From 274c0c50b06031829e8f33d06b6e4ccc354991d0 Mon Sep 17 00:00:00 2001 From: tiffb Date: Mon, 20 Nov 2023 12:53:47 -0600 Subject: [PATCH] Change caps to lowercase --- ...Mappings.png => build_sensor_mappings.png} | Bin docs/example_technique_mappings.rst | 55 ------------------ .../example_technique_mappings/CloudTrail.rst | 6 +- docs/example_technique_mappings/Linux.rst | 2 +- docs/example_technique_mappings/Network.rst | 2 +- docs/example_technique_mappings/Windows.rst | 4 +- docs/example_technique_mappings/index.rst | 10 ++-- docs/index.rst | 3 +- docs/methodology/index.rst | 4 +- docs/methodology/step2.rst | 6 +- docs/methodology/step3.rst | 6 +- 11 files changed, 20 insertions(+), 78 deletions(-) rename docs/_static/{BuildSensorMappings.png => build_sensor_mappings.png} (100%) delete mode 100644 docs/example_technique_mappings.rst diff --git a/docs/_static/BuildSensorMappings.png b/docs/_static/build_sensor_mappings.png similarity index 100% rename from docs/_static/BuildSensorMappings.png rename to docs/_static/build_sensor_mappings.png diff --git a/docs/example_technique_mappings.rst b/docs/example_technique_mappings.rst deleted file mode 100644 index 9148cc7..0000000 --- a/docs/example_technique_mappings.rst +++ /dev/null 
@@ -1,55 +0,0 @@ -Example Scenarios -================= - -Examples are provided to depict how these mappings can be used to get from Sensor Events to Data Sources to Techniques. -It should be stated up fron that there is no easy, one-to-one mapping from data source to technique. In addition, -not all events are created equal in regard to visibility of specific techniques, and two events with the same field -names can in fact represent different data. Some amount of analyst judgement is required and, whenever judgement is -involved, there can be differences in opinion. The mapping methodology and these examples are provided to demonstrate -the judgement and rationale to apply when identifying specific event visibility into techniques. - -.. toctree:: - - WinEx1 - WinEx2 - Linux - CldTrl1 - CldTrl2 - Network - -For example, both Access Token Manipulation (T1134) and Create or Modify System Process (T1543) include Process Creation. -However, as identified in the SMAP mappings, process creation includes Sysmon 1, WinEvtx 4688, and WinEvtx 4696. The first -assumption may be that Sysmon 1 and WinEvtx 4688 will potentially provide visbility of T1543 occurring in an environment, -but WinEvtx 4696 can be an additional detection for T1134. The full example walkthrough is provided below. - -Windows -------- - -T1543 Create or Modify System Process -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Our first scenario is to look into why WinEvtx 4696 is not a feasible detection for T1543: Create or Modify System Process. - -.. image:: _static/WinEx2.png - :width: 700 - -We start by asking ourselves, "**is there enough proof or evidence to say this system process was created or modified?**" - - -`Sysmon EID 1 `_ was a resounding "**Yes**". Sysmon EID 1 simply triggers when a new process is created, which (in this context) may be created during installation of new software or as part of automated, repeated execution of software such as services. 
This event's attributes provides very detailed information about the process and the process execution, which is enough to indicate that this technique could have occurred. - -`WinEvtx EID 4688 `_ -was a resounding "**Yes**". When a system process or a user opens an executable, Windows creates a process in which that executable runs. Hence, this event is generated every time a program is started or executed. All necessary details about the executed program, who the program ran as, and the process that started the process is provided by the event, which is enough evidence to indicate that this technique could have occurred. - -`WinEvtx EID 4696 `_ -was a "**Yes with a Caveat**". A primary token is an access token that is typically created only by the Windows kernel and is assigned to a process to represent the default security information for that process. This primary token is assigned to a process when the process is created, which is why this event falls under process creation. This event, however, will only be generated when a process (usually a service or a scheduled task) starts under the authority of a different user than the user who created the process. In other words, this event triggers every time a process runs using the non-current access token by changing the "Token Elevation Type", enforced by Window's User Account Control (UAC). - -**Caveat**: This event doesn’t generate when the process starts with the authority of the same user that created the process. For example, if a user with a "limited" (token with decreased privilege) Token Elevation Type (i.e., 3) creates a new process also with a "limited" Token Elevation Type, this event will not be generated. - -Type 3 is the normal value when UAC is enabled and a user simply starts a program from the Start Menu. It's a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. - -So, not only is all the information needed for the creation of the system process in WinEvtx 4688, including the primary token. But also WinEvtx is deprecated starting from Windows 7 and Windows 2008 R2. - - - - diff --git a/docs/example_technique_mappings/CloudTrail.rst b/docs/example_technique_mappings/CloudTrail.rst index 7e76981..6b4a172 100644 --- a/docs/example_technique_mappings/CloudTrail.rst +++ b/docs/example_technique_mappings/CloudTrail.rst @@ -2,7 +2,7 @@ CloudTrail Example Scenarios ============================ Both CloudTrail examples involve User Account data components. The first review the use of -User Account Modification to provide visbility into Account Manipulation (T1098), while the +User Account Modification to provide visibility into Account Manipulation (T1098), while the second considers User Account Metadata for detection of Password Policy Discovery (T1201) behavior. @@ -12,7 +12,7 @@ Account Manipulation (T1098) The following are the criteria considered for Account Manipulation (T1098). These were directly taken by reviewing the definition of the technique. -.. image:: _static/CldTrlEx1.png +.. image:: ../_static/cldtrlex1.png :width: 700 1. Looking at the event logs themselves, is this enough proof or evidence to determine @@ -70,7 +70,7 @@ Password Policy Discovery (T1201) The following are the criteria considered for Password Policy Discovery (T1201). These were directly taken by reviewing the definition of the technique. -.. image:: _static/CldTrlEx2.png +.. image:: ../_static/cldtrlex2.png :width: 700 1. Looking at the event logs themselves, is this enough proof or evidence to determine diff --git a/docs/example_technique_mappings/Linux.rst b/docs/example_technique_mappings/Linux.rst index c2fba0c..ce5b007 100644 
--- a/docs/example_technique_mappings/Linux.rst +++ b/docs/example_technique_mappings/Linux.rst @@ -11,7 +11,7 @@ This example explores Auditd events mapped to the User Account Creation data com their potential visibility into detecting activity associated with Create Local Account (T1136.001). -.. image:: _static/LinuxEx1.png +.. image:: ../_static/linuxex1.png :width: 700 1. Looking at the event logs, is this enough proof or evidence to determine that "a local diff --git a/docs/example_technique_mappings/Network.rst b/docs/example_technique_mappings/Network.rst index 2ba1f03..e40771e 100644 --- a/docs/example_technique_mappings/Network.rst +++ b/docs/example_technique_mappings/Network.rst @@ -14,7 +14,7 @@ and/or mining of information in a network managed Data from Configuration Reposi of Snmp_report, Ssl_plaintext_data, http_entity_data have been mapped to this data component under this project. -.. image:: _static/NetworkEx1.png +.. image:: ../_static/networkex1.png :width: 700 1. Looking at the events themselves, is this enough proof or evidence to determine "data is diff --git a/docs/example_technique_mappings/Windows.rst b/docs/example_technique_mappings/Windows.rst index 4568634..2e793f2 100644 --- a/docs/example_technique_mappings/Windows.rst +++ b/docs/example_technique_mappings/Windows.rst @@ -11,7 +11,7 @@ As identified in the SMAP mappings, process creation information can be collecte Sysmon 1, WinEvtx 4688, WinEvtx 4696. This first example walks through why WinEvtx 4696 may not be a feasible detection for Create or Modify System Process (T1543). -.. image:: _static/WinEx1.png +.. image:: ../_static/winex1.png :width: 700 1. Looking at the event logs themselves, is this enough proof or evidence to determine 
@@ -109,7 +109,7 @@ As identified in the SMAP mappings, Windows Registry key creation can be collect Sysmon 12 and WinEvtx 4657. This example walks through using these events to potentially provide detection for Create or Modify System Process (T1543). -.. image:: _static/WinEx2.png +.. image:: ../_static/winex2.png :width: 700 1. Looking at what the event logs themselves, is this enough proof or evidence to say diff --git a/docs/example_technique_mappings/index.rst b/docs/example_technique_mappings/index.rst index 3db813a..b934e0a 100644 --- a/docs/example_technique_mappings/index.rst +++ b/docs/example_technique_mappings/index.rst @@ -17,8 +17,8 @@ additonal customized considerations must also be given when looking to provide i .. toctree:: - Windows - Linux - CloudTrail - Network - + windows + linux + cloudtrail + network + diff --git a/docs/index.rst b/docs/index.rst index 1770b7e..7a12a9f 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -8,7 +8,6 @@ into real-world adversary behaviors potentially occurring in their environments. representions of information that can be collected to concrete logs, sensors, and other security capabilities that provide that type of data. - This project is created and maintained by `MITRE Engenuity Center for Threat-Informed Defense (Center) `_ and is funded by our `research participants `_, in futherance of our mission to advance the start of the art and the state of the practice in threat-informed defense globally. @@ -25,7 +24,7 @@ threat-informed decisions. methodology/index levels/index use_cases - example_technique_mappings + example_technique_mappings/index future_work changelog diff --git a/docs/methodology/index.rst b/docs/methodology/index.rst index 16b48d6..8b386a7 100644 --- a/docs/methodology/index.rst +++ b/docs/methodology/index.rst 
@@ -22,13 +22,11 @@ The Sensor Mappings to ATT&CK mapping methodology consists of the following step - **Definition Correlation** - For each identified event, understand the security capabilities it provides. - **Relationship Correlation** - Identify the ATT&CK Data Sources mappable to event IDs. - - .. toctree:: step1 step2 step3 -.. image:: _static/BuildSensorMappings.png +.. image:: ../_static/build_sensor_mappings.png :width: 700 diff --git a/docs/methodology/step2.rst b/docs/methodology/step2.rst index 7ce28cd..7936294 100644 --- a/docs/methodology/step2.rst +++ b/docs/methodology/step2.rst @@ -26,7 +26,7 @@ provided by this event includes the user account that requested the creation of executed a new process. This event also provides metadata that can help us to describe the data elements needed later on in Step 3 of this methodology. -.. image:: ../_static/MSDN_4688_Ex.png +.. image:: ../_static/msdn_4688_ex.png :width: 600 - The action that triggered the generation of this event was the creation of a new process (Activity). @@ -38,7 +38,7 @@ Correlate to ATT&CK Data Component Definition To correlate with ATT&CK, the `Data Source `_ pages provide definitions for each individual Data Source. -.. image:: ../_static/ATTACK_Ex_PC.png +.. image:: ../_static/attack_ex_pc.png :width: 600 For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**. Through key word review, it @@ -48,5 +48,5 @@ ATT&CK Data Component. A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and WinEvtx 4696. The image below shows that the definitions all have some correlation with either starting or executing a process. -.. image:: ../_static/DefinitionCorrelation_Ex.png +.. image:: ../_static/definitioncorrelation_Ex.png :width: 700 \ No newline at end of file diff --git a/docs/methodology/step3.rst b/docs/methodology/step3.rst index 9128b73..0e4d8f9 100644 --- a/docs/methodology/step3.rst +++ b/docs/methodology/step3.rst 
@@ -12,7 +12,7 @@ As mentioned in Step 2, `Event ID 4688: A new process has been created `_ at their ATT&CKcon 2018 and 2019 presentation, the activity of the
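Review bot: The lowercased image paths in the CloudTrail.rst, Linux.rst, Network.rst, Windows.rst and step2.rst hunks point at files this patch does not rename: the diffstat records a single rename (`BuildSensorMappings.png` to `build_sensor_mappings.png`), so `../_static/cldtrlex1.png`, `cldtrlex2.png`, `linuxex1.png`, `networkex1.png`, `winex1.png`, `winex2.png`, `msdn_4688_ex.png` and `attack_ex_pc.png` will not resolve on a case-sensitive filesystem (the usual case for a Linux docs build) even if the pages appear fine on Windows or macOS. Rename each image with `git mv` in the same commit so the rename appears in the diff, or keep the original filenames in the `.. image::` directives.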
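Review bot: `../_static/definitioncorrelation_Ex.png` in the last step2.rst hunk keeps an uppercase `E`, which contradicts the commit's intent and is exactly the mismatch a case-insensitive filesystem hides; change it to `definitioncorrelation_ex.png` and rename the file to match. The `\ No newline at end of file` marker shows step2.rst still has no trailing newline; adding one now avoids a spurious diff the next time that line is touched.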
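Review bot: The toctree in example_technique_mappings/index.rst now lists `windows`, `linux`, `cloudtrail` and `network`, but the documents touched by this same patch are still `Windows.rst`, `Linux.rst`, `CloudTrail.rst` and `Network.rst` (see their `diff --git` headers), so on a case-sensitive system Sphinx will report a toctree reference to a nonexisting document and the four example pages drop out of the navigation. Either rename the four files or restore the original capitalisation in the toctree. The unchanged context line above the toctree also carries the typo `additonal`.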
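Review bot: The first docs/index.rst hunk deletes a blank line between the paragraph ending "provide that type of data." and the one beginning "This project is created and maintained"; if that was the only blank line, reStructuredText merges the two into a single paragraph, so confirm one empty line survives. The surrounding context lines also show "representions", "futherance" and "start of the art" (presumably "state of the art"), worth fixing while this file is open.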
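Review bot: The methodology/index.rst hunk removes two lines between the last bullet ("**Relationship Correlation**") and `.. toctree::`; a bullet list needs at least one blank line before a following directive, otherwise docutils warns that the list ends without a blank line (unexpected unindent), so check that exactly one empty line remains between the list and the toctree.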