capes-config.conf
{"datatypes": ["url", "other", "user-agent", "regexp", "mail_subject", "registry", "mail", "autonomous-system", "domain", "ip", "uri_path", "filename", "hash", "file", "fqdn"], "case_templates": [{"titlePrefix": "[Account Discovery]", "createdAt": 1539481106273, "metrics": {}, "createdBy": "admin", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Discovery", "order": 8}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": null, "order": 6}, "killChainPhase": {"string": "Reconnaissance", "order": 9}, "suricataAlertSignature": {"string": null, "order": 7}, "kibanaShortenedURL": {"string": null, "order": 5}}, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. 
Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to re-access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10},
{"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\n[Account Discovery](https://attack.mitre.org/wiki/Technique/T1087) is the tactic used by adversaries attempting to get a listing of local system or domain accounts.", "severity": 2, "tlp": 2, "status": "Ok", "name": "Account Enumeration", "updatedBy": "admin", "updatedAt": 1539483629444, "_type": "caseTemplate", "_routing": "AWZwOXdlYn0G3B_OOjvJ", "_parent": null, "_id": "AWZwOXdlYn0G3B_OOjvJ", "_version": 8, "id": "AWZwOXdlYn0G3B_OOjvJ"}, {"titlePrefix": "[Remote System Discovery]", "metrics": {}, "createdAt": 1539479995468, "createdBy": "admin", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Discovery", "order": 8}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": 
{"string": null, "order": 6}, "killChainPhase": {"string": "Reconnaissance", "order": 9}, "suricataAlertSignature": {"string": null, "order": 7}, "kibanaShortenedURL": {"string": null, "order": 5}}, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. 
Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to re-access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "description": "**REPLACE WITH CASE SPECIFIC DETAILS** \n\n[Remote System Discovery](https://attack.mitre.org/wiki/Technique/T1063) used by adversaries will likely be an attempt to get a listing of other systems by IP address, hostname, or other logical identifiers on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Other examples could also include [System Service Discovery](https://attack.mitre.org/wiki/Technique/T1007), [System Network Connections Discovery](https://attack.mitre.org/wiki/Technique/T1049), [System Network Configuration Discovery](https://attack.mitre.org/wiki/Technique/T1016), [Network Service Scanning ](https://attack.mitre.org/wiki/Technique/T1046), [Network Share Discovery](https://attack.mitre.org/wiki/Technique/T1135), or [System Information Discovery](https://attack.mitre.org/wiki/Technique/T1082).", "severity": 2, "tlp": 2, "status": "Ok", "name": "Network Enumeration", "updatedBy": "admin", "updatedAt": 1539483723258, "_type": "caseTemplate", "_routing": "AWZwKIRTYn0G3B_OOe5v", "_parent": null, "_id": "AWZwKIRTYn0G3B_OOe5v", "_version": 4, "id": "AWZwKIRTYn0G3B_OOe5v"}, {"metrics": {}, "createdBy": "admin", "titlePrefix": "[Phishing]", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Initial Access", "order": 8}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": null, "order": 6}, "killChainPhase": {"string": "Delivery", "order": 9}, 
"suricataAlertSignature": {"string": null, "order": 7}, "kibanaShortenedURL": {"string": null, "order": 5}}, "createdAt": 1539471683331, "name": "Phishing", "description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services. Examples could include [Spearphishing Attachments](https://attack.mitre.org/wiki/Technique/T1193), [Spearphishing Links](https://attack.mitre.org/wiki/Technique/T1192), and [Spearphishing via Service](https://attack.mitre.org/wiki/Technique/T1194)", "severity": 2, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. 
These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. Tags should be updated as appropriate. 
