security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

change to github

Browse Source
This commit is contained in:
vunx2
2020-02-28 16:56:48 +07:00
parent 139600009b
commit 58f5fa1b8e
29 changed files with 6711 additions and 151 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/config/arcsight.yml
+352
View File
@@ -0,0 +1,352 @@
title: ArcSight
order: 20
backends:
- arcsight
- arcsight-esm
logsources:
linux:
product: linux
conditions:
deviceVendor: Unix
linux-sshd:
product: linux
service: sshd
conditions:
deviceVendor: Unix
linux-vsftpd:
product: linux
service: vsftpd
conditions:
deviceVendor: Unix
linux-auth:
product: linux
service: auth
conditions:
deviceVendor: Unix
linux-clamav:
product: linux
service: clamav
conditions:
deviceVendor: Unix
antivirus:
product: antivirus
conditions:
categoryDeviceGroup: /IDS/Host/AntiVirus
windows-dns:
product: windows
service: dns-server
conditions:
deviceVendor: Microsoft
deviceProduct: DNS-Server
windows-pc:
product: windows
service: powershell-classic
conditions:
deviceVendor: Microsoft
windows-sys:
product: windows
service: sysmon
conditions:
deviceVendor: Microsoft
deviceProduct: Sysmon
windows-sec:
product: windows
service: security
conditions:
deviceVendor: Microsoft
deviceProduct: Microsoft Windows
windows-power:
product: windows
service: powershell
conditions:
deviceVendor: Microsoft
windows-dhcp:
product: windows
service: dhcp
conditions:
deviceVendor: Microsoft
windows-system:
product: windows
service: system
conditions:
deviceVendor: Microsoft
windows-wmi:
product: windows
service: wmi
conditions:
deviceVendor: Microsoft
windows-driver-framework:
product: windows
service: driver-framework
conditions:
deviceVendor: Microsoft
windows-defender:
product: windows_defender
conditions:
deviceVendor: Microsoft
windows-driver:
product: windows
service: driver-framework
conditions:
deviceVendor: Microsoft
windows-app:
product: windows
service: application
conditions:
deviceVendor: Microsoft
proxy:
category: proxy
conditions:
categoryDeviceGroup: /Proxy
python:
product: python
conditions:
deviceProduct: Python
categoryDeviceGroup: /Application
ruby_on_rails:
product: ruby_on_rails
conditions:
deviceProduct: Ruby on Rails
categoryDeviceGroup: /Application
spring:
product: spring
conditions:
deviceProduct: Spring
categoryDeviceGroup: /Application
apache:
product: apache
conditions:
deviceProduct: Apache
categoryDeviceGroup: /Application
firewall:
product: firewall
conditions:
categoryDeviceGroup: /Firewall
fieldmappings:
EventID: externalId
Event-ID: externalId
Event_ID: externalId
eventId: externalId
event_id: externalId
event-id: externalId
eventid: externalId
dst:
- destinationAddress
dst_ip:
- destinationAddress
dst-ip:
- destinationAddress
src:
- sourceAddress
src_ip:
- sourceAddress
src-ip:
- sourceAddress
TargetImage:
- destinationProcessName
- filePath
ImageLoaded:
- destinationProcessName
- deviceCustomString1
- filePath
- destinationProcessName
Image:
- deviceProcessName
- destinationProcessName
- sourceProcessName
ParentImage:
- sourceProcessName
LogonProcessName:
- destinationProcessName
- sourceProcessName
TargetProcessId:
- destinationProcessId
User:
- sourceUserName
TargetUserName:
- destinationUserName
LogonId:
- sourceUserId
SourceIp:
- sourceAddress
SourceNetworkAddress:
