From 31aee7ffd8268fafc5bac676e3cfbb07d5cb1063 Mon Sep 17 00:00:00 2001
From: Steven
Date: Tue, 28 Nov 2023 10:51:24 +0100
Subject: [PATCH] Merge PR #4601 from @StevenD33 - Add ATT&CK Group Tag For Some Emerging Threats Rules update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag update : Potential Operation Triangulation C2 Beaconing Activity - Proxy - Add related ATT&CK group tag update : Potential POWERTRASH Script Execution - Add related ATT&CK group tag update : Potential APT FIN7 Related PowerShell Script Created - Add related ATT&CK group tag update : Potential APT FIN7 POWERHOLD Execution - Add related ATT&CK group tag update : Potential APT Mustang Panda Activity Against Australian Gov - Add related ATT&CK group tag update : Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity - Add related ATT&CK group tag
---
 .../2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml | 1 +
 .../2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml | 1 +
 .../net_dns_apt_equation_group_triangulation_c2_coms.yml | 1 +
 .../proxy_apt_equation_group_triangulation_c2_coms.yml | 1 +
 ...e_event_win_apt_fin7_powershell_scripts_naming_convention.yml | 1 +
 .../2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml | 1 +
 .../2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml | 1 +
 .../proc_creation_win_apt_fin7_powertrash_lateral_movement.yml | 1 +
 .../TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml | 1 +
 .../proc_creation_win_apt_mustang_panda_indicators.yml | 1 +
 10 files changed, 10 insertions(+)
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
index 33cebae52..64f968112 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
@@ -15,6 +15,7 @@ tags:
 - attack.persistence
 - attack.t1546
 - attack.t1053
+ - attack.g0125
 - detection.emerging_threats
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
index b5bd44e99..d09df9fad 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
@@ -11,6 +11,7 @@ modified: 2023/01/02
 tags:
 - attack.initial_access
 - attack.t1190
+ - attack.g0125
 - detection.emerging_threats
 logsource:
 category: webserver
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
index 913d4f9f5..3850fbec3 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems)
 date: 2023/06/01
 tags:
 - attack.command_and_control
+ - attack.g0020
 - detection.emerging_threats
 logsource:
 category: dns
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
index da3dfcd35..09f41413f 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems)
 date: 2023/06/01
 tags:
 - attack.command_and_control
+ - attack.g0020
 - detection.emerging_threats
 logsource:
 category: proxy
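Review bot: None of the ten rule files refreshes its `modified:` date alongside the new group tag; in web_exchange_exploitation_hafnium.yml the hunk header context shows `modified: 2023/01/02` left untouched, and the other hunks (the two EquationGroup rules, the four FIN7 rules, the Lazarus rule and the Mustang Panda rule) likewise change only the tags list. If the repository's convention is to bump `modified:` whenever rule content changes, each file should gain or update a line such as `modified: 2023/11/28` (the date carried by this patch) so consumers that key on that field notice the retagging. The group IDs themselves (g0125 for HAFNIUM, g0020 for Equation Group, g0046 for FIN7, g0032 for Lazarus Group, g0129 for Mustang Panda) are consistent with the directories the rules live in. Each rule document begins and ends outside its hunk, so whether a `modified:` key already exists in the other nine files cannot be confirmed from here.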
diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
index e130d292f..a97a37877 100644
--- a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/04
 tags:
 - attack.execution
+ - attack.g0046
 - detection.emerging_threats
 logsource:
 category: file_event
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
index ef1789633..dd4828d7a 100644
--- a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
@@ -9,6 +9,7 @@ date: 2023/05/04
 tags:
 - attack.execution
 - attack.t1059.001
+ - attack.g0046
 - detection.emerging_threats
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
index e55581be4..38519e2c8 100644
--- a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
@@ -9,6 +9,7 @@ date: 2023/05/04
 tags:
 - attack.execution
 - attack.t1059.001
+ - attack.g0046
 - detection.emerging_threats
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
index 8a5118dfa..9195364bc 100644
--- a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/04
 tags:
 - attack.execution
+ - attack.g0046
 - detection.emerging_threats
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
index 680ed7a93..c9323758c 100644
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -12,6 +12,7 @@ tags:
 - attack.privilege_escalation
 - attack.t1574.001
 - attack.t1574.002
+ - attack.g0032
 - detection.emerging_threats
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
index 4d4c002d1..0e86da4b0 100644
--- a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/15
 tags:
 - attack.execution
+ - attack.g0129
 - detection.emerging_threats
 logsource:
 category: process_creation