Merge branch 'wagov:main' into main

docs/README.md

@@ -4,25 +4,32 @@ This site contains technical information to support WA Government Cyber Security
 
 ## WA Security Operations Centre (WA SOC)
 
-- [Connecting to the WA SOC](onboarding.md)
+- [Connecting to the WA SOC](onboarding.md) ([Sentinel Guidance](onboarding/sentinel-guidance.md))
 - [Advisories (TLP:CLEAR)](advisories.md)
 - [Incident Reporting User Guide (Jira)](guidelines/incident-reporting.md)
+- [Threat Hunting (MITRE ATT&CK Tactics and Techniques)](guidelines/TTP_Hunt/ttp-detection-guidelines.md)
 - [ACSC Essential Eight Assessment Process Guide](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide)
 
+
 ## Baselines & Guidelines
 
 Baselines are for use as self-assessment checklists, and guidelines are for general implementation guidance.
 
 !!! abstract "Baselines"
 
-    The WA SOC has developed a [Baseline for Event Ingestion](baselines/data-sources.md). It's currently under review to align with [MITRE ATT&CK®](https://attack.mitre.org) and develop detection coverage/quality into a standalone baseline. See [MITRE Data Sources](https://attack.mitre.org/datasources/) for SIEM (sensors/events) coverage and [MITRE Tactics](https://attack.mitre.org/tactics/enterprise/) for SIEM automated detection coverage.
+    - [Security Operations Baseline](baselines/security-operations.md) - aligned with [MITRE 11 Strategies of a World-Class Cybersecurity Operations Center](pdfs/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf) and [ACSC's Cyber Incident Response Plan Resource](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/publications/cyber-incident-response-plan).
+    - [Detection Coverage Baseline](baselines/data-sources.md) - *[telemetry collection](https://attack.mitre.org/datasources/)* and *[detection analytics](https://attack.mitre.org)* aligned to the [MITRE ATT&CK Framework](https://attack.mitre.org).
+    - [Vulnerability Management Baseline](baselines/vulnerability-management.md) - focused on undertaking operational **Identify** and **Protect** capabilities.
 
-!!! danger "Critical Infrastructure Entities"
+!!! danger "Critical Infrastructure Entities and Operational Technology"
 
-    The [CISA Cross-Sector Cybersecurity Performance Goals](https://www.cisa.gov/cross-sector-cybersecurity-performance-goals) detail very effective network and server hardening controls that are a highly valuable addition to the ACSC Essential 8, especially for entities in scope of [SOCI regulatory obligations](https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/regulatory-obligations).
+    The [CISA Cross-Sector Cybersecurity Performance Goals](https://www.cisa.gov/cross-sector-cybersecurity-performance-goals) are clear targeted recommendations focusing on most common and impactful threats, including cost, complexity and impact ratings against each recommendation. These are highly relevant targets for entities in scope of [SOCI regulatory obligations](https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/regulatory-obligations).
+
+    <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/W6Cu0xa8kds?si=flUQ8EyhaHgcDNzZ" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
 
 !!! tip "Guidelines"
 
+    - [Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md) - Implementation guidance for [ACSC Cyber Supply Chain Risk Management](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management).
     - [Guide to Securing Remote Access Software (CISA)](https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software) - remote access software overview, including the malicious use of remote access software, detection methods, and recommendations for all organizations.
     - [#StopRansomware Guide (CISA)](https://www.cisa.gov/resources-tools/resources/stopransomware-guide) - one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
     - [Microsoft Sentinel Guidance](onboarding/sentinel-guidance.md) - Implementation guidance for using Sentinel for [ACSC Guidelines for System Monitoring](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-monitoring)

docs/advisories/20231106001-Cisco-Security-Advisory-for-Multiple-Products-Vulnerability.md