- sourceAddress
SourcePort:
- sourcePort
SourceHostname:
- sourceHostName
ParentProcessId:
- sourceProcessId
SourceProcessId:
- sourceProcessId
ProcessId:
- deviceProcessId
- destinationProcessId
DestinationPort:
- destinationPort
DestinationIp:
- destinationAddress
DestinationHostname:
- destinationHostName
DestinationIsIpv6:
- destinationIsIpv6
SourcePortName:
- sourcePortName
DestinationPortName:
- destinationPortName
SourceIsIpv6:
- sourceIsIpv6
FileVersion:
- fileId
Protocol:
- transportProtocol
TargetFilename:
- filePath
TargetFileName:
- filePath
Hashes:
- fileHash
Hash:
- fileHash
file_hash:
- fileHash
State:
- deviceAction
EventType:
- deviceAction
RuleName:
- deviceFacility
- reason
SourceImage:
- sourceProcessName
TerminalSessionId:
- deviceCustomNumber2
SequenceNumber:
- deviceCustomNumber3
Initiated:
- deviceCustomString4
IntegrityLevel:
- deviceCustomString1
- deviceCustomString5
ProcessGuid:
- fileId
- deviceCustomString6
SourceProcessGUID:
- flexString1
TargetProcessGUID:
- fileId
- flexString2
ParentProcessGuid:
- oldFileId
- deviceCustomString4
Product:
- destinationServiceName
OriginalFileName:
- oldFilePath
Version:
- deviceCustomString1
SchemaVersion:
- deviceCustomString2
Signed:
- fileType
- deviceCustomString1
Signature:
- deviceCustomString2
SignatureStatus:
- filePermission
- deviceCustomString3
NewThreadId:
- deviceCustomString1
StartAddress:
- deviceCustomString2
StartModule:
- deviceCustomString3
StartFunction:
- deviceCustomString4
Device:
- deviceCustomString5
- deviceCustomString1
GrantedAccess:
- deviceCustomString1
- deviceCustomString2
CallTrace:
- oldFilePath
- deviceCustomString3
TargetObject:
- filePath
Details:
- deviceCustomString4
- deviceCustomString1
NewName:
- filePath
Configuration:
- filePath
PipeName:
- deviceCustomString6
- fileName
Name:
- deviceCustomString1
Operation:
- deviceCustomString2
EventNamespace:
- deviceCustomString3
Query:
- deviceCustomString4
Type:
- deviceCustomString3
Destination:
- fileName
Consumer:
- deviceCustomString1
Filter:
- deviceCustomString3
QueryName:
- destinationHostName
- requestUrl
QueryResults:
- deviceCustomString4
- deviceCustomString1
ID:
- deviceCustomString1
Description:
- message
CommandLine:
- destinationServiceName
- deviceCustomString1
ParentCommandLine:
- deviceCustomString2
- sourceServiceName
CurrentDirectory:
- oldFilePath
LogonGuid:
- deviceCustomString6
UserAgent:
- requestClientApplication
URL:
- requestUrl
- requestUrlQuery
FileName:
- fileName
- filePath
cs-uri-extension:
- fileType
c-uri-extension:
- fileType
s-dns:
- destinationDnsDomain
- destinationHost
r-dns:
- destinationDnsDomain
- destinationHost
event.name:
- name
http.request.body.content:
- requestUrl
url.query:
- requestUrl
cs-uri-path:
- filePath
keywords:
- deviceCustomString1
ScriptBlockText:
- deviceCustomString1
tools/config/carbon-black.yml
+74
View File
@@ -0,0 +1,74 @@
title: CarbonBlack field mapping
order: 20
backends:
- carbonblack
fieldmappings:
AccountName: username
CommandLine: cmdline
ComputerName: hostname
CurrentDirectory: path
Description: product_name
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: ipaddr
DestinationIsIpv6: ipaddr
DestinationPort: ipport
Image: process_name
ImageLoaded: modload
ImagePath: path
NewProcessName: process_name
#ParentCommandLine: NONE??
