Adding new triage guides

Author: aring87

content/triage-guides/sentinel/collection/Data-Collection-from-Local-System.md

@@ -0,0 +1,98 @@
+# Triage Guide: Data Collection from Local System
+
+## Detection Title
+Data Collection from Local System
+
+## Detection ID
+dodea-sig-018-data-collection-from-local-system
+
+## Objective
+
+This detection identifies access to user data locations and common document types on the local system. It is intended to surface behavior that may indicate collection of sensitive files for staging, review, or later exfiltration.
+
+## Why It Matters
+
+Attackers commonly collect data from local systems before exfiltration. Targeted file types such as:
+- `.docx`
+- `.pdf`
+- `.xls`
+- `.csv`
+
+may indicate interest in business documents, reports, exports, or user-generated content.
+
+This detection is most meaningful when tied to suspicious process context or follow-on staging behavior.
+
+## Alert Logic Summary
+
+The rule looks for file activity in paths such as:
+- `C:\Users\`
+- `Desktop`
+- `Documents`
+
+and file types such as:
+- `.docx`
+- `.pdf`
+- `.xls`
+- `.csv`
+
+## Initial Triage Questions
+
+- Which process accessed the files?
+- Which user context was involved?
+- Was the file access normal for the user’s role?
+- Was this isolated file access or part of a broader pattern?
+- Were files later compressed, copied, or transferred?
+
+## Investigation Steps
+
+1. Review the affected device and user context.
+2. Review the file names, folders, and action types involved.
+3. Identify the initiating process if available in related telemetry.
+4. Determine whether the file access pattern aligns with:
+   - user productivity
+   - backup/indexing
+   - document search
+   - suspicious staging behavior
+5. Check for related behavior:
+   - archive creation
+   - cloud upload
+   - outbound network transfer
+   - removable media access
+6. Review whether the same process touched many files or multiple folders.
+
+## Common False Positives
+
+- legitimate user access to personal or work documents
+- indexing and search services
+- backup tools
+- anti-malware scanning
+- DLP or compliance tooling
+- file preview behavior in normal workflows
+
+## Escalation Guidance
+
+Escalate when:
+- a suspicious process accesses many document files
+- file access is followed by compression or outbound transfer
+- the user or host context is unusual
+- access occurs during off-hours or from suspicious sessions
+- the file access pattern is inconsistent with the user’s role
+
+## Recommended Enrichment
+
+- file access timeline
+- associated process telemetry
+- archive creation telemetry
+- outbound network activity
+- removable media usage
+- cloud application events
+- user role and host criticality
+
+## ATT&CK Mapping
+
+- Collection
+- T1005 – Data from Local System
+
+## Related Rule
+
+- `detections/sentinel/collection/data-collection-from-local-system.yml`

content/triage-guides/sentinel/collection/clipboard-data-collection.md

@@ -0,0 +1,95 @@
+# Triage Guide: Clipboard Data Collection
+
+## Detection Title
+Clipboard Data Collection
+
+## Detection ID
+SENT-COLL-0001
+
+## Objective
+
+This detection identifies command-line or PowerShell activity interacting with clipboard contents. This may indicate collection of copied data, credentials, tokens, or user-generated content from the local system.
+
+## Why It Matters
+
+Attackers may access clipboard data to capture:
+- copied passwords
+- MFA codes
+- wallet addresses
+- sensitive text copied from documents or portals
+- other user data staged in memory for quick access
+
+Clipboard access alone is not inherently malicious, but it becomes more concerning when combined with credential access, scripting, or outbound transfer behavior.
+
+## Alert Logic Summary
+
+The rule looks for:
+- `powershell.exe`
+- `pwsh.exe`
+- `cmd.exe`
+
+with command lines containing:
+- `Get-Clipboard`
+- `Set-Clipboard`
+- `clip.exe`
+
+## Initial Triage Questions
+
+- Who ran the command?
+- Was the user performing legitimate admin or scripting work?
+- Was the command interactive, scripted, or part of automation?
+- Did the same session show signs of credential access, staging, or exfiltration?
+- Is the host a normal workstation, admin jump box, or shared support system?
+
+## Investigation Steps
+
+1. Review the full process command line.
+2. Confirm the executing user and logon context.
+3. Identify the parent process.
+4. Determine whether the activity was initiated from:
+   - an interactive terminal
+   - a script
+   - a remote session
+   - an automation tool
+5. Check for related activity shortly before or after:
+   - archive creation
+   - file enumeration
+   - browser credential access
+   - outbound network connections
+6. Review whether the clipboard command was reading, overwriting, or piping data.
+
+## Common False Positives
+
+- benign PowerShell automation
+- help desk or support workflows
+- user productivity scripts
+- clipboard cleanup or formatting utilities
+- scripts that copy command output for administrative purposes
+
+## Escalation Guidance
+
+Escalate when:
+- clipboard access is paired with suspicious scripting or encoded commands
+- the affected user is privileged or high-value
+- clipboard access occurs near exfiltration, archiving, or credential-theft behavior
+- the parent process or execution context is suspicious
+- the user cannot explain the activity
+
+## Recommended Enrichment
+
+- process tree
+- user logon session context
+- parent and child processes
+- recent file access activity
+- recent network connections
+- related alerts on the same host
+- account privilege level
+
+## ATT&CK Mapping
+
+- Collection
+- T1115 – Clipboard Data
+
+## Related Rule
+
+- `detections/sentinel/collection/clipboard-data-collection.yml`

content/triage-guides/sentinel/collection/mass-file-enumeration-in-user-data-paths.md

