Fix/cleanup doc links (#14)

* fix markdown doc image links * remove unused files/dirs * fix markdown doc image links * remove unused files/dirs * fix: remove demo/docs folder duplicate * cleanup directory structure * first pass at repo cleanup * fix: remove yaml pre-commit (doesn’t like multidoc files) * fix readme link * fix: remove duplicated images * directory cleanup * more dir cleanup * more cleanup * added readmes in subdirectories * add support folder to resources summary * fix ssh-key analytic filters * add new gcp rule * broaden ssh key audit filter for consistency with upstream * fix typo in public access rule * fix typo, missing mapping, added gcp priv group add analytic * fixed mapping for new rule * add readme to analytics folder * tweak title of vpc controls rule * add heatmap and svg of sigma rules * added control number for release * wip of sigma rule doc * s/CTID/Center for Threat-Informed Defense * s/CTID/Center for Threat-Informed Defense part deux * marked in progress docs as in progress
center-for-threat-informed-defense · Jul 19, 2022 · bdcad82 · bdcad82
1 parent 1a7d11f
commit bdcad82
Show file tree

Hide file tree

Showing 71 changed files with 502 additions and 162 deletions.
diff --git a/.coveragerc b/.coveragerc
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,7 +2,6 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.1.0
     hooks:
-      - id: check-yaml
       - id: end-of-file-fixer
       - id: trailing-whitespace
       - id: debug-statements

diff --git a/README.md b/README.md
@@ -2,9 +2,14 @@
 
 Cloud Analytics helps defenders detect attacks to their cloud infrastructure by developing behavioral analytics to detect attacks to cloud platforms and a blueprint for how others can create and use cloud analytics effectively.
 
-## Blueprint Document Draft
+## Resources
 
-A draft of the [Blueprint document is available in the repository](DRAFT_Analytics_Blueprint.pdf)
+| Resource | Description |
+|----------|-------------|
+| [Blueprint Document](/docs/DRAFT_Analytics_Blueprint.pdf) | Best practices and lessons learned for developing cloud analytics. |
+| [Analytics](/analytics/README.md) | Analytics generated in Sigma format for the project. |
+| [Adversary Emulation Tips](/emulation/README.md) | Documentation on reproducing adversary emulation events for the project. |
+| [Support Resources](/support/README.md) | Resources not part of final deliverable, but potentially useful. |
 
 ## Questions and Feedback
 
@@ -14,7 +19,7 @@ Also see the guidance for contributors if are you interested in contributing or
 
 ## Notice
 
-Copyright 2021 MITRE Engenuity. Approved for public release. Document number XXXXX
+Copyright 2022 MITRE Engenuity. Approved for public release. Document number CT0053
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 

