From 9da3392c991c2badcb88a715e791a55654c1c567 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 11:14:21 -0500 Subject: [PATCH] restructure of directory contents --- README.md | 26 +++++++++---------- Collection.md => Tactics/Collection.md | 0 .../CommandAndControl.md | 0 .../CredentialAccess.md | 0 .../DefenseEvasion.md | 0 Discovery.md => Tactics/Discovery.md | 0 Execution.md => Tactics/Execution.md | 4 +-- Exfiltration.md => Tactics/Exfiltration.md | 0 Impact.md => Tactics/Impact.md | 0 InitialAccess.md => Tactics/InitialAccess.md | 0 .../LateralMovement.md | 0 Persistence.md => Tactics/Persistence.md | 0 .../PrivilegeEscalation.md | 0 13 files changed, 15 insertions(+), 15 deletions(-) rename Collection.md => Tactics/Collection.md (100%) rename CommandAndControl.md => Tactics/CommandAndControl.md (100%) rename CredentialAccess.md => Tactics/CredentialAccess.md (100%) rename DefenseEvasion.md => Tactics/DefenseEvasion.md (100%) rename Discovery.md => Tactics/Discovery.md (100%) rename Execution.md => Tactics/Execution.md (94%) rename Exfiltration.md => Tactics/Exfiltration.md (100%) rename Impact.md => Tactics/Impact.md (100%) rename InitialAccess.md => Tactics/InitialAccess.md (100%) rename LateralMovement.md => Tactics/LateralMovement.md (100%) rename Persistence.md => Tactics/Persistence.md (100%) rename PrivilegeEscalation.md => Tactics/PrivilegeEscalation.md (100%) diff --git a/README.md b/README.md index 301ea97..d3e6051 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,5 @@ # ATT&CK Mapped SentinelOne Queries -MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity +[MITRE ATT&CK](https://attack.mitre.org/) mapped queries for SentinelOne Deep Visiblity This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections. 
@@ -7,29 +7,29 @@ This project aims to document SentinelOne Deep Visibility queries for detecting ## Tactics (COMPLETED) -[Privilege Escalation](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/PrivilegeEscalation.md) +[Privilege Escalation](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/PrivilegeEscalation.md) -[Initial Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/InitialAccess.md) +[Initial Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/InitialAccess.md) -[Persistence](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Persistence.md) +[Persistence](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Persistence.md) -[Execution](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Execution.md) +[Execution](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Execution.md) -[Lateral Movement](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/LateralMovement.md) +[Lateral Movement](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/LateralMovement.md) ## Tactics (IN PROGRESS) -[Defense Evasion](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/DefenseEvasion.md) +[Defense Evasion](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/DefenseEvasion.md) -[Impact](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Impact.md) +[Impact](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Impact.md) -[Discovery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Discovery.md) +[Discovery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Discovery.md) -[Command and 
Control](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CommandAndControl.md) +[Command and Control](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/CommandAndControl.md) -[Collection](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Collection.md) +[Collection](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Collection.md) -[Exfiltration](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Exfiltration.md) +[Exfiltration](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Exfiltration.md) -[Credential Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CredentialAccess.md) \ No newline at end of file +[Credential Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/CredentialAccess.md) \ No newline at end of file diff --git a/Collection.md b/Tactics/Collection.md similarity index 100% rename from Collection.md rename to Tactics/Collection.md diff --git a/CommandAndControl.md b/Tactics/CommandAndControl.md similarity index 100% rename from CommandAndControl.md rename to Tactics/CommandAndControl.md diff --git a/CredentialAccess.md b/Tactics/CredentialAccess.md similarity index 100% rename from CredentialAccess.md rename to Tactics/CredentialAccess.md diff --git a/DefenseEvasion.md b/Tactics/DefenseEvasion.md similarity index 100% rename from DefenseEvasion.md rename to Tactics/DefenseEvasion.md diff --git a/Discovery.md b/Tactics/Discovery.md similarity index 100% rename from Discovery.md rename to Tactics/Discovery.md diff --git a/Execution.md b/Tactics/Execution.md similarity index 94% rename from Execution.md rename to Tactics/Execution.md index 006be3e..4cd639c 100644 --- a/Execution.md +++ b/Tactics/Execution.md 
@@ -26,12 +26,12 @@ The tests for this technique overlap heavily with [T1566.001 Spearphishing Attac ### T1106 Native API Atomics: [T1106](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md) -There aren't any combination of available indicator types to query to find malicious uses of WinAPI for process execution, though this test can be detected through [T1027.004 Compile After Delivery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/DefenseEvasion.md#t1027004-compile-after-delivery) +There aren't any combination of available indicator types to query to find malicious uses of WinAPI for process execution, though this test can be detected through [T1027.004 Compile After Delivery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/DefenseEvasion.md#t1027004-compile-after-delivery) ### T1059.001 PowerShell Atomics: [T1059.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md) -Most of the Atomic Tests in this case are detected by their download cradles with [T1566.001 Test 1](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/InitialAccess.md#t1566001-spearphishing-attachment) or `IndicatorName = "ObfuscatedPSCommand"`, if not other LOLBAS detection methods for later portion of command execution. +Most of the Atomic Tests in this case are detected by their download cradles with [T1566.001 Test 1](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/InitialAccess.md#t1566001-spearphishing-attachment) or `IndicatorName = "ObfuscatedPSCommand"`, if not other LOLBAS detection methods for later portion of command execution. ### T1053.005 Scheduled Tasks Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md) 
diff --git a/Exfiltration.md b/Tactics/Exfiltration.md similarity index 100% rename from Exfiltration.md rename to Tactics/Exfiltration.md diff --git a/Impact.md b/Tactics/Impact.md similarity index 100% rename from Impact.md rename to Tactics/Impact.md diff --git a/InitialAccess.md b/Tactics/InitialAccess.md similarity index 100% rename from InitialAccess.md rename to Tactics/InitialAccess.md diff --git a/LateralMovement.md b/Tactics/LateralMovement.md similarity index 100% rename from LateralMovement.md rename to Tactics/LateralMovement.md diff --git a/Persistence.md b/Tactics/Persistence.md similarity index 100% rename from Persistence.md rename to Tactics/Persistence.md diff --git a/PrivilegeEscalation.md b/Tactics/PrivilegeEscalation.md similarity index 100% rename from PrivilegeEscalation.md rename to Tactics/PrivilegeEscalation.md
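Review bot: The README hunk at `@@ -1,5 +1,5 @@` rewrites the subtitle line but carries the existing typo "Deep Visiblity" across unchanged; since the line is already being touched, correct it to "Deep Visibility" (the next sentence spells it correctly) so the rename commit does not re-introduce the misspelling on the `+` side.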
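Review bot: The README hunk at `@@ -7,29 +7,29 @@` updates every tactic link by rewriting the absolute `https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/...` URL; consider relative links such as `[Privilege Escalation](Tactics/PrivilegeEscalation.md)` instead, which GitHub renders the same way but keep working in forks, on branches other than `master`, and in local clones, and would have avoided needing to edit all twelve lines for this move. The hunk also preserves `\ No newline at end of file` on the final `+[Credential Access]...` line; adding the trailing newline here would stop the warning from recurring on the next edit.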
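Review bot: In the Tactics/Execution.md hunk at `@@ -26,12 +26,12 @@`, the two cross-links are correctly retargeted to `Tactics/DefenseEvasion.md#t1027004-compile-after-delivery` and `Tactics/InitialAccess.md#t1566001-spearphishing-attachment`, but both `+` lines keep the grammatical slips of the originals: "There aren't any combination of available indicator types" should read "There is no combination of available indicator types", and "LOLBAS detection methods for later portion of command execution" needs "for the later portion". Since Execution.md now sits in the same `Tactics/` directory as the two targets, the links could also be shortened to `DefenseEvasion.md#...` and `InitialAccess.md#...` rather than absolute `blob/master` URLs, so the anchors survive a branch rename or a fork.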