@@ -0,0 +1,95 @@
+# Triage Guide: Mass File Enumeration in User Data Paths
+
+## Detection Title
+Mass File Enumeration in User Data Paths
+
+## Detection ID
+SENT-COLL-0002
+
+## Objective
+
+This detection identifies processes touching large numbers of files across user data paths within a short period. This may indicate data discovery, staging, or collection activity prior to archiving or exfiltration.
+
+## Why It Matters
+
+Large-scale file enumeration across:
+- user profiles
+- desktop folders
+- document folders
+- download directories
+
+can indicate an attempt to identify or collect valuable user data. While some legitimate tools do this, the behavior is important to review when tied to suspicious processes or timing.
+
+## Alert Logic Summary
+
+The rule looks for activity in paths such as:
+- `\Users\`
+- `\Desktop\`
+- `\Documents\`
+- `\Downloads\`
+
+It summarizes file touches over 15 minutes and alerts when:
+- file touches are high
+- multiple distinct user-data paths are involved
+
+## Initial Triage Questions
+
+- What process touched the files?
+- Is the process a known backup, indexing, or security tool?
+- Was the user performing normal file-management activity?
+- Did the process also create archives or stage files?
+- Is there outbound transfer behavior soon after?
+
+## Investigation Steps
+
+1. Identify the initiating process and account.
+2. Review the time window and total file-touch volume.
+3. Confirm whether the process is expected on the host.
+4. Determine whether the activity is:
+   - backup
+   - search indexing
+   - anti-malware scanning
+   - scripted file collection
+5. Review for related activity after enumeration:
+   - zip or archive creation
+   - cloud upload
+   - external network transfer
+   - copying to temporary or staging locations
+6. Check whether the same process touched sensitive departments, shared data, or multiple users’ folders.
+
+## Common False Positives
+
+- backup agents
+- indexing services
+- anti-malware or EDR scanning
+- administrative bulk file operations
+- migration or profile-copy utilities
+
+## Escalation Guidance
+
+Escalate when:
+- the process is unusual or unsigned
+- enumeration is followed by compression or transfer
+- the user context is suspicious
+- the process is script-based or attacker-adjacent
+- the host shows related discovery, collection, or exfiltration behavior
+
+## Recommended Enrichment
+
+- initiating process details
+- signer and file path of the process
+- parent process
+- archive creation events
+- outbound network telemetry
+- cloud application activity
+- recent alerts on the same host
+
+## ATT&CK Mapping
+
+- Collection
+- T1005 – Data from Local System
+- T1039 – Data from Network Shared Drive
+
+## Related Rule
+
+- `detections/sentinel/collection/mass-file-enumeration-in-user-data-paths.yml`

content/triage-guides/sentinel/collection/screen-capture-utility-execution.md

@@ -0,0 +1,91 @@
+# Triage Guide: Screen Capture Utility Execution
+
+## Detection Title
+Screen Capture Utility Execution
+
+## Detection ID
+SENT-COLL-0003
+
+## Objective
+
+This detection identifies execution of screenshot or screen-capture tools that may be used to collect visible user-session data, application contents, or on-screen credentials.
+
+## Why It Matters
+
+Screen capture can be used to collect:
+- user session details
+- visible documents
+- internal dashboards
+- chat contents
+- credentials or MFA prompts displayed on screen
+
+This behavior is not always malicious, but it becomes more significant when tied to remote access, credential theft, or exfiltration activity.
+
+## Alert Logic Summary
+
+The rule looks for execution of:
+- `snippingtool.exe`
+- `psr.exe`
+- `nircmd.exe`
+
+or command lines containing:
+- `screenshot`
+- `capturedesktop`
+- `screen capture`
+
+## Initial Triage Questions
+
+- Was the host being used for support or documentation?
+- Is the user known to take screenshots as part of their role?
+- Was the tool launched interactively or by script?
+- Were image files written to disk?
+- Was there follow-on staging or exfiltration behavior?
+
+## Investigation Steps
+
+1. Review the executing process and command line.
+2. Identify the user and session context.
+3. Determine whether the host was under support, training, or documentation activity.
+4. Review whether image or capture files were created and where.
+5. Check for related suspicious activity:
+   - remote access tools
+   - credential access
+   - archive creation
+   - outbound transfer
+6. Determine whether the tool is approved and expected in the environment.
+
+## Common False Positives
+
+- legitimate screenshots by users
+- IT support sessions
+- training or documentation creation
+- problem-step recording for troubleshooting
+- approved admin or automation tooling
+
+## Escalation Guidance
+
+Escalate when:
+- capture tools are launched by unusual parent processes
+- capture activity is scripted or hidden
+- images are staged for outbound transfer
+- the affected host or account is high-value
+- the activity is paired with credential access or remote-control behavior
+
+## Recommended Enrichment
+
+- process tree
+- written image or recording files
+- destination folders
+- recent outbound network activity
+- remote access tool presence
+- related alerts on the same host
+- user role and host sensitivity
+
+## ATT&CK Mapping
+
+- Collection
+- T1113 – Screen Capture
+
+## Related Rule
+
+- `detections/sentinel/collection/screen-capture-utility-execution.yml`