akinsWin / content

Workbooks by Author

| Author | Count |
|---|---|
| DNIF | 413 |
| community | 129 |
| Total | 542 |

Workbooks by Directory

| Directory | Count |
|---|---|
| /Basic Security Monitoring/Network Traffic Analysis | 25 |
| /Basic Security Monitoring/Authentication Attacks | 8 |
| /Basic Security Monitoring/Threat Alerts | 7 |
| /Basic Security Monitoring/Configuration Monitoring | 1 |
| /Investigate/User | 5 |
| /Investigate/Host | 7 |
| /Investigate/Object | 4 |
| /Cloud Security/Amazon Web Services | 13 |
| /Cloud Security/Azure | 31 |
| /Advanced Threat Detection/Windows Process Monitoring | 131 |
| /Advanced Threat Detection/IAM Monitoring | 3 |
| /Advanced Threat Detection/Network Traffic Analysis | 24 |
| /Advanced Threat Detection/Windows Audit Monitoring | 2 |
| /Advanced Threat Detection/Webserver Exploits | 13 |
| /Advanced Threat Detection/Windows Registry Monitoring | 5 |
| /Advanced Threat Detection/Email Monitoring | 1 |
| /Advanced Threat Detection/DNS Monitoring | 6 |
| /Advanced Threat Detection/Threat Monitoring | 2 |
| /Advanced Threat Detection/Linux Process Monitoring | 36 |
| /Advanced Threat Detection/Documents Monitoring | 4 |
| /Advanced Threat Detection/Proxy Monitoring | 31 |
| /Advanced Threat Detection/Windows Network Monitoring | 1 |
| /Visualization/OFFICE Monitoring | 13 |
| /Visualization/IAM Monitoring | 6 |
| /Visualization/NTA Monitoring | 17 |
| /Visualization/Firewall Monitoring | 13 |
| /Visualization/Threat Alerts Monitoring | 9 |
| /Visualization/Cloud Monitoring | 16 |
| /Visualization/Signal Monitoring | 8 |
| /Visualization/Authentication Monitoring | 8 |
| /Reports/FIREWALL | 29 |
| /Compliance/Common/Monthly | 6 |
| /Compliance/Common/Weekly | 8 |
| /Compliance/Common/Daily | 6 |
| /Compliance/SOX/Monthly | 1 |
| /Compliance/SOX/Daily | 1 |
| /Compliance/HIPAA/Monthly | 4 |
| /Compliance/HIPAA/Weekly | 4 |
| /Compliance/HIPAA/Daily | 4 |
| /Compliance/FISMA/Monthly | 4 |
| /Compliance/FISMA/Weekly | 3 |
| /Compliance/FISMA/Daily | 7 |
| /Compliance/PCI/Monthly | 5 |
| /Compliance/PCI/Weekly | 5 |
| /Compliance/PCI/Daily | 5 |
| Total | 542 |
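The per-directory listings that follow are flat rows in the order "workbook, author, tactic, technique, severity, confidence", which is hard to query when you want to know where detection coverage is thin. As an added example (not code from the akinsWin/content repository or from DNIF), the Python below parses rows in that layout into records, reproduces the author and directory counts shown above, and reports which ATT&CK tactics are covered only by Low- or Medium-confidence workbooks. `SAMPLE` is a constructed subset of rows copied from this page (including two rows whose tactic spelling differs from the rest); the `Workbook` record, the tactic alias table and the function names are assumptions made for the example.

```python
"""Parse the flattened DNIF workbook catalog and summarise its ATT&CK coverage.

Added example, not part of the akinsWin/content repository. SAMPLE is a
hand-picked subset of rows copied from the catalog; the record layout and
alias table below are assumptions made for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Enterprise ATT&CK tactics as the catalog spells them, plus its own "Unclassified".
TACTICS = (
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact", "Unclassified",
)
# Spelling variants that occur in the catalog, mapped to the canonical name.
TACTIC_ALIASES = {"defence evasion": "Defense Evasion"}
_CANON = {t.lower(): t for t in TACTICS}
_CANON.update(TACTIC_ALIASES)

# A row is "<name> <author> [<tactic> <technique> <severity> <confidence>]";
# investigation workbooks carry only the first two columns.
ROW_RE = re.compile(
    r"^(?P<name>.+?) (?P<author>DNIF|community)"
    r"(?: (?P<tactic>" + "|".join(re.escape(k) for k in _CANON) + r")"
    r" (?P<technique>.+?) (?P<severity>\d+) (?P<confidence>Low|Medium|High))?$",
    re.IGNORECASE,
)

# Constructed subset of catalog rows, kept in the page's own layout.
SAMPLE = """\
/Basic Security Monitoring/Authentication Attacks

Workbook Author Tactic Technique Severity Confidence
Brute Force Access DNIF Credential Access Brute Force 5 High
Slow Bruteforce Attack DNIF Credential Access Brute Force 5 Medium
Concurrent Logins from multiple Sources DNIF Initial Access Valid Accounts 5 Low

/Investigate/User

Workbook Author Tactic Technique Severity Confidence
Recent Login Failures DNIF

/Advanced Threat Detection/Windows Process Monitoring

Workbook Author Tactic Technique Severity Confidence
Renamed PowerShell community Defense Evasion Masquerading 5 Medium
Processes launching netsh DNIF Defence Evasion Impair Defences 5 Low
Detect Credential Dumping through LSASS access DNIF Credential Access OS Credential Dumping 10 High
Suspicious Outbound RDP Connections community Lateral movement Remote Services 5 Medium
"""


@dataclass(frozen=True)
class Workbook:
    directory: str
    name: str
    author: str
    tactic: Optional[str] = None
    technique: Optional[str] = None
    severity: Optional[int] = None
    confidence: Optional[str] = None


def parse_catalog(text: str) -> List[Workbook]:
    """Turn the 'directory heading, column header, rows' layout into records."""
    workbooks: List[Workbook] = []
    directory: Optional[str] = None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse stray double spaces left by extraction
        if not line:
            continue
        if line.startswith("/"):
            directory = line
            continue
        if line.startswith("Workbook Author"):
            continue
        m = ROW_RE.match(line)
        if m is None or directory is None:
            raise ValueError(f"unparseable catalog row: {raw!r}")
        tactic = m["tactic"]
        workbooks.append(Workbook(
            directory=directory,
            name=m["name"],
            author="DNIF" if m["author"].lower() == "dnif" else "community",
            tactic=_CANON[tactic.lower()] if tactic else None,
            technique=m["technique"],
            severity=int(m["severity"]) if m["severity"] else None,
            confidence=m["confidence"].capitalize() if m["confidence"] else None,
        ))
    return workbooks


def count_by(workbooks: List[Workbook], field: str) -> Counter:
    """Reproduce the 'Workbooks by Author' / 'Workbooks by Directory' tables."""
    return Counter(getattr(wb, field) for wb in workbooks)


def tactic_coverage(workbooks: List[Workbook]) -> Dict[str, Dict[str, int]]:
    """Per tactic: number of workbooks, how many are High confidence, top severity."""
    summary: Dict[str, Dict[str, int]] = {}
    for wb in workbooks:
        if wb.tactic is None:  # investigation workbooks carry no ATT&CK mapping
            continue
        row = summary.setdefault(wb.tactic, {"workbooks": 0, "high_confidence": 0, "max_severity": 0})
        row["workbooks"] += 1
        row["high_confidence"] += int(wb.confidence == "High")
        row["max_severity"] = max(row["max_severity"], wb.severity)
    return summary


def tactics_without_high_confidence(workbooks: List[Workbook]) -> List[str]:
    """Tactics covered only by Low/Medium-confidence workbooks: candidates for tuning."""
    return sorted(t for t, row in tactic_coverage(workbooks).items() if row["high_confidence"] == 0)


if __name__ == "__main__":
    wbs = parse_catalog(SAMPLE)
    print(count_by(wbs, "author"))
    for tactic, row in sorted(tactic_coverage(wbs).items()):
        print(f"{tactic:22} {row}")
    print("no High-confidence coverage:", tactics_without_high_confidence(wbs))
```

Feeding the whole listing through `parse_catalog` is the quickest way to spot rows the extraction mangled: any row that does not fit the six-column pattern raises instead of being silently miscounted, and the tactic alias table is where you would add further spelling variants as you find them.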

/Basic Security Monitoring/Network Traffic Analysis

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| RPC from the Internet | DNIF | Initial Access | Exploit Public-Facing Application | 5 | Low |
| RDP from the Internet | DNIF | Lateral Movement | Remote Services | 5 | Low |
| SSH from the Internet | DNIF | Initial Access | Exploit Public-Facing Application | 5 | Low |
| Outlier FTP connection patterns by a user | DNIF | Lateral Movement | Lateral Tool Transfer | 4 | Medium |
| High Denied Traffic Within Short Span Of Time | DNIF | Impact | Network Denial of Service | 8 | High |
| SMTP to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
| VNC from the Internet | DNIF | Initial Access | Exploit Public-Facing Application | 5 | Low |
| FTP Activity to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
| SMTP on Port 26 TCP | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
| TCP Port 8000 Activity to the Internet | DNIF | Command and Control | Commonly Used Port | 5 | Low |
| PPTP Activity | DNIF | Command and Control | Commonly Used Port | 5 | Low |
| IPSEC NAT Traversal Port Activity | DNIF | Command and Control | Commonly Used Port | 5 | Low |
| IRC Protocol Activity to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
| Telnet Port Activity | DNIF | Lateral Movement | Remote Services | 5 | Low |
| Detect Outbound SMB Traffic | DNIF | Command and Control | Protocol Tunneling | 5 | Low |
| Suspicious Remote Desktop Network Activity | DNIF | Lateral Movement | Remote Services | 5 | Low |
| Clients Connecting to Multiple DNS Servers | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 3 | Low |
| Distributed DOS Attack | DNIF | Impact | Network Denial of Service | 8 | High |
| Proxy Port Activity to the Internet | DNIF | Command and Control | Commonly Used Port | 5 | Low |
| Protocol or Port Mismatch | DNIF | Command and Control | Non-Standard Port | 5 | Low |
| Detect Large Outbound ICMP Packets | DNIF | Command and Control | Non-Application Layer Protocol | 5 | Low |
| Anomalous DNS Bytes Observed From Same Source | DNIF | Impact | Network Denial of Service | 6 | Medium |
| Cryptocurrency mining network communication | DNIF | Impact | Resource Hijacking | 3 | Medium |
| RDP to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
| Tor Activity to the Internet | DNIF | Command and Control | Proxy | 5 | Low |

/Basic Security Monitoring/Authentication Attacks

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| User Connected to Large Number of Systems | DNIF | Persistence | Valid Accounts | 6 | Medium |
| User Created and Deleted in Short Time | DNIF | Persistence | Account Manipulation | 7 | High |
| Brute Force Access | DNIF | Credential Access | Brute Force | 5 | High |
| Abnormal VPN Login Attempts for a User | DNIF | Initial Access | External Remote Services | 7 | High |
| Slow Bruteforce Attack | DNIF | Credential Access | Brute Force | 5 | Medium |
| Concurrent Logins from multiple Sources | DNIF | Initial Access | Valid Accounts | 5 | Low |
| Logins to Same System from Multiple Sources | DNIF | Initial Access | Valid Accounts | 7 | High |
| Abnormal SSH Login Attempts for a User | DNIF | Initial Access | External Remote Services | 7 | High |

/Basic Security Monitoring/Threat Alerts

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Threat Detected on Web | DNIF | Unclassified | Unclassified | 5 | Medium |
| Threat Detected on Authentication | DNIF | Credential Access | Brute Force | 7 | Medium |
| Threat Detected on Host - File | DNIF | Execution | User Execution | 5 | Medium |
| Threat Detected on Host - URL | DNIF | Execution | User Execution | 5 | Medium |
| Threat detected on Network | DNIF | Unclassified | Unclassified | 5 | Medium |
| Threat Detected on IAM | DNIF | Persistence | Account Manipulation | 7 | Medium |
| Threat Detected on Email | DNIF | Initial Access | Phishing | 5 | Medium |

/Basic Security Monitoring/Configuration Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Failed Config Changes by Same User | DNIF | Defense Evasion | Impair Defenses | 6 | Medium |

/Investigate/User

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Recent Login Failures | DNIF | | | | |
| Systems Accessed by User | DNIF | | | | |
| Source Countries for User | DNIF | | | | |
| Recent Logins | DNIF | | | | |
| Accounts Created by User | DNIF | | | | |

/Investigate/Host

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Recent Login Failures | DNIF | | | | |
| Traffic Volume to IP | DNIF | | | | |
| Host accessed by Users | DNIF | | | | |
| Sources talking to IP | DNIF | | | | |
| Traffic Volume from IP | DNIF | | | | |
| Recent Threats on Host | DNIF | | | | |
| Login Failures from IP | DNIF | | | | |

/Investigate/Object

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Domain accessed by Users | DNIF | | | | |
| File Hash seen on Hosts | DNIF | | | | |
| URL accessed by Users | DNIF | | | | |
| Executable seen on Hosts | DNIF | | | | |

/Cloud Security/Amazon Web Services

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| AWS GuardDuty Important Change | community | Defense Evasion | Impair Defenses | 5 | Low |
| Changes made to AWS CloudTrail logs | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Medium |
| AWS RDS Master Password Change | community | Exfiltration | Automated Exfiltration | 5 | Low |
| AWS IAM Backdoor Users Keys | community | Persistence | Account Manipulation | 5 | Low |
| AWS Config Disabling Channel Recorder | community | Defense Evasion | Impair Defenses | 5 | Low |
| Restore Public AWS RDS Instance | community | Exfiltration | Automated Exfiltration | 5 | Low |
| Monitor AWS Credential abuse or hijacking | DNIF | Discovery | Account Discovery | 5 | Medium |
| AWS EC2 Download Userdata | community | Exfiltration | Automated Exfiltration | 5 | Medium |
| AWS EC2 VM Export Failure | community | Exfiltration | Transfer Data to Cloud Account | 5 | Low |
| AWS EC2 Startup Shell Script Change | community | Execution | Command and Scripting Interpreter | 5 | Medium |
| AWS CloudTrail Important Change | community | Defense Evasion | Impair Defenses | 5 | Medium |
| AWS Root Credentials | community | Defense Evasion | Valid Accounts | 5 | Medium |
| Changes to internet facing AWS RDS Database instances | DNIF | Persistence | Account Manipulation | 5 | Medium |

/Cloud Security/Azure

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Azure Event Hub Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Azure Diagnostic Settings Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Security Rule has been Created or Updated | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Azure Privilege Identity Management Role Modified | DNIF | Persistence | Valid Accounts | 5 | Low |
| Azure Automation Account Created | DNIF | Persistence | Valid Accounts | 5 | Low |
| Azure Key Vault Modified | DNIF | Credential Access | Unsecured Credentials | 5 | Low |
| Azure Automation Runbook Deleted | DNIF | Impact | Unclassified | 5 | Low |
| Network Security Group was Deleted | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Azure Automation Webhook Created | DNIF | Persistence | Unclassified | 5 | Low |
| Azure Blob Container Access Level Modification | DNIF | Discovery | Exploit Public-Facing Application | 5 | Low |
| Azure Command Execution on Virtual Machine | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
| Network Security Group has been Created or Updated | DNIF | Persistence | Valid Accounts | 5 | Low |
| Azure Application Credential Modification | DNIF | Defense Evasion | Use Alternate Authentication Material | 5 | Low |
| Virtual Network Subnet Deleted | DNIF | Impact | Data Destruction | 5 | Low |
| Possible Consent Grant Attack via Azure-Registered Application | DNIF | Credential Access | Steal Application Access Token | 5 | Low |
| Azure Service Principal Addition | DNIF | Defense Evasion | Use Alternate Authentication Material | 5 | Low |
| Azure Resource Group Deletion | DNIF | Impact | Data Destruction | 5 | Low |
| Azure Firewall Policy Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Azure Storage Account Key Regenerated | DNIF | Credential Access | Steal Application Access Token | 5 | Low |
| Local Network Gateway Deleted | DNIF | Impact | Data Destruction | 5 | Low |
| User Added as Owner for Azure Application | DNIF | Persistence | Account Manipulation | 5 | Low |
| Azure Network Watcher Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| User Added as Owner for Azure Service Principal | DNIF | Persistence | Account Manipulation | 5 | Low |
| Azure Automation Runbook Created or Modified | DNIF | Persistence | Unclassified | 5 | Low |
| Multi-Factor Authentication Disabled for an Azure User | DNIF | Persistence | Account Manipulation | 5 | Low |
| Virtual Network Peering Deleted | DNIF | Impact | Data Destruction | 5 | Low |
| Azure Conditional Access Policy Modified | DNIF | Persistence | Account Manipulation | 5 | Low |
| Virtual Network Deleted | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Virtual Network Gateway Connection Deleted | DNIF | Impact | Data Destruction | 5 | Low |
| Security Rule was Deleted | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Azure Event Hub Authorization Rule Created or Updated | DNIF | Collection | Data from Cloud Storage Object | 5 | Low |

/Advanced Threat Detection/Windows Process Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Renamed SysInternals Debug View | community | Defense Evasion | Masquerading | 5 | Low |
| Suspicious Csc.exe Source File Folder | community | Execution | User Execution | 5 | Low |
| DTRACK Process Creation | community | Execution | User Execution | 5 | Low |
| Suspicious Csc exe Source File Folder | community | Execution | User Execution | 5 | Medium |
| ZOHO Dctask64 Process Injection | community | Defense Evasion | Process Injection | 5 | Low |
| Suspicious Process Start Locations | community | Defense Evasion | Masquerading | 5 | Medium |
| Renamed SysInternals Debug View | community | Defense Evasion | Masquerading | 5 | Low |
| Devtoolslauncherexe Executes Specified Binary | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Medium |
| Detect PsExec With accepteula Flag | DNIF | Execution | System Services | 5 | Low |
| Suspicious Outbound RDP Connections | community | Lateral Movement | Remote Services | 5 | Medium |
| Deleting Shadow Copies | DNIF | Impact | Inhibit System Recovery | 8 | High |
| Suspicious wevtutil Usage | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Low |
| Ping Hex IP | community | Defense Evasion | Obfuscated Files or Information | 3 | Medium |
| Malicious PowerShell Process - Connect To Internet With Hidden Window | DNIF | Execution | Command and Scripting Interpreter | 5 | Medium |
| WMI Modules Loaded | community | Execution | Windows Management Instrumentation | 5 | Medium |
| Certutil Encode | community | Defense Evasion | Obfuscated Files or Information | 5 | Low |
| RedMimicry Winnti Playbook Execute | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
| PowerShell Encoded Character Syntax | community | Defense Evasion | Obfuscated Files or Information | 5 | Medium |
| Screen Capture using Scripting Interpretor | DNIF | Collection | Screen Capture | 5 | Medium |
| Possible Applocker Bypass | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
| Remote Process Instantiation via WMI | DNIF | Execution | Windows Management Instrumentation | 5 | Low |
| Modification of Boot Configuration | community | Impact | Inhibit System Recovery | 5 | Medium |
| Lazarus Session Highjacker | community | Defense Evasion | Masquerading | 5 | Low |
| DNS Tunnel Technique from MuddyWater | community | Command and Control | Application Layer Protocol | 5 | Low |
| Process Execution via WMI | DNIF | Execution | Windows Management Instrumentation | 5 | Low |
| Fireball Archer Install | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Medium |
| VBA DLL Loaded Via Microsoft Word | community | Execution | User Execution | 5 | Medium |
| Remote Access Software Usage with Powershell | DNIF | Command and Control | Remote Access Software | 5 | Medium |
| Windows Security Account Manager Stopped | DNIF | Impact | Service Stop | 5 | Low |
| Net exe Execution | community | Lateral Movement | Remote Services | 6 | Medium |
| SMOKEDHAM Backdoor | DNIF | Initial Access | Supply Chain Compromise | 4 | Low |
| Processes launching netsh | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Bypass UAC via Fodhelper exe | community | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Medium |
| Suspicious Rundll32 Activity | community | Defense Evasion | Masquerading | 6 | Medium |
| Modify Registry To Store Logon Credentials | DNIF | Defense Evasion | Modify Registry | 5 | Medium |
| Hiding Files And Directories With Attrib exe | DNIF | Defense Evasion | Hide Artifacts | 5 | Low |
| System Information Discovery Detection | DNIF | Discovery | System Information Discovery | 5 | Low |
| USN Journal Deletion | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Low |
| Detect mshta exe running scripts in command-line arguments | DNIF | Defense Evasion | Signed Binary Proxy Execution | 5 | Medium |
| Advanced IP Scanner | community | Discovery | Network Service Scanning | 5 | Medium |
| Windows Network Enumeration | community | Discovery | Remote System Discovery | 5 | Low |
| Suspicious Esentutl Use | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
| In-memory PowerShell | community | Execution | Command and Scripting Interpreter | 5 | Low |
| Stop Windows Service | community | Impact | Service Stop | 5 | Low |
| Schtasks scheduling job on remote system | DNIF | Privilege Escalation | Scheduled Task/Job | 5 | Low |
| Audio Capture via PowerShell | community | Collection | Audio Capture | 5 | Medium |
| Impacket Lateralization Detection | community | Lateral Movement | Remote Services | 5 | Low |
| Trickbot Malware Recon Activity | community | Discovery | Domain Trust Discovery | 5 | Low |
| Child Processes of Spoolsv exe | DNIF | Privilege Escalation | Exploitation for Privilege Escalation | 5 | Medium |
| Reconnaissance Activity with Net Command | community | Discovery | System Information Discovery | 5 | Low |
| Mimikatz Detection LSASS Access | community | Credential Access | OS Credential Dumping | 5 | Medium |
| WMI Persistence - Command Line Event Consumer | community | Privilege Escalation | Event Triggered Execution | 5 | Medium |
| Suspicious Use of CSharp Interactive Console | community | Defense Evasion | Trusted Developer Utilities Proxy Execution | 5 | Low |
| Squirrel Lolbin | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
| Suspicious XOR Encoded PowerShell Command Line | community | Execution | Command and Scripting Interpreter | 5 | Low |
| CLR DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
| Shadow Copies Deletion Using Operating Systems Utilities | community | Impact | Inhibit System Recovery | 5 | Medium |
| Command Line Execution with Suspicious URL and AppData Strings | community | Execution | Command and Scripting Interpreter | 5 | Medium |
| Enumeration of Local Shares | DNIF | Discovery | Network Share Discovery | 3 | Low |
| Tap Installer Execution | community | Exfiltration | Exfiltration Over Alternative Protocol | 3 | Medium |
| RDP Over Reverse SSH Tunnel | community | Lateral Movement | Remote Services | 5 | Low |
| Load of dbghelp or dbgcore DLL from Suspicious Process | community | Credential Access | OS Credential Dumping | 5 | Medium |
| Script Execution via WMI | DNIF | Execution | Windows Management Instrumentation | 5 | Low |
| Executable Masquerading as a Document | DNIF | Defense Evasion | Masquerading | 5 | Low |
| Suspicious Commandline Escape | community | Defense Evasion | Deobfuscate/Decode Files or Information | 5 | Low |
| Suspicious Program Location Process Starts | community | Defense Evasion | Masquerading | 4 | Medium |
| Windows Mangement Instrumentation DLL Loaded Via Microsoft Word | community | Execution | Windows Management Instrumentation | 5 | Medium |
| Domain Trust Discovery | community | Discovery | Domain Trust Discovery | 5 | Low |
| Active Directory Parsing DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
| Malicious PowerShell Process - Execution Policy Bypass | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
| Sc exe Manipulating Windows Services | DNIF | Persistence | Create or Modify System Process | 5 | Low |
| Unload Sysmon Filter Driver | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
| Detect Use of cmd exe to Launch Script Interpreters | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
| Suspicious Eventlog Clear or Configuration Using Wevtutil | community | Defense Evasion | Indicator Removal on Host | 5 | Medium |
| Enumeration using SMB and Powershell | DNIF | Discovery | Network Share Discovery | 5 | Medium |
| Executables Started in Suspicious Folder | community | Defense Evasion | Masquerading | 5 | Medium |
| Activity Related to NTDS Domain Hash Retrieval | community | Credential Access | OS Credential Dumping | 5 | Medium |
| Suspicious writes to System Volume Information | DNIF | Defense Evasion | Masquerading | 5 | Low |
| Detection Of Malicious Automated Collection | DNIF | Collection | Automated Collection | 5 | Medium |
| Windows hosts file modification | DNIF | Discovery | Remote System Discovery | 5 | Low |
| Ryuk Ransomware Files Detected | DNIF | Impact | Data Encrypted for Impact | 5 | Low |
| PowerShell DownloadFile | community | Command and Control | Ingress Tool Transfer | 5 | Low |
| Process Dump via Comsvcs DLL | community | Credential Access | OS Credential Dumping | 6 | Medium |
| Netsh Program Allowed with Suspcious Location | community | Defense Evasion | Impair Defenses | 4 | Medium |
| Harvesting of Wifi Credentials Using netsh exe | community | Credential Access | Network Sniffing | 5 | Medium |
| Suspicious LNK file launching a process | DNIF | Initial Access | Phishing | 5 | Medium |
| Suspicious Double Extension | community | Initial Access | Phishing | 5 | Low |
| Dump LSASS via comsvcs DLL | DNIF | Credential Access | OS Credential Dumping | 5 | Medium |
| Renamed PowerShell | community | Defense Evasion | Masquerading | 5 | Medium |
| Malicious PowerShell Process - Encoded Command | DNIF | Execution | Command and Scripting Interpreter | 6 | Low |
| Create local admin accounts using net exe | DNIF | Persistence | Create Account: Local Account | 10 | High |
| Microsoft Office Product Spawning Windows Shell | community | Execution | User Execution | 5 | Low |
| XSL Script Processing | community | Defense Evasion | XSL Script Processing | 5 | Medium |
| Possible App Whitelisting Bypass via WinDbg CDB as a Shellcode Runner | community | Defense Evasion | Trusted Developer Utilities Proxy Execution | 5 | Low |
| Schtasks used for forcing a reboot | DNIF | Execution | Scheduled Task/Job | 5 | Low |
| Suspicious AdFind Execution | community | Discovery | Domain Trust Discovery | 5 | Medium |
| DTRACK Process Creation | community | Persistence | Create or Modify System Process | 5 | Low |
| Possible Compromised PasswordState Software | DNIF | Initial Access | Supply Chain Compromise | 5 | Medium |
| Create or delete windows shares using net exe | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
| Judgement Panda Exfil Activity | community | Collection | Archive Collected Data | 5 | Low |
| WMI Backdoor Exchange Transport Agent | community | Privilege Escalation | Event Triggered Execution | 5 | Low |
| Reg exe Manipulating Windows Services Registry Keys | DNIF | Persistence | Hijack Execution Flow | 5 | Low |
| DNS RCE CVE-2020-1350 | community | Execution | System Services | 5 | Medium |
| Koadic Execution | community | Execution | Command and Scripting Interpreter | 5 | Low |
| Svchost DLL Search Order Hijack | community | Persistence | Hijack Execution Flow | 5 | Low |
| Creation of Shadow Copy with wmic and powershell | DNIF | Impact | Inhibit System Recovery | 8 | High |
| Explorer Root Flag Process Tree Break | community | Defense Evasion | Masquerading | 5 | Medium |
| Detect Outlook exe writing a zip file | DNIF | Initial Access | Phishing | 5 | Medium |
| In Browser Crypto Mining | DNIF | Impact | Resource Hijacking | 5 | Medium |
| File with Samsam Ransomware Extension | DNIF | Impact | Data Encrypted for Impact | 5 | Low |
| Rundll32 Internet Connection | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
| Batch File Write to System32 | DNIF | Execution | User Execution | 5 | Medium |
| Registry Keys for Creating SHIM Databases | DNIF | Persistence | Event Triggered Execution | 5 | Low |
| Creation of Shadow Copy using ntdsutil or vsadmib | DNIF | Impact | Inhibit System Recovery | 8 | High |
| Unsigned Image Loaded Into LSASS Process | community | Credential Access | OS Credential Dumping | 5 | Low |
| Create Remote Thread into LSASS | DNIF | Credential Access | OS Credential Dumping: LSASS Memory | 7 | Medium |
| Possible Process Hollowing Image Loading | community | Persistence | Hijack Execution Flow | 5 | Low |
| dotNET DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
| Copying Sensitive Files with Credential Data | community | Credential Access | OS Credential Dumping | 5 | Medium |
| Grabbing Sensitive Hives via Reg Utility | community | Credential Access | OS Credential Dumping | 5 | Medium |
| Fax Service DLL Search Order Hijack | community | Persistence | Hijack Execution Flow | 5 | Medium |
| Suspicious Rundll32 Activity | community | Defense Evasion | Masquerading | 6 | Medium |
| Enumeration of Remote Shares | DNIF | Discovery | Network Share Discovery | 3 | Low |
| Suspicious writes to Windows Recycle Bin | DNIF | Defense Evasion | Masquerading | 5 | Low |
| Suspicious Debugger Registration Cmdline | community | Privilege Escalation | Event Triggered Execution | 5 | Low |
| Remote PowerShell Session | community | Execution | Command and Scripting Interpreter | 6 | Medium |
| PowerShell Execution | community | Execution | Command and Scripting Interpreter | 5 | Low |
| Remote Email collection detection via Powershell | DNIF | Collection | Email Collection | 5 | Medium |
| ZxShell Malware | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
| Active Directory Kerberos DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
| Detect Credential Dumping through LSASS access | DNIF | Credential Access | OS Credential Dumping | 10 | High |

/Advanced Threat Detection/IAM Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Account Deletion Anomaly | DNIF | | | | |
| Same User Enabled And Disabled In A Short Time | DNIF | Persistence | Account Manipulation | 7 | High |
| Account Creation Anomaly | DNIF | Persistence | Create Account | 5 | Low |

/Advanced Threat Detection/Network Traffic Analysis

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Publicly Accessible RDP Service | DNIF | Initial Access | External Remote Services | 6 | Medium |
| Multiple Compressed Files sent over HTTP with abnormal requests | DNIF | Collection | Archive Collected Data | 6 | Medium |
| Credential access detected from DCE-RPC | DNIF | Credential Access | Exploitation for Credential Access | 6 | Medium |
| Kerberos Network Traffic RC4 Ticket Encryption | DNIF | Credential Access | Steal or Forge Kerberos Tickets | 6 | Medium |
| DCE-RPC Group Discovery | DNIF | Discovery | Permission Groups Discovery | 5 | Medium |
| DCE-RPC Account Discovery detection | DNIF | Discovery | Account Discovery | 5 | Medium |
| Executable from Webdav | DNIF | Command and Control | Ingress Tool Transfer | 6 | Medium |
| External SMB Communication detected | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 3 | Low |
| Outlier Pattern Detected on Data Transfers | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 6 | Medium |
| SMB Connections to Admin Shares | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 7 | High |
| Suspicious PsExec Execution | DNIF | Lateral Movement | Remote Services | 6 | Medium |
| DCE-RPC Network Discovery Detection | DNIF | Discovery | Network Sniffing | 5 | Medium |
| Port scanning detection | DNIF | Discovery | Network Service Scanning | 6 | Medium |
| Executable Download Directly From IP | DNIF | Execution | User Execution | 6 | Medium |
| Remote Task Creation via ATSVC Named Pipe | DNIF | Persistence | Scheduled Task/Job | 5 | Medium |
| Transferring Files with Credential Data via Network Shares | DNIF | Credential Access | OS Credential Dumping | 7 | High |
| Possible Impacket SecretDump Remote Activity | DNIF | Credential Access | OS Credential Dumping | 6 | Medium |
| FTP Bruteforcing | DNIF | Credential Access | Brute Force | 6 | Medium |
| WebDav Put Request | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 6 | Medium |
| Suspicious Access to Sensitive File Extensions | DNIF | Collection | Data from Local System | 6 | Medium |
| Detection of Expired Certificates | DNIF | Unclassified | Unclassified | 6 | Medium |
| DCE-RPC Domain Discovery detection | DNIF | Discovery | Domain Trust Discovery | 5 | Medium |
| Domain User Enumeration Network Recon | DNIF | Discovery | Account Discovery | 4 | Medium |
| Potential Exfiltration of Compressed Files | DNIF | Collection | Data from Local System | 6 | Medium |

/Advanced Threat Detection/Windows Audit Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Suspicious Network Shares Accessed from SrcIP | DNIF | Collection | Data from Network Shared Drive | 5 | Medium |
| Suspicious Network Shares Accessed by User | DNIF | Collection | Data from Network Shared Drive | 6 | Medium |

/Advanced Threat Detection/Webserver Exploits

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Multiple Suspicious Resp Codes Caused by Single Client | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| CVE-2020-0688 Exchange Exploitation via Web Log | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| Citrix Netscaler Attack CVE-2019-19781 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| Valid Request Forbidden | DNIF | Unclassified | Unclassified | 6 | Medium |
| SQL Query Injection in UserAgent OR URL | DNIF | Initial Access | Exploit Public-Facing Application | 7 | High |
| Oracle WebLogic Exploit | community | Persistence | Server Software Component | 5 | Low |
| Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| Pulse Secure Attack CVE-2019-11510 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| CVE-2020-0688 Exploitation Attempt | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| Confluence Exploitation CVE-2019-3398 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| Unusual URL Redirection | DNIF | Execution | User Execution | 7 | High |
| CVE-2020-5902 F5 BIG-IP Exploitation Attempt | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
| Script Injection Dectected In UserAgent | DNIF | Initial Access | Exploit Public-Facing Application | 8 | High |

/Advanced Threat Detection/Windows Registry Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Registry Keys Used For Persistence | DNIF | Persistence | Boot or Logon Autostart Execution | 5 | Low |
| Suspicious MS Office Registry Modifications | DNIF | Defense Evasion | Modify Registry | 2 | Low |
| Disabling Remote User Account Control | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Low |
| Suspicious Reg Modified on a System | DNIF | Defense Evasion | Modify Registry | 5 | Medium |
| Suspicious Changes to File Associations | DNIF | Persistence | Event Triggered Execution | 5 | Low |

/Advanced Threat Detection/Email Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Outlier Pattern Detected for Outbound Emails | DNIF | Exfiltration | Exfiltration Over Web Service | 4 | Medium |

/Advanced Threat Detection/DNS Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Cobalt Strike DNS Beaconing | community | Command and Control | Application Layer Protocol | 5 | Low |
| Telegram Bot API Request | community | Command and Control | Web Service | 5 | Low |
| Wannacry Killswitch Domain | community | Command and Control | Application Layer Protocol | 5 | Low |
| High DNS requests From Same Source | DNIF | Impact | Network Denial of Service | 8 | High |
| DNS NXDOMAIN Flood | DNIF | Impact | Network Denial of Service | 5 | Medium |
| Suspicious DNS Query with B64 Encoded String | community | Command and Control | Application Layer Protocol | 5 | Low |

/Advanced Threat Detection/Threat Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Multiple Threat Detected From Same Source | DNIF | Unclassified | Unclassified | 8 | High |
| Same Threat Detected on Multiple Hosts | DNIF | Unclassified | Unclassified | 8 | High |

/Advanced Threat Detection/Linux Process Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Hping Process Activity | DNIF | Discovery | System Information Discovery | 4 | Low |
| Netcat Network Activity | DNIF | Discovery | System Network Connections Discovery | 5 | Low |
| Setuid Bit Set via chmod | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Low |
| Virtual Machine Fingerprinting | DNIF | Discovery | System Information Discovery | 5 | Low |
| Persistence via Kernel Module Modification | DNIF | Persistence | Kernel Modules and Extensions | 5 | Low |
| Network Sniffing via Tcpdump | DNIF | Credential Access | Network Sniffing | 5 | Low |
| Enumeration of Kernel Modules | DNIF | Discovery | System Information Discovery | 5 | Low |
| Base64 Encoding-Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
| Attempt to Disable IPTables or Firewall | DNIF | Defense Evasion | Disabling Security Tools | 5 | Low |
| Attempt to Disable Syslog Service | DNIF | Defense Evasion | Disabling Security Tools | 5 | Low |
| Interactive Terminal Spawned via Python | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
| Unusual Process Execution - Temp | DNIF | Defense Evasion | Masquerading | 5 | Low |
| File Deletion via Shred | DNIF | Defense Evasion | File Deletion | 5 | Low |
| Hex Encoding-Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
| System Log File Deletion | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Low |
| Sudoers File Modification | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Low |
| Creation of Hidden Files and Directories | DNIF | Defense Evasion | Hidden Files and Directories | 5 | Low |
| Strace Process Activity | DNIF | Privilege Escalation | Exploitation for Privilege Escalation | 3 | Low |
| Setgid Bit Set via chmod | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 3 | Low |
| Kernel Module Removal | DNIF | Defense Evasion | Kernel Modules and Extensions | 5 | Low |
| Timestomping using Touch Command | DNIF | Defense Evasion | Timestomp | 5 | Low |
| Connection to External Network via Telnet | DNIF | Lateral Movement | Remote Services | 5 | Low |
| Interactive Terminal Spawned via Perl | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
| Nping Process Activity | DNIF | Discovery | System Network Connections Discovery | 3 | Low |
| Deletion of Bash Command Line History | DNIF | Defense Evasion | Clear Command History | 5 | Low |
| Potential Disabling of SELinux | DNIF | Defense Evasion | Disabling Security Tools | 5 | Low |
| User Discovery via Whoami | DNIF | Discovery | System Owner/User Discovery | 5 | Low |
| Connection to Internal Network via Telnet | DNIF | Lateral Movement | Remote Services | 5 | Low |
| Base64 Encoding or Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
| Nmap Process Activity | DNIF | Discovery | System Network Connections Discovery | 3 | Low |
| Socat Process Activity | DNIF | Persistence | Event Triggered Execution | 5 | Low |
| Base16 or Base32 Encoding or Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
| File Permission Modification in Writable Directory | DNIF | Defense Evasion | File and Directory Permissions Modification | 5 | Low |
| Potential DNS Tunneling via Iodine | DNIF | Command and Control | Application Layer Protocol | 5 | Low |
| Potential Shell via Web Server | DNIF | Persistence | Web Shell | 5 | Low |
| Mknod Process Activity | DNIF | Privilege Escalation | Process Injection | 5 | Low |

/Advanced Threat Detection/Documents Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Suspicious File Download Activity by IP | DNIF | Exfiltration | Exfiltration Over Web Service | 5 | Medium |
| Suspicious File Access Activity by User | DNIF | Discovery | File and Directory Discovery | 5 | Medium |
| Suspicious File Delete Activity by User | DNIF | Impact | Data Destruction | 5 | Medium |
| Suspicious File Download Activity by User | DNIF | Exfiltration | Exfiltration Over Web Service | 5 | Medium |

/Advanced Threat Detection/Proxy Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| APT40 Dropbox Tool User Agent | community | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
| Windows WebDAV User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| Malware User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| Empire UserAgent URI Combo | community | Command and Control | Application Layer Protocol | 5 | Low |
| Empty User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| Windows PowerShell User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| CobaltStrike Malleable (OCSP) Profile | community | Command and Control | Application Layer Protocol | 5 | Low |
| Download from Suspicious TLD | community | Execution | User Execution | 5 | Low |
| iOS Implant URL Pattern | community | Credential Access | Unsecured Credentials | 5 | Low |
| Suspicious User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| Download from Suspicious Dyndns Hosts | community | Command and Control | Dynamic Resolution | 5 | Low |
| PwnDrp Access | community | Command and Control | Web Service | 5 | Low |
| APT User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| Telegram API Access | community | Command and Control | Web Service | 5 | Low |
| Possible FIN7 DGA Command and Control Behavior | DNIF | Command and Control | Application Layer Protocol | 5 | Low |
| CobaltStrike Malleable OneDrive Browsing Traffic Profile | community | Command and Control | Application Layer Protocol | 5 | Low |
| Crypto Miner User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| Hack Tool User Agent | community | Credential Access | Brute Force | 5 | Low |
| Download EXE from Suspicious TLD | community | Execution | User Execution | 5 | Low |
| Bitsadmin to Uncommon TLD | community | Defense Evasion | BITS Jobs | 5 | Low |
| Turla ComRAT | community | Command and Control | Application Layer Protocol | 5 | Low |
| Solarwinds backdoor C2 host name detected | DNIF | Initial Access | Supply Chain Compromise | 3 | Low |
| Halfbaked Command and Control Beacon | DNIF | Command and Control | Application Layer Protocol | 5 | Low |
| Ingress Tool Transfer | DNIF | Command and Control | Ingress Tool Transfer | 5 | Low |
| Excessive Failed URL Access From A Single Source | DNIF | Execution | User Execution | 4 | Medium |
| Flash Player Update from Suspicious Location | community | Defense Evasion | Masquerading | 5 | Low |
| Raw Paste Service Access | community | Command and Control | Web Service | 5 | Low |
| Chafer Malware URL Pattern | community | Command and Control | Application Layer Protocol | 5 | Low |
| Exploit Framework User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
| CobaltStrike Malleable Amazon Browsing Traffic Profile | community | Command and Control | Application Layer Protocol | 5 | Low |
| Public IP Reconnaissance Activity | DNIF | Discovery | System Network Configuration Discovery | 5 | Low |

/Advanced Threat Detection/Windows Network Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Data writes from SMB shares | DNIF | Collection | Data from Network Shared Drive | 6 | Medium |

/Visualization/OFFICE Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Mailbox Permission Changes | DNIF | | | | |
| Office Email Activity Timeline | DNIF | | | | |
| Multiple Account password reset detected by the same user | DNIF | | | | |
| Top Senders | DNIF | | | | |
| Executable File Uploaded OR Downloaded | DNIF | | | | |
| Inbox Rule Changes | DNIF | | | | |
| Top Users For IAM Activity | DNIF | | | | |
| Policy Added And Deleted | DNIF | | | | |
| Delegated Permission Grant To User | DNIF | | | | |
| Top Threat Detected In Office | DNIF | | | | |
| Top users Modifying files | DNIF | | | | |
| Top Recipients | DNIF | | | | |
| Office Authentication By Source Country | DNIF | | | | |

/Visualization/IAM Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Systems | DNIF | | | | |
| Top Users Creating Accounts | DNIF | | | | |
| Account Modification Activity | DNIF | | | | |
| IAM Activity | DNIF | | | | |
| Accounts Creation Activity | DNIF | | | | |
| Account Deletion Activity | DNIF | | | | |

/Visualization/NTA Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| MySQL Arguments | DNIF | | | | |
| Traffic Destination by Country | DNIF | | | | |
| TLS protocol version | DNIF | | | | |
| Top NTA Signals | DNIF | | | | |
| Connection activity | DNIF | | | | |
| DNS Destination Ports | DNIF | | | | |
| Top DNS Query | DNIF | | | | |
| Top Network Transport | DNIF | | | | |
| Data Transfer Activity | DNIF | | | | |
| Top Ports Accessed | DNIF | | | | |
| SSL Activity By Country Over Last Week | DNIF | | | | |
| Top Http Hosts | DNIF | | | | |
| FTP Activity | DNIF | | | | |
| Traffic Sources by Country | DNIF | | | | |
| Top 10 Applications | DNIF | | | | |
| Top Files accessed | DNIF | | | | |
| File MIME Type | DNIF | | | | |

/Visualization/Firewall Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Allowed Traffic by App | DNIF | | | | |
| Traffic Destinations by Country | DNIF | | | | |
| FTP Port Activity by Time | DNIF | | | | |
| RDP Destinations | DNIF | | | | |
| RDP Sources | DNIF | | | | |
| Top Destination Ports | DNIF | | | | |
| Total Outbound Traffic | DNIF | | | | |
| Total Inbound Traffic | DNIF | | | | |
| Blocked Traffic by Port | DNIF | | | | |
| FTP Destinations | DNIF | | | | |
| FTP Sources | DNIF | | | | |
| Traffic Sources by Country | DNIF | | | | |
| RDP WMI Port Activity by Time | DNIF | | | | |

/Visualization/Threat Alerts Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Systems Affected | DNIF | | | | |
| Top Web Threats | DNIF | | | | |
| Top Network Threats | DNIF | | | | |
| Alerts by SourceName | DNIF | | | | |
| Alerts by SourceType | DNIF | | | | |
| Top Threats | DNIF | | | | |
| Top Email Threats | DNIF | | | | |
| Top Host Threats | DNIF | | | | |
| Threats by Time | DNIF | | | | |

/Visualization/Cloud Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top AWS Failed Login Attempts | DNIF | | | | |
| Network Gateway Changes | DNIF | | | | |
| Unique Traffic Sources | DNIF | | | | |
| Top Eventsource Distribution | DNIF | | | | |
| S3 Bucket Policy changes | DNIF | | | | |
| Top AWS Signals | DNIF | | | | |
| Multiple Failed API Requests From Different Source IPs | DNIF | | | | |
| Cloudtrail Activity | DNIF | | | | |
| AWS Regions | DNIF | | | | |
| Network And Security Activity Timeline | DNIF | | | | |
| Critical EC2 Instance Has Been Stopped OR Terminated | DNIF | | | | |
| Detected A Successful Login To AWS Console From Different Geographies | DNIF | | | | |
| Key Pair Management configuration changes | DNIF | | | | |
| Top Security Group Configuration changes | DNIF | | | | |
| Created And Deleted Network And Security Events | DNIF | | | | |
| VPC Configuration Changes | DNIF | | | | |

/Visualization/Signal Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Suspects Hosts | DNIF | | | | |
| Total Signal Count - Weekly | DNIF | | | | |
| Top Hit Targets | DNIF | | | | |
| High Severity Signals | DNIF | | | | |
| Signal Stream Wise Distribution | DNIF | | | | |
| Detection Technique and Tactic | DNIF | | | | |
| Top Signals | DNIF | | | | |
| Signal Weekly Activity | DNIF | | | | |

/Visualization/Authentication Monitoring

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Users | DNIF | | | | |
| Authentication: Passed v Failed | DNIF | | | | |
| Top System for Authentication Failures | DNIF | | | | |
| Top Systems for Authentication Activity | DNIF | | | | |
| Authentication Activity from Source | DNIF | | | | |
| Authentication Failures by Source Country | DNIF | | | | |
| Net Failed Logins | DNIF | | | | |
| Authentication Activity | DNIF | | | | |

/Reports/FIREWALL

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Configuration Changes On Firewall | DNIF | | | | |
| Top Threat Sources | DNIF | | | | |
| Traffic Sources by Country | DNIF | | | | |
| Firewall Threats Trend | DNIF | | | | |
| All Destination Ports | DNIF | | | | |
| Blocked Traffic By Port | DNIF | | | | |
| Firewall Authentication: Passed v Failed | DNIF | | | | |
| SSH From Internet | DNIF | | | | |
| Threat Detected On Firewall | DNIF | | | | |
| Communication Observed From An Unusual Geo Location Source | DNIF | | | | |
| Top Common Firewall Events | DNIF | | | | |
| Top Targeted IPs | DNIF | | | | |
| Tor Activity To The Internet | DNIF | | | | |
| Non Https Url Accessed | DNIF | | | | |
| Unsuccessful Logins Summary | DNIF | | | | |
| Allowed Traffic by App | DNIF | | | | |
| Denied Traffic | DNIF | | | | |
| Data Egress From Top Source | DNIF | | | | |
| Data Ingress from Top Sources | DNIF | | | | |
| Inbound Traffic | DNIF | | | | |
| Traffic Destinations by Country | DNIF | | | | |
| Outbound SMB Traffic Detected | DNIF | | | | |
| Top IAM Activity On Firewall | DNIF | | | | |
| Top Threat Destinations | DNIF | | | | |
| Unsuccessful Remote Login Attempts | DNIF | | | | |
| FTP Activity to the Internet | DNIF | | | | |
| Top Talkers | DNIF | | | | |
| Top Users | DNIF | | | | |
| Outbound Traffic | DNIF | | | | |

/Compliance/Common/Monthly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Virus Sources Monthly | DNIF | | | | |
| Top Targeted IPs Monthly | DNIF | | | | |
| Top Virus Destinations Monthly | DNIF | | | | |
| Unsuccessful Mail Logins Monthly | DNIF | | | | |
| Unsuccessful Web Service Logins Monthly | DNIF | | | | |
| Remote Access Activity Monthly | DNIF | | | | |

/Compliance/Common/Weekly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Unsuccessful SSH Logins Weekly | DNIF | | | | |
| Unsuccessful Logins Summary Weekly | DNIF | | | | |
| Top Virus Sources Weekly | DNIF | | | | |
| Top Virus Destinations Weekly | DNIF | | | | |
| Unsuccessful Web Services Logins Weekly | DNIF | | | | |
| Unsuccessful Mail Logins Weekly | DNIF | | | | |
| Top Targeted IPs Weekly | DNIF | | | | |
| Successful Login Attempts Weekly | DNIF | | | | |

/Compliance/Common/Daily

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Unsuccessful Mail Logins Daily | DNIF | | | | |
| Top Users by Remote Access Activity Daily | DNIF | | | | |
| Top Virus Sources Daily | DNIF | | | | |
| Top Targeted IPs Daily | DNIF | | | | |
| Unsuccessful Web Services Logins Daily | DNIF | | | | |
| Top Virus Destinations Daily | DNIF | | | | |

/Compliance/SOX/Monthly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Users for Remote Access Activity Monthly | DNIF | | | | |

/Compliance/SOX/Daily

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Users for Remote Access Activity Daily | DNIF | | | | |

/Compliance/HIPAA/Monthly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Virus Sources And Destinations Monthly | DNIF | | | | |
| Outbound Traffic Monthly | DNIF | | | | |
| Denied Traffic Monthly | DNIF | | | | |
| Inbound Traffic Monthly | DNIF | | | | |

/Compliance/HIPAA/Weekly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Denied Traffic Weekly | DNIF | | | | |
| Top Virus Sources And Destinations Weekly | DNIF | | | | |
| Inbound Traffic Weekly | DNIF | | | | |
| Outbound Traffic Weekly | DNIF | | | | |

/Compliance/HIPAA/Daily

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Top Virus Sources And Destinations Daily | DNIF | | | | |
| Outbound Traffic Daily | DNIF | | | | |
| Inbound Traffic Daily | DNIF | | | | |
| Denied Traffic Daily | DNIF | | | | |

/Compliance/FISMA/Monthly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Unsuccessful TELNET Logins Monthly | DNIF | | | | |
| Unsuccessful Logins Summary Monthly | DNIF | | | | |
| Successful Login Attempts Monthly | DNIF | | | | |
| Unsuccessful SSH Logins Monthly | DNIF | | | | |

/Compliance/FISMA/Weekly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Successful Logins Weekly | DNIF | | | | |
| Unsuccessful Logins Weekly | DNIF | | | | |
| Unsuccessful TELNET Logins Weekly | DNIF | | | | |

/Compliance/FISMA/Daily

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| Unsuccessful Logins Daily | DNIF | | | | |
| Successful Logins Daily | DNIF | | | | |
| Remote Access Activity Summary Daily | DNIF | | | | |
| Unsuccessful SSH Logins Daily | DNIF | | | | |
| Unsuccessful Logins Summary Daily | DNIF | | | | |
| Unsuccessful Telnet Logins Daily | DNIF | | | | |
| Successful Login Attempts Daily | DNIF | | | | |

/Compliance/PCI/Monthly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| PCI 5-2 Top Malware Activity Monthly | DNIF | | | | |
| PCI 1-2-1b - Inbound Traffic Monthly | DNIF | | | | |
| PCI 1-2-1b - Outbound Traffic Monthly | DNIF | | | | |
| PCI 8-1 - User Account Changes Monthly | DNIF | | | | |
| PCI 10-2 - User Accounts Additions Monthly | DNIF | | | | |

/Compliance/PCI/Weekly

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| PCI 1-2-1b - Inbound Traffic Weekly | DNIF | | | | |
| PCI 8-1 - User Account Changes Weekly | DNIF | | | | |
| PCI 10-2 - User Accounts Additions Weekly | DNIF | | | | |
| PCI 1-2-1b - Outbound Traffic Weekly | DNIF | | | | |
| PCI 5-2 Top Malware Activity Weekly | DNIF | | | | |

/Compliance/PCI/Daily

| Workbook | Author | Tactic | Technique | Severity | Confidence |
|---|---|---|---|---|---|
| PCI 1-2-1b - Inbound Traffic Daily | DNIF | | | | |
| PCI 1-2-1 Outbound Traffic Daily | DNIF | | | | |
| PCI 5-2 Top Malware Activity Daily | DNIF | | | | |
| PCI 10-2 - User Accounts Additions Daily | DNIF | | | | |
| PCI 8-1 - User Account Changes Daily | DNIF | | | | |

About

License: GNU General Public License v2.0

Languages: Python 87.9%, Dockerfile 12.1%