From e9f5585a9f50dbd01eb06bdc61a5b3ce19243b2c Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Fri, 6 May 2022 13:21:12 -0400
Subject: [PATCH] [Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
* updated content to reflect changes from Security Docs team
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_expect_binary.toml
* TOML linting
* added escape for crdential_access_spn_attribute_modified.toml
---
 rules/linux/execution_crash_binary.toml | 10 ++++----
 rules/linux/execution_env_binary.toml | 10 ++++----
 rules/linux/execution_expect_binary.toml | 10 ++++----
 rules/linux/execution_find_binary.toml | 8 +++----
 rules/linux/execution_flock_binary.toml | 8 +++----
 rules/linux/execution_gcc_binary.toml | 8 +++----
 rules/linux/execution_mysql_binary.toml | 10 ++++----
 rules/linux/execution_ssh_binary.toml | 13 ++++++-----
 rules/linux/execution_vi_binary.toml | 8 +++----
 ...l_access_moving_registry_hive_via_smb.toml | 11 +++++----
 ...dential_access_remote_sam_secretsdump.toml | 23 ++++++++++---------
 ...dential_access_spn_attribute_modified.toml | 20 ++++++++--------
 ...cious_winreg_access_via_sebackup_priv.toml | 18 +++++++--------
 ...evasion_workfolders_control_execution.toml | 16 ++++++-------
 14 files changed, 88 insertions(+), 85 deletions(-)
diff --git a/rules/linux/execution_crash_binary.toml b/rules/linux/execution_crash_binary.toml
index fc0f9598b..1ce3568a1 100644
--- a/rules/linux/execution_crash_binary.toml
+++ b/rules/linux/execution_crash_binary.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2022/03/21"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary crash abuse to break out from restricted environments by spawning an interactive system
-shell.The crash utility helps to analyze Linux crash dump data or a live system and the activity of spawing a shell is
-not a standard use of this binary by a user or system administrator. It indicates a potentially malicious actor
-attempting to improve the capabilities or stability of their access.
+Identifies Linux binary crash abuse to break out from restricted environments by spawning an interactive system shell.
+The crash utility helps analyze Linux crash dump data or a live system and the activity of spawning a shell is not a
+standard use of this binary by a user or system administrator. It indicates a potentially malicious actor attempting to
+improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_env_binary.toml b/rules/linux/execution_env_binary.toml
index a9aa85cf7..d4563ba11 100644
--- a/rules/linux/execution_env_binary.toml
+++ b/rules/linux/execution_env_binary.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.The
-env utility is a shell command for Unix like OS which is used to print a list of environment variables and the activity
-of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
-malicious actor attempting to improve the capabilities or stability of their access
+Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell. The
+env utility is a shell command for Unix-like operating systems and is used to print a list of environment variables. The
+activity of spawning a shell is not a standard use of this binary for a user or system administrator. It indicates a
+potentially malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_expect_binary.toml b/rules/linux/execution_expect_binary.toml
index d2bad64ec..3e698ecf0 100644
--- a/rules/linux/execution_expect_binary.toml
+++ b/rules/linux/execution_expect_binary.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell.
-The expect utility allows us to automate control of interactive applications such as telnet,ftp,ssh and others and the
-activity of spawning shell is not a standard use of this binary for a user or system administrator and could potentially
-indicate malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary expect command abuse to break out from restricted environments by spawning an interactive system
+shell. The expect utility allows us to automate control of interactive applications such as Telnet, FTP, SSH and others.
+The activity of spawning shell is not a standard use of this binary for a user or system administrator and could
+potentially indicate malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_find_binary.toml b/rules/linux/execution_find_binary.toml
index f45619325..d09e2498e 100644
--- a/rules/linux/execution_find_binary.toml
+++ b/rules/linux/execution_find_binary.toml
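Review bot: The rewritten expect description still carries two missing articles on its last two added lines, `The activity of spawning shell` and `could potentially indicate malicious actor`; they should read `The activity of spawning a shell` and `could potentially indicate a malicious actor`. The same `spawning shell` wording survives on the new side of the find, gcc, mysql and ssh hunks in this commit. The second added line also keeps `allows us to automate`, while the flock hunk in the same commit changed `allows us` to `allows users`; aligning the expect text keeps the rule descriptions consistent.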
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2022/02/28"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
-The find command in Unix is a command line utility for walking a file hirerarchy and the activity of spawning shell is
-not a standard use of this binary for a user or system administrator.It indicates a potentially malicious actor
-attempting to improve the capabilities or stability of their access.
+The find command in Unix is a command line utility for walking a file hierarchy. The activity of spawning shell is not a
+standard use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to
+improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_flock_binary.toml b/rules/linux/execution_flock_binary.toml
index 81dbaaa1a..19ed27e48 100644
--- a/rules/linux/execution_flock_binary.toml
+++ b/rules/linux/execution_flock_binary.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2022/03/22"
 maturity = "production"
-updated_date = "2022/03/22"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary flock abuse to break out from restricted environments by spawning an interactive system
-shell.The flock utility allows us to manage advisory file locks in shell scripts or on the command line and the activity
-of spawing a shell is not a standard use of this binary by a user or system administrator. It indicates a potentially
+Identifies Linux binary flock abuse to break out from restricted environments by spawning an interactive system shell.
+The flock utility allows users to manage advisory file locks in shell scripts or on the command line. The activity of
+spawning a shell is not a standard use of this binary by a user or system administrator. It indicates a potentially
 malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
diff --git a/rules/linux/execution_gcc_binary.toml b/rules/linux/execution_gcc_binary.toml
index 69c8d4b1e..d2b163a28 100644
--- a/rules/linux/execution_gcc_binary.toml
+++ b/rules/linux/execution_gcc_binary.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.The
-gcc utility is a complier system for various languages and mainly used to complie C and C++ programs and the activity of
-spawning shell is not a standard use of this binary for a user or system administrator.It indicates a potentially
+Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell. The
+gcc utility is a complier system for various languages and mainly used to compile C and C++ programs. The activity of
+spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
 malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
diff --git a/rules/linux/execution_mysql_binary.toml b/rules/linux/execution_mysql_binary.toml
index d1834fc22..cff334632 100644
--- a/rules/linux/execution_mysql_binary.toml
+++ b/rules/linux/execution_mysql_binary.toml
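Review bot: The second added description line keeps the misspelling `complier system` while fixing `complie` to `compile` on the very same line, so the rewrite leaves half the typo in place. It should read `gcc utility is a compiler system for various languages and mainly used to compile C and C++ programs. The activity of`.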
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.The
-MySQL is an open source relational database management system and the activity of spawning shell is not a standard use
-of this binary for a user or system administrator.It indicates a potentially malicious actor attempting to improve the
-capabilities or stability of their access.
+Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell. The
+MySQL server is an open source relational database management system. The activity of spawning shell is not a standard
+use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve
+the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_ssh_binary.toml b/rules/linux/execution_ssh_binary.toml
index dbd9d326b..b5038ccb3 100644
--- a/rules/linux/execution_ssh_binary.toml
+++ b/rules/linux/execution_ssh_binary.toml
@@ -1,21 +1,22 @@
 [metadata]
 creation_date = "2022/03/10"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.The
-ssh is a network protocol that gives users,particularly system administrators a secure way to access a computer over a
-network and the activity of spawning shell is not a standard use of this binary for a user or system administrator.It
-indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary SSH abuse to break out from restricted environments by spawning an interactive system shell. The
+SSH protocol is a network protocol that gives users, particularly system administrators, a secure way to access a
+computer over a network. The activity of spawning shell is not a standard use of this binary for a user or system
+administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
+access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Linux Restricted Shell Breakout via the ssh command"
+name = "Linux Restricted Shell Breakout via the SSH command"
 references = ["https://gtfobins.github.io/gtfobins/ssh/"]
 risk_score = 47
 rule_id = "97da359b-2b61-4a40-b2e4-8fc48cf7a294"
diff --git a/rules/linux/execution_vi_binary.toml b/rules/linux/execution_vi_binary.toml
index c3cc2b525..48838367b 100644
--- a/rules/linux/execution_vi_binary.toml
+++ b/rules/linux/execution_vi_binary.toml
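Review bot: The second added description line, `SSH protocol is a network protocol that gives users, ...`, is tautological and reads worse than the sentence it replaced. `SSH is a network protocol that gives users, particularly system administrators, a secure way to access a computer over a network.` says the same in fewer words and also shortens the paragraph back toward four lines. The third added line still lacks an article in `spawning shell`.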
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2022/03/03"
 maturity = "production"
-updated_date = "2022/03/24"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
-The vi/vim is the standard text editor in Linux distribution and the activity of spawning a shell is not a standard use
-of this binary by a user or system administrator and could potentially indicate malicious actor attempting to improve
-the capabilities or stability of their access."
+The vi/vim editor is the standard text editor in Linux distributions, and the activity of spawning a shell is not a
+standard use of this binary by a user or system administrator. This could potentially indicate a malicious actor
+attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index cd4846904..8de119ed8 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
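Review bot: The untouched first description line of execution_vi_binary.toml still says `Identifies Linux binary find abuse`, which looks copied from the find rule and names the wrong binary for this rule; the rewrite of the following three lines did not catch it. It should read `Identifies Linux binary vi abuse to break out from restricted environments by spawning an interactive system shell.` so the description agrees with the vi/vim sentence that follows.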
@@ -3,13 +3,14 @@ creation_date = "2022/02/16"
 maturity = "production"
 min_stack_comments = "File header bytes field populated until 7.15."
 min_stack_version = "7.15.0"
-updated_date = "2022/03/10"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate an
-exfiltration attempt of a previously dumped SAM registry hive for credential extraction on an attacker-controlled system.
+Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which
+may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential
+extraction on an attacker-controlled system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -21,7 +22,7 @@ note = """## Triage and analysis
 ### Investigating Windows Registry File Creation in SMB Share
 Dumping registry hives is a common way to access credential information. Some hives store credential material, as is the
-case for the SAM hive, which stores locally cached credentials (SAM Secrets), and the SECURITY hive, which stores domain
+case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain
 cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.
@@ -34,7 +35,7 @@ file on an SMB share, which may indicate this kind of exfiltration attempt.
 - Investigate other alerts related to the user/host in the last 48 hours.
 - Confirm whether the account owner is aware of the operation.
 - Examine command line logs for the period when the alert was triggered.
-- Capture the registry file(s) to scope the compromised credentials in an eventual Incident Response.
+- Capture the registry file(s) to scope the compromised credentials in an eventual incident response.
 ### False positive analysis
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 2f6726065..2e72504ab 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -3,13 +3,13 @@ creation_date = "2022/03/01"
 maturity = "production"
 min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
 min_stack_version = "7.15.0"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies remote access to the registry to potentially dump credential data from the SAM registry hive in preparation
-for credential access and privileges elevation.
+Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM)
+registry hive in preparation for credential access and privileges elevation.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
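Review bot: The second added description line of credential_access_remote_sam_secretsdump.toml still ends in `privileges elevation`, a non-standard phrase carried over from the old text; `privilege escalation` is the ATT&CK tactic name and the term analysts will search for. The last added description line of credential_access_suspicious_winreg_access_via_sebackup_priv.toml in this commit has the same wording and should be changed together with it.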
@@ -21,7 +21,7 @@ note = """## Triage and analysis
 ### Investigating Potential Remote Credential Access via Registry
 Dumping registry hives is a common way to access credential information. Some hives store credential material,
-such as the SAM hive, which stores locally cached credentials (SAM Secrets), and the SECURITY hive, which stores domain
+such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain
 cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.
@@ -33,7 +33,7 @@ credentials to access other systems in the domain.
 - Identify the target host role, involved account, and source host.
 - Determine the privileges assigned to any compromised accounts.
 - Investigate other alerts related to the involved user and source host in the last 48 hours.
-- Scope potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
+- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
 host.
 ### False positive analysis
@@ -55,7 +55,7 @@ be monitored by the security team.
 ## Config
-This rule uses Elastic Endpoint file creation and System Integration events for correlation. Both data should be
+This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be
 collected from the host for this detection to work. If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
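Review bot: Lowercasing `System Integration` to `system integration` in the Config section turns a product name into a generic phrase: the `logs-system.*` entry in this rule's `index` list is fed by the Elastic Agent System integration, and this sentence is the one place that tells operators which integration must be enabled for the correlation to work. Keep the proper noun, e.g. `This rule uses Elastic Endpoint file creation and System integration events for correlation. Both data should be`. The `(for example, 4624)` change in the -33 hunk also pushes that line past the 120-column wrap the rest of the note follows, so it may want rewrapping.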
@@ -81,29 +81,30 @@ sequence by host.id, user.id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-name = "OS Credential Dumping"
 id = "T1003"
+name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique.subtechnique]]
-name = "Security Account Manager"
 id = "T1003.002"
+name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
 [rule.threat.tactic]
-name = "Credential Access"
 id = "TA0006"
+name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-name = "Remote Services"
 id = "T1021"
+name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
 [rule.threat.tactic]
-name = "Lateral Movement"
 id = "TA0008"
+name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index af21d6563..0e36844da 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2022/02/22"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
 Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a
-user to configure SPNs so that they can perform Kerberoasting. Administrators can also configure this for legitimate
-purposes, exposing the account to Kerberoasting.
+user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also
+configure this for legitimate purposes, exposing the account to Kerberoasting.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*"]
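Review bot: The last added line of the credential_access_remote_sam_secretsdump.toml threat hunk is an empty line after the final `reference` key, which is why the hunk grows from 29 to 30 lines; the file then ends with a blank line rather than a single newline. The matching key-reorder hunk in credential_access_suspicious_winreg_access_via_sebackup_priv.toml adds no such line, so this one looks accidental and should be dropped to keep the lint pass uniform across the two files.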
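Review bot: The expanded acronym on the first added description line of credential_access_spn_attribute_modified.toml is misspelled: `Service Principle Names (SPNs)` should be `Service Principal Names (SPNs)`, matching the `servicePrincipalName` attribute named on the context line just above it. The line should read `user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. Administrators can also`.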
@@ -26,7 +26,7 @@ By default, only computer accounts have SPNs, which creates no significant risk,
 domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.
-A user account with an SPN assigned is considered a Service Account, and is accessible to the entire domain. If any
+A user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any
 user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.
@@ -77,7 +77,7 @@ DS Access > Audit Directory Service Changes (Success,Failure)
 ```
-The above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+The above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
 As this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.
 ```
@@ -107,16 +107,16 @@ and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+[[rule.threat.technique.subtechnique]]
+id = "T1558.003"
+name = "Kerberoasting"
+reference = "https://attack.mitre.org/techniques/T1558/003/"
+
- [[rule.threat.technique.subtechnique]]
- name = "Kerberoasting"
- id = "T1558.003"
- reference = "https://attack.mitre.org/techniques/T1558/003/"
 [rule.threat.tactic]
 id = "TA0006"
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index d0a3abfc8..bc48f88d2 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies remote access to the registry via an account with Backup Operators group membership. This may indicate an
-attempt to exfiltrate credentials via dumping the SAM registry hive in preparation for credential access and privileges
-elevation.
+Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an
+attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for
+credential access and privileges elevation.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*"]
@@ -64,30 +64,30 @@ sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-name = "OS Credential Dumping"
 id = "T1003"
+name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique.subtechnique]]
-name = "Security Account Manager"
 id = "T1003.002"
+name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
 [rule.threat.tactic]
-name = "Credential Access"
 id = "TA0006"
+name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-name = "Remote Services"
 id = "T1021"
+name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
 [rule.threat.tactic]
-name = "Lateral Movement"
 id = "TA0008"
+name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 7b05ad260..52dd84195 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/02"
 maturity = "production"
-updated_date = "2022/04/06"
+updated_date = "2022/04/29"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -13,14 +13,14 @@ from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Signed Proxy Execution via MS WorkFolders"
+name = "Signed Proxy Execution via MS Work Folders"
 note = """## Triage and analysis
-### Investigating Signed Proxy Execution via MS WorkFolders
+### Investigating Signed Proxy Execution via MS Work Folders
 Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When
-called, Work Folders will automatically execute any Portable Executable (PE) named `control.exe` as an argument before
+called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before
 accessing the synced share. Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and
@@ -30,7 +30,7 @@ increase privileges.
 - Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine if other child processes spawned during execution.
-- Trace the activity related to the `control.exe` binary to identify any continuing intrusion activity on the host.
+- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.
 - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default.
 - Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity
@@ -42,14 +42,14 @@ disk from a separate binary.
 ### False positive analysis
 - Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the
-instance where a suspicious `control.exe` is passed as an argument.
+instance where a suspicious control.exe is passed as an argument.
 ### Response and remediation
 - Initiate the incident response process based on the outcome of the triage.
 - Isolate the involved host to prevent further post-compromise behavior.
-- Review the Work Folders synced share to determine if the 'control.exe' was shared and if so remove it.
-- If no lateral movement was identified during investigation, take the effected host offline if possible and remove the
+- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.
+- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the
 control.exe binary as well as any additional artifacts identified during investigation.
 - Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.