APT-OpenIOC-Detection-Rules

This repository contains OpenIOC rules to aid in hunting for indicators of compromise and TTPs focused on Advanced Persistent Threat groups.

License: MIT

Overview


These rules can be used for threat hunting or as detection rules: import them into your EDR solution's user-defined or custom rule intelligence database to extend its detection coverage. Tune them to your environment before deploying them as detection rules.

The detection logic is based on the tools, tactics, techniques, and procedures (TTPs) observed in the following references, among others:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

https://github.com/sliverarmory

https://redcanary.com/threat-detection-report/

These rules are provided freely to the community without warranty.

What is OpenIOC?

OpenIOC provides a standard format and terms for describing the artifacts encountered during the course of an investigation.
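As an added illustration of that format (example code written for this page, not part of this repository's rule set or of any OpenIOC tooling), the block below embeds a constructed OpenIOC 1.1 indicator, parses it, and evaluates its nested AND/OR `Indicator` tree against constructed host artifacts of the kind an EDR would collect. The indicator's IDs, the MD5 value, the process name and the argument pattern are all placeholders, not real indicators of compromise. It also shows why the tuning recommended above matters: a `contains` condition on a process name alone would be broad, so it is ANDed with a second item here.

```python
"""Added example (not part of this repository): parse a constructed
OpenIOC 1.1 indicator and evaluate it against constructed host observations."""
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}

# Constructed sample OpenIOC 1.1 document. Every id, hash and name below is a
# placeholder chosen for this example; none is a real IOC.
SAMPLE_IOC = r"""
<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1"
         id="00000000-0000-0000-0000-000000000001" last-modified="2024-01-01T00:00:00">
  <metadata>
    <short_description>Placeholder indicator (constructed example)</short_description>
    <authored_by>example</authored_by>
  </metadata>
  <criteria>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is" preserve-case="false" negate="false">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000004">
        <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="contains" preserve-case="false" negate="false">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">placeholder-implant</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000006" condition="matches" preserve-case="false" negate="false">
          <Context document="ProcessItem" search="ProcessItem/arguments" type="mir"/>
          <Content type="string">--interval=\d+</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
  <parameters/>
</OpenIOC>
"""

# Constructed host observations: one dict per collected artifact, keyed by the
# OpenIOC search term the EDR would populate.
HOST_OBSERVATIONS = [
    {"FileItem/FullPath": r"C:\Users\Public\notes.txt",
     "FileItem/Md5sum": "00000000000000000000000000000000"},
    {"ProcessItem/name": "svchost.exe", "ProcessItem/arguments": "-k netsvcs"},
    {"ProcessItem/name": "Placeholder-Implant.exe", "ProcessItem/arguments": "--interval=60"},
    {"ProcessItem/name": "placeholder-implant.exe", "ProcessItem/arguments": ""},
]


def _item_matches(item, observation):
    """Evaluate one IndicatorItem against one artifact. An artifact that lacks
    the searched field is treated as not matching (before negate is applied);
    this is a simplification made for the example."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    observed = observation.get(ctx.get("search"))
    cond = item.get("condition", "is")
    negate = item.get("negate", "false").lower() == "true"
    preserve_case = item.get("preserve-case", "false").lower() == "true"
    result = False
    if observed is not None:
        a, b = str(observed), (content.text or "").strip()
        if not preserve_case and cond != "matches":
            a, b = a.lower(), b.lower()
        if cond == "is":
            result = a == b
        elif cond == "contains":
            result = b in a
        elif cond == "starts-with":
            result = a.startswith(b)
        elif cond == "ends-with":
            result = a.endswith(b)
        elif cond == "matches":  # OpenIOC 'matches' is a regular expression
            flags = 0 if preserve_case else re.IGNORECASE
            result = re.search(b, a, flags) is not None
        elif cond == "greater-than":
            result = float(a) > float(b)
        elif cond == "less-than":
            result = float(a) < float(b)
        else:
            raise ValueError(f"unsupported condition: {cond}")
    return (not result) if negate else result


def _indicator_matches(node, observation):
    """Recursively evaluate an Indicator node: AND requires every child to
    match, OR requires at least one; children may be items or sub-indicators."""
    op = node.get("operator", "AND").upper()
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # drop the XML namespace prefix
        if tag == "IndicatorItem":
            results.append(_item_matches(child, observation))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, observation))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def load_ioc(xml_text):
    """Return (id, short_description, criteria element) for an OpenIOC 1.1 doc."""
    root = ET.fromstring(xml_text)
    desc = root.findtext("ioc:metadata/ioc:short_description", default="", namespaces=NS)
    return root.get("id"), desc, root.find("ioc:criteria", NS)


def evaluate_ioc(xml_text, observations):
    """Return the observations that satisfy any top-level Indicator of the IOC."""
    _, _, criteria = load_ioc(xml_text)
    indicators = criteria.findall("ioc:Indicator", NS)
    return [obs for obs in observations
            if any(_indicator_matches(ind, obs) for ind in indicators)]


if __name__ == "__main__":
    ioc_id, desc, _ = load_ioc(SAMPLE_IOC)
    print(f"{ioc_id}: {desc}")
    for hit in evaluate_ioc(SAMPLE_IOC, HOST_OBSERVATIONS):
        print("match:", hit)
```

Of the four constructed artifacts, only the file with the placeholder hash and the process whose name contains the placeholder string and whose arguments match the pattern satisfy the criteria; the process with the matching name but no arguments does not, which is the effect of ANDing the two items instead of relying on the name alone.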

How do I create or modify OpenIOC rules?

The FireEye OpenIOC 1.1 Editor is a free tool that provides an interface for managing the data in, and manipulating the logical structure of, OpenIOC 1.1 indicators.

https://fireeye.market/apps/211404