Moved cyberok recommendations for responding to attacks related to CMS Bitrix

data/en/artifacts/A_2001_web_application_server/A_2001_web_application_server.yml

@@ -0,0 +1,12 @@
+title: Web application server
+id: A2001
+description: This artifact describes web application server entity
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/10
+modification_date: 2023/07/10
+references:
+  - https://d3fend.mitre.org/dao/artifact/d3f:WebApplicationServer/
+mapping:
+  - d3f:WebApplicationServer
+extended_description: |
+  A web application server is a web server that hosts applications. Application server frameworks are software frameworks for building application servers. An application server framework provides both facilities to create web applications and a server environment to run them. In the case of Java application servers, the server behaves like an extended virtual machine for running applications, transparently handling connections to the database on one side, and, often, connections to the Web client on the other.

data/en/artifacts/A_2002_web_server/A_2002_web_server.yml

@@ -0,0 +1,15 @@
+title: Web server
+id: A2002
+description: This artifact describes web server entity
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/10
+modification_date: 2023/07/10
+references:
+  - https://d3fend.mitre.org/dao/artifact/d3f:WebServer/
+mapping:
+  - d3f:WebServer
+extended_description: |
+  A web server is server software, or hardware dedicated to running this software, that can satisfy client requests on the World Wide Web.
+  A web server can, in general, contain one or more websites. A web server processes incoming network requests over HTTP and several other related protocols.
+  While the major function is to serve content, a full implementation of HTTP also includes ways of receiving content from clients.
+  This feature is used for submitting web forms, including uploading of files.

data/en/artifacts/A_2003_web_script_file/A_2003_web_script_file.yml

@@ -0,0 +1,12 @@
+title: Web script file
+id: A2003
+description: This artifact describes web script file entity
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/10
+modification_date: 2023/07/10
+references:
+  - https://d3fend.mitre.org/dao/artifact/d3f:WebScriptFile/
+mapping:
+  - d3f:WebScriptFile
+extended_description: |
+  A file containing a script in a web-scripting programming language. Web scripts may be present and run on the client or on the server side.

data/en/response_actions/RA_2010_ensure_successful_attack/RA_2010_ensure_successful_attack.yml

@@ -0,0 +1,12 @@
+title: RA_2010_ensure_successful_attack
+id: RA2010
+description: >
+  Verify that the attack was successful
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/12
+stage: identification
+references:
+  - https://github.com/sroberts/awesome-iocs
+  - https://www.cve.org/
+extended_description: |
+  Verify that the attack was successful. To do this, use the official reports on a specific attack and its IOCs. 

data/en/response_actions/RA_2321_scan_on_suspicious_files/RA_2321_scan_on_suspicious_files.yml

@@ -0,0 +1,16 @@
+title: RA_2321_scan_on_suspicious_files
+id: RA2321
+description: >
+  Scan file system for suspicious files(created or modified)
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/12
+stage: identification
+automation:
+  - antivirus
+  - EDR
+references:
+  - https://github.com/sroberts/awesome-iocs
+extended_description: |
+  Scan file system for suspicious files(created or modified). Often these are files that should not be there (in the standard delivery of the system) where they are.
+  In the case of a web server, check that there are no extraneous files in directories that have external access. To successfully search for suspicious files, use databases of known IOCs (see references for example).
+  Also, some systems (such as content management systems) have functionality to scan for suspicious files.

data/en/response_actions/RA_3002_restrict_access_to_vulnerable_components/RA_3002_restrict_access_to_vulnerable_components.yml

@@ -0,0 +1,12 @@
+title: RA_3002_restrict_access_to_vulnerable_components
+id: RA3002
+description: >
+  Restrict access to vulnerable components
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/12
+stage: containment
+automation:
+  - firewall
+  - EDR
+extended_description: |
+  If at the moment it is not possible to update/disable the system or there are no updates yet, restrict access to vulnerable components. Review the vulnerability description and recommended mitigation measures.

data/en/response_actions/RA_4003_clear_backup_copy/RA_4003_clear_backup_copy.yml

@@ -0,0 +1,9 @@
+title: RA_4003_clear_backup_copy
+id: RA4003
+description: >
+  Clear backup copy
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/12
+stage: eradication
+extended_description: |
+  Before restoring data from a backup, check that it is not infected and eradicate malicious data.

data/en/response_actions/RA_4004_update_sensitive_data/RA_4004_update_sensitive_data.yml

@@ -0,0 +1,9 @@
+title: RA_4004_update_sensitive_data
+id: RA4004
+description: >
+  Update sensitive data
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/12
+stage: eradication
+extended_description: |
+  Attackers can change or read some sensitive data (passwords, database keys, etc.). This is usually done to persisted in the system. Update any sensitive data that has been read or modified.

data/en/response_actions/RA_4401_kill_process/RA_4401_kill_process.yml

@@ -0,0 +1,11 @@
+title: RA_4401_kill_process
+id: RA4401
+description: >
+  Kill the process
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/12
+stage: eradication
+automation:
+  - EDR
+extended_description: |
+  Kill process. To do this, use the operating system tools or Endpoint Detection & Response(EDR) solutions

data/en/response_actions/RA_5003_check_service_on_correct_work/RA_5003_check_service_on_correct_work.yml

