
AC3 Threat Sightings

A threat sighting collects the behavior of a real threat and the observables used during its engagement (TTPs). Along with the context and the IOCs, all the activity is described in a YAML file in a way that is actionable for blue teamers.

The information in a threat sighting may include full command lines, API calls, file system activity, network activity, etc.

Blue teamers need to know all the details of an intrusion so that they can turn that information into actionable measures: active and passive countermeasures.


Disclaimer

Threat Sightings are not a Trellix Product


Security Product Awareness

Because AV products rely on pattern matching, they tend to key in on strings that commonly appear in activity observed or reported publicly.

Therefore, when you git clone the repo, your AV solution may report a detection of alleged malware.


This means your AV is under the assumption that malware exists, but in reality it is simply using its legacy pattern matcher features. Because threat sightings are YAML content in clear text, AV products will exhibit this behavior.

Goal

The goal of Threat Sightings is to help Blue Teamers understand every step taken by a threat during an attack with two clear ideas.

  1. In a format that allows the analyst to understand what happened during an intrusion with a simple reading
  2. Easy to interpret by programming languages to automate tasks

Writing principles

  • We balance human readability and machine readability
    • we envision these Threat Sightings to be consumed by humans
    • we envision these Threat Sightings to be consumed by machines/scripts
  • We capture Observables that are as close to the actual execution as possible
    • Capturing full command-line arguments is key
    • Capturing Process Hierarchy as part of the Observables is key
  • We do not include PII data in the Threat Sightings.
    • Command lines might contain user names, server names, passwords, etc.; none of that goes into the Threat Sighting
  • We peer-review changes to the Threat Sightings.
  • We peer-review changes in the schema for Threat Sightings.
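
The two principles above pull against each other: keep the full command line, but keep PII out of it. The following is an added example, not code from the Threat Sightings project, of scrubbing a command line before it is recorded while leaving switches and path structure intact; the placeholder tokens (`<USER>`, `<SERVER>`, `<PASSWORD>`), the switch patterns and the sample command line are assumptions made for illustration.

```python
import re

# Assumed redaction rules (not part of the Threat Sightings schema).
# Each rule keeps the switch or path prefix and replaces only the value.
RULES = [
    # C:\Users\<name>\... : keep the rest of the path for detection logic
    (re.compile(r'(?i)\b([a-z]:\\users\\)[^\\\s"]+'), r'\1<USER>'),
    # \\server or \\server\share : keep the share name
    (re.compile(r'(?<![^\s"])\\\\[^\\\s"]+'), r'\\\\<SERVER>'),
    # -u / /user: style switches followed by an account name
    (re.compile(r'(?i)(?<!\S)([/-](?:u|user)(?::|\s+))\S+'), r'\1<USER>'),
    # -p / /password: style switches followed by a secret
    (re.compile(r'(?i)(?<!\S)([/-](?:p|pass|password)(?::|\s+))\S+'),
     r'\1<PASSWORD>'),
]


def scrub(cmdline):
    """Return the command line with identifying values replaced."""
    for pattern, replacement in RULES:
        cmdline = pattern.sub(replacement, cmdline)
    return cmdline


def leaks(text, sensitive_terms):
    """Return the known-sensitive terms still present (case-insensitive).

    Useful as a peer-review gate: the list comes from the incident
    context and is never stored with the sighting itself.
    """
    lowered = text.lower()
    return [term for term in sensitive_terms if term.lower() in lowered]


# Constructed sample input; host, account and password are invented.
SAMPLE = (r'psexec.exe \\SRV-DB01 -u CORP\jdoe -p Summer2024! '
          r'cmd.exe /c type C:\Users\jdoe\Desktop\notes.txt')

if __name__ == "__main__":
    cleaned = scrub(SAMPLE)
    print(cleaned)
    print("leaked terms:", leaks(cleaned, ["jdoe", "SRV-DB01", "Summer2024!"]))
```

Pattern rules like these over-redact some harmless switches (for example a `-p` that is not a password) and miss positional secrets, so the `leaks` check against terms known from the incident is what a reviewer should rely on.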

Contributing

If you want to contribute, please read the following section about how to contribute.

References

ATT&CK MITRE - https://attack.mitre.org/

ATT&CK MITRE Sightings - https://attack.mitre.org/resources/sightings/

Sigma Rules - https://github.com/SigmaHQ/sigma

LOLBAS Project - https://lolbas-project.github.io/