- Original path:
profiles/composite/incident-response.toml
# Incident Response Profile
# Narrow profile for incident-response and threat-hunting work.

# Base profiles layered in alongside the patterns below; paths are
# relative to this file.
includes = [
    "../base/malware.toml",
    "../base/network.toml",
    "../base/credentials.toml",
]

# Decoders to run over content — presumably so encoded payloads are
# also searched by the patterns; confirm against the loader.
decode = ["base64", "hex", "unicode-escape-sequences"]

# Operator note: focus on recently modified files.
# This entry matches the names of timestamp-altering tools/APIs
# (timestomping), not file modification times themselves. `touch` is
# also an ordinary word and a common Unix utility, so expect noise
# here and review hits in context.
[[patterns]]
name = "Suspicious Timestamp Modification"
pattern = '(?:touch|timestomp|SetFileTime)'
case-insensitive = true
type = "regex"

# Commands that clear Windows event logs or remove *.log files. The
# unbounded `.*` between command and argument means a hit can span
# unrelated text if the engine does not stop at line ends.
[[patterns]]
name = "Log Deletion"
pattern = '(?:clear-eventlog|wevtutil.*cl|rm.*\.log|del.*\.log)'
case-insensitive = true
type = "regex"

# Host-firewall management tools on Windows (netsh) and Linux
# (iptables, ufw, firewall-cmd). Any mention of a tool name matches,
# including documentation or shipped configuration, so treat hits as
# leads rather than confirmed tampering.
[[patterns]]
name = "Firewall Modification"
pattern = '(?:netsh.*firewall|iptables|ufw|firewall-cmd)'
case-insensitive = true
type = "regex"

# Local account creation on Windows (`net user ... /add`, New-LocalUser)
# and Linux (useradd, adduser). The `\/` escape is kept verbatim; most
# regex engines treat it as a plain `/`.
[[patterns]]
name = "Account Creation"
pattern = '(?:net\s+user.*\/add|useradd|adduser|New-LocalUser)'
case-insensitive = true
type = "regex"

# Remote-execution and admin-share access indicators. Each `\\\\` is a
# regex-escaped pair of backslashes, i.e. a literal `\\` UNC prefix
# following `sc` or `net use`; literal-string quoting keeps the regex
# readable without a second layer of TOML escaping.
[[patterns]]
name = "Lateral Movement"
pattern = '(?:psexec|winrm|wmi.*process|sc.*\\\\|net\s+use\s+\\\\)'
case-insensitive = true
type = "regex"

# Files with hits from shell, credential-access or lateral-movement
# patterns. Only "Lateral Movement" is defined in this file; the
# "%Shell%" and "%Credential%" name filters presumably match patterns
# from the included base profiles — a rename there would silently
# empty this result set.
[[signatures]]
name = "Compromised Indicators"
query = """\
SELECT DISTINCT sha256 FROM pattern_matches \
WHERE pattern_name LIKE '%Shell%' \
OR pattern_name LIKE '%Credential%' \
OR pattern_name LIKE '%Lateral%'\
"""

# Near-maximum Shannon entropy (threshold 7.9 — assumes the column is
# on the 0–8 bits-per-byte scale; confirm). Flags encrypted, packed or
# compressed content, but ordinary archives and media also score this
# high, so correlate with other signatures before acting on a hit.
[[signatures]]
name = "Very High Entropy Files"
query = """\
SELECT sha256, shannon_entropy FROM unique_files \
WHERE shannon_entropy > 7.9 \
ORDER BY shannon_entropy DESC\
"""