@@ -0,0 +1,9 @@
+title: RA_5003_check_service_on_correct_work
+id: RA5003
+description: >
+  Check service on correct work
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/12
+stage: eradication
+extended_description: |
+  After containing and eradicating, check the resource for correct operation

data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/RAI_2321_0001_bitrix_scan_on_suspicious_files.yml

@@ -0,0 +1,30 @@
+title: Bitrix scan on suspicious files
+id: RAI2321_0001
+description: Scan on suspicious files using bitrix
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/14
+modification_date: 2023/07/14
+linked_response_actions: RA2321
+tags:
+  - CMS
+linked_software:
+  - S3004
+linked_artifacts:
+  - A3002
+requirements:
+  software:
+    means_of_action:
+    - ID: S3004
+      cpe-fs: 'cpe:2.3:a:bitrix:bitrix_site_manager:-:*:*:*:*:*:*:*'
+    targets_of_action:
+extended_description: |
+  To search for suspicious files in the system, use the bitrix.xscan Bitrix module. 
+  This is a graphical tool for finding suspicious files. As input, it takes the initial path from which the scan will begin.
+
+  Directory scan example:
+  <img src="../bitrix1.png" alt="Directory scan"/>
+
+  An example of outputting the contents of a suspicious file:
+  <img src="../bitrix2.png" alt="Suspicious file content"/>
+
+  [bitrix.xscan](https://marketplace.1c-bitrix.ru/solutions/bitrix.xscan/)

data/en/response_actions_implementations/RAI_2402_0001_linux_find_process_by_executable_path/RAI_2402_0001_linux_find_process_by_executable_path.yml

@@ -0,0 +1,28 @@
+title: Find process via Linux
+id: RAI2402_0001
+description: Find process by executable path via Linux standard command line utilities
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/14
+modification_date: 2023/07/14
+linked_response_actions: RA2402
+tags:
+  - linux
+linked_software:
+  - S0100
+linked_artifacts:
+  - A3002
+requirements:
+  software:
+    means_of_action:
+    - ID: S0100
+      cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*'
+    targets_of_action:
+extended_description: |
+  To search for a process by its executable path, we can use standard Linux utilities such as **ps** and **grep**.
+  For example, if we need to find all processes whose path contains 'php' we can use the following command:
+
+  ``` ps aux | grep 'php' ```
+
+  To display only the PID of the found processes, we can use the utility **awk**:
+
+  ``` ps aux | grep 'php' | awk '{print $2}'```

data/en/response_actions_implementations/RAI_4301_0003_linux_delete_file/RAI_4301_0003_linux_delete_file.yml

@@ -0,0 +1,37 @@
+title: Deleting a file using standard Linux utilities
+id: RAI4301_0003
+description: Removing a file from Linux using standard Linux utilities
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/14
+modification_date: 2023/07/14
+linked_software:
+  - S0100
+linked_response_actions: RA4301
+tags:
+  - linux
+linked_artifacts:
+  - A3002
+requirements:
+  software:
+    means_of_action:
+      - ID: S0100
+        cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*'
+    targets_of_action:
+      - ID: S0100
+        cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*'
+extended_description: |
+  To delete the file in Linux system we can use standard utilities such as **rm**
+  For example we have the file with path: /home/user/test.txt
+
+  To delete the file use below command.
+  ```
+  rm '/hone/user/test.txt'
+  ```
+
+  We can also delete a file by its hash using utilities such as **rm**, **find**, **md5sum**, **xargs**, **grep** and **awk**
+  For example, we have a file with md5 hash '62e0eeb44c135199947b619de59dc640' in the directory /home/user/test
+
+  To delete the file use below command.
+  ```
+  find /home/user/test -type f -print | xargs md5sum | grep '62e0eeb44c135199947b619de59dc640' | awk '{print $2}' | xargs rm
+  ```

data/en/response_actions_implementations/RAI_4401_0001_linux_kill_process/RAI_4401_0001_linux_kill_process.yml

@@ -0,0 +1,37 @@
+title: Killing a process using standard Linux utilities
+id: RAI4401_0001
+description: Killing a process in Linux using standard Linux utilities
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/14
+modification_date: 2023/07/14
+linked_software:
+  - S0100
+linked_response_actions: RA4401
+tags:
+  - linux
+linked_artifacts:
+  - A4001
+requirements:
+  software:
+    means_of_action:
+      - ID: S0100
+        cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*'
+    targets_of_action:
+      - ID: S0100
+        cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*'
+extended_description: |
+  To kill the process in Linux system we can use standard utilities such as **kill**
+  For example we have a process with name proc and with process ID 123
+
+  To kill a process use below command.
+  ```
+  kill 123
+  ```
+
+  To kill a process that is listening on port 22 we can use standard utilities such as **fuser**
+  For example we have a process that is listening on tcp port 22
+
+  To kill a process use below command.
+  ```
+  fuser -k 22/tcp
+  ```