pbom-dev · forgedhallpass · Sep 25, 2024
diff --git a/content/docs/technique.md b/content/docs/technique.md
@@ -1,6 +1,6 @@
 ---
 title: "Technique"
-description: "Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary create a backdoor in third party software used within the organization's supply chain. Techniques may also represent “what” an adversary gains by
+description: "Techniques represent "how" an adversary achieves a tactical objective by performing an action. For example, an adversary create a backdoor in third party software used within the organization's supply chain. Techniques may also represent "what" an adversary gains by
 performing an action. This is a useful distinction for the Discovery tactic as the techniques highlight what type of information an adversary is after with a particular action. 
 
 Sub-techniques further break down behaviors described by techniques into more specific descriptions of how behavior is used to achieve an objective. For example, with backdoor added to third party code, the adversary would need to become a maintainer of the third party library or masquerade the backdoor within a potentially legitimate pull request.
@@ -23,7 +23,7 @@ summary: # REQUIRED - <key:value>
 description: # REQUIRED - <key:value> - supports markdown
 mitigations: # REQUIRED - <list> -reference to mitigation references
 detections: # REQUIRED - <list> - reference to detection definitions
-subtechinques: # OPTIONAL <list> - reference to TechIDs
+subTechniques: # OPTIONAL <list> - reference to techniqueIDs
 references: # OPTIONAL <list> - reference to attacks, articles, blogs etc...
 metadata:
   state: # REQUIRED <key:value> choose  draft or release
@@ -46,21 +46,19 @@ description: |
     Dependency confusion is a type of supply chain attack that occurs when an attacker exploits the way some package managers, such as npm and PyPI, resolve dependencies when installing software libraries.
     In a typical software development project, developers rely on a variety of external libraries, often referred to as dependencies, to build their applications. These libraries are typically stored in a remote repository, and developers use a package manager to install and manage them. An attacker will utilize prior knowledge of usage of dependencies (*Discover used open-source dependencies*) to upload a malicious package with the same name to a public repository. This might "confuse" package managers to use to public resource instead of the local one - thus executing or infecting the CI/CD. This can happen on the developer's machine or the build system and has the potential to further steps of an attack - for example, if the malicious code exfiltrate an access token to production environment
 
-mitigations:
-# reference to mitigation references
+mitigations: # reference to mitigation references
     - M1200
 
-detections: 
-# reference to detection defintitions
+detections: # reference to detection definitions
     - Detect rogue outgoing traffic from CI/CD system
 
-subtechinques:
-# reference to TechIDs
+subTechniques: # reference to techniqueIDs
     - 
 
-refrences:
+references:
     - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
     - https://pytorch.org/blog/compromised-nightly-dependency/
+
 metadata:
     version: 0.1
     state: draft
@@ -169,11 +167,11 @@ summary: Dependency Confusion
 **Sample Response:**
 
 ```YAML
-decription: |
+description: |
       Dependency confusion is a type of supply chain attack that occurs when an attacker exploits the way some package managers, such as npm and PyPI, resolve dependencies when installing software libraries.
 ```
 
-## mitigiations
+## mitigations
 
 **Type:** String (long text)\
 **Description:** a list of mitigation methods - please reference a mitigation id. \
@@ -196,7 +194,7 @@ detections:
   - D1200
 ```
 
-## subtechinques
+## subTechniques
 
 **Type:** array\
 **Description:** A list of all sub-techniques associated with the technique itself.\
@@ -205,7 +203,7 @@ detections:
 **Sample Response:**
 
