Create Playbook from a Template
A template is a collection of Techniques that represent a campaign, an APT, or a type of attack. Starting a Playbook from a Template populates it with that set of Techniques, which can speed up the response to a well-known attack profile.
Featured Templates
The following templates represent high-visibility, ongoing cyber incidents being actively monitored by CISA Threat Hunting.
All Templates
Volt Typhoon
Link: Volt Typhoon on MITRE ATT&CK (group G1017)
Countermeasures for Techniques used by Volt Typhoon.

> Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. Volt Typhoon typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.
>
> - <https://attack.mitre.org/groups/G1017/>
SolarWinds Compromise
Link: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
Countermeasures aiding in recovery from the SolarWinds Orion Platform supply chain compromise.

> The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.
>
> In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes. The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.
>
> - <https://attack.mitre.org/campaigns/C0024/>
Active Directory Identity Remediation
Countermeasures aiding in the recovery from an Active Directory compromise, focused on the identity aspect of Active Directory together with other high-priority countermeasures. This template is intended to be edited so that it fits your environment and specifically targets the Threat Actor TTPs relevant to your compromise.
Active Directory General Remediation
The intended role of this template is to provide additional general guidance for Active Directory recovery. It includes a broad set of countermeasures to be applied after the Active Directory Identity template has been executed. This template is also intended to be edited so that it only includes countermeasures relevant to your environment and to the TTPs an adversary has carried out within it.
A Playbook is open
Using the "Create Playbook from a template" page requires that no Playbook is open, but a Playbook is still open.
A Playbook can be closed by going to the Review Playbook Page and choosing to close it. Make sure to export/save your playbook as JSON if you wish to load it later.