Incident Response Process and Playbooks | Goal: Playbooks to be Mapped to MITRE Attack Techniques

This adds a rough step-based plan for a generic approach to investigating data for an incident, based on the NIST guide.

I created this for work and thought it might be an idea to incorporate this here. It also covers partially both Analyze Evidence.md and Collect Evidence.md so maybe we could discuss how to merge that properly if this plan provides value :)

• https://github.com/austinsonger/Incident-Playbook/blob/main/Playbooks/MITRE-ATTACK/Exfiltration/T1052%20-%20Exfiltration%20Over%20Physical%20Medium/T1052.001%20-%20Exfiltration%20over%20USB.md

Checklist

• [ ] Investigate
• [ ] Remediate
• [ ] Communicate
• [ ] Recover

This change removes the || true to make codespell a mandatory test and reverts three word changes (hda, keep-alives, keypair) and adds those words to the --ignore-words-list.

Describe the Question

$ codespell

./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:164: Virtural ==> Virtual
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:165: Virtural ==> Virtual
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:245: pass-thru ==> pass-through, pass through, passthrough
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:246: pass-thru ==> pass-through, pass through, passthrough
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:247: pass-thru ==> pass-through, pass through, passthrough
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:248: pass-thru ==> pass-through, pass through, passthrough
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:293: inluding ==> including
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:344: aci ==> acpi
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:345: aci ==> acpi
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1282: coNETion ==> connection
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1283: coNETion ==> connection
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1284: coNETion ==> connection
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1285: coNETion ==> connection
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1344: Instal ==> Install
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1345: Instal ==> Install
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1346: Instal ==> Install
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1347: Instal ==> Install
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1582: sais ==> says
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1583: sais ==> says
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2428: Paradym ==> Paradigm
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2429: Paradym ==> Paradigm
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2690: SER ==> SET
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2691: SER ==> SET
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2897: disgnostics ==> diagnostics
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3002: Composit ==> Composite
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3003: Composit ==> Composite
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3330: TE ==> THE, BE, WE, TO
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3331: TE ==> THE, BE, WE, TO
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3630: Messanger ==> Messenger
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3631: Messanger ==> Messenger
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4738: bre ==> be, brie
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4739: bre ==> be, brie
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4844: Messenging ==> Messaging
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4845: Messenging ==> Messaging
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5245: contol ==> control
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5259: authenication ==> authentication
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5260: managment ==> management
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5261: managment ==> management
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5261: managment ==> management
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5270: Uninterruptable ==> Uninterruptible
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5271: Uninterruptable ==> Uninterruptible
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5280: Contol ==> Control
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5284: provids ==> provides, proves
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5285: provids ==> provides, proves
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5606: Pass-Thru ==> pass-through, pass through, passthrough
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5607: Pass-Thru ==> pass-through, pass through, passthrough
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5686: WAN ==> WANT
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5687: WAN ==> WANT
./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:6694: Inferface ==> Interface
./SIEM/Event-Codes-and-API-Event-Actions/Windows/AUTORUNS.md:20: hda ==> had
./SIEM/Event-Codes-and-API-Event-Actions/Windows/AUTORUNS.md:20: HDA ==> HAD
./SIEM/Event-Codes-and-API-Event-Actions/Windows/Event-Codes.md:393: occured ==> occurred
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:37: FO ==> OF, FOR
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:365: occured ==> occurred
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:368: occured ==> occurred
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:368: attemtping ==> attempting
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:391: firware ==> firmware
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:403: ND ==> AND, 2ND
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:580: Keep-alives ==> Keep-alive
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:580: keep-alives ==> keep-alive
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:646: onthe ==> on the
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:648: keypair ==> key pair
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:1331: Keypair ==> Key pair
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:1982: FO ==> OF, FOR
./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:1983: FO ==> OF, FOR
./SIEM/Event-Codes-and-API-Event-Actions/Linux/Linux-Message-Dictionary.md:191: Usersapce ==> Userspace
./Playbooks/MITRE-ATTACK/Impact/T1491-Defacement-(T1491.001,T1491.002).md:308: occurr ==> occur
./Playbooks/MITRE-ATTACK/Exfiltration/T1052.001 - Exfiltration over USB.md:13: feasable ==> feasible
./Playbooks/Actions/01. Prepare (Pre-Event)/README.md:9: thats ==> that's

Additional context Add any other context about the problem here.

Path: "Incident-Response/Incident-Response-Phases/01. Investigate/ Update Investigative Plan and Incident File.md"

Unknown character at beginning of ' Update Investigative Plan and Incident File.md' is causing an invalid file name error after git clone on Windows systems with OneDrive enabled. Suggest renaming of file to remove initial unknown character.

Path: "Automations/SOAR-Automations/Rapid7 Insightconnect /README.md"

Space after 'Rapid7 Insightconnect' is causing an invalid path error during git clone on Windows systems. Suggest removal of space after 'Insightconnect'

Hope again that it's good. Sadly not so much to do without going into to much detail for each operating system, which might be good idea for a later time. But for now it should give some good guidance :)

Fixes #71

Describe the change you'd like A clear and concise description of what you want to happen.

./Incident-Response/Tools/Loki should be resynced from https://github.com/Neo23x0/Loki to resolve 14 of the 31 undefined name errors raised in our GitHub Actions.

Additional context Add any other context or screenshots about the feature request here.

We propose these changes because identity is not the same thing as equality in Python...

$ python3

>>> windows = "window"
>>> windows += "s"
>>> windows == "windows"
True
>>> windows is "windows"
<stdin>:1: SyntaxWarning: "is" with a literal. Did you mean "=="?
False

An alternative to this PR would be to grab and up-to-date copy of https://github.com/Neo23x0/Loki which seems to pass Travis CI tests on Python 3.8.

Add basic Python 3 compatibility to ./Incident-Response/Tools/Loki/tools/

Fixes flake8 E999 Syntax Errors in our GitHub Actions. https://github.com/austinsonger/Incident-Playbook/actions

futurize -f lib2to3.fixes.fix_except -f libfuturize.fixes.fix_print_with_import -w ./tools/vt-checker.py ./tools/vt-checker-hosts.py

austinsonger/Incident-Playbook now has a Chat Room on Gitter

@austinsonger has just created a chat room. You can visit it here: https://gitter.im/Incident-Playbook/community.

This pull-request adds this badge to your README.md:

If my aim is a little off, please let me know.

Happy chatting.

PS: Click here if you would prefer not to receive automatic pull-requests from Gitter in future.

• https://github.com/austinsonger/Incident-Playbook/blob/main/Playbooks/MITRE-ATTACK/Execution/T1059.001%20-%20PowerShell.md

Checklist

• [ ] Investigate
• [ ] Remediate
• [ ] Communicate
• [ ] Recover

• https://github.com/austinsonger/Incident-Playbook/blob/main/Playbooks/MITRE-ATTACK/Execution/T1059%20Command%20and%20Scripting%20Interpreter.md

Checklist

• [ ] Investigate
• [ ] Remediate
• [ ] Communicate
• [ ] Recover