ParentProcessName: parent_name
ParentImage: parent_name
Path: path
ProcessCommandLine: cmdline
ProcessName: process_name
Signature: digsig_result
# DestinationHostname: hostname
# DestinationIp: ipaddr
# DestinationPort: ipport
#
# SourceIp: ipaddr
# SourcePort: ipport
#
# IpAddress: ipaddr
# IpPort: ipport
#
# ProcessName: process_name
# ParentProcessName: parent_name
#
# TargetDomainName: domain
#
# Image: path
# ImagePath: path
# ImageLoaded: path
# Path: path
# TargetFilename: path
#
# Hashes: md5
# Imphash: md5
#
#
# User: username
# SubjectDomainName: domain
# SubjectUserName: username
#
# WorkstationName: domain
#
# CommandLine: cmdline
# ComputerName: hostname
#
# FileVersion: product_version
# Description: product_desc
# Product: product_name
# Company: company_name
#
# Keywords: process_name
# Computer: host_type
excludedfields:
- EventID
- Robot2
tools/config/carbonblack.yml
+36
View File
@@ -0,0 +1,36 @@
title: Splunk Windows log source conditions
order: 20
backends:
- splunk
- carbonblack
- sumologic
fieldmappings:
Image: path
CurrentDirectory: path
SourceIp: ipaddr
ImageLoaded: modload
CommandLine: cmdline
ProcessCommandLine: cmdline
DestinationIp: ipaddr
DestinationAddress: ipaddr
DestinationPort: ipport
DestPort: ipport
TargetObject: regmod
TargetFilename: filemod
TargetFileName: filemod
Targetfilename: filemod
ParentImage: parent_name
SourceImage: parent_name
TargetImage: childproc_name
NewProcessName: childproc_name
Description: file_desc
Product: product_name
Signature: digsig_publisher
CallTrace: modload
DestinationHostname: domain
User: username
StartModule: modload
Company: company_name
Description: file_desc
FileVersion: file_version
tools/config/ecs-proxy.yml
+25
View File
@@ -0,0 +1,25 @@
title: Elastic Common Schema mapping for proxy logs
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
proxy:
category: proxy
index: filebeat-*
fieldmappings:
c-uri: url.original
c-uri-extension: url.extension
c-uri-query: url.query
c-uri-stem: url.original
c-useragent: user_agent.original
cs-cookie: http.cookie
cs-host: url.domain
cs-method: http.request.method
r-dns: url.domain
sc-status: http.response.status_code
tools/config/filebeat-defaultindex.yml
+12
View File
@@ -0,0 +1,12 @@
title: Elastic Filebeat default index name
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
defaultindex:
- filebeat-*
tools/config/generic/sysmon.yml
+11
View File
@@ -0,0 +1,11 @@
title: Conversion of generic rules into Sysmon
order: 10
logsources:
process_creation:
category: process_creation
product: windows
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
tools/config/generic/windows-audit.yml
+14
View File
@@ -0,0 +1,14 @@
title: Conversion of generic process_creation rules into Security/4688
order: 10
logsources:
process_creation:
category: process_creation
product: windows
conditions:
EventID: 4688
rewrite:
product: windows
service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
tools/config/helk.yml
+177
View File
@@ -0,0 +1,177 @@
title: HELK index patterns and OSSEM field mappings
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
windows-application:
product: windows
service: application
index: logs-endpoint-winevent-application-*
windows-security:
product: windows
service: security
index: logs-endpoint-winevent-security-*
windows-sysmon:
product: windows
service: sysmon
index: logs-endpoint-winevent-sysmon-*
windows-system:
product: windows
service: system
index: logs-endpoint-winevent-system-*
windows-wmi:
product: windows
service: wmi
index: logs-endpoint-winevent-wmiactivity-*
windows-powershell:
product: windows
service: powershell