\n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to re-access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "tlp": 2, "status": "Ok", "updatedBy": "admin", "updatedAt": 1539483800002, "_type": "caseTemplate", "_routing": "AWZvqa8KYn0G3B_ON6tA", "_parent": null, "_id": "AWZvqa8KYn0G3B_ON6tA", "_version": 7, "id": "AWZvqa8KYn0G3B_ON6tA"}, {"titlePrefix": "[Drive-by Compromise]", "metrics": {}, "createdBy": "admin", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Initial Access", "order": 8}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": null, "order": 6}, "killChainPhase": {"string": "Exploitation", "order": 9}, "suricataAlertSignature": {"string": null, "order": 7}, "kibanaShortenedURL": {"string": null, "order": 5}}, "description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\nA [drive-by compromise](https://attack.mitre.org/wiki/Technique/T1189) is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. This can happen in several ways.", "createdAt": 1539471674838, "name": "Drive-by Compromise", "severity": 2, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. 
These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. Tags should be updated as appropriate. 
\n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to re-access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "tlp": 2, "status": "Ok", "updatedBy": "admin", "updatedAt": 1539483864045, "_type": "caseTemplate", "_routing": "AWZvqY3cYn0G3B_ON6qM", "_parent": null, "_id": "AWZvqY3cYn0G3B_ON6qM", "_version": 6, "id": "AWZvqY3cYn0G3B_ON6qM"}, {"metrics": {}, "createdBy": "admin", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Initial Access", "order": 8}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": null, "order": 6}, "killChainPhase": {"string": "Delivery", "order": 9}, "suricataAlertSignature": {"string": null, "order": 7}, "kibanaShortenedURL": {"string": null, "order": 5}}, "createdAt": 1539470434470, "description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\n[Attack a Public-Facing Application](https://attack.mitre.org/wiki/Technique/T1190) is the use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites but can include databases (like SQL), standard services (like SMB or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion. 
For websites and databases, the OWASP top 10 gives a good list of the top 10 most common web-based vulnerabilities.", "titlePrefix": "[Attack Public-Facing Application]", "severity": 2, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. 
Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to re-access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "tlp": 2, "status": "Ok", "name": "Attack Public-Facing Application", "updatedBy": "admin", "updatedAt": 1539483925312, "_type": "caseTemplate", "_routing": "AWZvlqCvYn0G3B_ON1Pq", "_parent": null, "_id": "AWZvlqCvYn0G3B_ON1Pq", "_version": 9, "id": "AWZvlqCvYn0G3B_ON1Pq"}, {"metrics": {}, "createdBy": "admin", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Persistence", "order": 7}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": "Host Logs (Sysmon, OSSEC (incl. Wazuh), osquery, etc.)", "order": 6}, "killChainPhase": {"string": "Installation", "order": 8}, "kibanaShortenedURL": {"string": null, "order": 5}}, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. 
These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. Tags should be updated as appropriate. 
\n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to re-access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "createdAt": 1539474998775, "titlePrefix": "[Scheduled Task]", "severity": 2, "tlp": 2, "status": "Ok", "description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\n[Scheduled Tasks](https://attack.mitre.org/wiki/Technique/T1053) is the use of utilities such as `at` and `schtasks`, along with the Windows Task Scheduler, to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. Examples could also include [Local Job Scheduling](https://attack.mitre.org/wiki/Technique/T1168).", "name": "Unknown Scheduled Task", "updatedBy": "admin", "updatedAt": 1539483985581, "_type": "caseTemplate", "_routing": "AWZv3EYFYn0G3B_OOJK-", "_parent": null, "_id": "AWZv3EYFYn0G3B_OOJK-", "_version": 8, "id": "AWZv3EYFYn0G3B_OOJK-"}, {"createdAt": 1539475198871, "metrics": {}, "createdBy": "admin", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Persistence", "order": 7}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": "Host Logs (Sysmon, OSSEC (incl. 
Wazuh), osquery, etc.)", "order": 6}, "killChainPhase": {"string": "Installation", "order": 8}, "kibanaShortenedURL": {"string": null, "order": 5}}, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. Tags should be updated as appropriate. 
