@blamejs/exceptd-skills 0.12.26 → 0.12.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/AGENTS.md +3 -0
  2. package/CHANGELOG.md +60 -0
  3. package/bin/exceptd.js +73 -1
  4. package/data/_indexes/_meta.json +22 -19
  5. package/data/_indexes/activity-feed.json +26 -5
  6. package/data/_indexes/catalog-summaries.json +3 -3
  7. package/data/_indexes/chains.json +994 -64
  8. package/data/_indexes/currency.json +28 -1
  9. package/data/_indexes/frequency.json +428 -124
  10. package/data/_indexes/handoff-dag.json +70 -19
  11. package/data/_indexes/jurisdiction-map.json +37 -12
  12. package/data/_indexes/section-offsets.json +282 -0
  13. package/data/_indexes/stale-content.json +2 -2
  14. package/data/_indexes/summary-cards.json +198 -0
  15. package/data/_indexes/token-budget.json +168 -3
  16. package/data/_indexes/trigger-table.json +190 -0
  17. package/data/_indexes/xref.json +145 -2
  18. package/data/attack-techniques.json +104 -19
  19. package/data/framework-control-gaps.json +498 -11
  20. package/data/playbooks/cloud-iam-incident.json +1351 -0
  21. package/data/playbooks/idp-incident.json +1259 -0
  22. package/data/playbooks/ransomware.json +1407 -0
  23. package/data/rfc-references.json +44 -0
  24. package/lib/flag-suggest.js +4 -0
  25. package/lib/playbook-runner.js +117 -10
  26. package/manifest-snapshot.json +227 -3
  27. package/manifest-snapshot.sha256 +1 -1
  28. package/manifest.json +282 -41
  29. package/package.json +1 -1
  30. package/sbom.cdx.json +7 -7
  31. package/skills/cloud-iam-incident/skill.md +419 -0
  32. package/skills/idp-incident-response/skill.md +352 -0
  33. package/skills/ransomware-response/skill.md +374 -0
package/data/_indexes/xref.json CHANGED
@@ -45,6 +45,7 @@
45
45
  "webapp-security"
46
46
  ],
47
47
  "CWE-345": [
48
+ "idp-incident-response",
48
49
  "mcp-agent-trust"
49
50
  ],
50
51
  "CWE-352": [
@@ -96,12 +97,15 @@
96
97
  ],
97
98
  "CWE-269": [
98
99
  "attack-surface-pentest",
100
+ "cloud-iam-incident",
99
101
  "container-runtime-security",
100
102
  "identity-assurance",
103
+ "idp-incident-response",
101
104
  "webapp-security"
102
105
  ],
103
106
  "CWE-732": [
104
107
  "attack-surface-pentest",
108
+ "cloud-iam-incident",
105
109
  "cloud-security",
106
110
  "container-runtime-security",
107
111
  "identity-assurance",
@@ -149,9 +153,12 @@
149
153
  "CWE-287": [
150
154
  "age-gates-child-safety",
151
155
  "api-security",
156
+ "cloud-iam-incident",
152
157
  "cloud-security",
153
158
  "identity-assurance",
159
+ "idp-incident-response",
154
160
  "ot-ics-security",
161
+ "ransomware-response",
155
162
  "sector-energy",
156
163
  "sector-financial",
157
164
  "sector-healthcare",
@@ -165,9 +172,11 @@
165
172
  "sector-telecom"
166
173
  ],
167
174
  "CWE-798": [
175
+ "cloud-iam-incident",
168
176
  "cloud-security",
169
177
  "identity-assurance",
170
178
  "ot-ics-security",
179
+ "ransomware-response",
171
180