index: logs-endpoint-winevent-powershell-*
windows-powershell-classic:
product: windows
service: powershell-classic
index: logs-endpoint-winevent-powershell-*
defaultindex: logs-*
fieldmappings:
AccessMask: object_access_mask_requested
AccountName: user_name
AllowedToDelegateTo: user_attribute_allowed_todelegate
AttributeLDAPDisplayName: dsobject_attribute_name
AuditPolicyChanges: policy_changes
AuthenticationPackageName: logon_authentication_package
CallingProcessName: process_path
CallTrace: process_call_trace
ClientAddress: src_ip_addr
ClientIPAddress: src_ip_addr
ClientIP: src_ip_addr
CommandLine: process_command_line
Company: file_company
ComputerName: host_name
Configuration:
EventID=16: sysmon_configuration
ConnectedViaIPAddress: dst_nat_ip_addr
CurrentDirectory: process_current_directory
Description: file_description
DestAddress: dst_ip_addr
Destination:
EventID=20: wmi_consumer_destination
DestinationHostname: dst_host_name
DestinationIp: dst_ip_addr
DestinationPort: dst_port
DestinationPortName: dst_port_name
Details:
EventID=13: registry_key_value
Device: device_name
EngineVersion: powershell.engine.version
EventID: event_id
EventType: event_type
EventNamespace:
EventID=19: wmi_namespace
Filter:
EventID=21: wmi_filter_path
FailureCode: ticket_failure_code
FileName: file_name
FileVersion: file_version
GrantedAccess: process_granted_access
GroupName: group_name
GroupSid: group_sid
HiveName: hive_name
HostVersion: powershell.host.version
Image: process_path
ImageLoaded:
EventID=6: driver_loaded
EventID=7: module_loaded
Imphash: hash_imphash
Initiated:
EventID=3: network_initiated
IntegrityLevel:
EventID=1: process_integrity_level
ipAddress: dst_ip_addr
IpAddress: src_ip_addr
IPString: src_ip_addr
LaunchedViaIPAddress: dst_ip_addr
LogonProcessName: logon_process_name
LogonType: logon_type
MachineIpAddress: dst_ip_addr
MachineName: host_name
Name:
EventID=19: wmi_name
EventID=20: wmi_name
NewProcessName: process_path
NewName:
EventID=14: registry_key_new_name
ObjectClass: dsobject_class
ObjectName: object_name
ObjectType: object_type
ObjectValueName: object_value_name
Operation:
EventID=19: wmi_operation
EventID=20: wmi_operation
EventID=21: wmi_operation
OperationType: object_operation_type
OriginalFileName: file_name_original
ParentImage: process_parent_path
ParentProcessName: process_parent_path
PasswordLastSet: user_attribute_password_lastset
Path: process_path
ParentCommandLine: process_parent_command_line
PipeName: pipe_name
ProcessName: process_path
ProcessCommandLine: process_command_line
Product: file_product
Properties: object_properties
Protocol:
EventID=3: network_protocol
Query:
EventID=19: wmi_query
RelativeTargetName: share_relative_target_name
SourceAddress: src_ip_addr
SchemaVersion:
EventID=4: sysmon_schema_version
ServiceFileName: service_image_path
ServiceName: service_name
ShareName: share_name
Signature: signature
SignatureStatus: signature_status
Signed: signed
Source: source_name
SourceHostname: src_host_name
SourceImage: process_path
SourceIp: src_ip_addr
SourcePort: src_port
SourcePortName: src_port_name
StartAddress: thread_start_address
StartFunction: thread_start_function
StartModule: thread_start_module
Status: event_status
State:
EventID=4: service_state
EventID=16: sysmon_configuration_state
SubjectUserName:
EventID=4624: user_reporter_name
EventId=4648: user_name
EventID=5140: user_name
TargetServer: dst_ip_addr
TaskName: task_name
TicketEncryptionType: ticket_encryption_type
TicketOptions: ticket_options
TargetFilename: file_name
TargetImage: target_process_path
TargetProcessAddress: thread_start_address