 ```YAML
-subtechnique: 
+subTechnique: 
   - T1001
   - T1002
 ```
@@ -234,7 +232,7 @@ references:
 **Description:** state of document. The options are `draft` or `release`\
 **Field requirement:** <span style="color:#FF3A39;background-color:#FFF2F1">Mandatory</span>
 
-### metadata.versionte
+### metadata.version
 **Type:** String\
 **Description:** Version number\
 **Field requirement:** <span style="color:#39B55B; background-color:#EBF7EE;">Optional</span>

diff --git a/content/oscar/detections/D1120 - Implement source code scanning for credentials.yaml b/content/oscar/detections/D1120 - Implement source code scanning for credentials.yaml
@@ -4,7 +4,7 @@ summary: Implement source code scanning for credentials and tokens
 description: |
   Set up monitoring of reported issues based on regular credentials scanning results.
   Scan web applications for embedded secrets and credentials.
-  It is particularily important after deployment to a web endpoint that you scan that newly deployed app for secrets, credentials and other sensitive data. 
+  It is particularly important after deployment to a web endpoint that you scan that newly deployed app for secrets, credentials and other sensitive data. 
 
 references:
   - https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning

diff --git a/content/oscar/detections/D1262 - Implement vulnerability assesment.yaml b/content/oscar/detections/D1262 - Implement vulnerability assesment.yaml
@@ -1,6 +1,6 @@
 id: D1262
 type: Detection
-summary: Implement vulnerability assesment
+summary: Implement vulnerability assessment
 description: |
   Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. 
   It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.

diff --git a/content/oscar/mitigations/M1120 - Store credentials in vault.yaml b/content/oscar/mitigations/M1120 - Store credentials in vault.yaml
@@ -3,7 +3,7 @@ type: Mitigation
 summary: Store credentials in vault
 description: |
   Sensitive data like credentials and API tokens should not be stored directly in code. 
-  Modern applications talk to many third-party APIs, SaaS solutions and other dependecies. 
+  Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. 
   This integration usually requires an API token, username & password credential or other similar variable.  
   Sometimes these sensitive credentials include database host strings or hostnames.  
   All of these credentials should not be stored directly in code.   

diff --git a/content/oscar/mitigations/M1121 - Enable git hooks.yaml b/content/oscar/mitigations/M1121 - Enable git hooks.yaml
@@ -3,7 +3,7 @@ type: Mitigation
 summary: Enable git hooks to find source code related issues early
 description: |
   Enable git hooks to automate the scanning of source code before it is published via git commits.  
-  All Git implementations include a hooks directory inthe .git base directory.  
+  All Git implementations include a hooks directory in the .git base directory.  
   In that directory are several git automations called "hooks".  
   These hooks will automatically run scripts when certain actions happen.  
   The best example of this is the pre-commit hook that runs before a git commit is successful. 

diff --git a/content/oscar/mitigations/M1201 - Restrict egress traffic from CICD.yaml b/content/oscar/mitigations/M1201 - Restrict egress traffic from CICD.yaml
@@ -1,9 +1,9 @@
 id: M1201
 type: Mitigation
-summary: Restrict egresss traffic in CI/CD
+summary: Restrict egress traffic in CI/CD
 description: |
-  Restrict egress traffic from the build system to authorized destinations. This is pretty straightforward and a very feasble mitigation since a build system usually requires access to a very limited destinations.
-  Controlling the traffic has many benifits:
+  Restrict egress traffic from the build system to authorized destinations. This is pretty straightforward and a very feasible mitigation since a build system usually requires access to a very limited destinations.
+  Controlling the traffic has many benefits:
   1. Prevent exfiltration of sensitive information
   2. Block download of packages from unauthorized package repositories
   3. Block download of malware

diff --git a/content/oscar/mitigations/M1250 - Enable data encryption in transit.yaml b/content/oscar/mitigations/M1250 - Enable data encryption in transit.yaml
@@ -1,6 +1,6 @@
 id: M1250
 type: Mitigation
-summary: Enable data sencryption in transit
+summary: Enable data encryption in transit
 description: |
   Data encryption in transit is a critical security control in cloud computing that involves encrypting data as it moves between two points over a network or the internet. This is important to prevent data breaches, protect sensitive data, and comply with data privacy regulations. 
   Cloud service providers use various encryption protocols to establish a secure communication channel, and organizations should ensure that encryption is properly implemented and verified.

diff --git a/content/oscar/mitigations/M1501 - Require SBOM from all third-party suppliers.yaml b/content/oscar/mitigations/M1501 - Require SBOM from all third-party suppliers.yaml
@@ -4,7 +4,7 @@ summary: Require SBOM from all third-party suppliers
 description: |
