Incident Response Process and Playbooks | Goal: Playbooks to be Mapped to MITRE Attack Techniques

Overview

Join the chat at https://gitter.im/Incident-Playbook/community

PURPOSE OF PROJECT

This project is to be built by the SOC/Incident Response community.

  • Develop a Catalog of Incident Response Playbooks for every MITRE ATT&CK Technique (for which it is possible to make one).
  • Develop a Catalog of Incident Response Playbooks for uncommon incidents.
  • Develop a Catalog of Exercise Scenarios that can be used for training purposes.
  • Develop a Catalog of tools used for Incident Response [Plus Reviews for the different tools].
  • Develop a Catalog of Incident Response Automations.
  • Develop a Catalog of Checklists [For Before, During, After Incidents].
  • Develop a Catalog of Roles that an organization can use to build their own program.
  • Develop a Catalog of Event Codes and API Actions that you can or will see in SIEM Detections.


Incident Response Phases

This project uses a modified Incident Response Process that mixes the SANS Incident Response Process and the NIST Incident Response Process.

NOTE: The common "Preparation" phase is not a phase of this Incident Response Process; instead, each playbook includes a (P) Preparation section at its beginning.

More than one phase can be running in parallel.

  1. Investigate
  2. Remediate (contain, eradicate)
  3. Communicate
  4. Recover
  5. Lessons Learned

If you have any changes that you think would improve this incident response process, please create an issue describing what you want to change.

Inspiration For This Project

Just felt like there was something missing for Incident Response: a central place for playbooks, SIEM processes, forensics and other processes around Incident Response.

Comments
  • Create Investigation Plan.md

    This adds a rough step-based plan for a generic approach to investigating data for an incident, based on the NIST guide.

    I created this for work and thought it might be an idea to incorporate this here. It also partially covers both Analyze Evidence.md and Collect Evidence.md, so maybe we could discuss how to merge it properly if this plan provides value :)

    opened by japhlange 1
  • [New-Playbook] T1052.001 - Exfiltration over USB

    • https://github.com/austinsonger/Incident-Playbook/blob/main/Playbooks/MITRE-ATTACK/Exfiltration/T1052%20-%20Exfiltration%20Over%20Physical%20Medium/T1052.001%20-%20Exfiltration%20over%20USB.md

    Checklist

    • [ ] Investigate
    • [ ] Remediate
    • [ ] Communicate
    • [ ] Recover
    Labels: Help Wanted, New-Playbook, Exfiltration, Priority:HIGH
    opened by austinsonger 1
  • Make codespell a mandatory test

    This change removes the `|| true` to make codespell a mandatory test, reverts three word changes (hda, keep-alives, keypair) and adds those words to the `--ignore-words-list`.

    opened by cclauss 0
  • [QUESTION] Typos discovered by codespell

    Describe the Question

    $ codespell

    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:164: Virtural ==> Virtual
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:165: Virtural ==> Virtual
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:245: pass-thru ==> pass-through, pass through, passthrough
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:246: pass-thru ==> pass-through, pass through, passthrough
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:247: pass-thru ==> pass-through, pass through, passthrough
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:248: pass-thru ==> pass-through, pass through, passthrough
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:293: inluding ==> including
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:344: aci ==> acpi
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:345: aci ==> acpi
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1282: coNETion ==> connection
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1283: coNETion ==> connection
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1284: coNETion ==> connection
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1285: coNETion ==> connection
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1344: Instal ==> Install
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1345: Instal ==> Install
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1346: Instal ==> Install
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1347: Instal ==> Install
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1582: sais ==> says
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:1583: sais ==> says
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2428: Paradym ==> Paradigm
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2429: Paradym ==> Paradigm
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2690: SER ==> SET
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2691: SER ==> SET
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:2897: disgnostics ==> diagnostics
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3002: Composit ==> Composite
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3003: Composit ==> Composite
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3330: TE ==> THE, BE, WE, TO
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3331: TE ==> THE, BE, WE, TO
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3630: Messanger ==> Messenger
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:3631: Messanger ==> Messenger
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4738: bre ==> be, brie
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4739: bre ==> be, brie
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4844: Messenging ==> Messaging
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:4845: Messenging ==> Messaging
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5245: contol ==> control
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5259: authenication ==> authentication
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5260: managment ==> management
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5261: managment ==> management
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5261: managment ==> management
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5270: Uninterruptable ==> Uninterruptible
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5271: Uninterruptable ==> Uninterruptible
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5280: Contol ==> Control
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5284: provids ==> provides, proves
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5285: provids ==> provides, proves
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5606: Pass-Thru ==> pass-through, pass through, passthrough
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5607: Pass-Thru ==> pass-through, pass through, passthrough
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5686: WAN ==> WANT
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:5687: WAN ==> WANT
    ./SIEM/Event-Codes-and-API-Event-Actions/ServicePorts.md:6694: Inferface ==> Interface
    ./SIEM/Event-Codes-and-API-Event-Actions/Windows/AUTORUNS.md:20: hda ==> had
    ./SIEM/Event-Codes-and-API-Event-Actions/Windows/AUTORUNS.md:20: HDA ==> HAD
    ./SIEM/Event-Codes-and-API-Event-Actions/Windows/Event-Codes.md:393: occured ==> occurred
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:37: FO ==> OF, FOR
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:365: occured ==> occurred
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:368: occured ==> occurred
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:368: attemtping ==> attempting
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:391: firware ==> firmware
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:403: ND ==> AND, 2ND
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:580: Keep-alives ==> Keep-alive
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:580: keep-alives ==> keep-alive
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:646: onthe ==> on the
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:648: keypair ==> key pair
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:1331: Keypair ==> Key pair
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:1982: FO ==> OF, FOR
    ./SIEM/Event-Codes-and-API-Event-Actions/Cisco/ASA.md:1983: FO ==> OF, FOR
    ./SIEM/Event-Codes-and-API-Event-Actions/Linux/Linux-Message-Dictionary.md:191: Usersapce ==> Userspace
    ./Playbooks/MITRE-ATTACK/Impact/T1491-Defacement-(T1491.001,T1491.002).md:308: occurr ==> occur
    ./Playbooks/MITRE-ATTACK/Exfiltration/T1052.001 - Exfiltration over USB.md:13: feasable ==> feasible
    ./Playbooks/Actions/01. Prepare (Pre-Event)/README.md:9: thats ==> that's
    

