
Commit

deploy: b857231
cyberbuff committed Feb 28, 2023
1 parent 3ea82d4 commit 2ca9073
Showing 1,797 changed files with 310,001 additions and 301,984 deletions.
7 changes: 3 additions & 4 deletions _sources/tactics.ipynb
Expand Up @@ -2,10 +2,9 @@
"cells": [
{
"cell_type": "markdown",
"id": "9d96ebdd",
"metadata": {},
"source": [
"| ID | Name | Description |\n| -------- | --------- | --------- |\n| TA0001 | Initial Access | The adversary is trying to get into your network.|\n| TA0002 | Execution | The adversary is trying to run malicious code.|\n| TA0003 | Persistence | The adversary is trying to maintain their foothold.|\n| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions.|\n| TA0005 | Defense Evasion | The adversary is trying to avoid being detected.|\n| TA0006 | Credential Access | The adversary is trying to steal account names and passwords.|\n| TA0007 | Discovery | The adversary is trying to figure out your environment.|\n| TA0008 | Lateral Movement | The adversary is trying to move through your environment.|\n| TA0009 | Collection | The adversary is trying to gather data of interest to their goal.|\n| TA0010 | Exfiltration | The adversary is trying to steal data.|\n| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them.|\n| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.|\n| TA0042 | Resource Development | The adversary is trying to establish resources they can use to support operations.|\n| TA0043 | Reconnaissance | The adversary is trying to gather information they can use to plan future operations.|"
]
"source": "| ID | Name | Description |\n| -------- | --------- | --------- |\n| TA0001 | Initial Access | The adversary is trying to get into your network.|\n| TA0002 | Execution | The adversary is trying to run malicious code.|\n| TA0003 | Persistence | The adversary is trying to maintain their foothold.|\n| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions.|\n| TA0005 | Defense Evasion | The adversary is trying to avoid being detected.|\n| TA0006 | Credential Access | The adversary is trying to steal account names and passwords.|\n| TA0007 | Discovery | The adversary is trying to figure out your environment.|\n| TA0008 | Lateral Movement | The adversary is trying to move through your environment.|\n| TA0009 | Collection | The adversary is trying to gather data of interest to their goal.|\n| TA0010 | Exfiltration | The adversary is trying to steal data.|\n| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them.|\n| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.|"
}
],
"metadata": {
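Review bot: the replacement "source" string silently drops the last two rows of the tactics table, TA0042 Resource Development and TA0043 Reconnaissance, which the removed list version carried; nothing in the commit message ("deploy: b857231") explains the omission, so either the input the generator reads lost those two tactics or the table template truncates. Since every file here is generated output, the fix belongs in the generator rather than in this notebook, but the two rows should be restored before this deploy is published.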
Expand All @@ -23,5 +22,5 @@
}
},
"nbformat": 4,
"nbformat_minor": 4
"nbformat_minor": 5
}
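Review bot: raising nbformat_minor from 4 to 5 conflicts with the hunk above, which removes the cell's "id" key: nbformat 4.5 is the version that made the per-cell "id" field mandatory, so a 4.5 notebook without cell ids fails schema validation in nbformat-based tooling even though most viewers still open it. Either keep the "id" values (or let the generator emit fresh ones) or leave nbformat_minor at 4.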
12 changes: 5 additions & 7 deletions _sources/tactics/collection.ipynb

Large diffs are not rendered by default.

26 changes: 9 additions & 17 deletions _sources/tactics/collection/T1005.ipynb
Expand Up @@ -2,35 +2,27 @@
"cells": [
{
"cell_type": "markdown",
"id": "36fe224e",
"metadata": {},
"source": [
"# T1005 - Data from Local System",
"\n",
"Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n"
]
"source": "# T1005 - Data from Local System\nAdversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n"
},
{
"cell_type": "markdown",
"id": "6bedfa7a",
"metadata": {},
"source": [
"## Atomic Tests:\nCurrently, no tests are available for this technique."
]
"source": "## Atomic Tests:\nCurrently, no tests are available for this technique."
},
{
"cell_type": "markdown",
"id": "1ce41692",
"metadata": {},
"source": [
"## Detection",
"\n",
"Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
]
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
},
{
"cell_type": "markdown",
"id": "433eb407",
"metadata": {},
"source": [
"## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content.\n#### Use Case\nA defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."
]
"source": "\n## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content.\n#### Use Case\nA defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.\n"
}
],
"metadata": {
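Review bot: the same cell-id removal as in tactics.ipynb applies to all four cells here, and the Shield Active Defense cell additionally gains a leading "\n" and a trailing "\n", so the rendered page now opens that section with an empty paragraph; the generator should strip surrounding whitespace when it joins the source. While the Pocket Litter cell is being regenerated anyway, the sentence "ensuring the local system is with fully populated with content" (carried over unchanged from the previous version) should read "ensuring the local system is fully populated with content".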
Expand All @@ -48,5 +40,5 @@
}
},
"nbformat": 4,
"nbformat_minor": 4
"nbformat_minor": 5
}
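Review bot: same nbformat_minor 4 to 5 bump with the cell "id" keys removed in the hunk above; see the note on tactics.ipynb, the fix is one change in the generator that covers all 1,797 files in this deploy.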
26 changes: 9 additions & 17 deletions _sources/tactics/collection/T1025.ipynb
Expand Up @@ -2,35 +2,27 @@
"cells": [
{
"cell_type": "markdown",
"id": "7e328d76",
"metadata": {},
"source": [
"# T1025 - Data from Removable Media",
"\n",
"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media."
]
"source": "# T1025 - Data from Removable Media\nAdversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media."
},
{
"cell_type": "markdown",
"id": "9c87d6a7",
"metadata": {},
"source": [
"## Atomic Tests:\nCurrently, no tests are available for this technique."
]
"source": "## Atomic Tests:\nCurrently, no tests are available for this technique."
},
{
"cell_type": "markdown",
"id": "9b363b5b",
"metadata": {},
"source": [
"## Detection",
"\n",
"Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
]
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
},
{
"cell_type": "markdown",
"id": "01c17807",
"metadata": {},
"source": [
"## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.\n#### Use Case\nA defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."
]
"source": "\n## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.\n#### Use Case\nA defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.\n"
}
],
"metadata": {
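Review bot: identical pattern to T1005.ipynb: cell ids dropped, and the Shield Active Defense source wrapped in a leading and trailing "\n". One detail worth fixing at the template level while this is open: the heading "### Pocket Litter " keeps a trailing space before the newline, and " Place data on a system..." starts with a leading space, which some Markdown renderers turn into a hard line break or an unintended indent.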
Expand All @@ -48,5 +40,5 @@
}
},
"nbformat": 4,
"nbformat_minor": 4
"nbformat_minor": 5
}

0 comments on commit 2ca9073
