGH"
likelihood: "HIGH"
impact: "HIGH"
# References
references:
- "https://owasp.org/www-community/attacks/SQL_Injection"
- "https://cwe.mitre.org/data/definitions/89.html"
- "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
# Languages this rule applies to
languages:
- python
- javascript
- java
- go
# Detection Pattern (example using Semgrep-style syntax)
pattern-either:
- pattern: |
cursor.execute($SQL + $VAR)
- pattern: |
cursor.execute(f"... {$VAR} ...")
- pattern: |
cursor.execute("..." + $VAR + "...")
# What to report when found
message: |
Potential SQL injection vulnerability detected. SQL query is constructed using
string concatenation or f-strings with user input. This allows attackers to
inject malicious SQL code.
Use parameterized queries instead:
- Python: cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
- JavaScript: db.query("SELECT * FROM users WHERE id = $1", [userId])
See: https://owasp.org/www-community/attacks/SQL_Injection
# Suggested fix (auto-fix if supported)
fix: |
Use parameterized queries with placeholders
# Example vulnerable code
examples:
- vulnerable: |
# Vulnerable: String concatenation
user_id = request.GET['id']
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
- fixed: |
# Fixed: Parameterized query
user_id = request.GET['id']
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
# Example Rule 2: Hardcoded Secrets Detection
- id: hardcoded-secret-credential
metadata:
name: "Hardcoded Secret or Credential"
description: "Detects hardcoded secrets, API keys, passwords, or tokens in source code"
severity: "CRITICAL"
category: "security"
subcategory: "secrets"
owasp:
- "A07:2021 - Identification and Authentication Failures"
cwe:
- "CWE-798: Use of Hard-coded Credentials"
- "CWE-259: Use of Hard-coded Password"
compliance:
- "PCI-DSS 8.2.1: Use of strong cryptography"
- "SOC 2 CC6.1: Logical access controls"
- "GDPR Article 32: Security of processing"
confidence: "MEDIUM"
likelihood: "HIGH"
impact: "CRITICAL"
references:
- "https://cwe.mitre.org/data/definitions/798.html"
- "https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password"
languages:
- python
- javascript
- java
- go
- ruby
pattern-either:
- pattern: |
password = "..."
- pattern: |
api_key = "..."
- pattern: |
secret = "..."
- pattern: |
token = "..."
pattern-not: |
$VAR = ""
message: |
Potential hardcoded secret detected. Hardcoding credentials in source code
is a critical security vulnerability that can lead to unauthorized access
if the code is exposed.
Use environment variables or a secrets management system instead:
- Python: os.environ.get('API_KEY')
- Node.js: process.env.API_KEY
- Secrets Manager: AWS Secrets Manager, HashiCorp Vault, etc.
See: https://cwe.mitre.org/data/definitions/798.html
examples:
- vulnerable: |
# Vulnerable: Hardcoded API key
api_key = "sk-1234567890abcdef"
api.authenticate(api_key)
- fixed: |
# Fixed: Environment variable
import os
api_key = os.environ.get('API_KEY')
if not api_key:
raise ValueError("API_KEY environment variable not set")
api.authenticate(api_key)
# Example Rule 3: XSS via Unsafe HTML Rendering
- id: xss-unsafe-html-rendering
metadata:
name: "Cross-Site Scripting (XSS) via Unsafe HTML"
description: "Detects unsafe HTML rendering that could lead to XSS vulnerabilities"
severity: "HIGH"
category: "security"
subcategory: "xss"
owasp:
- "A03:2021 - Injection"
cwe:
- "CWE-79: Cross-site Scripting (XSS)"
- "CWE-80: Improper Neutralization of Script-Related HTML Tags"
compliance:
- "PCI-DSS 6.5.7: Cross-site scripting"
- "NIST 800-53 SI-10: Information Input Validation"
confidence: "HIGH"
likelihood: "MEDIUM"
impact: "HIGH"
references:
- "https://owasp.org/www-community/attacks/xss/"
- "https://cwe.mitre.org/data/definitions/79.html"
- "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
languages:
- javascript
- typescript
- jsx
- tsx
pattern-either:
- pattern: |
dangerouslySetInnerHTML={{__html: $VAR}}
- pattern: |
innerHTML = $VAR
message: |
Potential XSS vulnerability detected. Setting HTML content directly from
user input without sanitization can allow attackers to inject malicious
JavaScript code.
Use one of these safe alternatives:
- React: Use {userInput} for automatic escaping
- DOMPurify: const clean = DOMPurify.sanitize(dirty);
- Framework-specific sanitizers
See: https://owasp.org/www-community/attacks/xss/
examples:
- vulnerable: |
// Vulnerable: Unsanitized HTML
function UserComment({ comment }) {
return <div dangerouslySetInnerHTML={{__html: comment}} />;
}
- fixed: |
// Fixed: Sanitized with DOMPurify
import DOMPurify from 'dompurify';
function UserComment({ comment }) {
const sanitized = DOMPurify.sanitize(comment);
return <div dangerouslySetInnerHTML={{__html: sanitized}} />;
}
# Example Rule 4: Insecure Cryptography
- id: weak-cryptographic-algorithm
metadata:
name: "Weak Cryptographic Algorithm"
description: "Detects use of weak or deprecated cryptographic algorithms"
severity: "HIGH"
category: "security"
subcategory: "cryptography"
owasp:
- "A02:2021 - Cryptographic Failures"
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
- "CWE-326: Inadequate Encryption Strength"
compliance:
- "PCI-DSS 4.1: Use strong cryptography"
- "NIST 800-53 SC-13: Cryptographic Protection"
- "GDPR Article 32: Security of processing"
confidence: "HIGH"
likelihood: "MEDIUM"
impact: "HIGH"
references:
- "https://cwe.mitre.org/data/definitions/327.html"
- "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/"
languages:
- python
- javascript
- java
pattern-either:
- pattern: |
hashlib.md5(...)
- pattern: |
hashlib.sha1(...)
- pattern: |
crypto.createHash('md5')
- pattern: |
crypto.createHash('sha1')
message: |
Weak cryptographic algorithm detected (MD5 or SHA1). These algorithms are
considered cryptographically broken and should not be used for security purposes.
Use strong alternatives:
- For hashing: SHA-256, SHA-384, or SHA-512
- For password hashing: bcrypt, argon2, or PBKDF2
- Python: hashlib.sha256()
- Node.js: crypto.createHash('sha256')
See: https://cwe.mitre.org/data/definitions/327.html
examples:
- vulnerable: |
# Vulnerable: MD5 hash
import hashlib
hash_value = hashlib.md5(data).hexdigest()
- fixed: |
# Fixed: SHA-256 hash
import hashlib
hash_value = hashlib.sha256(data).hexdigest()
# Rule Configuration
configuration:
# Global settings
enabled: true
severity_threshold: "MEDIUM" # Report findings at MEDIUM severity and above
# Performance tuning
max_file_size_kb: 1024
exclude_patterns:
- "test/*"
- "tests/*"
- "node_modules/*"
- "vendor/*"
- "*.min.js"
# False positive reduction
confidence_threshold: "MEDIUM" # Only report findings with MEDIUM confidence or higher
# Rule Metadata Schema
# This section documents the expected structure for rules
metadata_schema:
required:
- id: "Unique identifier for the rule (kebab-case)"
- name: "Human-readable rule name"
- description: "What the rule detects"
- severity: "CRITICAL | HIGH | MEDIUM | LOW | INFO"
- category: "security | best-practice | performance"
optional:
- subcategory: "Specific type (injection, xss, secrets, etc.)"
- owasp: "OWASP Top 10 mappings"
- cwe: "CWE identifier(s)"
- mitre_attack: "MITRE ATT&CK technique(s)"
- compliance: "Compliance standard references"
- confidence: "Detection confidence level"
- likelihood: "Likelihood of exploitation"
- impact: "Potential impact if exploited"
- references: "External documentation links"
# Usage Instructions:
#
# 1. Copy this template when creating new security rules
# 2. Update metadata fields with appropriate framework mappings
# 3. Customize detection patterns for your tool (Semgrep, OPA, etc.)
# 4. Provide clear remediation guidance in the message field
# 5. Include both vulnerable and fixed code examples
# 6. Test rules on real codebases before deployment
#
# Best Practices:
# - Map to multiple frameworks (OWASP, CWE, MITRE ATT&CK)
# - Include compliance standard references
# - Provide actionable remediation guidance
# - Show code examples (vulnerable vs. fixed)
# - Tune confidence levels to reduce false positives
# - Exclude test directories to reduce noise
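Review bot: Several patterns will not behave as written if these rules are loaded by Semgrep, which the comments name as a target. In `xss-unsafe-html-rendering`, `innerHTML = $VAR` matches assignment to a bare identifier and, as far as I can tell, not a property write, so it should be `$EL.innerHTML = $VAR`. In `hardcoded-secret-credential`, `pattern-not` sits beside `pattern-either`; Semgrep expects both under a `patterns:` list for the exclusion to apply. The `fix:` value in the SQL rule is prose, and an autofix would paste that sentence into the source, so drop the key or supply real replacement code. The global `exclude_patterns` also skips `test/*` and `tests/*` for the secrets rule, where real credentials often end up.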