  "sector-energy",
172
181
  "sector-financial"
173
182
  ],
@@ -182,13 +191,22 @@
182
191
  ],
183
192
  "CWE-863": [
184
193
  "api-security",
194
+ "cloud-iam-incident",
185
195
  "identity-assurance",
196
+ "idp-incident-response",
186
197
  "sector-financial",
187
198
  "webapp-security"
188
199
  ],
189
200
  "CWE-1037": [
190
201
  "ot-ics-security",
191
202
  "sector-energy"
203
+ ],
204
+ "CWE-522": [
205
+ "cloud-iam-incident",
206
+ "idp-incident-response"
207
+ ],
208
+ "CWE-284": [
209
+ "idp-incident-response"
192
210
  ]
193
211
  },
194
212
  "d3fend_refs": {
@@ -217,23 +235,31 @@
217
235
  "D3-IOPR": [
218
236
  "ai-attack-surface",
219
237
  "ai-c2-detection",
238
+ "cloud-iam-incident",
220
239
  "defensive-countermeasure-mapping",
221
240
  "dlp-gap-analysis",
222
241
  "fuzz-testing-strategy",
242
+ "idp-incident-response",
223
243
  "rag-pipeline-security",
244
+ "ransomware-response",
224
245
  "sector-telecom"
225
246
  ],
226
247
  "D3-NTA": [
227
248
  "ai-attack-surface",
228
249
  "ai-c2-detection",
229
250
  "attack-surface-pentest",
251
+ "cloud-iam-incident",
230
252
  "defensive-countermeasure-mapping",
231
253
  "dlp-gap-analysis",
254
+ "idp-incident-response",
232
255
  "rag-pipeline-security",
256
+ "ransomware-response",
233
257
  "sector-telecom"
234
258
  ],
235
259
  "D3-CBAN": [
260
+ "cloud-iam-incident",
236
261
  "defensive-countermeasure-mapping",
262
+ "idp-incident-response",
237
263
  "mcp-agent-trust",
238
264
  "supply-chain-integrity"
239
265
  ],
@@ -243,7 +269,8 @@
243
269
  "defensive-countermeasure-mapping",
244
270
  "dlp-gap-analysis",
245
271
  "mcp-agent-trust",
246
- "rag-pipeline-security"
272
+ "rag-pipeline-security",
273
+ "ransomware-response"
247
274
  ],
248
275
  "D3-EHB": [
249
276
  "defensive-countermeasure-mapping",
@@ -251,7 +278,9 @@
251
278
  "supply-chain-integrity"
252
279
  ],
253
280
  "D3-MFA": [
281
+ "cloud-iam-incident",
254
282
  "defensive-countermeasure-mapping",
283
+ "idp-incident-response",
255
284
  "mcp-agent-trust"
256
285
  ],
257
286
  "D3-CA": [
@@ -288,10 +317,14 @@
288
317
  "defensive-countermeasure-mapping"
289
318
  ],
290
319
  "D3-RPA": [
291
- "defensive-countermeasure-mapping"
320
+ "defensive-countermeasure-mapping",
321
+ "ransomware-response"
292
322
  ],
293
323
  "D3-SCP": [
294
324
  "defensive-countermeasure-mapping"
325
+ ],
326
+ "D3-CAA": [
327
+ "cloud-iam-incident"
295
328
  ]
296
329
  },
297
330
  "framework_gaps": {
@@ -545,6 +578,72 @@
545
578
  ],
546
579
  "ITU-T-X.805": [
547
580
  "sector-telecom"
581
+ ],
582
+ "OFAC-SDN-Payment-Block": [
583
+ "ransomware-response"
584
+ ],
585
+ "Insurance-Carrier-24h-Notification": [
586
+ "ransomware-response"
587
+ ],
588
+ "EU-Sanctions-Reg-2014-833-Cyber": [
589
+ "ransomware-response"
590
+ ],
591
+ "Immutable-Backup-Recovery": [
592
+ "ransomware-response"
593
+ ],
594
+ "Decryptor-Availability-Pre-Decision": [
595
+ "ransomware-response"