    Additional context Add any other context about the problem here.

    Labels: Question
    opened by cclauss 0
  • Bug: ' Update Investigative Plan and Incident File.md' file name invalid on OneDrive

    Path: "Incident-Response/Incident-Response-Phases/01. Investigate/ Update Investigative Plan and Incident File.md"

    Unknown character at beginning of ' Update Investigative Plan and Incident File.md' is causing an invalid file name error after git clone on Windows systems with OneDrive enabled. Suggest renaming of file to remove initial unknown character.

    opened by co-devs 0
  • Bug: 'Rapid7 Insightconnect ' folder name invalid on Windows

    Path: "Automations/SOAR-Automations/Rapid7 Insightconnect /README.md"

    Space after 'Rapid7 Insightconnect' is causing an invalid path error during git clone on Windows systems. Suggest removal of the space after 'Insightconnect'.

    opened by co-devs 0
  • T1052.001

    Hope again that it's good. Sadly not so much to do without going into too much detail for each operating system, which might be a good idea for a later time. But for now it should give some good guidance :)

    Fixes #71

    opened by sn0b4ll 0
  • [IncidentResponseChange] ./Incident-Response/Tools/Loki should be resynced

    Describe the change you'd like A clear and concise description of what you want to happen.

    ./Incident-Response/Tools/Loki should be resynced from https://github.com/Neo23x0/Loki to resolve 14 of the 31 undefined name errors raised in our GitHub Actions.

    Additional context Add any other context or screenshots about the feature request here.

    Labels: Incident Response Change
    opened by cclauss 0
  • Use ==/!= to compare constant literals (str, bytes, int, float, tuple)

    We propose these changes because identity is not the same thing as equality in Python...

    $ python3

    >>> windows = "window"
    >>> windows += "s"
    >>> windows == "windows"
    True
    >>> windows is "windows"
    <stdin>:1: SyntaxWarning: "is" with a literal. Did you mean "=="?
    False
    
    opened by cclauss 0
  • Use print() function in both Python 2 and Python 3

    opened by cclauss 0
  • Add a Gitter chat badge to README.md

    austinsonger/Incident-Playbook now has a Chat Room on Gitter

    @austinsonger has just created a chat room. You can visit it here: https://gitter.im/Incident-Playbook/community.

    This pull-request adds this badge to your README.md:

    Gitter

    If my aim is a little off, please let me know.

    Happy chatting.

    PS: Click here if you would prefer not to receive automatic pull-requests from Gitter in future.

    opened by gitter-badger 0
  • [New-Playbook] T1059.001 - PowerShell

    • https://github.com/austinsonger/Incident-Playbook/blob/main/Playbooks/MITRE-ATTACK/Execution/T1059.001%20-%20PowerShell.md

    Checklist

    • [ ] Investigate
    • [ ] Remediate
    • [ ] Communicate
    • [ ] Recover
    Labels: Help Wanted, New-Playbook, Execution, Priority:MEDIUM
    opened by austinsonger 0
  • [New-Playbook] T1059 - Command and Scripting Interpreter

    • https://github.com/austinsonger/Incident-Playbook/blob/main/Playbooks/MITRE-ATTACK/Execution/T1059%20Command%20and%20Scripting%20Interpreter.md

    Checklist

    • [ ] Investigate
    • [ ] Remediate
    • [ ] Communicate
    • [ ] Recover
    Labels: Help Wanted, New-Playbook, Execution, Priority:MEDIUM
    opened by austinsonger 0
Owner
Austin Songer
Certified Ethical Hacker (CEH), Certified Security Analyst (ESCA) Project+ Bash, Python