Commit

fix toc
cyberbuff committed Jan 11, 2024
1 parent 701c43b commit 0ec33d6
Showing 738 changed files with 9,766 additions and 9,766 deletions.
2 changes: 1 addition & 1 deletion playbook-generator/generator.py
Expand Up @@ -63,7 +63,7 @@ def generate_toc(self):
}
)

with open(os.path.join(os.getcwd(), "playbook", "_toc.yaml"), "w") as f:
with open(os.path.join(os.getcwd(), "playbook", "_toc.yml"), "w") as f:
toc = {
"format": "jb-article",
"root": "intro",
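Review bot: the rename of the output path from `_toc.yaml` to `_toc.yml` is the whole fix, but neither the hunk nor the commit message "fix toc" says why; record in the message that Jupyter Book (the `"format": "jb-article"` TOC built just below) looks for `_toc.yml` by default, and grep the repository for leftover `_toc.yaml` references (CI, .gitignore, docs) so the old name does not linger next to the "File renamed without changes." entry. Pulling the path into one module-level constant, e.g. `TOC_PATH = os.path.join("playbook", "_toc.yml")`, would also keep the filename in a single place for the next rename.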
File renamed without changes.
2 changes: 1 addition & 1 deletion playbook/tactics.ipynb
Expand Up @@ -2,7 +2,7 @@
"cells": [
{
"cell_type": "markdown",
"id": "3ecc00a6",
"id": "c9ada3b6",
"metadata": {},
"source": "| ID | Name | Description |\n| -------- | --------- | --------- |\n| TA0001 | Initial Access | The adversary is trying to get into your network.|\n| TA0002 | Execution | The adversary is trying to run malicious code.|\n| TA0003 | Persistence | The adversary is trying to maintain their foothold.|\n| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions.|\n| TA0005 | Defense Evasion | The adversary is trying to avoid being detected.|\n| TA0006 | Credential Access | The adversary is trying to steal account names and passwords.|\n| TA0007 | Discovery | The adversary is trying to figure out your environment.|\n| TA0008 | Lateral Movement | The adversary is trying to move through your environment.|\n| TA0009 | Collection | The adversary is trying to gather data of interest to their goal.|\n| TA0010 | Exfiltration | The adversary is trying to steal data.|\n| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them.|\n| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.|"
}
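Review bot: the only change in this hunk is the notebook cell `id` (`3ecc00a6` to `c9ada3b6`), and the commit header shows 738 files with exactly 9,766 additions and 9,766 deletions, so the one-line TOC fix is buried under regenerated random cell ids. Have the generator derive cell ids deterministically (for example a truncated hash of the technique id and cell index) so that rerunning it produces a clean diff, or leave the regenerated notebooks out of this commit so the TOC change is reviewable on its own.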
4 changes: 2 additions & 2 deletions playbook/tactics/collection.ipynb

Large diffs are not rendered by default.

28 changes: 14 additions & 14 deletions playbook/tactics/collection/T1005.ipynb
Expand Up @@ -2,19 +2,19 @@
"cells": [
{
"cell_type": "markdown",
"id": "da787ac2",
"id": "8decad8f",
"metadata": {},
"source": "# T1005 - Data from Local System\nAdversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n"
},
{
"cell_type": "markdown",
"id": "34a817c9",
"id": "142d0798",
"metadata": {},
"source": "## Atomic Tests"
},
{
"cell_type": "markdown",
"id": "bbe2d20e",
"id": "8553ba21",
"metadata": {},
"source": [
"### Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)",
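Review bot: the technique description at the top of this hunk carries a raw `(Citation: show_run_config_cmd_cisco)` marker, and the Detection cell further down in this file has `(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A)`; these are ATT&CK STIX citation keys that map to the technique's `external_references`, not readable text. The generator should either resolve them into links or footnotes from `external_references`, or strip them before writing the markdown cell, otherwise every rendered page shows the raw keys.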
Expand All @@ -28,42 +28,42 @@
{
"cell_type": "code",
"execution_count": null,
"id": "51cc5460",
"id": "4db95418",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 1"
},
{
"cell_type": "markdown",
"id": "2b9f455a",
"id": "24edec4b",
"metadata": {},
"source": "#### Cleanup: \n```powershell\nRemove-Item -Path $outputZip\\data.zip -Force\n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "b5fce9cc",
"id": "052a6d58",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 1 -Cleanup"
},
{
"cell_type": "markdown",
"id": "41a1521e",
"id": "c2dc14b6",
"metadata": {},
"source": "### Atomic Test #2 - Find and dump sqlite databases (Linux)\nAn adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.\n\n**Supported Platforms:** linux\n\nElevation Required (e.g. root or admin)\n#### Dependencies: Run with `bash`!\n##### Description: Check if running on a Debian based machine.\n\n##### Check Prereq Commands:\n```bash\nif [ -x \"$(command -v sqlite3)\" ]; then echo \"sqlite3 is installed\"; else echo \"sqlite3 is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v curl)\" ]; then echo \"curl is installed\"; else echo \"curl is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v strings)\" ]; then echo \"strings is installed\"; else echo \"strings is NOT installed\"; exit 1; fi\n\n```\n##### Get Prereq Commands:\n```bash\nif grep -iq \"debian\\|ubuntu\\|kali\\|mint\" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi\nif grep -iq \"rhel\\|fedora\\|centos\" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi\n\n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "658a6128",
"id": "24a2a915",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 2 -GetPreReqs"
},
{
"cell_type": "markdown",
"id": "56877846",
"id": "f4695018",
"metadata": {},
"source": [
"#### Attack Commands: Run with `bash`\n",
Expand All @@ -73,34 +73,34 @@
{
"cell_type": "code",
"execution_count": null,
"id": "67253660",
"id": "d44bfbb6",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 2"
},
{
"cell_type": "markdown",
"id": "fd27bf4c",
"id": "974dacc7",
"metadata": {},
"source": "#### Cleanup: \n```bash\nrm -f $HOME/.art\nrm -f $HOME/gta.db\nrm -f $HOME/sqlite_dump.sh \n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "71caa7ef",
"id": "57b87ee6",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 2 -Cleanup"
},
{
"cell_type": "markdown",
"id": "c5fb70bd",
"id": "c29cabe5",
"metadata": {},
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nFor network infrastructure devices, collect AAA logging to monitor `show` commands that view configuration files. "
},
{
"cell_type": "markdown",
"id": "7a908eea",
"id": "88a5e206",
"metadata": {},
"source": "\n## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content.\n#### Use Case\nA defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.\n"
}
8 changes: 4 additions & 4 deletions playbook/tactics/collection/T1025.ipynb
Expand Up @@ -2,25 +2,25 @@
"cells": [
{
"cell_type": "markdown",
"id": "5d98619e",
"id": "c3a59dd9",
"metadata": {},
"source": "# T1025 - Data from Removable Media\nAdversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media."
},
{
"cell_type": "markdown",
"id": "55064e91",
"id": "f98e3b02",
"metadata": {},
"source": "## Atomic Tests:\nCurrently, no tests are available for this technique."
},
{
"cell_type": "markdown",
"id": "f2f033e1",
"id": "e253568b",
"metadata": {},
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
},
{
"cell_type": "markdown",
"id": "f2ef753a",
"id": "9fdbdaf3",
"metadata": {},
"source": "\n## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.\n#### Use Case\nA defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.\n"
}
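Review bot: the heading in this hunk is `## Atomic Tests:` with a trailing colon, while the T1005 and T1039 notebooks in the same commit emit `## Atomic Tests`; these headings feed the Jupyter Book sidebar that this commit is fixing, so the generator's no-tests branch should emit the same heading text as the tests branch and keep the "Currently, no tests are available for this technique." sentence as the cell body.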
32 changes: 16 additions & 16 deletions playbook/tactics/collection/T1039.ipynb
Expand Up @@ -2,33 +2,33 @@
"cells": [
{
"cell_type": "markdown",
"id": "6b0db6f9",
"id": "7a332cfb",
"metadata": {},
"source": "# T1039 - Data from Network Shared Drive\nAdversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information."
},
{
"cell_type": "markdown",
"id": "499a5a9e",
"id": "ae73d289",
"metadata": {},
"source": "## Atomic Tests"
},
{
"cell_type": "markdown",
"id": "782d5a00",
"id": "409d8eb7",
"metadata": {},
"source": "### Atomic Test #1 - Copy a sensitive File over Administrative share with copy\nCopy from sensitive File from the c$ of another LAN computer with copy cmd\nhttps://twitter.com/SBousseaden/status/1211636381086339073\n**Supported Platforms:** windows\n\nElevation Required (e.g. root or admin)\n#### Dependencies: Run with `powershell`!\n##### Description: Administrative share must exist on #{remote}\n\n##### Check Prereq Commands:\n```cmd\nif (Test-Path \"\\\\127.0.0.1\\C$\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```cmd\nWrite-Host 'Please Enable \"C$\" share on 127.0.0.1'\n\n```\n##### Description: \"\\\\#{remote}\\C$\\#{share_file}\" must exist on #{remote}\n\n##### Check Prereq Commands:\n```cmd\nif (Test-Path \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```cmd\nOut-File -FilePath \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\"\n\n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "ad235431",
"id": "08dc2813",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1039 -TestNumbers 1 -GetPreReqs"
},
{
"cell_type": "markdown",
"id": "fbf4fc15",
"id": "6515d249",
"metadata": {},
"source": [
"#### Attack Commands: Run with `command_prompt`\n",
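Review bot: in the Atomic Test #1 cell, input placeholders are substituted in the commands (`127.0.0.1`, `Windows\temp\Easter_Bunny.password`) but not in the dependency description lines, which still read `Administrative share must exist on #{remote}` and `"\\#{remote}\C$\#{share_file}" must exist on #{remote}`; run the same input substitution over each dependency's `description` as over its command strings. The prereq blocks are also fenced as `cmd` although the header says `Run with powershell` and the content is PowerShell (`Test-Path`, `Write-Host`, `Out-File`), while Test #2 in the next hunk fences identical commands as `powershell`; the fence language appears to come from the attack executor (`command_prompt` here), so take it from the dependency executor instead.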
Expand All @@ -38,42 +38,42 @@
{
"cell_type": "code",
"execution_count": null,
"id": "ca19259a",
"id": "33773ab7",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1039 -TestNumbers 1"
},
{
"cell_type": "markdown",
"id": "7d84598a",
"id": "bd609ab5",
"metadata": {},
"source": "#### Cleanup: \n```cmd\ndel \\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\ndel %TEMP%\\Easter_egg.password```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "0e9b237a",
"id": "a6857e4c",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1039 -TestNumbers 1 -Cleanup"
},
{
"cell_type": "markdown",
"id": "f90f4f75",
"id": "705dd721",
"metadata": {},
"source": "### Atomic Test #2 - Copy a sensitive File over Administrative share with Powershell\nCopy from sensitive File from the c$ of another LAN computer with powershell\nhttps://twitter.com/SBousseaden/status/1211636381086339073\n**Supported Platforms:** windows\n\nElevation Required (e.g. root or admin)\n#### Dependencies: Run with `powershell`!\n##### Description: Administrative share must exist on #{remote}\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"\\\\127.0.0.1\\C$\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nWrite-Host 'Please Enable \"C$\" share on 127.0.0.1'\n\n```\n##### Description: \"\\\\#{remote}\\C$\\#{share_file}\" must exist on #{remote}\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nOut-File -FilePath \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\"\n\n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "c642438d",
"id": "20adf137",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1039 -TestNumbers 2 -GetPreReqs"
},
{
"cell_type": "markdown",
"id": "4b11794c",
"id": "05d8aab1",
"metadata": {},
"source": [
"#### Attack Commands: Run with `powershell`\n",
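Review bot: the Cleanup cell in this hunk ends with `del %TEMP%\Easter_egg.password` followed directly by the closing triple backtick with no newline in between, so Markdown will not close the code block and the cell renders as one unterminated fence. The Test #2 cleanup in the next hunk (`Remove-Item -Path "$Env:TEMP\Easter_egg.password"` followed directly by the closing fence) has the same defect, whereas the T1005 cleanup cells carry the newline. Normalize the cleanup command text with `.rstrip()` and then append a newline plus the closing fence, so a source YAML without a trailing newline cannot produce a malformed block.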
Expand All @@ -83,34 +83,34 @@
{
"cell_type": "code",
"execution_count": null,
"id": "274d4c8d",
"id": "a7ad84b4",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1039 -TestNumbers 2"
},
{
"cell_type": "markdown",
"id": "f246382f",
"id": "85d22a1b",
"metadata": {},
"source": "#### Cleanup: \n```powershell\nRemove-Item -Path \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\"\nRemove-Item -Path \"$Env:TEMP\\Easter_egg.password\"```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "1661c259",
"id": "577b758f",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1039 -TestNumbers 2 -Cleanup"
},
{
"cell_type": "markdown",
"id": "1a1b4554",
"id": "a5efdf18",
"metadata": {},
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
},
{
"cell_type": "markdown",
"id": "83294e37",
"id": "5186ee34",
"metadata": {},
"source": "\n## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.\n#### Use Case\nA defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.\n"
}