596
+ ],
597
+ "PHI-Exfil-Before-Encrypt-Breach-Class": [
598
+ "ransomware-response"
599
+ ],
600
+ "FedRAMP-IL5-IAM-Federated": [
601
+ "cloud-iam-incident"
602
+ ],
603
+ "CISA-Snowflake-AA24-IdP-Cloud": [
604
+ "cloud-iam-incident"
605
+ ],
606
+ "NIST-800-53-AC-2-Cross-Account": [
607
+ "cloud-iam-incident"
608
+ ],
609
+ "ISO-27017-Cloud-IAM": [
610
+ "cloud-iam-incident"
611
+ ],
612
+ "SOC2-CC6-Access-Key-Leak-Public-Repo": [
613
+ "cloud-iam-incident"
614
+ ],
615
+ "AWS-Security-Hub-Coverage-Gap": [
616
+ "cloud-iam-incident"
617
+ ],
618
+ "UK-CAF-B2-Cloud-IAM": [
619
+ "cloud-iam-incident"
620
+ ],
621
+ "AU-ISM-1546-Cloud-Service-Account": [
622
+ "cloud-iam-incident"
623
+ ],
624
+ "NIST-800-53-IA-5-Federated": [
625
+ "idp-incident-response"
626
+ ],
627
+ "ISO-27001-2022-A.5.16-Federated": [
628
+ "idp-incident-response"
629
+ ],
630
+ "SOC2-CC6-OAuth-Consent": [
631
+ "idp-incident-response"
632
+ ],
633
+ "UK-CAF-B2-IdP-Tenant": [
634
+ "idp-incident-response"
635
+ ],
636
+ "AU-ISM-1559-IdP": [
637
+ "idp-incident-response"
638
+ ],
639
+ "NIS2-Art-21-Federated-Identity": [
640
+ "idp-incident-response"
641
+ ],
642
+ "DORA-Art-19-IdP-4h": [
643
+ "idp-incident-response"
644
+ ],
645
+ "OFAC-Sanctions-Threat-Actor-Negotiation": [
646
+ "idp-incident-response"
548
647
  ]
549
648
  },
550
649
  "atlas_refs": {
@@ -559,6 +658,7 @@
559
658
  "ai-attack-surface",
560
659
  "ai-risk-management",
561
660
  "attack-surface-pentest",
661
+ "cloud-iam-incident",
562
662
  "dlp-gap-analysis",
563
663
  "identity-assurance",
564
664
  "incident-response-playbook",
@@ -636,6 +736,7 @@
636
736
  "ai-attack-surface",
637
737
  "attack-surface-pentest",
638
738
  "mcp-agent-trust",
739
+ "ransomware-response",
639
740
  "webapp-security"
640
741
  ],
641
742
  "T1190": [
@@ -680,10 +781,12 @@
680
781
  "age-gates-child-safety",
681
782
  "api-security",
682
783
  "attack-surface-pentest",
784
+ "cloud-iam-incident",
683
785
  "cloud-security",
684
786
  "email-security-anti-phishing",
685
787
  "identity-assurance",
686
788
  "incident-response-playbook",
789
+ "ransomware-response",
687
790
  "sector-energy",
688
791
  "sector-financial",
689
792
  "sector-healthcare",
@@ -694,6 +797,7 @@
694
797
  "api-security",
695
798
  "dlp-gap-analysis",
696
799
  "incident-response-playbook",
800
+ "ransomware-response",
697
801
  "sector-financial",
698
802
  "sector-healthcare"
699
803
  ],
@@ -736,12 +840,14 @@
736
840
  ],
737
841
  "T1486": [
738
842
  "incident-response-playbook",
843
+ "ransomware-response",
739
844
  "sector-financial"
740
845
  ],
741
846
  "T1098": [
742
847
  "sector-telecom"
743
848
  ],
744
849
  "T1199": [
850
+ "idp-incident-response",
745
851
  "sector-telecom"
746
852
  ],
747
853
  "T1552": [
@@ -761,6 +867,29 @@
761
867
  ],
762
868
  "T1566.003": [
763
869
  "email-security-anti-phishing"
870
+ ],
871
+ "T1078.004": [
872
+ "cloud-iam-incident",
873
