center-for-threat-informed-defense / summiting-the-pyramid Goto Github PK

Change levels 2/3 to reflect applications within adversary control and outside adversary control, respectively. Ensure all materials within all pages reflect this change.

Need to redo the readme so it points to our materials available for Participant feedback and each new merge should update it if there are new materials to review.

Improved analytic writeup for access token manipulation

Improved Analytics pages need to be modified to align with 2D model.

Looking to organizing git repo to push to participants through Sphinx

In the first blog post, several of the ADFind images can be replaced with text. Since we need to add in data sources to the image content anyways (as they weren't originally a part of the methodology), might as well replace the rest of the images at the same time.

Hoping to make it clearer what is required to develop and render repo content locally.

Adding in a new post about analytic evadability and how boolean logic in an analytic relates to the overall score.

Adding in a new improved analytic

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml

Go through GitHub and remove "interface" from level 7 references. Will rename just to kernel.

I try to apply this in relation with my project Avred (related to Antivirus signatures), and it got me thinking.

If an AV has a signature of a tool, it will be Level 2. But is it A, U, or K?

The AV itself will be an userspace application, but its usually protected by the OS, and acting upon OS file write events, so it's "secure" like K.
Same if an AV or EDR is doing disk- or in-memory scanning with yara rules, what exactly is the data source? What if executed on-demand for hunting? What if the yara scanner is downloaded and executed manually and interactive by the user?

After deliberation, we will be focusing primarily on robustness and how an observable might be more evadable. The terms "evadability" and "evasiveness" should be replaced with robustness or other terms which better explain a behavior.

Need to add the existing analytics that have been improved according to the StP methodology

Exploring using the print to pdf functionality to create a PDF deliverable. Latex was giving problems and the output doesn't really match what a user on the website would see.

Have the scored analytics CSV available for download on the GitHub website

Fixing the original analytic score

The current leveling display is a bit crowded and difficult to read. Looking into a new way to showcase the observables in each level.

Observable

PowerShell EventID 4104 ScriptBlockText

Observable Placement

Level 2, Column A

Research

When detecting for specific values in ScriptBlockText, we're basically looking for a string representation of another observable. For example, this could be a registry key, config file, file, or process name. However, it is easy for an adversary to alter values in ScriptBlockText...they can mangle strings, split into multiple values, permutate or do operations like XOR so that the output value is as desired, but the actual text in the script is obfuscated.

Additional Notes

See https://github.com/center-for-threat-informed-defense/summiting-the-pyramid/blob/main/docs/analytics/service_registry_permissions_weakness_check.rst for additional information

Contributed By

michael5486, RobertSchull

LOE2 has scored new analytics and reviewed previous analytics to ensure alignment with methodology and levels updates.

Refactor Scheduled Tasks improved analytic page to 2D model

Add new template for users looking to contribute new observable

Looks like we could have a glossary on the web site if desired? https://sublime-and-sphinx-guide.readthedocs.io/en/latest/glossary.html

Refactor the AMSI Evasion Improved Analytic Page to 2D model

Updating scored analytic spreadsheet to 2D methodology