added new triage guides

Author: aring87

content/triage-guides/sentinel/command-and-control/dns-tunneling-behavior.md

@@ -0,0 +1,90 @@
+# Triage Guide: DNS Tunneling Behavior
+
+## Detection Title
+DNS Tunneling Behavior
+
+## Detection ID
+SENT-C2-0001
+
+## Objective
+
+This detection identifies unusually high volumes of DNS traffic combined with long query lengths over a short time window. This may indicate DNS tunneling, covert beaconing, or encoded data transfer through DNS queries.
+
+## Why It Matters
+
+DNS tunneling can be used for:
+- covert command-and-control
+- data exfiltration
+- persistence of communications when web traffic is restricted
+- blending malicious traffic into commonly allowed DNS flows
+
+High query counts plus long query strings are a useful signal for suspicious DNS abuse.
+
+## Alert Logic Summary
+
+The rule looks for:
+- `DeviceNetworkEvents`
+- DNS traffic on port 53
+- summarized activity over 15 minutes
+- high query counts
+- elevated average DNS query length
+
+## Initial Triage Questions
+
+- Which process is generating the DNS traffic?
+- Is the process normally DNS-heavy in this environment?
+- Are the queries abnormally long, repetitive, or high-entropy?
+- Does the traffic appear TXT-heavy or tunneling-like?
+- Is there related process execution or staging behavior?
+
+## Investigation Steps
+
+1. Review the initiating process name and user context.
+2. Confirm the host type and whether it normally generates heavy DNS traffic.
+3. Examine query characteristics if available:
+   - query length
+   - domain patterns
+   - repetition
+   - entropy-like appearance
+4. Review the 15-minute burst for volume and recurrence.
+5. Check for known developer, security, or diagnostics tools that may explain the behavior.
+6. Correlate with:
+   - suspicious process execution
+   - external downloads
+   - archive creation
+   - exfiltration-related activity
+
+## Common False Positives
+
+- developer tooling with frequent DNS lookups
+- internal diagnostics or troubleshooting tools
+- some security products or research tools
+- misconfigured scripts repeatedly resolving domains
+
+## Escalation Guidance
+
+Escalate when:
+- the generating process is unusual or suspicious
+- domains or queries look encoded or tunneled
+- activity is repeated across intervals
+- the host also shows execution or staging behavior
+- the user or host context makes the activity abnormal
+
+## Recommended Enrichment
+
+- destination domains if available
+- DNS query lengths and frequency
+- initiating process path and signer
+- process tree
+- related external network activity
+- file staging or archive activity
+- host role and criticality
+
+## ATT&CK Mapping
+
+- Command and Control
+- T1071.004 – Application Layer Protocol: DNS
+
+## Related Rule
+
+- `detections/sentinel/command-and-control/dns-tunneling-behavior.yml`

content/triage-guides/sentinel/command-and-control/dns-tunneling-using-iodine.md

@@ -0,0 +1,86 @@
+# Triage Guide: DNS Tunneling Using Iodine
+
+## Detection Title
+DNS Tunneling Using Iodine
+
+## Detection ID
+dodea-sig-033-dns-tunnel-iodine
+
+## Objective
+
+This detection identifies network connections over DNS port 53 from a process associated with Iodine, a known DNS tunneling tool. This may indicate covert command-and-control or data transfer using DNS as a transport mechanism.
+
+## Why It Matters
+
+DNS tunneling tools such as Iodine can be used to:
+- bypass network controls
+- establish covert command-and-control
+- move data through DNS traffic
+- hide malicious communications in a commonly allowed protocol
+
+Use of Iodine on an endpoint is rarely normal in enterprise environments.
+
+## Alert Logic Summary
+
+The rule looks for:
+- `DeviceNetworkEvents`
+- `RemotePort == 53`
+- `InitiatingProcessFileName` containing `iodine`
+
+## Initial Triage Questions
+
+- Is Iodine approved or expected in this environment?
+- Which user executed the process?
+- Is the host a workstation, server, or test system?
+- Were there repeated DNS connections or sustained traffic?
+- Is there related suspicious process, archive, or exfiltration behavior?
+
+## Investigation Steps
+
+1. Review the initiating process name, path, and user context.
+2. Confirm whether the file is actually Iodine or similarly named masquerading content.
+3. Check the parent process and execution lineage.
+4. Review the timeline of DNS activity:
+   - duration
+   - frequency
+   - destination patterns
+5. Determine whether the host also shows:
+   - encoded command execution
+   - archive creation
+   - file staging
+   - unusual external traffic
+6. Review whether the host role makes any legitimate tunneling activity plausible.
+
+## Common False Positives
+
+- lab or red team testing using Iodine
+- controlled security validation exercises
+- research systems intentionally running DNS tunnel tools
+
+## Escalation Guidance
+
+Escalate when:
+- Iodine execution is not explicitly authorized
+- DNS activity is sustained or repetitive
+- the host also shows staging, execution, or exfiltration behavior
+- the tool is executed from suspicious paths or by unusual accounts
+- the user cannot explain the activity
+
+## Recommended Enrichment
+
+- full process path
+- file hash and signer status
+- parent process
+- DNS request volume and timing
+- queried domains if available
+- related file, process, and network activity
+- host criticality and user role
+
+## ATT&CK Mapping
+
+- Command and Control
+- T1071.004 – Application Layer Protocol: DNS
+
+## Related Rule
+
+- `detections/sentinel/command-and-control/dns-tunneling-using-iodine.yml`

content/triage-guides/sentinel/command-and-control/external-powershell-or-lolbin-traffic.md