+ "idp-incident-response"
874
+ ],
875
+ "T1098.001": [
876
+ "cloud-iam-incident",
877
+ "idp-incident-response"
878
+ ],
879
+ "T1552.005": [
880
+ "cloud-iam-incident"
881
+ ],
882
+ "T1580": [
883
+ "cloud-iam-incident"
884
+ ],
885
+ "T1538": [
886
+ "cloud-iam-incident"
887
+ ],
888
+ "T1556.007": [
889
+ "idp-incident-response"
890
+ ],
891
+ "T1606.002": [
892
+ "idp-incident-response"
764
893
  ]
765
894
  },
766
895
  "rfc_refs": {
@@ -780,8 +909,10 @@
780
909
  ],
781
910
  "RFC-7519": [
782
911
  "api-security",
912
+ "cloud-iam-incident",
783
913
  "cloud-security",
784
914
  "identity-assurance",
915
+ "idp-incident-response",
785
916
  "mcp-agent-trust",
786
917
  "sector-financial",
787
918
  "sector-healthcare",
@@ -801,8 +932,10 @@
801
932
  ],
802
933
  "RFC-8725": [
803
934
  "api-security",
935
+ "cloud-iam-incident",
804
936
  "cloud-security",
805
937
  "identity-assurance",
938
+ "idp-incident-response",
806
939
  "mcp-agent-trust",
807
940
  "sector-financial",
808
941
  "webapp-security"
@@ -816,6 +949,7 @@
816
949
  "RFC-9421": [
817
950
  "ai-c2-detection",
818
951
  "api-security",
952
+ "idp-incident-response",
819
953
  "mcp-agent-trust",
820
954
  "sector-financial",
821
955
  "sector-healthcare"
@@ -862,6 +996,15 @@
862
996
  ],
863
997
  "RFC-9622": [
864
998
  "sector-telecom"
999
+ ],
1000
+ "RFC-8693": [
1001
+ "cloud-iam-incident"
1002
+ ],
1003
+ "RFC-9068": [
1004
+ "cloud-iam-incident"
1005
+ ],
1006
+ "RFC-7591": [
1007
+ "idp-incident-response"
865
1008
  ]
866
1009
  },
867
1010
  "dlp_refs": {}
package/data/attack-techniques.json CHANGED
@@ -64,7 +64,9 @@
64
64
  "tactic": "Stealth",
65
65
  "tactic_moved_from": "Defense Evasion",
66
66
  "tactic_id": "TA0005",
67
- "detection_strategies": ["DS0009"]
67
+ "detection_strategies": [
68
+ "DS0009"
69
+ ]
68
70
  },
69
71
  "T1040": {
70
72
  "name": "Network Sniffing",
@@ -86,7 +88,10 @@
86
88
  "name": "Command and Scripting Interpreter",
87
89
  "version": "v19",
88
90
  "tactic": "Execution",
89
- "detection_strategies": ["DS0009", "DS0017"]
91
+ "detection_strategies": [
92
+ "DS0009",
93
+ "DS0017"
94
+ ]
90
95
  },
91
96
  "T1059.001": {
92
97
  "name": "Command and Scripting Interpreter: PowerShell",
@@ -132,6 +137,15 @@
132
137
  "name": "Account Manipulation",
133
138
  "version": "v19"
134
139
  },
140
+ "T1098.001": {
141
+ "name": "Account Manipulation: Additional Cloud Credentials",
142
+ "version": "v19",
143
+ "tactic": "Persistence",
144
+ "detection_strategies": [
145
+ "DS0002",
146
+ "DS0028"
147
+ ]
148
+ },
135
149
  "T1102": {
136
150
  "name": "Web Service",
137
151
  "version": "v19"
@@ -192,7 +206,10 @@
192
206
  "name": "Data Encrypted for Impact",
193
207
  "version": "v19",
194
208
  "tactic": "Impact",
195
- "detection_strategies": ["DS0007", "DS0011"]
209
+ "detection_strategies": [
210
+ "DS0007",
211
+ "DS0011"
212
+ ]
196
213
  },
197
214
  "T1505": {
198
215
  "name": "Server Software Component",
@@ -266,7 +283,9 @@
266
283
  "name": "Modify Authentication Process",
267
284
  "version": "v19",
268
285
  "tactic": "Credential Access",
269
- "detection_strategies": ["DS0002"]
286
+ "detection_strategies": [
287
+ "DS0002"
288
+ ]
270
289
  },
271
290
  "T1557": {
272
291
  "name": "Adversary-in-the-Middle",
@@ -278,7 +297,10 @@
278
297
  "tactic": "Defense Impairment",
279
298
  "tactic_moved_from": "Defense Evasion",
280
299
  "tactic_id": "TA0112",
281
- "detection_strategies": ["DS0017", "DS0022"]
300
+ "detection_strategies": [
301
+ "DS0017",
302
+ "DS0022"
303
+ ]
282
304
  },
283
305
  "T1562.006": {
284
306
  "name": "Impair Defenses: Indicator Blocking",
@@ -286,7 +308,9 @@
286
308
  "tactic": "Defense Impairment",
287
309
  "tactic_moved_from": "Defense Evasion",
288
310
  "tactic_id": "TA0112",
289
- "detection_strategies": ["DS0017"]
311
+ "detection_strategies": [
312
+ "DS0017"
313
+ ]
290
314
  },
291
315
  "T1565": {
292
316
  "name": "Data Manipulation",
@@ -345,6 +369,15 @@
345
369
  "name": "Forge Web Credentials: Web Cookies",
346
370
  "version": "v19"
347
371
  },
372
+ "T1606.002": {
373
+ "name": "Forge Web Credentials: SAML Tokens",
374
+ "version": "v19",
375
+ "tactic": "Credential Access",
376
+ "detection_strategies": [
377
+ "DS0002",
378
+ "DS0026"
379
+ ]
380
+ },
348
381
  "T1610": {
349
382
  "name": "Deploy Container",
350
383
  "version": "v19"
@@ -353,7 +386,10 @@
353
386
  "name": "Escape to Host",
354
387
  "version": "v19",
355
388
  "tactic": "Privilege Escalation",
356
- "detection_strategies": ["DS0009", "DS0029"]
389
+ "detection_strategies": [
390
+ "DS0009",
391
+ "DS0029"
392
+ ]
357
393
  },
358
394
  "T1613": {
359
395
  "name": "Container and Resource Discovery",
@@ -365,7 +401,9 @@
365
401
  "tactic": "Stealth",
366
402
  "tactic_id": "TA0005",
367
403
  "added_in": "v19",
368
- "detection_strategies": ["DS0009"]
404
+ "detection_strategies": [
405
+ "DS0009"
406
+ ]
369
407
  },
370
408
  "T1480.003": {
371
409
  "name": "Execution Guardrails: Mutex Lock",
@@ -373,42 +411,58 @@
373
411
  "tactic": "Stealth",
374
412
  "tactic_id": "TA0005",
375
413
  "added_in": "v19",
376
- "detection_strategies": ["DS0009"]
414
+ "detection_strategies": [
415
+ "DS0009"
416
+ ]
377
417
  },
378
418
  "T1059.013": {
379
419
  "name": "Command and Scripting Interpreter: Cloud API",
380
420
  "version": "v19",
381
421
  "tactic": "Execution",
382
422
  "added_in": "v18",
383
- "detection_strategies": ["DS0017", "DS0025"]
423
+ "detection_strategies": [
424
+ "DS0017",
425
+ "DS0025"
426
+ ]
384
427
  },
385
428
  "T1556.007": {
386
429
  "name": "Modify Authentication Process: Hybrid Identity",
387
430
  "version": "v19",
388
431
  "tactic": "Credential Access",
389
432
  "added_in": "v18",
390
- "detection_strategies": ["DS0002", "DS0028"]
433
+ "detection_strategies": [
434
+ "DS0002",
435
+ "DS0028"
436
+ ]
391
437
  },
392
438
