OSCD Sprint #2: Backlog
This time we decided to detail the backlog to bite-size tasks with Estimated Time to Complete (ETC). For most of the tasks ETC is around 20-30 minutes. You can find these tasks in the GitHub issues listed in the tables below.
Also, we listed the knowledge required to solve these tasks. You can find details on that and other important topics in the OSCD How-To.
It worth mentioning that the backlog does not limit contributions. You are welcome to contribute your private analytics (Atomic Tests, Sigma Rules, TheHive Responders) that are outside of the defined scope.
Threat Detection
One of the most critical issues of the Sigma Project ruleset is the lack of ability to detect indicators of CMD/PowerShell commands obfuscation. This is our main focus for the Threat Detection part of the sprint.Also, there are a few tasks to develop Sigma rules for published Threat Detection researches and Threat Simulation tools.
| GitHub Issue (list of tasks inside) | Required Knowledge | |
|---|---|---|
| Windows: Invoke-Obfuscation | Regexes, Sigma Rules | < 30 min |
| Windows: Invoke-DOSfuscation | Regexes, Sigma Rules | ~ 1 hour |
| Windows: LOLBAS | Sigma Rules | < 30 min |
| Windows: Lateral Movement | Splunk queries, Sigma Rules | < 30 min |
| Windows: PowerShell Abuse | Kibana queries, Sigma Rules | < 30 min |
| Windows: Privilege Escalation | Kibana queries, Sigma Rules | < 30 min |
| Windows: ART cross-coverage | Atomic Red Team Tests, Sigma Rules | ~ 1 hour[*] |
| macOS: ART cross-coverage | Atomic Red Team Tests, Sigma Rules | ~ 1 hour |
| Linux: ART cross-coverage | Atomic Red Team Tests, Sigma Rules | ~ 1 hour[*] |
Adversary Simulation
We analyzed the actual coverage of Sigma rules by Atomic Red Team tests and developed a list of tests that are absent, and at the same time could be developed during the sprint.| GitHub Issue (list of tasks inside) | Required Knowledge | |
|---|---|---|
| Atomic Red Team tests for Windows | Atomic Red Team Tests, Sigma Rules | ~ 1 hour[*] |
| Atomic Red Team test for Linux | Atomic Red Team Tests, Sigma Rules | ~ 30 min |
Incident Response
The listed GitHub issues are independent tasks that include the development of one TheHive Responder with multiple Response Actions. These tasks are the most complex ones, that take a lot of time to complete (up to 16 hours if knowledge requirements met). It is recommended to work on them in groups of two-three specialists. Companions could be found in the comments to a specific GitHub Issue.| GitHub Issue | Required Knowledge | |
|---|---|---|
| Palo Alto NGFW | Python, TheHive Responders | ~ 16 hours |
| Carbon Black Predictive Security Cloud | Python, TheHive Responders | ~ 8 hours |
| Duo Security | Python, TheHive Responders | ~ 4 hours |
| Azure Active Directory | Python, TheHive Responders | ~ 4 hours |
| Google Gmail | Python, TheHive Responders | ~ 8 hours |
[*] ETC for most of the tasks. Those tasks that could take more time commented separately in the GitHub issue.