TargetObject: registry_key_path
Type:
EventID=20: wmi_consumer_type
User: user_account
UserName: user_name
Value:
EventID=1102: dst_ip_addr
Version:
EventID=4: sysmon_version
Workstation: src_host_name
WorkstationName: src_host_name
tools/config/limacharlie.yml
+11
View File
@@ -0,0 +1,11 @@
title: LimaCharlie
backends:
- limacharlie
order: 20
logsources:
windows:
product: windows
linux:
product: linux
netflow:
product: netflow
tools/config/logpoint-windows.yml
+149
View File
@@ -0,0 +1,149 @@
title: Logpoint
order: 20
backends:
- logpoint
logsources:
windows-security:
product: windows
service: security
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-system:
product: windows
service: system
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-dns-server:
product: windows
service: dns-server
conditions:
event_source: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
source: 'Microsoft-Windows-DHCP-Server/Operational'
fieldmappings:
EventID: event_id
FailureCode: result_code
GroupName: group_name
GroupSid: group_sid
KeyLength: key_length
LogonProcessName: logon_process
LogonType: logon_type
ServiceName: service
SubjectAccountName:
EventID=4611:
- user
EventID=4624:
- target_user
- caller_user
EventID=4625:
- target_user
- caller_user
EventID=4634:
- user
EventID=4648:
- target_user
- caller_user
EventID=4662:
- user
EventID=4672:
- user
EventID=4688:
- user
EventID=4719:
- user
EventID=4720:
- target_user
- caller_user
EventID=4722:
- target_user
- caller_user
EventID=4723:
- target_user
- caller_user
EventID=4724:
- target_user
- caller_user
EventID=4728:
- user
- member
EventID=4729:
- user
- member
EventID=4731:
- user
EventID=4732:
- user
- member
EventID=4735:
- user
EventID=4737:
- user
EventID=4738:
- target_user
- caller_user
EventID=4740:
- target_user
- caller_user
EventID=4742:
- target_user
- caller_user
EventID=4755:
- user
EventID=4756:
- user
- member
EventID=4757:
- user
- member
EventID=4767:
- target_user
- caller_user
EventID=4768:
- user
EventID=4769:
- user
EventID=4770:
- user
EventID=4771:
- user
EventID=4774:
- user
EventID=4776:
- user
EventID=4781:
- target_user
- caller_user
EventID=4904:
- user
EventID=4905:
- user
EventID=5061:
- user
EventID=5136:
- user
EventID=5137:
- user
default:
- caller_user
- target_user
- user
- member
TicketOptions: ticket_options
TicketEnctyption: ticket_encryption
Type: event_type
UserName:
default:
- caller_user
- target_user
- user
- member
SourceWorkstation: workstation
tools/config/logstash-defaultindex.yml
+12
View File
@@ -0,0 +1,12 @@
title: Generic Logstash index prefix
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
defaultindex:
- logstash-*
tools/config/logstash-linux.yml
+25
View File
@@ -0,0 +1,25 @@
title: Logstash Linux project (https://github.com/thomaspatzke/logstash-linux)
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
apache:
category: webserver
index: logstash-apache-*
webapp-error:
category: application
index: logstash-apache_error-*
linux-auth:
product: linux
service: auth
index: logstash-auth-*
fieldmappings:
client_ip: clientip
url: request
defaultindex: logstash-*
tools/config/logstash-windows.yml
+45
View File
@@ -0,0 +1,45 @@
title: Logstash Windows common log sources
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
Channel: Application
windows-security:
product: windows
service: security
conditions:
Channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
Channel: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
Channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
Channel: 'Microsoft-Windows-DHCP-Server/Operational'