   An SBOM for every third-party artifact helps to ensure an artifact is safe to use and fully compliant. 
   This file lists all important metadata, especially all the dependencies of an artifact, and allows for verification of each dependency. 
-  If one of the dependencies/artifacts is attacked or has a new vulnerability (e.g., the “SolarWinds” or even “log4j” attack), it is easier to detect what has been affected by this incident because dependencies in use are listed in the SBOM file
+  If one of the dependencies/artifacts is attacked or has a new vulnerability (e.g., the "SolarWinds" or even "log4j" attack), it is easier to detect what has been affected by this incident because dependencies in use are listed in the SBOM file.
 
 references:
   - https://snyk.io/blog/building-sbom-open-source-supply-chain-security/

diff --git a/content/oscar/stories/AS1 - Webmin 1.900 RCE.yaml b/content/oscar/stories/AS1 - Webmin 1.900 RCE.yaml
@@ -6,7 +6,7 @@ summary: Webmin 1.900 RCE
 description: |
         Webmin, a widely used server administration software, experienced a security incident where attackers introduced a backdoor into version 1.890. This backdoor allowed individuals with knowledge of it to execute commands with root privileges. Subsequent versions, 1.900 to 1.920, also contained a similar backdoor in the code, but it was not exploitable in a default Webmin installation. Only if an administrator had specifically enabled the "changing of expired passwords" feature in the Webmin Configuration ⇾ Authentication section, could it be utilized by an attacker. These vulnerabilities were not accidental flaws; rather, the Webmin source code was deliberately modified to include a concealed vulnerability.
 
-# Techinques used in attack
+# Techniques used in attack
 attacks:
   - attack: Webmin
     index: 1
@@ -23,7 +23,7 @@ attacks:
     - techniqueID: T0191
       techName:  Malicious Code In Artifacts
       tactic: Impact
-      comment: The attackers infected the webmin code with a backdoor that allowed remote code execution.
+      comment: The attackers infected the Webmin code with a backdoor that allowed remote code execution.
 
     - techniqueID: T0135
       tactic: Initial Access
@@ -35,8 +35,8 @@ attacks:
       tactic: Initial Access
       techName: Outdated Software Components
       comment: |
-              The webmin build server was apperantly explioitable and the attackers used this to repeat the attack. 
-              *"On September 10th 2018, the vulnerable build server was decomissioned and replaced with a newly installed server running CentOS 7. However, the build directory containing the modified file was copied across from backups made on the original server."*
+              The Webmin build server was apparently exploitable and the attackers used this to repeat the attack. 
+              "On September 10th 2018, the vulnerable build server was decommissioned and replaced with a newly installed server running CentOS 7. However, the build directory containing the modified file was copied across from backups made on the original server."
 
   - attack: Webmin Customers
     index: 2

diff --git a/content/oscar/stories/AS107 - Dependabot.yaml b/content/oscar/stories/AS107 - Dependabot.yaml
@@ -6,7 +6,7 @@ summary: Spoofed Dependabot
 description: |
     A large-scale attack targeted hundreds of GitHub repositories, involving malicious code commits designed to mimic "Dependabot," a standard GitHub tool. The attackers attempted to go unnoticed by impersonating this trusted tool.
 
-# Techinques used in attack
+# Techniques used in attack
 attacks:
   - attack: Github Repos
     index: 1
@@ -44,7 +44,7 @@ attacks:
         Attackers also infected Javascript files with a password stealing malware.
 
 
-  - attack: Users of code for inefected repoistories
+  - attack: Users of code for infected repositories
     index: 2
     stage: post-supply-chain
     customer: 1

diff --git a/content/oscar/stories/AS108 - JuiceStealer.yaml b/content/oscar/stories/AS108 - JuiceStealer.yaml
@@ -6,7 +6,7 @@ summary: JuiceStealer - PyPi Supply Chain Attack
 description: |
     The threat actor known as "JuiceLedger" orchestrated a large-scale attack on PyPi, the official Python package repository. This attack was multifaceted, targeting package maintainers by attempting to compromise their PyPi accounts. Additionally, the attacker engaged in TypoSquatting, uploading malicious packages to the repository
 
-# Techinques used in attack
+# Techniques used in attack
 attacks:
   - attack: PyPi package maintainers
     index: 1
@@ -36,7 +36,7 @@ attacks:
         Simultaneously with the phishing attempts, the same malware, JuiceStealer, was introduced into hundreds of Python packages, strategically designed to mimic legitimate packages
 
 
-  - attack: Users of code for inefected repoistories
+  - attack: Users of code for infected repositories
     index: 2
     stage: post-supply-chain
     customer: 1

diff --git a/content/oscar/stories/AS109 - Pytorch.yaml b/content/oscar/stories/AS109 - Pytorch.yaml
@@ -4,9 +4,9 @@ date: 2022-12
 
 summary: Pytorch Dependency Confusion
 description: |
-    PyTorch is a machine learning framework based on the Torch library. On December 2022, it was revealed that several builds were infected by malware that was designed to steal environment variables and files. This attack was facilitiated by using dependency confusion of the package "torchtriton" which PyTorch was consuming.
