command_sample.yml
32 lines (31 loc) · 1.56 KB
# Command should contain the full command line being documented.
# Description should describe what the command line is doing and how it is doing it - NOT document the tool being abused (that is done in the tool documentation).
# killchain should include any relevant Cyber Kill Chain phases.
# MITRE tactics/techniques should be documented with each new tactic as an individual array key whose value lists its techniques.
# OS should contain any relevant operating systems.
# References should contain a list of references for this specific command line.
# Risk should contain (Low|Medium|High|Critical) based on the potential consequences of this particular command.
# Risk Reason should contain the reasoning for the assigned risk.
# Fidelity should contain (Low|Medium|High) based upon the potential false positives or noise from alerting on this particular command line.
# Fidelity Reason should describe why the fidelity is rated as such - is the command rare for most orgs, is this particular sequence of arguments rare or common, is it a common tool that happens to be abused, etc.
# tool should contain the name of the primary tool in use, without extensions.
# ThreatActors should contain the Group ID from MITRE with relevant references for each group - in the future we will join on an actors_collection data sequence which contains additional actor details such as aliases, etc.
- command:
  description:
  killchain:
    - Actions on Objectives
  mitre:
    tactic1:
      - technique1
  os:
    - Windows
  references:
    - url1
  risk:
  risk_reason:
  fidelity:
  fidelity_reason:
  tool:
  threatactors:
    N/A:
      - N/A
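As an added example, not part of this repository: a small Python validator that applies the rules stated in the comments above to one parsed entry. It assumes the file has already been loaded with a YAML parser (for example yaml.safe_load), and its sample entry is constructed here with placeholder values.

```python
# Validator for one command entry from a command_sample.yml-style file.
# Entry is assumed already loaded into a dict; the sample below is constructed.

RISK_LEVELS = ("Low", "Medium", "High", "Critical")
FIDELITY_LEVELS = ("Low", "Medium", "High")
REQUIRED_KEYS = ("command", "description", "killchain", "mitre", "os", "references",
                 "risk", "risk_reason", "fidelity", "fidelity_reason", "tool", "threatactors")


def _is_str_list(value):
    return isinstance(value, list) and bool(value) and all(
        isinstance(v, str) and v for v in value)


def validate_entry(entry):
    """Return a list of problems (empty means the entry matches the schema)."""
    problems = [f"missing or empty field: {k}" for k in REQUIRED_KEYS
                if entry.get(k) in (None, "", [], {})]
    # risk and fidelity are closed vocabularies per the template comments
    if entry.get("risk") not in RISK_LEVELS:
        problems.append(f"risk must be one of {RISK_LEVELS}")
    if entry.get("fidelity") not in FIDELITY_LEVELS:
        problems.append(f"fidelity must be one of {FIDELITY_LEVELS}")
    # killchain, os and references are plain lists of strings
    for key in ("killchain", "os", "references"):
        if not _is_str_list(entry.get(key)):
            problems.append(f"{key} must be a non-empty list of strings")
    # mitre and threatactors are mappings whose values are lists:
    # tactic -> [techniques], MITRE group ID -> [references]
    for key in ("mitre", "threatactors"):
        mapping = entry.get(key)
        if not isinstance(mapping, dict) or not mapping:
            problems.append(f"{key} must be a non-empty mapping of lists")
            continue
        for name, items in mapping.items():
            if not _is_str_list(items):
                problems.append(f"{key}[{name!r}] must be a list of strings")
    # tool is the bare program name, without an extension
    if "." in str(entry.get("tool", "")):
        problems.append("tool must be given without a file extension")
    return problems


# Constructed sample entry with placeholder values, mirroring the template.
SAMPLE_ENTRY = {
    "command": "example.exe /placeholder", "tool": "example",
    "description": "Placeholder: what the command line does and how.",
    "killchain": ["Actions on Objectives"], "os": ["Windows"],
    "mitre": {"tactic1": ["technique1"]}, "references": ["url1"],
    "risk": "Medium", "risk_reason": "Placeholder reasoning.",
    "fidelity": "High", "fidelity_reason": "Placeholder reasoning.",
    "threatactors": {"N/A": ["N/A"]},
}
```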