diff --git a/analytics/README.md b/analytics/README.md
@@ -0,0 +1,30 @@
+# Analytics
+
+## List of Analytics
+
+
+
+| Analytic                                                     | Description                                                  | ATT&CK TTP                                                   |
+| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
+| Autoscaling Threshold Exceeded (Azure)                       | Sigma correlation rule that identifies when the number of instances in the resource group is greater than the threshold | Resource Hijacking (T1496)                                   |
+| Guest User Privilege Escalation (Azure)                      | Identifies when a guest user has privileges escalated to Global Administrator. | Valid Accounts (T1078)                                       |
+| Guest User Privilege Escalation then Storage Blob Access Modified (Azure) | Sigma correlation rule that identifies the sequence of events when privileges of a guest user are escalated, and the same guest user makes a storage container for public access. | Valid Accounts (T1078), Modify Cloud Compute Infrastructure (T1578) |
+| Role Elevated Outside of PIM (Azure)                         | Identifies when a privileged role assignment has been made outside of the Privileged Identity Management tool. | Domain Policy Modification (T1484)                           |
+| Service Principal Privilege Escalation (Azure)               | Identifies when a service principal has privileges escalated to Global Administrator. | Valid Accounts (T1078)                                       |
+| Storage Blob Access Modified (Azure)                         | Identifies when a previously existing storage container has access control modified to enable public access. | Modify Cloud Compute Infrastructure (T1578)                  |
+| Multi-Factor Authentication Failure Threshold Exceeded (Azure) | Identifies when a user has failed multifactor authentication within a time window more than a pre-defined threshold. | Credential Access: Multi-Factor Authentication Request Generation (T1621) |
+| Autoscaling Threshold Exceeded (GCP)                         | Sigma correlation rule that identifies when autoscaling events have exceeded a pre-threshold. | Resource Hijacking (T1496)                                   |
+| Permissions Granted Over Service Account (GCP)               | Identifies when permissions granted to principal to impersonate or create keys for a service account. | Domain Policy Modification: Domain Trust Modification (T1484.002) |
+| SSH Key Added (GCP)                                          | Identifies when an SSH key is added to an instance.          | Account Manipulation: Additional Cloud Credentials (T1098.001) |
+| Google Storage Bucket Access Modified (GCP)                  | Identifies when a previously existing storage container has access control modified to enable public access. | Modify Cloud Compute Infrastructure (T1578)                  |
+| Google VPC Service Controls Violation for Storage Bucket Access (GCP) | Identifies when a Storage Bucket access attempt has been blocked by VPC Service Controls. | Valid Accounts: Cloud Accounts (T1078.004), Exfiltration: Transfer Data to Cloud Account (T1537) |
+| Workspace Login Marked Suspicious (GCP)                      | Identifies when a workspace login is marked suspicious.      | Valid Accounts: Cloud Accounts (T1078.004)                   |
+| Workspace User Added to Privileged Group (GCP)               | Identifies when a user is added to a privileged group.       | Valid Accounts: Cloud Accounts (T1078.004), Account Manipulation: Additional Cloud Roles (T1098.003) |
+
+## ATT&CK Mapping
+
+
+
+ATT&CK Navigator heatmap of sigma rules.
+
+![](cloud_analytics_sigma_rules_heatmap.svg)
diff --git a/analytics/azure_autoscaling_threshold_exceeded.yml b/analytics/azure_autoscaling_threshold_exceeded.yml
@@ -2,7 +2,7 @@ title: Azure Autoscaling Threshold Exceeded
 id: bebf2bb1-cdc0-4dd3-9cd9-d77fa4739cf7
 name: autoscaling_event
 description: Identifies when the number of instances in the resource group is greater than the threshold.
-author: CTID MITRE, Michael Butt
+author: Center for Threat-Informed Defense, Michael Butt
 status: experimental
 date: 2022/06/07
 logsource:

diff --git a/analytics/azure_guest_user_priv_escalation.yml b/analytics/azure_guest_user_priv_escalation.yml
@@ -2,7 +2,7 @@ title: Azure Guest User Privilege Escalation
 id: ab2a0702-9e32-400e-b410-897993bad169
 name: azure_guest_user_priv_esc
 description: Identifies when a guest user has privileges escalated to Global Administrator.
-author: CTID MITRE, Michael Butt
+author: Center for Threat-Informed Defense, Michael Butt
 status: experimental
 date: 2022/06/07
 logsource:

diff --git a/analytics/azure_role_elevated_outside_pim.yml b/analytics/azure_role_elevated_outside_pim.yml
@@ -1,7 +1,7 @@
 title: Role Elevated Outside of PIM
 id: abd97f2e-bfb3-4aa5-b55e-0480c70a736e
 description: Identifies when a privileged role assignment has been made outside of the Privileged Identity Management tool.
-author: CTID MITRE, Michael Butt
+author: Center for Threat-Informed Defense, Michael Butt
 status: experimental
 date: 2022/06/07
 references:

diff --git a/analytics/azure_service_principal_priv_escalation.yml b/analytics/azure_service_principal_priv_escalation.yml
@@ -1,7 +1,7 @@
 title: Service Principal Privilege Escalation
 id: a6cca0de-5f89-4949-8a2d-20982510cf9f
 description: Identifies when a service principal has privileges escalated to Global Administrator.
-author: CTID MITRE, Michael Butt
+author: Center for Threat-Informed Defense, Michael Butt
 status: experimental
 date: 2022/06/07
 references:

diff --git a/analytics/azure_storage_container_modified_for_public_access.yml b/analytics/azure_storage_container_modified_for_public_access.yml
@@ -2,7 +2,7 @@ title: Azure Storage Blob Access Modified
 id: b3ffe973-457d-4a00-bb5f-4ceb1cda5308
 name: azure_storage_mod_public
 description: Identifies when a previously existing storage container has access control modified to enable public access
-author: CTID MITRE, Michael Butt
+author: Center for Threat-Informed Defense, Michael Butt
 status: experimental
 date: 2022/05/17
 references: