alert2action 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/README.md +203 -0
  2. package/alert2action.cmd +2 -0
  3. package/bin/alert2action.js +77 -0
  4. package/examples/brute-force-alert.json +33 -0
  5. package/examples/credential-dump-alert.json +32 -0
  6. package/examples/lateral-movement-alert.json +29 -0
  7. package/examples/malware-alert-2.json +30 -0
  8. package/examples/malware-alert.json +35 -0
  9. package/examples/phishing-alert.json +28 -0
  10. package/examples/privesc-alert.json +112 -0
  11. package/examples/soc-test-alert.json +80 -0
  12. package/package.json +48 -0
  13. package/src/formatter.js +267 -0
  14. package/src/guide-generator.js +478 -0
  15. package/src/index.js +28 -0
  16. package/src/mitre.js +837 -0
  17. package/src/parser.js +309 -0
package/src/mitre.js ADDED
@@ -0,0 +1,837 @@
1
+ /**
2
+ * MITRE ATT&CK Technique Mapper
3
+ * Maps alert keywords and behaviors to MITRE ATT&CK techniques
4
+ */
5
+
6
+ // Comprehensive MITRE ATT&CK technique database with investigation guidance
7
+ const MITRE_TECHNIQUES = {
8
+ // ===== RECONNAISSANCE (TA0043) =====
9
+ 'T1595': {
10
+ id: 'T1595',
11
+ name: 'Active Scanning',
12
+ tactic: 'Reconnaissance',
13
+ description: 'Adversaries actively scan victim infrastructure to gather information',
14
+ keywords: ['port scan', 'network scan', 'vulnerability scan', 'service enumeration', 'nmap', 'masscan', 'reconnaissance'],
15
+ logsToCheck: [
16
+ 'Firewall logs (denied connections)',
17
+ 'IDS/IPS alerts',
18
+ 'Web server access logs',
19
+ 'Network flow data'
20
+ ],
21
+ commands: {
22
+ windows: [
23
+ 'Get-WinEvent -LogName "Security" | Where-Object {$_.Id -eq 5156 -and $_.Message -match "Inbound"}',
24
+ 'netsh advfirewall firewall show rule name=all | findstr "Block"'
25
+ ],
26
+ linux: [
27
+ 'cat /var/log/syslog | grep -i "blocked\\|denied"',
28
+ 'iptables -L -n -v | grep DROP',
29
+ 'grep -i "refused\\|scan" /var/log/messages'
30
+ ]
31
+ },
32
+ containment: [
33
+ 'Block scanning source IP at firewall',
34
+ 'Enable rate limiting on border devices',
35
+ 'Review exposed services and reduce attack surface',
36
+ 'Consider honey pots for threat intelligence'
37
+ ],
38
+ falsePositives: [
39
+ 'Legitimate security scanners (Nessus, Qualys)',
40
+ 'IT inventory/asset discovery tools',
41
+ 'Network monitoring systems',
42
+ 'Authorized penetration testing'
43
+ ]
44
+ },
45
+
46
+ // ===== INITIAL ACCESS (TA0001) =====
47
+ 'T1566': {
48
+ id: 'T1566',
49
+ name: 'Phishing',
50
+ tactic: 'Initial Access',
51
+ description: 'Adversaries send phishing messages to gain access to victim systems',
52
+ keywords: ['phishing', 'spam', 'email', 'attachment', 'link', 'macro'],
53
+ logsToCheck: [
54
+ 'Email gateway logs',
55
+ 'Email server logs (Exchange, O365)',
56
+ 'Web proxy logs for clicked links',
57
+ 'Endpoint process logs for Office applications'
58
+ ],
59
+ commands: {
60
+ windows: [
61
+ 'Get-MessageTrace -SenderAddress <email> | Get-MessageTraceDetail',
62
+ 'Search-UnifiedAuditLog -Operations FileDownloaded,FileAccessed',
63
+ 'Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.Id -eq 1 -and $_.Message -match "OUTLOOK|WINWORD"}'
64
+ ],
65
+ linux: [
66
+ 'grep -r "From:.*@suspicious" /var/log/mail.log',
67
+ 'ausearch -c "thunderbird" -ts today'
68
+ ]
69
+ },
70
+ containment: [
71
+ 'Block sender email address/domain at email gateway',
72
+ 'Quarantine suspicious emails organization-wide',
73
+ 'Block malicious URLs at proxy/firewall',
74
+ 'Reset credentials for affected users'
75
+ ],
76
+ falsePositives: [
77
+ 'Legitimate marketing emails flagged by heuristics',
78
+ 'Internal phishing simulations/security awareness training',
79
+ 'Automated notification emails with external links'
80
+ ]
81
+ },
82
+
83
+ 'T1190': {
84
+ id: 'T1190',
85
+ name: 'Exploit Public-Facing Application',
86
+ tactic: 'Initial Access',
87
+ description: 'Adversaries exploit vulnerabilities in internet-facing applications',
88
+ keywords: ['exploit', 'vulnerability', 'cve', 'web attack', 'injection', 'rce'],
89
+ logsToCheck: [
90
+ 'Web application firewall (WAF) logs',
91
+ 'Web server access logs (IIS, Apache, Nginx)',
92
+ 'Application error logs',
93
+ 'IDS/IPS alerts'
94
+ ],
95
+ commands: {
96
+ windows: [
97
+ 'Get-WinEvent -LogName "Microsoft-IIS-Logging/Logs" | Select-Object -First 100',
98
+ 'Get-Content C:\\inetpub\\logs\\LogFiles\\W3SVC1\\*.log | Select-String "4[0-9]{2}|5[0-9]{2}"'
99
+ ],
100
+ linux: [
101
+ 'cat /var/log/apache2/access.log | grep -E "(SELECT|UNION|INSERT|DROP|/etc/passwd)"',
102
+ 'journalctl -u nginx --since "1 hour ago"'
103
+ ]
104
+ },
105
+ containment: [
106
+ 'Apply emergency patches to affected applications',
107
+ 'Enable WAF blocking rules',
108
+ 'Rate limit suspicious source IPs',
109
+ 'Consider taking application offline if actively exploited'
110
+ ],
111
+ falsePositives: [
112
+ 'Security scanners and penetration testing',
113
+ 'Legitimate but malformed requests',
114
+ 'Web crawlers triggering error pages'
115
+ ]
116
+ },
117
+
118
+ 'T1078': {
119
+ id: 'T1078',
120
+ name: 'Valid Accounts',
121
+ tactic: 'Initial Access',
122
+ description: 'Adversaries use legitimate credentials to gain access',
123
+ keywords: ['valid account', 'compromised credential', 'stolen credential', 'account takeover'],
124
+ logsToCheck: [
125
+ 'Authentication logs (Windows Security, Linux auth.log)',
126
+ 'VPN logs',
127
+ 'Cloud identity provider logs (Azure AD, Okta)',
128
+ 'SSO logs'
129
+ ],
130
+ commands: {
131
+ windows: [
132
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624,4625} -MaxEvents 100 | Where-Object {$_.Properties[8].Value -eq 10}',
133
+ 'Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet | Where-Object {$_.Enabled -eq $true}'
134
+ ],
135
+ linux: [
136
+ 'lastlog',
137
+ 'grep "Accepted\\|Failed" /var/log/auth.log | tail -100',
138
+ 'cat /var/log/secure | grep -i "accepted password"'
139
+ ]
140
+ },
141
+ containment: [
142
+ 'Reset compromised account passwords immediately',
143
+ 'Revoke all active sessions/tokens',
144
+ 'Enable MFA if not already configured',
145
+ 'Review recent activity from compromised account'
146
+ ],
147
+ falsePositives: [
148
+ 'Legitimate travel or remote work from new locations',
149
+ 'VPN IP address changes',
150
+ 'Service account automation'
151
+ ]
152
+ },
153
+
154
+ // ===== EXECUTION (TA0002) =====
155
+ 'T1059': {
156
+ id: 'T1059',
157
+ name: 'Command and Scripting Interpreter',
158
+ tactic: 'Execution',
159
+ description: 'Adversaries abuse command and script interpreters to execute commands',
160
+ keywords: ['powershell', 'cmd', 'script', 'wscript', 'cscript', 'bash', 'python', 'execution', 'command line'],
161
+ logsToCheck: [
162
+ 'PowerShell ScriptBlock logs (Event ID 4104)',
163
+ 'Windows Sysmon logs (Event ID 1)',
164
+ 'Process creation logs',
165
+ 'Command line audit logs'
166
+ ],
167
+ commands: {
168
+ windows: [
169
+ 'Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Id -eq 4104}',
170
+ 'Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.Id -eq 1 -and ($_.Message -match "powershell|cmd|wscript")}',
171
+ 'wevtutil qe Security /q:"*[System[(EventID=4688)]]" /f:text /c:50'
172
+ ],
173
+ linux: [
174
+ 'cat /var/log/auth.log | grep -E "(bash|python|perl|ruby)"',
175
+ 'history | grep -E "(wget|curl|nc|ncat)"',
176
+ 'ausearch -c bash --raw | aureport --summary'
177
+ ]
178
+ },
179
+ containment: [
180
+ 'Kill malicious processes',
181
+ 'Isolate affected endpoint from network',
182
+ 'Block script execution via AppLocker/WDAC',
183
+ 'Review and remove any persistence mechanisms'
184
+ ],
185
+ falsePositives: [
186
+ 'Administrative scripts and automation',
187
+ 'IT management tools',
188
+ 'Developer activity',
189
+ 'Software installation scripts'
190
+ ]
191
+ },
192
+
193
+ 'T1059.001': {
194
+ id: 'T1059.001',
195
+ name: 'PowerShell',
196
+ tactic: 'Execution',
197
+ description: 'Adversaries abuse PowerShell for execution and automation',
198
+ keywords: ['powershell', 'encoded', 'base64', 'invoke-expression', 'iex', 'bypass', 'downloadstring'],
199
+ logsToCheck: [
200
+ 'PowerShell ScriptBlock logs (Event ID 4104)',
201
+ 'PowerShell Module logs (Event ID 4103)',
202
+ 'Windows Sysmon Event ID 1',
203
+ 'Windows Security Event ID 4688'
204
+ ],
205
+ commands: {
206
+ windows: [
207
+ 'Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 100 | Where-Object {$_.Id -eq 4104} | Format-List',
208
+ 'Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";Id=1} | Where-Object {$_.Message -match "powershell.*-enc|-encoded|downloadstring|invoke-expression"}',
209
+ 'Get-Process powershell,pwsh -ErrorAction SilentlyContinue | Select-Object Id,Name,CommandLine'
210
+ ],
211
+ linux: [
212
+ 'ps aux | grep -i pwsh'
213
+ ]
214
+ },
215
+ containment: [
216
+ 'Terminate suspicious PowerShell processes',
217
+ 'Enable Constrained Language Mode',
218
+ 'Block encoded command execution via GPO',
219
+ 'Capture process memory for forensics before termination'
220
+ ],
221
+ falsePositives: [
222
+ 'System Center Configuration Manager (SCCM)',
223
+ 'Azure automation scripts',
224
+ 'IT admin troubleshooting',
225
+ 'Legitimate base64 operations'
226
+ ]
227
+ },
228
+
229
+ // ===== PERSISTENCE (TA0003) =====
230
+ 'T1053': {
231
+ id: 'T1053',
232
+ name: 'Scheduled Task/Job',
233
+ tactic: 'Persistence',
234
+ description: 'Adversaries abuse task scheduling to maintain persistence',
235
+ keywords: ['scheduled task', 'cron', 'at job', 'task scheduler', 'persistence'],
236
+ logsToCheck: [
237
+ 'Windows Task Scheduler logs (Event ID 106, 140, 141)',
238
+ 'Windows Security logs (Event ID 4698, 4699, 4700)',
239
+ 'Linux cron logs',
240
+ 'Sysmon Event ID 1 for schtasks.exe'
241
+ ],
242
+ commands: {
243
+ windows: [
244
+ 'Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} | Select-Object TaskName,TaskPath,State',
245
+ 'schtasks /query /v /fo csv | ConvertFrom-Csv | Where-Object {$_."Next Run Time" -ne "N/A"}',
246
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4698} -MaxEvents 50'
247
+ ],
248
+ linux: [
249
+ 'crontab -l',
250
+ 'cat /etc/crontab',
251
+ 'ls -la /etc/cron.d/',
252
+ 'systemctl list-timers --all'
253
+ ]
254
+ },
255
+ containment: [
256
+ 'Delete malicious scheduled tasks',
257
+ 'Audit all scheduled tasks across affected systems',
258
+ 'Restrict task scheduler permissions',
259
+ 'Monitor for task recreation'
260
+ ],
261
+ falsePositives: [
262
+ 'System maintenance tasks',
263
+ 'Backup schedules',
264
+ 'Patch management automation',
265
+ 'Monitoring agent tasks'
266
+ ]
267
+ },
268
+
269
+ 'T1547': {
270
+ id: 'T1547',
271
+ name: 'Boot or Logon Autostart Execution',
272
+ tactic: 'Persistence',
273
+ description: 'Adversaries configure system settings to run programs at startup',
274
+ keywords: ['autorun', 'startup', 'registry', 'run key', 'boot', 'logon'],
275
+ logsToCheck: [
276
+ 'Sysmon Event ID 12, 13, 14 (Registry)',
277
+ 'Windows Security Event ID 4657',
278
+ 'Autoruns output',
279
+ 'Startup folder contents'
280
+ ],
281
+ commands: {
282
+ windows: [
283
+ 'Get-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"',
284
+ 'Get-ItemProperty -Path "HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"',
285
+ 'Get-ChildItem "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"',
286
+ 'autorunsc.exe -accepteula -a * -c -h -s -v -vt'
287
+ ],
288
+ linux: [
289
+ 'ls -la /etc/init.d/',
290
+ 'systemctl list-unit-files --type=service --state=enabled',
291
+ 'cat ~/.bashrc ~/.profile | grep -v "^#"'
292
+ ]
293
+ },
294
+ containment: [
295
+ 'Remove malicious registry entries',
296
+ 'Delete startup folder items',
297
+ 'Disable malicious services',
298
+ 'Re-image endpoint if heavily compromised'
299
+ ],
300
+ falsePositives: [
301
+ 'Legitimate software updaters',
302
+ 'Antivirus startup entries',
303
+ 'Corporate management agents',
304
+ 'User-installed applications'
305
+ ]
306
+ },
307
+
308
+ // ===== PRIVILEGE ESCALATION (TA0004) =====
309
+ 'T1548.002': {
310
+ id: 'T1548.002',
311
+ name: 'Bypass User Account Control',
312
+ tactic: 'Privilege Escalation',
313
+ description: 'Adversaries bypass UAC to elevate privileges without prompting the user',
314
+ keywords: ['uac bypass', 'privilege escalation', 'elevation', 'system', 'admin', 'token_elevation', 'integrity_level', 'auto-elevated', 'silentcleanup'],
315
+ logsToCheck: [
316
+ 'Sysmon Event ID 1 (Process Creation with elevated token)',
317
+ 'Windows Security Event ID 4688 (Process Creation)',
318
+ 'Windows Security Event ID 4648 (Explicit Credential Use)',
319
+ 'UAC Event ID 1 in Application Log'
320
+ ],
321
+ commands: {
322
+ windows: [
323
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4688} | Where-Object {$_.Message -match "TokenElevationType.*%%1937"}',
324
+ 'Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";Id=1} | Where-Object {$_.Message -match "IntegrityLevel.*System|High"}',
325
+ 'Get-ScheduledTask | Where-Object {$_.Principal.RunLevel -eq "Highest"} | Select-Object TaskName,TaskPath',
326
+ 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v EnableLUA'
327
+ ],
328
+ linux: [
329
+ 'cat /var/log/auth.log | grep -i "sudo\\|su "',
330
+ 'ausearch -m USER_AUTH -ts today'
331
+ ]
332
+ },
333
+ containment: [
334
+ 'IMMEDIATELY isolate endpoint - active compromise',
335
+ 'Terminate elevated processes spawned by attack',
336
+ 'Review and remove any malicious scheduled tasks',
337
+ 'Check for persistence mechanisms (services, registry)',
338
+ 'Force password reset for affected user',
339
+ 'Enable UAC highest setting and investigate bypass method'
340
+ ],
341
+ falsePositives: [
342
+ 'Legitimate auto-elevation by installers',
343
+ 'Administrative tools with manifest requesting elevation',
344
+ 'Windows Update and maintenance tasks',
345
+ 'Enterprise software deployment'
346
+ ]
347
+ },
348
+
349
+ 'T1134': {
350
+ id: 'T1134',
351
+ name: 'Access Token Manipulation',
352
+ tactic: 'Privilege Escalation',
353
+ description: 'Adversaries manipulate access tokens to operate under different security contexts',
354
+ keywords: ['token', 'impersonation', 'privilege', 'system', 'token_elevation', 'logon_type', 'security context'],
355
+ logsToCheck: [
356
+ 'Windows Security Event ID 4624 (Logon with token info)',
357
+ 'Windows Security Event ID 4672 (Special Privileges Assigned)',
358
+ 'Sysmon Event ID 10 (Process Access)',
359
+ 'Windows Security Event ID 4673 (Privileged Service Called)'
360
+ ],
361
+ commands: {
362
+ windows: [
363
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4672} -MaxEvents 50 | Format-List',
364
+ 'whoami /priv',
365
+ 'Get-Process | Where-Object {$_.SessionId -eq 0} | Select-Object Name,Id,SessionId',
366
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624} | Where-Object {$_.Properties[8].Value -eq 9}'
367
+ ],
368
+ linux: [
369
+ 'ps aux | grep -E "^root.*pts"',
370
+ 'cat /var/log/auth.log | grep -i "session opened for user root"'
371
+ ]
372
+ },
373
+ containment: [
374
+ 'Terminate processes using stolen/manipulated tokens',
375
+ 'Isolate affected system',
376
+ 'Force logoff all sessions on compromised host',
377
+ 'Reset credentials for impersonated accounts',
378
+ 'Review all SYSTEM-level processes for malicious activity'
379
+ ],
380
+ falsePositives: [
381
+ 'Service accounts running as SYSTEM',
382
+ 'Scheduled tasks running with elevated privileges',
383
+ 'Windows services performing impersonation',
384
+ 'Remote management tools'
385
+ ]
386
+ },
387
+
388
+ // ===== CREDENTIAL ACCESS (TA0006) =====
389
+ 'T1003': {
390
+ id: 'T1003',
391
+ name: 'OS Credential Dumping',
392
+ tactic: 'Credential Access',
393
+ description: 'Adversaries attempt to dump credentials from the operating system',
394
+ keywords: ['credential dump', 'mimikatz', 'lsass', 'hash', 'password dump', 'sam', 'ntds'],
395
+ logsToCheck: [
396
+ 'Sysmon Event ID 10 (Process Access to LSASS)',
397
+ 'Windows Security Event ID 4656, 4663',
398
+ 'Windows Defender alerts',
399
+ 'EDR process access alerts'
400
+ ],
401
+ commands: {
402
+ windows: [
403
+ 'Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";Id=10} | Where-Object {$_.Message -match "lsass.exe"}',
404
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4656} | Where-Object {$_.Message -match "lsass"}',
405
+ 'Get-Process lsass | Select-Object Id,Name,Handles,CPU'
406
+ ],
407
+ linux: [
408
+ 'cat /var/log/auth.log | grep -i "shadow\\|passwd"',
409
+ 'ausearch -sc open -f /etc/shadow'
410
+ ]
411
+ },
412
+ containment: [
413
+ 'Isolate endpoint immediately',
414
+ 'Force password reset for ALL users who logged into compromised system',
415
+ 'Rotate Kerberos KRBTGT account (domain-wide compromise)',
416
+ 'Enable Credential Guard if not configured'
417
+ ],
418
+ falsePositives: [
419
+ 'Antivirus scanning LSASS',
420
+ 'Windows Defender ATP collecting telemetry',
421
+ 'Legitimate security tools'
422
+ ]
423
+ },
424
+
425
+ // ===== DEFENSE EVASION (TA0005) =====
426
+ 'T1055': {
427
+ id: 'T1055',
428
+ name: 'Process Injection',
429
+ tactic: 'Defense Evasion',
430
+ description: 'Adversaries inject code into processes to evade defenses',
431
+ keywords: ['process injection', 'dll injection', 'hollowing', 'code injection', 'remote thread'],
432
+ logsToCheck: [
433
+ 'Sysmon Event ID 8 (CreateRemoteThread)',
434
+ 'Sysmon Event ID 10 (Process Access)',
435
+ 'Windows Security Event ID 4688',
436
+ 'EDR process injection alerts'
437
+ ],
438
+ commands: {
439
+ windows: [
440
+ 'Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";Id=8} | Select-Object -First 20',
441
+ 'Get-Process | Where-Object {$_.Modules.Count -gt 100} | Select-Object Name,Id',
442
+ 'malfind (Volatility plugin on memory dump)'
443
+ ],
444
+ linux: [
445
+ 'cat /proc/[pid]/maps | grep rwx',
446
+ 'grep -r "LD_PRELOAD" /proc/*/environ 2>/dev/null'
447
+ ]
448
+ },
449
+ containment: [
450
+ 'Isolate affected endpoint',
451
+ 'Capture memory dump before terminating processes',
452
+ 'Identify injected code and parent process',
453
+ 'Block malicious process hashes'
454
+ ],
455
+ falsePositives: [
456
+ 'Antivirus real-time scanning',
457
+ 'Application compatibility shims',
458
+ 'Debugging tools',
459
+ 'Some legitimate software hooks'
460
+ ]
461
+ },
462
+
463
+ 'T1070': {
464
+ id: 'T1070',
465
+ name: 'Indicator Removal',
466
+ tactic: 'Defense Evasion',
467
+ description: 'Adversaries delete or modify artifacts to hide their activity',
468
+ keywords: ['log clearing', 'indicator removal', 'timestomp', 'file deletion', 'event log', 'audit'],
469
+ logsToCheck: [
470
+ 'Windows Security Event ID 1102 (Audit Log Cleared)',
471
+ 'Windows Security Event ID 104 (System Log Cleared)',
472
+ 'Sysmon Event ID 23 (File Delete)',
473
+ 'File integrity monitoring alerts'
474
+ ],
475
+ commands: {
476
+ windows: [
477
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=1102} -MaxEvents 10',
478
+ 'Get-WinEvent -FilterHashtable @{LogName="System";Id=104} -MaxEvents 10',
479
+ 'wevtutil el | ForEach-Object {wevtutil gli $_} | Where-Object {$_ -match "numberOfLogRecords: 0"}'
480
+ ],
481
+ linux: [
482
+ 'ls -la /var/log/ | grep "^-.*0"',
483
+ 'stat /var/log/auth.log',
484
+ 'ausearch -m DEL -ts today'
485
+ ]
486
+ },
487
+ containment: [
488
+ 'Preserve remaining logs immediately',
489
+ 'Enable centralized logging if not configured',
490
+ 'Check for backup log copies',
491
+ 'Review shadow copies for deleted evidence'
492
+ ],
493
+ falsePositives: [
494
+ 'Log rotation',
495
+ 'System administrators clearing old logs',
496
+ 'Storage cleanup scripts'
497
+ ]
498
+ },
499
+
500
+ // ===== DISCOVERY (TA0007) =====
501
+ 'T1087': {
502
+ id: 'T1087',
503
+ name: 'Account Discovery',
504
+ tactic: 'Discovery',
505
+ description: 'Adversaries enumerate accounts to understand the environment',
506
+ keywords: ['account discovery', 'user enumeration', 'net user', 'domain users', 'whoami'],
507
+ logsToCheck: [
508
+ 'Windows Security Event ID 4798, 4799',
509
+ 'Sysmon Event ID 1 (net.exe usage)',
510
+ 'LDAP query logs',
511
+ 'Active Directory audit logs'
512
+ ],
513
+ commands: {
514
+ windows: [
515
+ 'Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";Id=1} | Where-Object {$_.Message -match "net user|net group|dsquery"}',
516
+ 'Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -gt (Get-Date).AddDays(-7)}',
517
+ 'Get-WinEvent -LogName "Security" | Where-Object {$_.Id -in @(4798,4799)}'
518
+ ],
519
+ linux: [
520
+ 'grep -E "getent|ldapsearch|cat.*passwd" /var/log/auth.log',
521
+ 'ausearch -c getent -ts today'
522
+ ]
523
+ },
524
+ containment: [
525
+ 'Review if enumeration was from compromised account',
526
+ 'Limit LDAP query permissions',
527
+ 'Enable detailed AD auditing',
528
+ 'Monitor for subsequent lateral movement'
529
+ ],
530
+ falsePositives: [
531
+ 'IT admin account audits',
532
+ 'HR onboarding scripts',
533
+ 'Directory sync tools',
534
+ 'Help desk user lookups'
535
+ ]
536
+ },
537
+
538
+ // ===== EXFILTRATION (TA0010) =====
539
+ 'T1041': {
540
+ id: 'T1041',
541
+ name: 'Exfiltration Over C2 Channel',
542
+ tactic: 'Exfiltration',
543
+ description: 'Adversaries exfiltrate data over existing command and control channels',
544
+ keywords: ['exfiltration', 'data theft', 'data transfer', 'large transfer', 'upload', 'data exfil'],
545
+ logsToCheck: [
546
+ 'Proxy/Firewall logs (large outbound transfers)',
547
+ 'DLP alerts',
548
+ 'Cloud access security broker (CASB) logs',
549
+ 'Network flow data'
550
+ ],
551
+ commands: {
552
+ windows: [
553
+ 'Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Sort-Object -Property OwningProcess | Select-Object -First 20',
554
+ 'Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.Id -eq 3 -and $_.Message -match "Destination.*:443|:80"}'
555
+ ],
556
+ linux: [
557
+ 'ss -tunapl | sort -nk5 | tail -20',
558
+ 'nethogs -v 3',
559
+ 'iftop -t -s 10'
560
+ ]
561
+ },
562
+ containment: [
563
+ 'Block C2 communication immediately',
564
+ 'Identify and preserve exfiltrated data scope',
565
+ 'Check DLP logs for data classification',
566
+ 'Notify legal/compliance for breach assessment',
567
+ 'Preserve network captures for forensics'
568
+ ],
569
+ falsePositives: [
570
+ 'Large legitimate file uploads (backups)',
571
+ 'Video conferencing',
572
+ 'Cloud sync services',
573
+ 'Software updates'
574
+ ]
575
+ },
576
+
577
+ // ===== LATERAL MOVEMENT (TA0008) =====
578
+ 'T1021': {
579
+ id: 'T1021',
580
+ name: 'Remote Services',
581
+ tactic: 'Lateral Movement',
582
+ description: 'Adversaries use remote services to move laterally within network',
583
+ keywords: ['lateral', 'remote', 'psexec', 'wmi', 'smb', 'rdp', 'ssh', 'winrm'],
584
+ logsToCheck: [
585
+ 'Windows Security Event ID 4624 (logon type 3, 10)',
586
+ 'Windows Security Event ID 4648 (explicit credentials)',
587
+ 'SMB logs',
588
+ 'RDP connection logs',
589
+ 'SSH auth logs'
590
+ ],
591
+ commands: {
592
+ windows: [
593
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624} | Where-Object {$_.Properties[8].Value -in @(3,10)} | Select-Object -First 50',
594
+ 'Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";Id=1149}',
595
+ 'qwinsta /server:<hostname>'
596
+ ],
597
+ linux: [
598
+ 'grep "Accepted" /var/log/auth.log | tail -50',
599
+ 'last -50',
600
+ 'who'
601
+ ]
602
+ },
603
+ containment: [
604
+ 'Block lateral movement paths at network level',
605
+ 'Disable administrative shares if not needed',
606
+ 'Segment network to limit lateral movement',
607
+ 'Force re-authentication on sensitive systems'
608
+ ],
609
+ falsePositives: [
610
+ 'Normal admin remote management',
611
+ 'File server access',
612
+ 'Patch management systems',
613
+ 'Jump server usage'
614
+ ]
615
+ },
616
+
617
+ // ===== COMMAND AND CONTROL (TA0011) =====
618
+ 'T1071': {
619
+ id: 'T1071',
620
+ name: 'Application Layer Protocol',
621
+ tactic: 'Command and Control',
622
+ description: 'Adversaries communicate using application layer protocols',
623
+ keywords: ['c2', 'command and control', 'beacon', 'callback', 'http', 'https', 'dns'],
624
+ logsToCheck: [
625
+ 'Proxy/Firewall logs',
626
+ 'DNS query logs',
627
+ 'Network flow data',
628
+ 'EDR network telemetry'
629
+ ],
630
+ commands: {
631
+ windows: [
632
+ 'Get-NetTCPConnection | Where-Object {$_.State -eq "Established" -and $_.RemotePort -in @(80,443,8080)}',
633
+ 'Get-DnsClientCache | Where-Object {$_.Entry -notmatch "microsoft|windows|office"}',
634
+ 'netstat -ano | findstr ESTABLISHED'
635
+ ],
636
+ linux: [
637
+ 'netstat -tunapl | grep ESTABLISHED',
638
+ 'ss -tunapl',
639
+ 'cat /var/log/syslog | grep -i dns'
640
+ ]
641
+ },
642
+ containment: [
643
+ 'Block C2 IP addresses/domains at firewall',
644
+ 'Sinkhole malicious domains',
645
+ 'Isolate infected endpoints',
646
+ 'Hunt for additional infected hosts communicating to same C2'
647
+ ],
648
+ falsePositives: [
649
+ 'CDN traffic',
650
+ 'Cloud service connections',
651
+ 'Software update services',
652
+ 'Legitimate API calls'
653
+ ]
654
+ },
655
+
656
+ // ===== IMPACT (TA0040) =====
657
+ 'T1486': {
658
+ id: 'T1486',
659
+ name: 'Data Encrypted for Impact',
660
+ tactic: 'Impact',
661
+ description: 'Adversaries encrypt data to render it inaccessible (ransomware)',
662
+ keywords: ['ransomware', 'encrypt', 'ransom', 'locked files', 'cryptolocker', 'bitcoin'],
663
+ logsToCheck: [
664
+ 'File system audit logs',
665
+ 'Sysmon Event ID 11 (File Create)',
666
+ 'Volume Shadow Copy deletion logs',
667
+ 'Backup system logs'
668
+ ],
669
+ commands: {
670
+ windows: [
671
+ 'vssadmin list shadows',
672
+ 'Get-ChildItem -Path C:\\ -Recurse -Include "*.encrypted","*.locked","README*.txt","DECRYPT*.txt" -ErrorAction SilentlyContinue | Select-Object -First 20',
673
+ 'Get-WinEvent -FilterHashtable @{LogName="Application";Id=8194} -MaxEvents 10'
674
+ ],
675
+ linux: [
676
+ 'find / -name "*.encrypted" -o -name "*README*ransom*" 2>/dev/null | head -20',
677
+ 'df -h'
678
+ ]
679
+ },
680
+ containment: [
681
+ 'IMMEDIATELY isolate affected systems from network',
682
+ 'Do NOT shut down - preserve memory for forensics',
683
+ 'Stop ransomware process if still running',
684
+ 'Identify patient zero and encryption timestamp',
685
+ 'Assess backup availability and integrity'
686
+ ],
687
+ falsePositives: [
688
+ 'Legitimate encryption software (BitLocker, VeraCrypt)',
689
+ 'File archiving with password protection',
690
+ 'DRM-protected content'
691
+ ]
692
+ },
693
+
694
+ // ===== BRUTE FORCE (Special) =====
695
+ 'T1110': {
696
+ id: 'T1110',
697
+ name: 'Brute Force',
698
+ tactic: 'Credential Access',
699
+ description: 'Adversaries use brute force techniques to obtain credentials',
700
+ keywords: ['brute force', 'password spray', 'credential stuffing', 'failed login', 'authentication failure', 'multiple failed'],
701
+ logsToCheck: [
702
+ 'Windows Security Event ID 4625 (Failed logon)',
703
+ 'Windows Security Event ID 4771 (Kerberos pre-auth failed)',
704
+ 'Azure AD Sign-in logs',
705
+ 'Linux /var/log/auth.log'
706
+ ],
707
+ commands: {
708
+ windows: [
709
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4625} -MaxEvents 100 | Group-Object {$_.Properties[5].Value} | Sort-Object Count -Descending',
710
+ 'Get-WinEvent -FilterHashtable @{LogName="Security";Id=4625} | Group-Object {$_.Properties[19].Value} | Sort-Object Count -Descending | Select-Object -First 10',
711
+ 'net accounts'
712
+ ],
713
+ linux: [
714
+ 'grep "Failed password" /var/log/auth.log | awk \'{print $(NF-3)}\' | sort | uniq -c | sort -rn | head -10',
715
+ 'lastb | head -50',
716
+ 'fail2ban-client status sshd'
717
+ ]
718
+ },
719
+ containment: [
720
+ 'Block attacking IP addresses',
721
+ 'Lock affected user accounts temporarily',
722
+ 'Enable account lockout policies',
723
+ 'Implement MFA for targeted accounts',
724
+ 'Consider geo-blocking if attacks from specific regions'
725
+ ],
726
+ falsePositives: [
727
+ 'Users forgetting passwords',
728
+ 'Password manager sync issues',
729
+ 'Cached credentials after password change',
730
+ 'Service accounts with expired passwords'
731
+ ]
732
+ }
733
+ };
734
+
735
+ /**
736
+ * Map alert to MITRE ATT&CK techniques based on keywords and context
737
+ */
738
+ function mapToMitre(parsedAlert) {
739
+ const matches = [];
740
+ const keywords = parsedAlert.keywords || [];
741
+ const allText = [
742
+ parsedAlert.title,
743
+ parsedAlert.description,
744
+ parsedAlert.category,
745
+ parsedAlert.processCommandLine
746
+ ].filter(Boolean).join(' ').toLowerCase();
747
+
748
+ for (const [techId, technique] of Object.entries(MITRE_TECHNIQUES)) {
749
+ let score = 0;
750
+ const matchedKeywords = [];
751
+
752
+ // Check each technique's keywords
753
+ for (const keyword of technique.keywords) {
754
+ if (keywords.includes(keyword) || allText.includes(keyword)) {
755
+ score += 10;
756
+ matchedKeywords.push(keyword);
757
+ }
758
+ }
759
+
760
+ // Boost score for specific indicators
761
+ if (techId === 'T1110' && (allText.includes('failed') && allText.includes('login'))) {
762
+ score += 20;
763
+ }
764
+ if (techId === 'T1059.001' && parsedAlert.processName?.toLowerCase().includes('powershell')) {
765
+ score += 30;
766
+ }
767
+ if (techId === 'T1003' && allText.includes('lsass')) {
768
+ score += 30;
769
+ }
770
+ if (techId === 'T1566' && (allText.includes('email') || allText.includes('attachment'))) {
771
+ score += 15;
772
+ }
773
+
774
+ // T1053 (Scheduled Task) - require actual evidence of scheduled tasks
775
+ if (techId === 'T1053') {
776
+ const hasSchtasks = parsedAlert.processName?.toLowerCase().includes('schtasks');
777
+ const hasTaskName = allText.includes('task') && (allText.includes('create') || allText.includes('schedule'));
778
+ const hasTaskEvidence = parsedAlert.rawData?.persistence?.method?.toLowerCase().includes('task');
779
+ if (hasSchtasks || hasTaskEvidence) {
780
+ score += 25; // Strong evidence
781
+ } else if (!hasTaskName && score < 15) {
782
+ score = 0; // Remove weak matches to avoid false positives
783
+ }
784
+ }
785
+
786
+ // T1548.002 (UAC Bypass) - boost for privilege escalation context
787
+ if (techId === 'T1548.002') {
788
+ if (allText.includes('uac') || allText.includes('bypass')) {
789
+ score += 25;
790
+ }
791
+ if (parsedAlert.rawData?.privilege_escalation?.attempted) {
792
+ score += 30;
793
+ }
794
+ }
795
+
796
+ // T1134 (Token Manipulation) - boost for token/privilege context
797
+ if (techId === 'T1134') {
798
+ if (allText.includes('token') || allText.includes('impersonation')) {
799
+ score += 20;
800
+ }
801
+ if (parsedAlert.rawData?.privilege_change?.new_integrity_level === 'System') {
802
+ score += 30;
803
+ }
804
+ }
805
+
806
+ if (score > 0) {
807
+ matches.push({
808
+ technique: technique,
809
+ score: score,
810
+ matchedKeywords: matchedKeywords,
811
+ confidence: score >= 30 ? 'high' : score >= 15 ? 'medium' : 'low'
812
+ });
813
+ }
814
+ }
815
+
816
+ // Sort by score descending
817
+ matches.sort((a, b) => b.score - a.score);
818
+
819
+ // Return top 3 matches
820
+ return matches.slice(0, 3);
821
+ }
822
+
823
+ /**
824
+ * Get a technique by ID
825
+ */
826
+ function getTechnique(techId) {
827
+ return MITRE_TECHNIQUES[techId] || null;
828
+ }
829
+
830
+ /**
831
+ * Get all techniques
832
+ */
833
+ function getAllTechniques() {
834
+ return MITRE_TECHNIQUES;
835
+ }
836
+
837
+ module.exports = { mapToMitre, getTechnique, getAllTechniques };