|
41 | 41 | "* Powershell: https://attack.mitre.org/techniques/T1086/ \n", |
42 | 42 | "* NTFS File Attributes: https://attack.mitre.org/techniques/T1096/\n", |
43 | 43 | "* File Permissions Modification: https://attack.mitre.org/techniques/T1222/ \n", |
44 | | - "* Indicator Blocking: https://attack.mitre.org/techniques/T1054/\n", |
| 44 | + "* Indicator Removal from Host: https://attack.mitre.org/techniques/T1070/\n", |
45 | 45 | "\n", |
46 | 46 | "*Consider: What extra threat information, in addition to the techniques, would be helpful at building detections?*" |
47 | 47 | ] |
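Review bot: the new line 44 names T1070 "Indicator Removal from Host", but the ATT&CK technique at that URL is titled "Indicator Removal on Host"; use the official name so the bullet matches the page it links to (`"* Indicator Removal on Host: https://attack.mitre.org/techniques/T1070/\n"`). Also note that this hunk swaps Indicator Blocking (T1054) for Indicator Removal rather than adding the latter, so the exercise loses a defence-evasion technique from its threat list; if both are meant to be in scope for the detection-prioritisation exercise, keep the T1054 bullet as well. Minor style point: lines 41 and 43 carry a trailing space before `\n` while 42 and the new 44 do not; make the spacing consistent.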
|
57 | 57 | "1. Making sure to have the APT1/APT3 layer in the navigator and the new custom layer in the navigator, hit the plus to create a new layer.\n", |
58 | 58 | "2. Adjust the formula and scoring so that you get prioritized detections. How would you weight these different sets of intelligence? What are your top techniques?" |
59 | 59 | ] |
60 | | - }, |
61 | | - { |
62 | | - "cell_type": "markdown", |
63 | | - "metadata": {}, |
64 | | - "source": [ |
65 | | - "# Formulate our detection strategy\n", |
66 | | - "\n", |
67 | | - "Let's assume we want to detect the techniques used in the recent Blue Panda campaign. How would we see which techniques we could cover given our data sources?\n", |
68 | | - "\n", |
69 | | - "1. Keeping your prioritization heatmap in the navigator, open up your data sources layer.\n", |
70 | | - "2. Create a new layer that shows you, of your prioritized techniques:\n", |
71 | | - " * Which can be detected given current data collection\n", |
72 | | - " * Where you have gaps.\n", |
73 | | - "\n", |
74 | | - "*Consider: What data sources might you want to add to increase coverage?*" |
75 | | - ] |
76 | 60 | } |
77 | 61 | ], |
78 | 62 | "metadata": { |
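Review bot: this hunk deletes the entire "Formulate our detection strategy" markdown cell (old lines 61 to 75) with no replacement in the diff, which removes the step where the learner overlays the prioritised-techniques heatmap on the data sources layer to find coverage gaps, along with the closing prompt "*Consider: What data sources might you want to add to increase coverage?*". The preceding cell still ends by asking "What are your top techniques?", so the notebook now stops at prioritisation without the coverage analysis that motivated it; either confirm the cell was moved to another notebook and add a pointer to it, or keep the cell. If the deletion is intentional, the commit message should say why.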
|