+    PyTorch is a machine learning framework based on the Torch library. On December 2022, it was revealed that several builds were infected by malware that was designed to steal environment variables and files. This attack was facilitated by using dependency confusion of the package "torchtriton" which PyTorch was consuming.
 
-# Techinques used in attack
+# Techniques used in attack
 attacks:
   - attack: Torchtriton package
     index: 1
@@ -18,7 +18,7 @@ attacks:
       techName: Dependency Confusion
       tactic: Initial Access
       comment: |
-        Torchtriron is a package that the Pytorch project is consuming. On December 2022, the package was altered to exfiltrate sensitive information. Later on, the person that performs this attack confessed anonymosly that it was done for research purposes and all the collected data was deleted.
+        Torchtriton is a package that the Pytorch project is consuming. On December 2022, the package was altered to exfiltrate sensitive information. Later on, the person that performs this attack confessed anonymously that it was done for research purposes and all the collected data was deleted.
 
 
 

diff --git a/content/oscar/stories/AS2 - 3CX Software.yaml b/content/oscar/stories/AS2 - 3CX Software.yaml
@@ -4,9 +4,9 @@ date: 2023-04
 
 summary: 3CX Desktop
 description: |
-        3CX is a VOIP software company with more than 600000 customers. In April 2023, the company was subject to an attack that infected their 3CX desktop software with malware. It is suspected to be a nation state attack carried out by North Korea. The attack was faciltiated by attacking the supply chain of a trading software company, Trading Technoloigies. 
+        3CX is a VOIP software company with more than 600000 customers. In April 2023, the company was subject to an attack that infected their 3CX desktop software with malware. It is suspected to be a nation state attack carried out by North Korea. The attack was facilitated by attacking the supply chain of a trading software company, Trading Technologies. 
 
-# Techinques used in attack
+# Techniques used in attack
 attacks:
   - attack: Trading Technologies
     index: 1
@@ -17,7 +17,7 @@ attacks:
     - techniqueID: T0191
       techName: Malicious Code In Artifacts
       tactic: Impact
-      comment: The attackers trojanized the softare X_TRADER. The software was digitally signed by "Trading Technologies" which strongly suggests that the firm's supply chain was breached.
+      comment: The attackers trojanized the software X_TRADER. The software was digitally signed by "Trading Technologies" which strongly suggests that the firm's supply chain was breached.
       links:
         https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
   - attack: 3CX
@@ -54,7 +54,7 @@ attacks:
       tactic: Credential Access
       techName: Harvesting Sensitive Information From Files
       comment: |
-              3CX used to save their application password unencrypted/unhashed in the file system. It is not clear if that was used as part of this attack, but the fact is that they released a new client that resolves this issue.
+              3CX used to save their application password unencrypted/un-hashed in the file system. It is not clear if that was used as part of this attack, but the fact is that they released a new client that resolves this issue.
 
     - techniqueID: T0176
       tactic: Defense Evasion

diff --git a/content/oscar/stories/AS3 - Codecov Bash Uploader.yaml b/content/oscar/stories/AS3 - Codecov Bash Uploader.yaml
@@ -6,7 +6,7 @@ summary: Codecov Breach
 description: |
         Codecov is a popular code coverage utility that is used as stem in the CI/CD of many companies.
 
-# Techinques used in attack
+# Techniques used in attack
 attacks:
   - attack: Codecov
     index: 1
@@ -22,7 +22,7 @@ attacks:
       - techniqueID: T0142
         techName: Accidental Public Disclosure Of Internal Resources
         tactic: Reconnaissance
-        comment: The git credentials was indeliberately saved in the public docker image
+        comment: The git credentials was in-deliberately saved in the public docker image
 
       - techniqueID: T0114
         techName: Compromised Service Account
@@ -32,7 +32,7 @@ attacks:
       - techniqueID: T0191
         techName: Malicious Code In Artifacts
         tactic: Impact
-        comment: The Bash Uploader script was modified to exfiltrate environnent variables of the running system
+        comment: The Bash Uploader script was modified to exfiltrate environment variables of the running system
 
   - attack: Codecov users
     index: 2
@@ -45,7 +45,7 @@ attacks:
         tactic: Execution
         techName: Command Injection
         comment: |
-                When the Codecov image was executed - the malicious implant in the Bash Uploader script exflitrated environment variable to the attacker controlled
+                When the Codecov image was executed - the malicious implant in the Bash Uploader script exfiltrated environment variable to the attacker controlled
 
       - techniqueID: T0122
         tactic: Initial Access