diff --git a/data/en/artifacts/A_2001_web_application_server/A_2001_web_application_server.yml b/data/en/artifacts/A_2001_web_application_server/A_2001_web_application_server.yml new file mode 100644 index 00000000..4bdf6cf1 --- /dev/null +++ b/data/en/artifacts/A_2001_web_application_server/A_2001_web_application_server.yml @@ -0,0 +1,12 @@ +title: Web application server +id: A2001 +description: This artifact describes web application server entity +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/10 +modification_date: 2023/07/10 +references: + - https://d3fend.mitre.org/dao/artifact/d3f:WebApplicationServer/ +mapping: + - d3f:WebApplicationServer +extended_description: | + A web application server is a web server that hosts applications. Application server frameworks are software frameworks for building application servers. An application server framework provides both facilities to create web applications and a server environment to run them. In the case of Java application servers, the server behaves like an extended virtual machine for running applications, transparently handling connections to the database on one side, and, often, connections to the Web client on the other. \ No newline at end of file diff --git a/data/en/artifacts/A_2002_web_server/A_2002_web_server.yml b/data/en/artifacts/A_2002_web_server/A_2002_web_server.yml new file mode 100644 index 00000000..a6b7af90 --- /dev/null +++ b/data/en/artifacts/A_2002_web_server/A_2002_web_server.yml 
@@ -0,0 +1,15 @@ +title: Web server +id: A2002 +description: This artifact describes web server entity +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/10 +modification_date: 2023/07/10 +references: + - https://d3fend.mitre.org/dao/artifact/d3f:WebServer/ +mapping: + - d3f:WebServer +extended_description: | + A web server is server software, or hardware dedicated to running this software, that can satisfy client requests on the World Wide Web. + A web server can, in general, contain one or more websites. A web server processes incoming network requests over HTTP and several other related protocols. + While the major function is to serve content, a full implementation of HTTP also includes ways of receiving content from clients. + This feature is used for submitting web forms, including uploading of files. \ No newline at end of file diff --git a/data/en/artifacts/A_2003_web_script_file/A_2003_web_script_file.yml b/data/en/artifacts/A_2003_web_script_file/A_2003_web_script_file.yml new file mode 100644 index 00000000..07a145db --- /dev/null +++ b/data/en/artifacts/A_2003_web_script_file/A_2003_web_script_file.yml @@ -0,0 +1,12 @@ +title: Web script file +id: A2003 +description: This artifact describes web script file entity +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/10 +modification_date: 2023/07/10 +references: + - https://d3fend.mitre.org/dao/artifact/d3f:WebScriptFile/ +mapping: + - d3f:WebScriptFile +extended_description: | + A file containing a script in a web-scripting programming language. Web scripts may be present and run on the client or on the server side. \ No newline at end of file diff --git a/data/en/response_actions/RA_2010_ensure_successful_attack/RA_2010_ensure_successful_attack.yml b/data/en/response_actions/RA_2010_ensure_successful_attack/RA_2010_ensure_successful_attack.yml new file mode 100644 index 00000000..b818260a --- /dev/null 
+++ b/data/en/response_actions/RA_2010_ensure_successful_attack/RA_2010_ensure_successful_attack.yml @@ -0,0 +1,12 @@ +title: RA_2010_ensure_successful_attack +id: RA2010 +description: > + Verify that the attack was successful +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +stage: identification +references: + - https://github.com/sroberts/awesome-iocs + - https://www.cve.org/ +extended_description: | + Verify that the attack was successful. To do this, use the official reports on a specific attack and its IOCs. diff --git a/data/en/response_actions/RA_2321_scan_on_suspicious_files/RA_2321_scan_on_suspicious_files.yml b/data/en/response_actions/RA_2321_scan_on_suspicious_files/RA_2321_scan_on_suspicious_files.yml new file mode 100644 index 00000000..39075909 --- /dev/null +++ b/data/en/response_actions/RA_2321_scan_on_suspicious_files/RA_2321_scan_on_suspicious_files.yml @@ -0,0 +1,16 @@ +title: RA_2321_scan_on_suspicious_files +id: RA2321 +description: > + Scan file system for suspicious files(created or modified) +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +stage: identification +automation: + - antivirus + - EDR +references: + - https://github.com/sroberts/awesome-iocs +extended_description: | + Scan file system for suspicious files(created or modified). Often these are files that should not be there (in the standard delivery of the system) where they are. + In the case of a web server, check that there are no extraneous files in directories that have external access. To successfully search for suspicious files, use databases of known IOCs (see references for example). + Also, some systems (such as content management systems) have functionality to scan for suspicious files. 
diff --git a/data/en/response_actions/RA_3002_restrict_access_to_vulnerable_components/RA_3002_restrict_access_to_vulnerable_components.yml b/data/en/response_actions/RA_3002_restrict_access_to_vulnerable_components/RA_3002_restrict_access_to_vulnerable_components.yml new file mode 100644 index 00000000..975db860 --- /dev/null +++ b/data/en/response_actions/RA_3002_restrict_access_to_vulnerable_components/RA_3002_restrict_access_to_vulnerable_components.yml @@ -0,0 +1,12 @@ +title: RA_3002_restrict_access_to_vulnerable_components +id: RA3002 +description: > + Restrict access to vulnerable components +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +stage: containment +automation: + - firewall + - EDR +extended_description: | + If at the moment it is not possible to update/disable the system or there are no updates yet, restrict access to vulnerable components. Review the vulnerability description and recommended mitigation measures. diff --git a/data/en/response_actions/RA_4003_clear_backup_copy/RA_4003_clear_backup_copy.yml b/data/en/response_actions/RA_4003_clear_backup_copy/RA_4003_clear_backup_copy.yml new file mode 100644 index 00000000..30c38c7a --- /dev/null +++ b/data/en/response_actions/RA_4003_clear_backup_copy/RA_4003_clear_backup_copy.yml @@ -0,0 +1,9 @@ +title: RA_4003_clear_backup_copy +id: RA4003 +description: > + Clear backup copy +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +stage: eradication +extended_description: | + Before restoring data from a backup, check that it is not infected and eradicate malicious data. diff --git a/data/en/response_actions/RA_4004_update_sensitive_data/RA_4004_update_sensitive_data.yml b/data/en/response_actions/RA_4004_update_sensitive_data/RA_4004_update_sensitive_data.yml new file mode 100644 index 00000000..e89d729d --- /dev/null +++ b/data/en/response_actions/RA_4004_update_sensitive_data/RA_4004_update_sensitive_data.yml 
@@ -0,0 +1,9 @@ +title: RA_4004_update_sensitive_data +id: RA4004 +description: > + Update sensitive data +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +stage: eradication +extended_description: | + Attackers can change or read some sensitive data (passwords, database keys, etc.). This is usually done to persisted in the system. Update any sensitive data that has been read or modified. diff --git a/data/en/response_actions/RA_4401_kill_process/RA_4401_kill_process.yml b/data/en/response_actions/RA_4401_kill_process/RA_4401_kill_process.yml new file mode 100644 index 00000000..a50b0192 --- /dev/null +++ b/data/en/response_actions/RA_4401_kill_process/RA_4401_kill_process.yml @@ -0,0 +1,11 @@ +title: RA_4401_kill_process +id: RA4401 +description: > + Kill the process +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +stage: eradication +automation: + - EDR +extended_description: | + Kill process. To do this, use the operating system tools or Endpoint Detection & Response(EDR) solutions diff --git a/data/en/response_actions/RA_5003_check_service_on_correct_work/RA_5003_check_service_on_correct_work.yml b/data/en/response_actions/RA_5003_check_service_on_correct_work/RA_5003_check_service_on_correct_work.yml new file mode 100644 index 00000000..2c76c2c2 --- /dev/null +++ b/data/en/response_actions/RA_5003_check_service_on_correct_work/RA_5003_check_service_on_correct_work.yml @@ -0,0 +1,9 @@ +title: RA_5003_check_service_on_correct_work +id: RA5003 +description: > + Check service on correct work +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +stage: eradication +extended_description: | + After containing and eradicating, check the resource for correct operation 
diff --git a/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/RAI_2321_0001_bitrix_scan_on_suspicious_files.yml b/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/RAI_2321_0001_bitrix_scan_on_suspicious_files.yml new file mode 100644 index 00000000..d2f98829 --- /dev/null +++ b/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/RAI_2321_0001_bitrix_scan_on_suspicious_files.yml @@ -0,0 +1,30 @@ +title: Bitrix scan on suspicious files +id: RAI2321_0001 +description: Scan on suspicious files using bitrix +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/14 +modification_date: 2023/07/14 +linked_response_actions: RA2321 +tags: + - CMS +linked_software: + - S3004 +linked_artifacts: + - A3002 +requirements: + software: + means_of_action: + - ID: S3004 + cpe-fs: 'cpe:2.3:a:bitrix:bitrix_site_manager:-:*:*:*:*:*:*:*' + targets_of_action: +extended_description: | + To search for suspicious files in the system, use the bitrix.xscan Bitrix module. + This is a graphical tool for finding suspicious files. As input, it takes the initial path from which the scan will begin. + + Directory scan example: + Directory scan + + An example of outputting the contents of a suspicious file: + Suspicious file content + + [bitrix.xscan](https://marketplace.1c-bitrix.ru/solutions/bitrix.xscan/) diff --git a/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/bitrix1.png b/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/bitrix1.png new file mode 100644 index 00000000..c366c978 Binary files /dev/null and b/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/bitrix1.png differ 
diff --git a/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/bitrix2.png b/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/bitrix2.png new file mode 100644 index 00000000..abb041f8 Binary files /dev/null and b/data/en/response_actions_implementations/RAI_2321_0001_bitrix_scan_on_suspicious_files/bitrix2.png differ diff --git a/data/en/response_actions_implementations/RAI_2402_0001_linux_find_process_by_executable_path/RAI_2402_0001_linux_find_process_by_executable_path.yml b/data/en/response_actions_implementations/RAI_2402_0001_linux_find_process_by_executable_path/RAI_2402_0001_linux_find_process_by_executable_path.yml new file mode 100644 index 00000000..7d5cfaf3 --- /dev/null +++ b/data/en/response_actions_implementations/RAI_2402_0001_linux_find_process_by_executable_path/RAI_2402_0001_linux_find_process_by_executable_path.yml @@ -0,0 +1,28 @@ +title: Find process via Linux +id: RAI2402_0001 +description: Find process by executable path via Linux standard command line utilities +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/14 +modification_date: 2023/07/14 +linked_response_actions: RA2402 +tags: + - linux +linked_software: + - S0100 +linked_artifacts: + - A3002 +requirements: + software: + means_of_action: + - ID: S0100 + cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*' + targets_of_action: +extended_description: | + To search for a process by its executable path, we can use standard Linux utilities such as **ps** and **grep**. + For example, if we need to find all processes whose path contains 'php' we can use the following command: + + ``` ps aux | grep 'php' ``` + + To display only the PID of the found processes, we can use the utility **awk**: + + ``` ps aux | grep 'php' | awk '{print $2}'``` \ No newline at end of file 
diff --git a/data/en/response_actions_implementations/RAI_4301_0003_linux_delete_file/RAI_4301_0003_linux_delete_file.yml b/data/en/response_actions_implementations/RAI_4301_0003_linux_delete_file/RAI_4301_0003_linux_delete_file.yml new file mode 100644 index 00000000..848746dd --- /dev/null +++ b/data/en/response_actions_implementations/RAI_4301_0003_linux_delete_file/RAI_4301_0003_linux_delete_file.yml @@ -0,0 +1,37 @@ +title: Deleting a file using standard Linux utilities +id: RAI4301_0003 +description: Removing a file from Linux using standard Linux utilities +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/14 +modification_date: 2023/07/14 +linked_software: + - S0100 +linked_response_actions: RA4301 +tags: + - linux +linked_artifacts: + - A3002 +requirements: + software: + means_of_action: + - ID: S0100 + cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*' + targets_of_action: + - ID: S0100 + cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*' +extended_description: | + To delete the file in Linux system we can use standard utilities such as **rm** + For example we have the file with path: /home/user/test.txt + + To delete the file use below command. + ``` + rm '/hone/user/test.txt' + ``` + + We can also delete a file by its hash using utilities such as **rm**, **find**, **md5sum**, **xargs**, **grep** and **awk** + For example, we have a file with md5 hash '62e0eeb44c135199947b619de59dc640' in the directory /home/user/test + + To delete the file use below command. + ``` + find /home/user/test -type f -print | xargs md5sum | grep '62e0eeb44c135199947b619de59dc640' | awk '{print $2}' | xargs rm + ``` \ No newline at end of file diff --git a/data/en/response_actions_implementations/RAI_4401_0001_linux_kill_process/RAI_4401_0001_linux_kill_process.yml b/data/en/response_actions_implementations/RAI_4401_0001_linux_kill_process/RAI_4401_0001_linux_kill_process.yml new file mode 100644 index 00000000..cf50241f --- /dev/null 
+++ b/data/en/response_actions_implementations/RAI_4401_0001_linux_kill_process/RAI_4401_0001_linux_kill_process.yml @@ -0,0 +1,37 @@ +title: Killing a process using standard Linux utilities +id: RAI4401_0001 +description: Killing a process in Linux using standard Linux utilities +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/14 +modification_date: 2023/07/14 +linked_software: + - S0100 +linked_response_actions: RA4401 +tags: + - linux +linked_artifacts: + - A4001 +requirements: + software: + means_of_action: + - ID: S0100 + cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*' + targets_of_action: + - ID: S0100 + cpe-fs: 'cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*' +extended_description: | + To kill the process in Linux system we can use standard utilities such as **kill** + For example we have a process with name proc and with process ID 123 + + To kill a process use below command. + ``` + kill 123 + ``` + + To kill a process that is listening on port 22 we can use standard utilities such as **fuser** + For example we have a process that is listening on tcp port 22 + + To kill a process use below command. + ``` + fuser -k 22/tcp + ``` \ No newline at end of file diff --git a/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/RP0011.png b/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/RP0011.png new file mode 100644 index 00000000..de1e4dcb Binary files /dev/null and b/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/RP0011.png differ diff --git a/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/RP_0011_bitrix_remote_code_execution_exploitation.yml b/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/RP_0011_bitrix_remote_code_execution_exploitation.yml new file mode 100644 index 00000000..d4a16aeb --- /dev/null 
+++ b/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/RP_0011_bitrix_remote_code_execution_exploitation.yml 
@@ -0,0 +1,209 @@ +title: Bitrix remote code execution exploitation +description: Response playbook for "Bitrix remote code execution exploitation" attack +id: RP0011 +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/10 +modification_date: 2023/07/11 +linked_artifacts: + - A3002 + - A4001 + - A1008 + - A1007 + - A2001 + - A2002 +tags: + - status.stable + - severity.high + - tlp.amber + - pap.white + - bitrix +preparation: + - RP_1001_operational_preparations +identification: + - RA_2008_prepare_iocs_list + - RA_2321_scan_on_suspicious_files + - RA_2010_ensure_successful_attack + - RA_2009_scan_with_iocs_and_rules + - RA_2302_list_files_modified + - RA_2402_find_process_by_executable_path +containment: + - RA_3001_patch_vulnerability + - RA_3002_restrict_access_to_vulnerable_components +eradication: + - RA_4301_remove_file + - RP_1005_eradication_of_persisting_on_linux_host + - RA_4401_kill_process + - RA_4003_clear_backup_copy + - RA_4004_update_sensitive_data +recovery: + - RA_5002_restore_data_from_backup + - RA_5003_check_service_on_correct_work +lessons_learned: + - RA_6001_develop_incident_report + - RA_6002_conduct_lessons_learned_exercise + +extended_description: | + Attackers can exploiting vulnerabilities in bitrix CMS for remote code execution on server. After that, they can carry out attacks within the network. When responding to this incident, it is important to check for known IOCs, as well as pay attention to suspicious files that are not in the standard distribution. +workflow: | + WORKFLOW + + ### Finding IOCs + + | File name | Directory | Command for find | + | --------- | --------- | ---------------- | + | *xmlrpcs.php* | Various directories are used | *find ./ -name xmlrpcs.php* | + | *inputs.php* | Various directories are used | *find ./ -name inputs.php* (note that /bitrix/modules/sale/lib/delivery/inputs.php is a legitimate file) | + | *l.php* | /bitrix/src/app/ | find ./ -name l.php | + | */bitrix/tools/spread.php* | /bitrix/tools/
/bitrix/ | | + | *access.php*
*wp.php*
*temp.php*
*locale.php*
*themes.php*
*network.php*
*container.php*
*router.php*
*wp-login.php* | | | + | /bitrix/tools/send_trait_imap.php | | | + | /bitrix/tools/.cas.php
/bitrix/tools/.cas.tmp.php | | | + + Pay attention to all files with a non-dictionary, randomly generated name from the character set [a-z, 0-9] in the /bitrix/admin/ directory and in the root directory of the site. + Some identified files: + + 1. */bitrix/admin/f408f2b7df70.php* + 2. */bitrix/admin/8f1c222aae51.php* + 3. */2469a41bac71.php* + 4. */98826/bfd99.php* + + ### Identification + + #### 1 Checking by means of bitrix.xscan + Install bitrix.xscan from bitrix marketplace and start scanning. To do this, open the panel site management and go to the next tab: *"Настройки" -> bitrix.xscan -> "Поиск и поиск(бета)"* + The module will scan the entire site and display the identified suspicious files. + #### 2 Checking the access logs to the web server + Check the fact of successful exploitation CVE-2022-27228. Search command example:
+ ``` grep -E 'POST /bitrix/tools/(html_editor_action.php)|(vote/uf.php)' /var/log/www.access.log* | grep '200' ```
+ Similarly check requests for files from the finding IOCs section with code 200. + Similarly, check for POST requests with a 200 response code containing the lines: + + - bitrixxx + - BX_STAT + - BX_TOKEN + - == + + For 'BX_STAT' search it is better to use regular expression: 'BX_STAT[^E]' because the 'BX_STATE' argument is used by default in legitimate files. + #### 3 Search for new malicious files + Check for atypical files (including those from the finding IOCs section) + #### 4 Search for modified files + In addition to creating new files, attackers can make changes to existing files in order to inject malicious code. To do this, check for the presence of fragments of the following lines in the source code of the application: + + - str_rot13 + - md5($_COOKIE + - bitrixxx + - eval(base64_decode + - BX_STAT + - BX_TOKEN + - parse_str(hex2bin + - iasfgjlzcb + - QlhfVE9LRU4= + - gzinflate(base64_decode + - C.A.S + - urldecode(base64_decode(hex2bin + + The following files must be excluded from the search results for the string "str_rot13": + + - /bitrix/modules/main/classes/general/vuln_scanner.php + - /bitrix/modules/main/lib/search/content.php + - /bitrix/modules/socialnetwork/lib/item/logindex.php + + because they use the "str_rot13()" function by default + + An example of a command to search for suspicious files:
+ ```grep -Er 'str_rot13|md5\(\$_COOKIE|bitrixxx|eval\(base64_decode|BX_STAT[^E]|BX_TOKEN|parse_str\(hex2bin|iasfgjlzcb|QlhfVE9LRU4=|gzinflate\(base64_decode|C\.A\.S|urldecode\(base64_decode\(hex2bin' /*``` + + Known files where malicious code is embedded: + + - /bitrix/modules/main/include/prolog_after.php + - /bitrix/admin/security_file_verifier.php + - /bitrix/modules/main/bx_root.php + + It should be noted that it is worth looking not only for application files (.php), as attackers also use the technique of writing the “.htaccess” file to change the web server configuration. + #### 5 Find persistence points + - Check ways to persist access to the host. For example, the presence of illegitimate tasks in the cron task scheduler and other methods (for more details, see [Eradication of persisting on linux host response playbook](/response_playbooks/RP_1005_eradication_of_persisting_on_linux_host/entity) + - On the page with the list of Bitrix Agents (/bitrix/admin/agent_list.php), check the called functions for malicious code. To do this, open the site control panel and go to the following tab: + *"Настройки" > "Настройки продукта" > "Агенты"* + + The name of the Agent can be anything, but most likely the malicious Agent will be visually visible. You can also see the presence of the eval() function, which agents should not contain: + Agents + + + ### Containment + + If it is not possible to update the CMS to the latest version, you can block POST requests to vulnerable files. Several options for how to do this: + + #### 1. 
Modifying web application files + For each site, you need to modify the following files: + + - /bitrix/tools/upload.php + - /bitrix/tools/mail_entry.php + - /bitrix/modules/main/include/virtual_file_system.php + - /bitrix/components/bitrix/sender.mail.editor/ajax.php + - /bitrix/tools/vote/uf.php + - /bitrix/tools/html_editor_action.php + - /bitrix/admin/site_checker.php + + Before the "require_once" function, add the following code: + ``` + if ($_SERVER['REQUEST_METHOD'] === 'POST') { + header("Status: 404 Not Found"); + die(); + } + ``` + + #### 2. Restricting access to vulnerable files using the web server + Add deny rules to the web server configuration. + Example rules for NGINX web server: + + ``` + location /bitrix/tools/vote/uf.php { + if ($request_method = POST ) { + deny all; + } + } + + location /bitrix/tools/html_editor_action.php { + if ($request_method = POST ) { + deny all; + } + } + ``` + + #### 3. Restricting access to vulnerable files using WAF/NGFW + Disable direct POST requests to files: + + - /bitrix/tools/html_editor_action.php + - /bitrix/tools/vote/uf.php + + ### Eradication + + 1. Stop the web server service + 2. Check for another in-memory process executing PHP and stop that process + Example command for this: *kill $(ps aux | grep 'php' | awk '{print $2}')* + 3. Clear cache of web applications + 4. Delete malicious files and clear embedded files identified at the identification stage + 5. Check the backup copy of the site (similar to the identification section) and, if malicious objects are finding, delete malicious objects or implementation of malicious code + Additionally, it is recommended to use file control (https://dev.1c-bitrix.ru/user_help/settings/security/security_file_verifier.php) + + ### Recovery + + 1. Restore site from backup + 2. Check the functionality of all sections of the site + 3. Update Bitrix Site Manager and PHP to the latest versions + 4. Change passwords of all CMS accounts + 5. 
Change the DB key "signer_default_key" + Example command for change DB key: + ``` + $oldKey = \Bitrix\Main\Config\Option::get('main', 'signer_default_key', false); + \Bitrix\Main\Config\Option::set('main', 'signer_default_key', hash('sha512', uniqid(rand(), true))); + echo "OldKey was: $oldKey\n"; + ``` + + ## Response discovery mapping + | ARTIFACT | RESPONSE ACTION | RESPONSE ACTION OBSERVABLES | + | ------------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | + | <[File]>(A_3002) | [Scan on suspicious files](#identification)
[Update sensitive information](#eradication)
*Find suspicious create or modification and known IOCs files using bitrix.xscan and standard utilities (ex. grep)* | Web shell loaded by attackers or modified file | + | <[Process]>(A_4001) | [Find process by executable path](#identification)
[Kill Process](#eradication)
*After stop <[web application server]>(A_2001) find remaining 'php' processes and kill them* | Process in which attackers code execute | + | <[Log]>(A_1008) | [Ensure successful attack](#identification)
*Find the success of the exploit in the <[web server]>(A_2002) logs* | Log with successful exploit that contains <[ip address]>(A_1007) from which the attack was carried out | + diff --git a/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/agents.png b/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/agents.png new file mode 100644 index 00000000..25c9480d Binary files /dev/null and b/data/en/response_playbooks/RP_0011_bitrix_remote_code_execution_exploitation/agents.png differ diff --git a/data/en/response_playbooks/RP_1005_eradication_of_persisting_on_linux_host/RP_1005_eradication_of_persisting_on_linux_host.yml b/data/en/response_playbooks/RP_1005_eradication_of_persisting_on_linux_host/RP_1005_eradication_of_persisting_on_linux_host.yml new file mode 100644 index 00000000..65751940 --- /dev/null +++ b/data/en/response_playbooks/RP_1005_eradication_of_persisting_on_linux_host/RP_1005_eradication_of_persisting_on_linux_host.yml @@ -0,0 +1,14 @@ +title: Eradication of persisting on linux host +id: RP1005 +description: Sub-playbook "eradication of persisting on linux host" +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/12 +modification_date: 2023/07/12 +severity: M +tlp: AMBER +pap: WHITE +tags: + - sub-playbook +workflow: | + 1. TODO: create response actions + 2. TODO: create workflow diff --git a/data/en/usecases/UC_0007_bitrix_remote_code_execution_exploitation/UC_0007_bitrix_remote_code_execution_exploitation.yml b/data/en/usecases/UC_0007_bitrix_remote_code_execution_exploitation/UC_0007_bitrix_remote_code_execution_exploitation.yml new file mode 100644 index 00000000..39bc054d --- /dev/null +++ b/data/en/usecases/UC_0007_bitrix_remote_code_execution_exploitation/UC_0007_bitrix_remote_code_execution_exploitation.yml 
@@ -0,0 +1,61 @@ +title: 'Remote code execution in Bitrix using vote or fileman modules' +id: UC0007 +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/09 +modification_date: 2023/07/09 +severity: H +tags: + - attack.initial_access + - attack.t1190 + - bitrix +linked_response_playbooks: + - RP0011 +linked_artifacts: + - A1008 + - A2001 + - A2002 + - A2003 + - A3002 +description: Attackers can use vulnerabilities in modules vote or fileman in Bitrix CMS to remote code execution +extended_description: | + For remote code execution attackers can exploiting vulnerabilities in modules **vote** or **fileman** in Bitrix CMS + + ### Vote module + Insufficient validation of user input in vote module Bitrix CMS allow attackers to arbitrary object instantiation which leads to arbitrary file write and remote code execution. + To exploit this vulnerability, attackers form a special POST request to the endpoint */bitrix/tools/vote/uf.php* + This vulnerability exist in the vote module Bitrix site manager up to version 22.0.400 of all editions except start. + This vulnerability has been assigned an identifier CVE-2022-27228. + + ### Fileman module + Vulnerability in fileman module Bitrix CMS allow attackers to arbitrary file write which leads to remote code execution. + To exploit this vulnerability, attackers form a special POST request to the endpoint */bitrix/tools/html_editor_action.php* + File that the attackers upload to the server will be located in folder upload/, in which file execution is usually prohibited. + To bypass this restriction attackers can upload a file with .phar extension and run successfully on debian-like distributions. 
+ + ## Attack mapping + + | ARTIFACT | OBJECT | DESCRIPTION | + | :--------| :------| :-----------| + | **Attack Prerequisites** | + | <[Web application server]>(A_2001) | Bitrix CMS | Bitrix site manager up to version 22.0.400 of all editions except start with installed modules fileman or vote | + | <[Web server]>(A_2002) | Apache in most cases | Web server hosting Bitrix CMS | + | <[Web script file]>(A_2003) | Php file | Php file with vulnerable code executing on the server side | + | **Side Observables** | + | <[Log]>(A_1008) | Web server request logs | Logs of requests to the web server with attempts to exploit the vulnerability | + | <[File]>(A_3002) | Web shell file | File with .php or .phar extension which attackers uploaded on server for command execution | + + ## Attack result + + The result of this attack is a code execution on <[web server]>(A_2002). Most often, attackers upload a web shell to execute commands on the server. + + | RESOURCE | DESCRIPTION | + | :--------| :-----------| + | **Attack Prerequisites** | + | <[Web server]>(A_2002) | Web server network availability | + | <[Web script file]>(A_2003) | Script file with vulnerable code | + | **Result Consequences** | + | <[File]>(A_3002) | Web shell that allows attackers to execute commands on a web server | + + ## References + 1. + 2. diff --git a/data/en/usecases/UC_0009_bitrix_remote_code_execution_through_vote_module/UC_0009_bitrix_remote_code_execution_through_vote_module.yml b/data/en/usecases/UC_0009_bitrix_remote_code_execution_through_vote_module/UC_0009_bitrix_remote_code_execution_through_vote_module.yml new file mode 100644 index 00000000..726e46dc --- /dev/null +++ b/data/en/usecases/UC_0009_bitrix_remote_code_execution_through_vote_module/UC_0009_bitrix_remote_code_execution_through_vote_module.yml 
@@ -0,0 +1,54 @@ +title: 'Remote code execution in Bitrix using vote module' +id: UC0009 +author: '@ERMACK_COMMUNITY' +creation_date: 2023/08/07 +modification_date: 2023/08/07 +severity: H +tags: + - attack.initial_access + - attack.t1190 + - bitrix +linked_response_playbooks: + - RP0011 +linked_artifacts: + - A1008 + - A2001 + - A2002 + - A2003 +#targets: +# - ID: S3004 +# cpe_from: 'cpe:2.3:a:bitrix:bitrix:20.0.0:*:*:*:*:*:*:*' +# cpe_to: 'cpe:2.3:a:bitrix:bitrix:20.0.975:*:*:*:*:*:*:*' +# - ID: 3004 +# cpe_from: 'cpe:2.3:a:bitrix:vote:-:*:*:*:*:*:*:*' +# cpe_to: 'cpe:2.3:a:bitrix:vote:-:*:*:*:*:*:*:*' + +description: Attackers can use vulnerabilities in vote module in Bitrix CMS to remote code execution +extended_description: | + For remote code execution attackers can exploiting vulnerabilities in modules **vote** in Bitrix CMS + + Insufficient validation of user input in vote module Bitrix CMS allow attackers to arbitrary object instantiation which leads to arbitrary file write and remote code execution. + To exploit this vulnerability, attackers form a special POST request to the endpoint */bitrix/tools/vote/uf.php* + This vulnerability exist in the vote module Bitrix site manager up to version 22.0.400 of all editions except start. + This vulnerability has been assigned an identifier CVE-2022-27228. 
+ + An example of an entry in the web server logs indicating that this vulnerability was successfully exploited: + + ``` + POST /bitrix/tools/vote/uf.php?attachId[ENTITY_TYPE]=CFileUploader&attachId[ENTITY_ID][events][onFileIsStarted][]=CAllAgent&attachId[ENTITY_ID][events][onFileIsStarted][]=Update&attachId[MODULE_ID]=vote&action=vote HTTP/1.0" 200 + ``` + + ## Attack mapping + + | ARTIFACT/RESOURCE | DESCRIPTION | + | :----------------| :----------| + | **Attack Prerequisites** | + | <[Bitrix]>(A_2001) network available | Network availability of CMS Bitrix with enabled vote module | + | **Attack Consequences** | + | Remote code execution on <[Web server]>(A_2002) | Possibility of remote code execution on the web server hosting Bitrix | + | **Side Observables** | + | <[Log]>(A_1008) | Log entry about a successful POST request to a vulnerable */bitrix/tools/vote/uf.php* <[file]>(A_2003) | + + ## References + 1. + 2. \ No newline at end of file diff --git a/data/en/usecases/UC_0010_bitrix_remote_code_execution_through_fileman_module/UC_0010_bitrix_remote_code_execution_through_fileman_module.yml b/data/en/usecases/UC_0010_bitrix_remote_code_execution_through_fileman_module/UC_0010_bitrix_remote_code_execution_through_fileman_module.yml new file mode 100644 index 00000000..8be2311a --- /dev/null +++ b/data/en/usecases/UC_0010_bitrix_remote_code_execution_through_fileman_module/UC_0010_bitrix_remote_code_execution_through_fileman_module.yml 
@@ -0,0 +1,56 @@ +title: 'Remote code execution in Bitrix using fileman module' +id: UC0010 +author: '@ERMACK_COMMUNITY' +creation_date: 2023/08/08 +modification_date: 2023/08/08 +severity: H +tags: + - attack.initial_access + - attack.t1190 + - bitrix +linked_response_playbooks: + - RP0011 +linked_artifacts: + - A1008 + - A2001 + - A2002 + - A2003 +#targets: +# - ID: S3004 +# cpe_from: 'cpe:2.3:a:bitrix:bitrix:-:*:*:*:*:*:*:*' +# cpe_to: 'cpe:2.3:a:bitrix:bitrix:-:*:*:*:*:*:*:*' +# - ID: S0100 +# cpe_from: 'cpe:2.3:o:debian:debian_linux:-:*:*:*:*:*:*:*' +# cpe_to: 'cpe:2.3:o:debian:debian_linux:-:*:*:*:*:*:*:*' + +description: Attackers can use vulnerabilities in fileman module in Bitrix CMS to remote code execution +extended_description: | + + Vulnerability in fileman module Bitrix CMS allow attackers to arbitrary file write. + To exploit this vulnerability, attackers form a special POST request to the endpoint */bitrix/tools/html_editor_action.php* + To be able to remotely execute code on a web server, attackers upload a web script file that can execute their commands. + File that the attackers upload to the server will be located in folder upload/, in which file execution is usually prohibited. + To bypass this restriction attackers can upload a file with .phar extension and run successfully on debian-like distributions. 
+ + An example of an entry in the web server logs indicating that this vulnerability was successfully exploited: + + ``` + POST /bitrix/tools/html_editor_action.php HTTP/1.0" 200 + ``` + + ## Attack mapping + + | ARTIFACT/RESOURCE | DESCRIPTION | + | :-----------------| :-----------| + | **Attack Prerequisites** | + | <[Bitrix]>(A_2001) network available | Network availability of CMS Bitrix | + | <[Web server]>(A_2002) | Web server on debian like distribution | + | **Attack Consequences** | + | Remote code execution on <[Web server]>(A_2002) | Possibility of remote code execution on the web server hosting Bitrix | + | **Side Observables** | + | <[Log]>(A_1008) | Log entry about a successful POST request to a vulnerable */bitrix/tools/html_editor_action.php* <[file]>(A_2003) | + | <[Web script file]>(A_2003) | Web script file in the download folder/ with which attackers execute commands on the web server | + + ## References + 1. + 2. \ No newline at end of file diff --git a/data/en/usecases/UC_0011_bitrix_persistence/UC_0011_bitrix_persistence.yml b/data/en/usecases/UC_0011_bitrix_persistence/UC_0011_bitrix_persistence.yml new file mode 100644 index 00000000..01a6f313 --- /dev/null +++ b/data/en/usecases/UC_0011_bitrix_persistence/UC_0011_bitrix_persistence.yml 
@@ -0,0 +1,38 @@ +title: 'Persistence on web server with bitrix' +id: UC0011 +author: '@ERMACK_COMMUNITY' +creation_date: 2023/08/11 +modification_date: 2023/08/11 +severity: H +tags: + - attack.persistence + - bitrix +linked_response_playbooks: + - RP0011 +linked_artifacts: + - A2001 + - A2002 +#targets: +# - ID: S3004 +# cpe_from: 'cpe:2.3:a:bitrix24:bitrix24:-:*:*:*:*:*:*:*' +# cpe_to: 'cpe:2.3:a:bitrix24:bitrix24:-:*:*:*:*:*:*:*' + +description: Attackers can use bitrix functionality to persist on the host +extended_description: | + + Attackers can use bitrix functionality to persist on the host. Bitrix has a functionality called agents. Agents are a technology that allows you to run official PHP functions at a specified frequency. + Attackers can create new or modify existing agents to persist on the host. + + ## Attack mapping + + | ARTIFACT/RESOURCE | DESCRIPTION | + | :-----------------| :-----------| + | **Attack Prerequisites** | + | Code execution on <[Web server]>(A_2002) | Possibility of code execution on the web server hosting <[Bitrix]>(A_2001) | + | **Attack Consequences** | + | Persistence on <[Web server]>(A_2002) | Persistence on the web server hosting <[Bitrix]>(A_2001) | + | **Side Observables** | + | | + + ## References + 1. \ No newline at end of file
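Review bot: In the RA_2010 attack-mapping table the affected-version text "Bitrix site manager up to version 22.0.400 of all editions except start with installed modules fileman or vote" reads as if 22.0.400 is the cutoff for both modules, but UC_0010 (the fileman case) states no affected version at all; either give the fileman range in both places or drop the shared number here. The same table uses single-cell rows (`| **Attack Prerequisites** |`, `| **Side Observables** |`) inside a three-column table, which many Markdown renderers drop or mis-align; pad them to three cells, and write "Php file" as "PHP file". Both `## References` lists in this file are empty numbered placeholders (`1.` / `2.`); fill them or remove the section so the response action does not ship with dangling entries.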
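Review bot: The commented `#targets` block in UC_0009 contradicts the prose: the CPE range runs `bitrix:20.0.0` to `bitrix:20.0.975` while `extended_description` says "up to version 22.0.400", and the second entry's `ID: 3004` lacks the `S` prefix used by `S3004`; fix both before un-commenting. The log sample presented as showing the vulnerability "was successfully exploited" is a fragment of an access-log line (no client address, timestamp or response size, and the opening quote of the request field is missing), and a 200 status on its own does not prove the request achieved what the description says; label it as an exploitation attempt, or show the full line and state which fields the detection keys on. Grammar in `description` and `extended_description`: "to remote code execution" -> "for remote code execution", "attackers can exploiting vulnerabilities in modules **vote**" -> "attackers can exploit a vulnerability in the **vote** module", "allow attackers to arbitrary object instantiation" -> "allows arbitrary object instantiation", "This vulnerability exist" -> "This vulnerability exists". `## References` is again two empty list items.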
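Review bot: The Side Observables row in UC_0010 says the uploaded script is "in the download folder/" while `extended_description` says `upload/`; these must agree, since that path is what a responder will search. The Debian dependency is stated as a property of the OS ("run successfully on debian-like distributions", the prerequisite "Web server on debian like distribution", the `S0100` debian CPE) without saying what configuration makes a `.phar` file executable; name it (the web server's PHP handler mapping) so the check a defender performs is on that configuration rather than on the distribution name. The log sample `POST /bitrix/tools/html_editor_action.php HTTP/1.0" 200` carries no exploitation-specific marker and, as written, cannot be told apart from ordinary use of that endpoint, so it should not be described as showing the vulnerability "was successfully exploited"; either add the distinguishing request feature or present it as a weak indicator. No CVE or affected-version range is given although RA_2010 applies "22.0.400" to both modules; add whichever is known. Grammar: "allow attackers to arbitrary file write" -> "allows attackers to write arbitrary files", "to remote code execution" -> "for remote code execution". `## References` is empty.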
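Review bot: The Side Observables table in UC_0011 has an empty row (`| |`), which is precisely what a responder needs from a persistence use case; the agent definition the attacker creates or modifies is itself the observable and should be listed with the artifact it maps to, or the row removed. "run official PHP functions at a specified frequency" is unclear; if the intent is that an agent is a PHP function registered to run on a schedule, say "registered" rather than "official". The commented `#targets` uses `bitrix24:bitrix24` where UC_0009 and UC_0010 use `bitrix:bitrix`; pick one vendor/product pair for the site-manager product across the three files. `## References` has a single empty `1.`, and "bitrix" in the title should be "Bitrix" as in the other titles.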