  "T1486.004": {
393
439
  "name": "Data Encrypted for Impact: Data Theft Before Encryption",
394
440
  "version": "v19",
395
441
  "tactic": "Impact",
396
442
  "added_in": "v19",
397
- "detection_strategies": ["DS0007", "DS0011", "DS0029"]
443
+ "detection_strategies": [
444
+ "DS0007",
445
+ "DS0011",
446
+ "DS0029"
447
+ ]
398
448
  },
399
449
  "T1682": {
400
450
  "name": "Query Public AI Services",
401
451
  "version": "v19",
402
452
  "tactic": "Reconnaissance",
403
453
  "added_in": "v19",
404
- "detection_strategies": ["DS0029"]
454
+ "detection_strategies": [
455
+ "DS0029"
456
+ ]
405
457
  },
406
458
  "T1683": {
407
459
  "name": "Generate Content",
408
460
  "version": "v19",
409
461
  "tactic": "Resource Development",
410
462
  "added_in": "v19",
411
- "detection_strategies": ["DS0029"]
463
+ "detection_strategies": [
464
+ "DS0029"
465
+ ]
412
466
  },
413
467
  "T1685": {
414
468
  "name": "Disable or Modify Tools",
@@ -416,7 +470,10 @@
416
470
  "tactic": "Defense Impairment",
417
471
  "tactic_id": "TA0112",
418
472
  "added_in": "v19",
419
- "detection_strategies": ["DS0017", "DS0022"]
473
+ "detection_strategies": [
474
+ "DS0017",
475
+ "DS0022"
476
+ ]
420
477
  },
421
478
  "T1686": {
422
479
  "name": "Disable or Modify System Firewall",
@@ -424,7 +481,9 @@
424
481
  "tactic": "Defense Impairment",
425
482
  "tactic_id": "TA0112",
426
483
  "added_in": "v19",
427
- "detection_strategies": ["DS0017"]
484
+ "detection_strategies": [
485
+ "DS0017"
486
+ ]
428
487
  },
429
488
  "T1687": {
430
489
  "name": "Exploitation for Defense Impairment",
@@ -432,7 +491,9 @@
432
491
  "tactic": "Defense Impairment",
433
492
  "tactic_id": "TA0112",
434
493
  "added_in": "v19",
435
- "detection_strategies": ["DS0009"]
494
+ "detection_strategies": [
495
+ "DS0009"
496
+ ]
436
497
  },
437
498
  "T1689": {
438
499
  "name": "Downgrade Attack",
@@ -440,7 +501,9 @@
440
501
  "tactic": "Defense Impairment",
441
502
  "tactic_id": "TA0112",
442
503
  "added_in": "v19",
443
- "detection_strategies": ["DS0029"]
504
+ "detection_strategies": [
505
+ "DS0029"
506
+ ]
444
507
  },
445
508
  "T1690": {
446
509
  "name": "Prevent Command History Logging",
@@ -448,6 +511,28 @@
448
511
  "tactic": "Defense Impairment",
449
512
  "tactic_id": "TA0112",
450
513
  "added_in": "v19",
451
- "detection_strategies": ["DS0017"]
514
+ "detection_strategies": [
515
+ "DS0017"
516
+ ]
517
+ },
518
+ "T1580": {
519
+ "name": "Cloud Infrastructure Discovery",
520
+ "version": "v19"
521
+ },
522
+ "T1538": {
523
+ "name": "Cloud Service Dashboard",
524
+ "version": "v19"
525
+ },
526
+ "T1562.008": {
527
+ "name": "Impair Defenses: Disable or Modify Cloud Logs",
528
+ "version": "v19"
529
+ },
530
+ "T1136.003": {
531
+ "name": "Create Account: Cloud Account",
532
+ "version": "v19"
533
+ },
534
+ "T1098.003": {
535
+ "name": "Account Manipulation: Additional Cloud Roles",
536
+ "version": "v19"
452
537
  }
453
538
  }