\n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to regain access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "titlePrefix": "[Unknown Account]", "severity": 2, "tlp": 2, "status": "Ok", "description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\n[Create Account](https://attack.mitre.org/wiki/Technique/T1136) is when adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. The net user commands can be used to create a local or domain account.", "name": "Unknown Account", "updatedBy": "admin", "updatedAt": 1539484045313, "_type": "caseTemplate", "_routing": "AWZv31OeYn0G3B_OOKCw", "_parent": null, "_id": "AWZv31OeYn0G3B_OOKCw", "_version": 7, "id": "AWZv31OeYn0G3B_OOKCw"}, {"description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\n[Service Execution](https://attack.mitre.org/wiki/Technique/T1035) is when adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.", "metrics": {}, "createdBy": "admin", "titlePrefix": "[Unknown Service]", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Persistence", "order": 7}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": "Host Logs (Sysmon, OSSEC (incl. 
Wazuh), osquery, etc.)", "order": 6}, "killChainPhase": {"string": "Installation", "order": 8}, "kibanaShortenedURL": {"string": null, "order": 5}}, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes. \n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. Tags should be updated as appropriate. 
\n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to regain access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "createdAt": 1539474795426, "name": "Unknown Service", "severity": 2, "tlp": 2, "status": "Ok", "updatedBy": "admin", "updatedAt": 1539484097353, "_type": "caseTemplate", "_routing": "AWZv2SulYn0G3B_OOIQI", "_parent": null, "_id": "AWZv2SulYn0G3B_OOIQI", "_version": 7, "id": "AWZv2SulYn0G3B_OOIQI"}, {"metrics": {}, "createdBy": "admin", "customFields": {"incidentResponders": {"string": null, "order": 1}, "mattermostChannelName": {"string": null, "order": 2}, "hackMDNoteURL": {"string": null, "order": 4}, "aTTCKPhase": {"string": "Execution", "order": 8}, "mumbleRoomName": {"string": null, "order": 3}, "eventDetectionMethod": {"string": null, "order": 6}, "killChainPhase": {"string": "Exploitation", "order": 9}, "suricataAlertSignature": {"string": null, "order": 7}, "kibanaShortenedURL": {"string": null, "order": 5}}, "tasks": [{"title": "Notify Shift Lead", "description": "Notify the Shift Lead of an observed event.", "order": 0}, {"title": "Notify Intelligence Team", "description": "Notify the Intelligence Team that an event has been observed. Share contextual information as it is discovered.", "order": 1}, {"title": "Create Collaboration Channels", "description": "Create collaboration channels for Mattermost, Mumble, HackMD, etc. 
These should be updated on the Details tab under Additional Information.", "order": 2}, {"title": "Input Responder Information", "description": "Update the Details under Additional Information with the names of the responders.", "order": 3}, {"title": "Update Kibana URL", "description": "Update the Additional Information section in the Details tab with the shortened Kibana URL.\n\nIn Kibana, this is collected by selecting the `Share` menu in the top left of the screen and clicking the `Shorten URL` hyperlink.", "order": 4}, {"title": "Identify the Aggressor", "description": "Identify the `attacker` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes. This can be a remote host of malware detected on the removable media.\n\nThis should be recorded as an `Observable`, marked as `Sighted`, and (likely) marked as an `IOC`. Tags should be updated as appropriate. \n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 5}, {"title": "Identify the Victim", "description": "Identify the `victim` of an event. Profile and perform analysis on this entity IAW local policies and procedures. Store your findings in the Task Notes.\n\nThis should be recorded as an `Observable` and marked as `Sighted`. Tags should be updated as appropriate. 
