From 58b68758b4e5c8fcaec8d8b6b95b5e1f273df481 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 14 Jul 2020 17:53:32 +0200
Subject: [PATCH] fix: wrong MITRE ATT&CK ids used in the beta version

---
 rules/network/cisco/aaa/cisco_cli_clear_logs.yml | 4 ++--
 rules/network/cisco/aaa/cisco_cli_file_deletion.yml | 2 +-
 rules/windows/builtin/win_susp_backup_delete.yml | 2 +-
 rules/windows/builtin/win_susp_eventlog_cleared.yml | 2 +-
 rules/windows/builtin/win_susp_sdelete.yml | 2 +-
 rules/windows/builtin/win_susp_security_eventlog_cleared.yml | 2 +-
 rules/windows/builtin/win_susp_time_modification.yml | 2 +-
 .../powershell/powershell_clear_powershell_history.yml | 2 +-
 rules/windows/process_creation/win_etw_trace_evasion.yml | 2 +-
 rules/windows/process_creation/win_malware_notpetya.yml | 2 +-
 rules/windows/process_creation/win_shadow_copies_deletion.yml | 2 +-
 rules/windows/process_creation/win_susp_bcdedit.yml | 2 +-
 rules/windows/process_creation/win_susp_eventlog_clear.yml | 2 +-
 rules/windows/process_creation/win_susp_fsutil_usage.yml | 2 +-
 14 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 244bdeade..35671eedc 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -11,8 +11,8 @@ tags:
 - attack.defense_evasion
 - attack.t1146
 - attack.t1070
- - attack.t1551.003
- - attack.t1551
+ - attack.t1070.003
+ - attack.t1070
 logsource:
 product: cisco
 service: aaa
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index ec6b4e1ef..f248dd598 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -15,7 +15,7 @@ tags:
 - attack.t1488
 - attack.t1487
 - attack.t1561.002
- - attack.t1551.004
+ - attack.t1070.004
 - attack.t1561.001
 logsource:
 product: cisco
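Review bot: The added `- attack.t1070` in cisco_cli_clear_logs.yml repeats the `- attack.t1070` context line three lines above it, so the new side of the tags list carries the parent technique twice. Renaming the revoked `attack.t1551` to its successor only makes sense where the successor is not already listed; here the replaced line should simply be dropped, leaving `- attack.t1070.003` as the only addition. A YAML sequence accepts duplicate items silently, so the file still parses — the effect is on whatever consumes the tags (a uniqueness check in the rule tests, or ATT&CK coverage counts that would count the technique twice), which I cannot confirm from the hunk. The `tags:` key itself sits above the hunk, so check the earlier items for further repeats.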
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index 332b6c806..d58d1d606 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -10,7 +10,7 @@ date: 2017/05/12
 tags:
 - attack.defense_evasion
 - attack.t1107
- - attack.t1551.004
+ - attack.t1070.004
 logsource:
 product: windows
 service: application
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index b0698a1cb..7b87b35c8 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -10,7 +10,7 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 8483f0265..540a09538 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -13,7 +13,7 @@ tags:
 - attack.t1107
 - attack.t1066
 - attack.s0195
- - attack.t1551.004
+ - attack.t1070.004
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index d31a49b42..9e0f24d76 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -5,7 +5,7 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 author: Florian Roth
 date: 2017/02/19
 logsource:
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index c457b28e5..e015c0256 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
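Review bot: In win_susp_eventlog_cleared.yml the new `- attack.t1070` is a duplicate: `- attack.t1070` is already present as a context line two entries above the replaced `attack.t1551`. Since the parent technique is already tagged, the right fix for this rule is to delete the `attack.t1551` line rather than rewrite it, so the hunk becomes a pure removal. If the intent was to point at the specific sub-technique (clearing the Windows event log), that would be a different, more specific tag than the parent — but which one applies is not something this hunk establishes, so I only flag the repetition.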
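Review bot: win_susp_security_eventlog_cleared.yml gets the same duplication as its sibling: the hunk's context already has `- attack.t1070`, and the rewritten line adds `- attack.t1070` a second time. Drop the `attack.t1551` entry instead of renaming it; nothing else in the hunk needs to change. Duplicate list items do not break YAML parsing, so this would only surface through a tag-uniqueness check or in coverage tooling, if the project has either — that is an inference, not something the diff shows.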
@@ -11,7 +11,7 @@ midified: 2020/01/27
 tags:
 - attack.defense_evasion
 - attack.t1099
- - attack.t1551.006
+ - attack.t1070.006
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
index 4f52faecf..db298c670 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -9,7 +9,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1146
- - attack.t1551.003
+ - attack.t1070.003
 logsource:
 product: windows
 service: powershell
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index 6b6e182fa..d7b7000fe 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -12,7 +12,7 @@ tags:
 - attack.execution
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 level: high
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 10ecc8a76..4293239d7 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -16,7 +16,7 @@ tags:
 - attack.t1003
 - car.2016-04-002
 - attack.t1218.011
- - attack.t1551
+ - attack.t1070
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index d017b3596..6fb0d27d7 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
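Review bot: The hunk header for win_susp_time_modification.yml shows the file carries a key spelled `midified: 2020/01/27`, which looks like a typo for the Sigma `modified` field; anything that reads `modified` (changelog generation, freshness checks) will not see this date, and a strict schema validator may reject the unknown key. The line is context above the hunk rather than part of this change, but it is the same metadata-hygiene cleanup, so fixing it here would be natural: `modified: 2020/01/27`. The tag rewrite itself (`attack.t1551.006` → `attack.t1070.006`) introduces no duplicate in this file.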
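Review bot: In win_etw_trace_evasion.yml the added `- attack.t1070` duplicates the `- attack.t1070` that the hunk already shows two lines above the removed entry. The replaced `attack.t1551` line should be deleted outright rather than renamed, which leaves the tags list unchanged apart from losing the revoked ID. Nothing else in the hunk is affected.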
@@ -15,7 +15,7 @@ tags:
 - attack.impact
 - attack.t1070
 - attack.t1490
- - attack.t1551
+ - attack.t1070
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index 7b74bef44..e5c87b340 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -11,7 +11,7 @@ tags:
 - attack.t1070
 - attack.persistence
 - attack.t1067
- - attack.t1551
+ - attack.t1070
 - attack.t1542.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index b0e27546a..bff846f4f 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -11,7 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 - car.2016-04-002
- - attack.t1551
+ - attack.t1070
 level: high
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index e7a3d0c9a..26348553c 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -12,7 +12,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1070
- - attack.t1551
+ - attack.t1070
 logsource:
 category: process_creation
 product: windows
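Review bot: win_shadow_copies_deletion.yml ends up with `attack.t1070` listed twice — once as existing context, once as the rewritten `+ - attack.t1070`. The hunk should remove the `attack.t1551` line and add nothing, since the parent technique is already there. Whether the project's rule tests reject duplicate tags I cannot tell from the diff, but a coverage layer built from these tags would count this rule twice for the same technique.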
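Review bot: Same issue in win_susp_bcdedit.yml: the first context line of the hunk is already `- attack.t1070`, so the new `- attack.t1070` is redundant. Delete the `attack.t1551` entry instead of renaming it; the surrounding `attack.t1067` / `attack.t1542.003` pair is untouched by that and needs no change here.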
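Review bot: win_susp_eventlog_clear.yml also gains a second `- attack.t1070` next to the one the hunk shows as context. The fix is a pure removal of the `attack.t1551` line, not a replacement. Applying the rename mechanically across files is what produced the repeats, so a post-pass that deduplicates each `tags:` list (a one-line check in the rule test suite, if one exists) would catch any remaining cases — that is a suggestion, not something the diff shows to be in place.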
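Review bot: In win_susp_fsutil_usage.yml the added `- attack.t1070` duplicates the `- attack.t1070` context line directly above the removed `attack.t1551` entry. Drop the replaced line rather than rewriting it; the tags list then reads `attack.defense_evasion`, `attack.t1070` with no repetition. The hunk is otherwise correct.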