@@ -0,0 +1,94 @@
+# Triage Guide: External PowerShell or LOLBin Traffic
+
+## Detection Title
+External PowerShell or LOLBin Traffic
+
+## Detection ID
+dodea-sig-020-external-powershell-LOLBIN-traffic
+
+## Objective
+
+This detection identifies outbound connections to public IP space from PowerShell or common LOLBins such as `wscript.exe` and `mshta.exe`. This may indicate remote payload retrieval, callback traffic, or abuse of native Windows tooling for command-and-control.
+
+## Why It Matters
+
+PowerShell and LOLBins are commonly used to:
+- download remote payloads
+- execute scripts from the internet
+- establish outbound callbacks
+- proxy malicious traffic through trusted native binaries
+
+External traffic from these tools is not always malicious, but it is high value for triage.
+
+## Alert Logic Summary
+
+The rule looks for:
+- `DeviceNetworkEvents`
+- `RemoteIPType == "Public"`
+- initiating process names:
+  - `powershell.exe`
+  - `wscript.exe`
+  - `mshta.exe`
+
+## Initial Triage Questions
+
+- What process made the external connection?
+- Was the process launched interactively, by script, or by another binary?
+- Is the destination known and expected?
+- Was the user performing legitimate admin or automation work?
+- Did the process also execute suspicious commands, downloads, or script content?
+
+## Investigation Steps
+
+1. Review the initiating process and full command line if available in related telemetry.
+2. Identify the user, parent process, and execution chain.
+3. Review the destination:
+   - IP
+   - domain if available
+   - reputation
+   - geolocation if relevant
+4. Determine whether the connection aligns with:
+   - approved automation
+   - software update behavior
+   - expected admin scripting
+5. Check for nearby suspicious events:
+   - web downloads
+   - encoded commands
+   - child process launches
+   - file writes to temp or user paths
+6. Review recurrence across the same host or account.
+
+## Common False Positives
+
+- administrative scripts reaching public services
+- support tooling using PowerShell or HTA frameworks
+- approved software bootstrap or update activity
+- scripted access to cloud APIs or public repos
+
+## Escalation Guidance
+
+Escalate when:
+- the external destination is suspicious or unknown
+- the process lineage is unusual
+- the tool is launched from user-writable paths or script hosts
+- there is follow-on execution, staging, or persistence
+- the user cannot explain the activity
+
+## Recommended Enrichment
+
+- full command line
+- parent and child processes
+- destination IP/domain details
+- file writes near the connection time
+- script block or PowerShell telemetry if available
+- related alerts on the same host
+- user role and host sensitivity
+
+## ATT&CK Mapping
+
+- Command and Control
+- T1071.001 – Application Layer Protocol: Web Protocols
+
+## Related Rule
+
+- `detections/sentinel/command-and-control/external-powershell-or-lolbin-traffic.yml`

content/triage-guides/sentinel/command-and-control/powershell-or-lolbin-external-network-traffic.md

@@ -0,0 +1,92 @@
+# Triage Guide: PowerShell or LOLBin External Network Traffic
+
+## Detection Title
+PowerShell or LOLBin External Network Traffic
+
+## Detection ID
+SENT-C2-0002
+
+## Objective
+
+This detection identifies outbound connections to external destinations from PowerShell and common LOLBins such as `mshta.exe`, `rundll32.exe`, `regsvr32.exe`, and `certutil.exe`. This may indicate payload retrieval, callback traffic, or remote content execution.
+
+## Why It Matters
+
+Adversaries frequently use built-in tools to:
+- contact remote infrastructure
+- fetch scripts or payloads
+- proxy malicious traffic through trusted binaries
+- establish command-and-control
+
+These binaries have legitimate uses, but external network activity from them is often worth investigating.
+
+## Alert Logic Summary
+
+The rule looks for:
+- `DeviceNetworkEvents`
+- initiating processes:
+  - `powershell.exe`
+  - `pwsh.exe`
+  - `mshta.exe`
+  - `rundll32.exe`
+  - `regsvr32.exe`
+  - `certutil.exe`
+- remote IPs outside private address ranges
+
+## Initial Triage Questions
+
+- Which binary made the connection?
+- What launched it?
+- Is the external destination expected?
+- Was this a download, callback, or one-off connection?
+- Are there follow-on execution or persistence events?
+
+## Investigation Steps
+
+1. Review the initiating process and account context.
+2. Check the parent process and surrounding execution chain.
+3. Review the destination IP, domain, and port.
+4. Determine whether the tool normally talks externally in this environment.
+5. Look for nearby activity such as:
+   - downloads
+   - temp-file writes
+   - DLL/script execution
+   - persistence creation
+6. Assess whether the external connection occurred on a privileged host, server, or admin account.
+
+## Common False Positives
+
+- approved admin automation
+- software installation or update workflows
+- security or compliance scripts
+- support tools using public services
+
+## Escalation Guidance
+
+Escalate when:
+- the destination is suspicious or unrecognized
+- the process is spawned by unusual parents
+- the same host shows multiple suspicious LOLBin executions
+- there is evidence of staging or follow-on execution
+- the activity involves privileged users or critical systems
+
+## Recommended Enrichment
+
+- full command line
+- parent and child processes
+- destination domain/IP reputation
+- related file events
+- script or DLL load telemetry if available
+- recent alerts on the device
+- host criticality and user context
+
+## ATT&CK Mapping
+
+- Command and Control
+- Execution
+- T1105 – Ingress Tool Transfer
+- T1218 – System Binary Proxy Execution
+
+## Related Rule
+
+- `detections/sentinel/command-and-control/powershell-or-lolbin-external-network-traffic.yml`