\n\nIf there are other Cases that have observed this entity (an Eye icon next to the entity), this event could be part of a larger campaign and should potentially be rolled up into a campaign Case.", "order": 6}, {"title": "Update Case Details", "description": "Use the Task Notes to update the specific findings of the Case.\n\nThis should be a shared Task with the entire response team (Intelligence, Incident Response, Hunt Operators, Leaders, etc.)", "order": 7}, {"title": "Contain the Intrusion", "description": "Remove the adversary's freedom to operate and prevent new infections and re-infections of systems. This should also remove the adversary's ability to regain access by closing the mechanism they used for their initial intrusion.", "order": 8}, {"title": "Evict the Adversary", "description": "Remove the adversary's access and persistence to the contested environment.", "order": 9}, {"title": "Update the TLP", "description": "As details about the event are discovered, update the event TLP as appropriate using the [US-CERT's TLP decision matrix](https://www.us-cert.gov/tlp) on the Details tab under Additional Information.", "order": 10}, {"title": "Update the ATT&CK Phase", "description": "As details about the event are discovered, update the [ATT&CK Phase](https://attack.mitre.org/wiki/Main_Page) on the Details tab under Additional Information.", "order": 11}, {"title": "Update the Kill Chain Phase", "description": "As details about the event are discovered, update the [Kill Chain Phase](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) on the Details tab under Additional Information.", "order": 12}, {"title": "Return Systems to Operation", "description": "Once the systems have been properly restored, return them to operation.", "order": 13}, {"title": "Improve Security Countermeasures", "description": "Implement new, or enhance existing, security countermeasures. 
This could also include new network or host visibility requirements.", "order": 14}, {"title": "Generate Cyber Action Report", "description": "As appropriate, generate a CAR to provide additional contextual information for the Case.", "order": 15}], "name": "Malware Infection", "description": "**REPLACE WITH CASE SPECIFIC DETAILS**\n\nThe [Execution tactic](https://attack.mitre.org/wiki/Execution) represents techniques that result in the execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained, and lateral movement to expand access to remote systems on a network. Examples could include [User Execution](https://attack.mitre.org/wiki/Technique/T1204).", "severity": 2, "titlePrefix": "[Malware Infection]", "createdAt": 1539474203921, "tlp": 2, "status": "Ok", "updatedBy": "admin", "updatedAt": 1539484120967, "_type": "caseTemplate", "_routing": "AWZv0CUZYn0G3B_OOFrZ", "_parent": null, "_id": "AWZv0CUZYn0G3B_OOFrZ", "_version": 10, "id": "AWZv0CUZYn0G3B_OOFrZ"}], "custom_fields": [{"name": "Mattermost Channel Name", "reference": "mattermostChannelName", "description": "The name of the Mattermost chat channel within CAPES.", "type": "string", "options": []}, {"name": "Suricata Alert Signature", "reference": "suricataAlertSignature", "description": "The Suricata Alert field is \"alert.signature\" from RockNSM in the \"Suricata.*\" Index.", "type": "string", "options": []}, {"name": "Kill Chain Phase", "reference": "killChainPhase", "description": "Identify the position on the Kill Chain", "type": "string", "options": ["Reconnaissance", "Weaponization", "Delivery", "Exploitation", "Installation", "Command & Control", "Actions on Objective"]}, {"name": "Event Detection Method", "reference": "eventDetectionMethod", "description": "How was this event detected?", "type": "string", "options": ["Bro Alert (Notice, Intel framework, etc.)", "Bro Hunting", 
"Customer Reported", "Host Logs (Sysmon, OSSEC (incl. Wazuh), osquery, etc.)", "Suricata"]}, {"name": "Kibana Shortened URL", "reference": "kibanaShortenedURL", "description": "The shortened URL from the Kibana search.", "type": "string", "options": []}, {"name": "Mumble Room Name", "reference": "mumbleRoomName", "description": "The name of the Mumble room within CAPES.", "type": "string", "options": []}, {"name": "ATT&CK Phase", "reference": "aTTCKPhase", "description": "The phase of the event based on MITRE's ATT&CK matrix.", "type": "string", "options": ["Initial Access", "Execution", "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement", "Collection", "Exfiltration", "Command & Control"]}, {"name": "HackMD Note URL", "reference": "hackMDNoteURL", "description": "The HackMD collaboration note URL", "type": "string", "options": []}, {"name": "Incident Responders", "reference": "incidentResponders", "description": "The names of the responders working on this event.", "type": "string", "options": []}], "metrics": [{}]}