@@ -0,0 +1,64 @@
+# Cisco Releases Security Advisories for Multiple Products - 20231106001
+
+## Overview
+
+Cisco has released security advisories for vulnerabilities affecting multiple Cisco products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
+
+## What is the vulnerability?
+
+[**CVE-2023-20048**](https://nvd.nist.gov/vuln/detail/CVE-2023-20048) - CVSS v3 Base Score: ***9.9***
+
+[**CVE-2023-20175**](https://nvd.nist.gov/vuln/detail/CVE-2023-20175) - CVSS v3 Base Score: ***8.8*** 
+
+[**CVE-2023-20170**](https://nvd.nist.gov/vuln/detail/CVE-2023-20170) - CVSS v3 Base Score: ***6.0*** 
+
+[**CVE-2023-20195**](https://nvd.nist.gov/vuln/detail/CVE-2023-20195) - CVSS v3 Base Score: ***4.7*** 
+
+[**CVE-2023-20196**](https://nvd.nist.gov/vuln/detail/CVE-2023-20196) - CVSS v3 Base Score: ***4.7*** 
+
+[**CVE-2023-20213**](https://nvd.nist.gov/vuln/detail/CVE-2023-20213) - CVSS v3 Base Score: ***4.3*** 
+
+[**CVE-2023-20244**](https://nvd.nist.gov/vuln/detail/CVE-2023-20244) - CVSS v3 Base Score: ***8.6*** 
+
+[**CVE-2023-20083**](https://nvd.nist.gov/vuln/detail/CVE-2023-20083) - CVSS v3 Base Score: ***8.6*** 
+
+[**CVE-2023-20063**](https://nvd.nist.gov/vuln/detail/CVE-2023-20063) - CVSS v3 Base Score: ***8.2*** 
+
+[**CVE-2023-20155**](https://nvd.nist.gov/vuln/detail/CVE-2023-20155) - CVSS v3 Base Score: ***7.5*** 
+
+[**CVE-2023-20219**](https://nvd.nist.gov/vuln/detail/CVE-2023-20219) - CVSS v3 Base Score: ***7.2*** 
+
+[**CVE-2023-20220**](https://nvd.nist.gov/vuln/detail/CVE-2023-20220) - CVSS v3 Base Score: ***7.2*** 
+
+[**CVE-2023-20095**](https://nvd.nist.gov/vuln/detail/CVE-2023-20095) - CVSS v3 Base Score: ***8.6*** 
+
+[**CVE-2023-20086**](https://nvd.nist.gov/vuln/detail/CVE-2023-20086) - CVSS v3 Base Score: ***8.6*** 
+
+## What is vulnerable?
+
+The vulnerability affects the following Cisco products:
+
+- [Cisco Firepower Management Center Software Command Injection Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-29MP49hN) affects Cisco Firepower Management Center product versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20048) 
+- [Cisco Identity Services Engine Command Injection Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-FceLP4xs) affects Cisco Identity Services Engine Software versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20175)  
+- [Cisco Identity Services Engine Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-FceLP4xs) affects Cisco Identity Services Engine Software versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20195)
+- [Cisco Firepower Threat Defense Software for Cisco Firepower 2100 Series Firewalls Inspection Rules Denial of Service Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-intrusion-dos-DfT7wyGC) affects Cisco Firepower Threat Defense Software versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20244)
+- [Cisco Firepower Threat Defense Software ICMPv6 with Snort 2 Denial of Service Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-icmpv6-dos-4eMkLuN) affects Cisco Firepower Threat Defense Software versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20083)
+- [Cisco Firepower Threat Defense Software and Firepower Management Center Software Code Injection Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fmc-code-inj-wSHrgz8L) affects Cisco Firepower Management Center versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20063)
+- [Cisco Firepower Management Center Software Log API Denial of Service Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-logview-dos-AYJdeX55) affects Cisco Firepower Management Center versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20155)
+- [Cisco Firepower Management Center Software Command Injection Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmdinj-bTEgufOX) affects Cisco Firepower Management Center versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20219) and [here](https://www.cve.org/CVERecord?id=CVE-2023-20220)
+- [Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Denial of Service Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-dos-3GhZQBAS) affects Cisco Adaptive Security Appliance (ASA) Software versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20095)
+- [Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software ICMPv6 Message Processing Denial of Service Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-icmpv6-t5TzqwNd) affects Cisco Adaptive Security Appliance (ASA) Software versions [as listed here](https://www.cve.org/CVERecord?id=CVE-2023-20086)
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- [CISA Alerts](https://www.cisa.gov/news-events/alerts/2023/11/03/cisco-releases-security-advisories-multiple-products)
+
+## Additional References
+
+- [Cisco security advisories](https://sec.cloudapps.cisco.com/security/center/publicationListing.x)

docs/advisories/20231106002-New-Microsoft-Exchange-zero-days-allow-RCE,-data-theft-attacks.md

@@ -0,0 +1,36 @@
+# New Microsoft Exchange zero-days allow RCE, data theft attacks - 20231106002
+
+## Overview
+
+Trend Micro has disclosed zero day vulnerabilities within Microsoft Exchange, which allows attackers to exploit and remotely execute arbitrary code or disclose sensitive information.
+
+## What is the vulnerability?
+
+Note: The vulnerabilities identified do not currently have any CVE's associated with them.
+
+-   [ZDI-23-1578](https://www.zerodayinitiative.com/advisories/ZDI-23-1578/) - CVSS v3 Base Score: ***7.5*** -- A remote code execution (RCE) flaw in the 'ChainedSerializationBinder' class, where user data isn't adequately validated, allowing attackers to deserialize untrusted data. Successful exploitation enables an attacker to execute arbitrary code as 'SYSTEM,' the highest level of privileges on Windows.
+-   [ZDI-23-1579](https://www.zerodayinitiative.com/advisories/ZDI-23-1579/) - CVSS v3 Base Score: ***7.1*** -- Located in the 'DownloadDataFromUri' method, this flaw is due to insufficient validation of a URI before resource access. Attackers can exploit it to access sensitive information from Exchange servers.
+-   [ZDI-23-1580](https://www.zerodayinitiative.com/advisories/ZDI-23-1580/) - CVSS v3 Base Score: ***7.1*** -- This vulnerability, in the 'DownloadDataFromOfficeMarketPlace' method, also stems from improper URI validation, potentially leading to unauthorized information disclosure.
+-   [ZDI-23-1581](https://www.zerodayinitiative.com/advisories/ZDI-23-1581/) - CVSS v3 Base Score: ***7.1*** -- Present in the CreateAttachmentFromUri method, this flaw resembles the previous bugs with inadequate URI validation, again, risking sensitive data exposure.
+
+## What is vulnerable?
+
+The vulnerability affects the following products:
+
+- Exchange
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- Microsoft has not released a fix for the issue(s) identified above. However, it is advised to update to the latest version of Exchange, and any future updates that may become available.
+
+#### Additional Details:
+-   Regarding ZDI-23-1578: Customers who have applied the August Security Updates are already protected.
+-   Regarding ZDI-23-1579: The technique described requires an attacker to have prior access to email credentials.
+-   Regarding ZDI-23-1580: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information.
+-   Regarding ZDI-23-1581: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege.
+
+## Additional References
+
+- [New Microsoft Exchange zero-days allow RCE, data theft attacks (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/)

docs/advisories/20231108001-Atlassian-Confluence-Data-Center-and-Server-Improper-Authorisation-Vulnerability.md

@@ -0,0 +1,38 @@
+# Atlassian Confluence Data Center and Server Improper Authorization Vulnerability - 20231108001
+
+## Overview
+
+Atlassian has released updates to Improper Authorization Vulnerability In Confluence Data Center and Server security article including the CVSS score and fixed versions.
+
+## What is the vulnerability?
+
+[**CVE-2023-22518**](https://nvd.nist.gov/vuln/detail/CVE-2023-22518) - CVSS v3 Base Score: ***10.0***
+
+## What is vulnerable?
+
+This Improper Authorization vulnerability ***affects all versions*** prior to the listed fix versions of Confluence Data Center and Server. Atlassian recommends patching to the fixed LTS version or later.
+
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+Atlassian recommends that you patch each of your affected installations to one of the listed fixed versions (or the latest version) below.
+
+| **Product**                       | **Fixed Versions**                          |
+|-----------------------------------|---------------------------------------------|
+| Confluence Data Center and Server | 7.19.16<br>8.3.4<br>8.4.4<br>8.5.3<br>8.6.1 |
+
+## Additional References
+
+- [Improper Authorization Vulnerability In Confluence Data Center and Server - 20231101002 - WASOC Advisory](./20231101002-Improper-Authorization-Vulnerability-In-Confluence-Data-Center-and-Server.md)
+
+- [CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server](https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html)
+
+- [[CONFSERVER-93142] Improper Authorization in Confluence Data Center and Server - CVE-2023-22518 - Create and track feature requests for Atlassian products.](https://jira.atlassian.com/browse/CONFSERVER-93142)
+
+- [NVD - CVE-2023-22518 (nist.gov)](https://nvd.nist.gov/vuln/detail/CVE-2023-22518)