defaultindex: logstash-*
tools/config/mitre/tactics.json
+202
View File
@@ -0,0 +1,202 @@
[
{
"external_id": "TA0040",
"url": "https://attack.mitre.org/tactics/TA0040",
"tactic": "Impact"
},
{
"external_id": "TA0009",
"url": "https://attack.mitre.org/tactics/TA0009",
"tactic": "Collection"
},
{
"external_id": "TA0011",
"url": "https://attack.mitre.org/tactics/TA0011",
"tactic": "Command and Control"
},
{
"external_id": "TA0006",
"url": "https://attack.mitre.org/tactics/TA0006",
"tactic": "Credential Access"
},
{
"external_id": "TA0007",
"url": "https://attack.mitre.org/tactics/TA0007",
"tactic": "Discovery"
},
{
"external_id": "TA0005",
"url": "https://attack.mitre.org/tactics/TA0005",
"tactic": "Defense Evasion"
},
{
"external_id": "TA0010",
"url": "https://attack.mitre.org/tactics/TA0010",
"tactic": "Exfiltration"
},
{
"external_id": "TA0002",
"url": "https://attack.mitre.org/tactics/TA0002",
"tactic": "Execution"
},
{
"external_id": "TA0008",
"url": "https://attack.mitre.org/tactics/TA0008",
"tactic": "Lateral Movement"
},
{
"external_id": "TA0003",
"url": "https://attack.mitre.org/tactics/TA0003",
"tactic": "Persistence"
},
{
"external_id": "TA0004",
"url": "https://attack.mitre.org/tactics/TA0004",
"tactic": "Privilege Escalation"
},
{
"external_id": "TA0001",
"url": "https://attack.mitre.org/tactics/TA0001",
"tactic": "Initial Access"
},
{
"external_id": "TA0020",
"url": "https://attack.mitre.org/tactics/TA0020",
"tactic": "Organizational Weakness Identification"
},
{
"external_id": "TA0012",
"url": "https://attack.mitre.org/tactics/TA0012",
"tactic": "Priority Definition Planning"
},
{
"external_id": "TA0025",
"url": "https://attack.mitre.org/tactics/TA0025",
"tactic": "Test Capabilities"
},
{
"external_id": "TA0017",
"url": "https://attack.mitre.org/tactics/TA0017",
"tactic": "Organizational Information Gathering"
},
{
"external_id": "TA0013",
"url": "https://attack.mitre.org/tactics/TA0013",
"tactic": "Priority Definition Direction"
},
{
"external_id": "TA0018",
"url": "https://attack.mitre.org/tactics/TA0018",
"tactic": "Technical Weakness Identification"
},
{
"external_id": "TA0022",
"url": "https://attack.mitre.org/tactics/TA0022",
"tactic": "Establish & Maintain Infrastructure"
},
{
"external_id": "TA0023",
"url": "https://attack.mitre.org/tactics/TA0023",
"tactic": "Persona Development"
},
{
"external_id": "TA0015",
"url": "https://attack.mitre.org/tactics/TA0015",
"tactic": "Technical Information Gathering"
},
{
"external_id": "TA0021",
"url": "https://attack.mitre.org/tactics/TA0021",
"tactic": "Adversary OPSEC"
},
{
"external_id": "TA0016",
"url": "https://attack.mitre.org/tactics/TA0016",
"tactic": "People Information Gathering"
},
{
"external_id": "TA0026",
"url": "https://attack.mitre.org/tactics/TA0026",
"tactic": "Stage Capabilities"
},
{
"external_id": "TA0024",
"url": "https://attack.mitre.org/tactics/TA0024",
"tactic": "Build Capabilities"
},
{
"external_id": "TA0019",
"url": "https://attack.mitre.org/tactics/TA0019",
"tactic": "People Weakness Identification"
},
{
"external_id": "TA0014",
"url": "https://attack.mitre.org/tactics/TA0014",
"tactic": "Target Selection"
},
{
"external_id": "TA0035",
"url": "https://attack.mitre.org/tactics/TA0035",
"tactic": "Collection"
},
{
"external_id": "TA0036",
"url": "https://attack.mitre.org/tactics/TA0036",
"tactic": "Exfiltration"
},
{
"external_id": "TA0028",
"url": "https://attack.mitre.org/tactics/TA0028",
"tactic": "Persistence"
},
{
"external_id": "TA0032",
"url": "https://attack.mitre.org/tactics/TA0032",
"tactic": "Discovery"
},
{
"external_id": "TA0038",
"url": "https://attack.mitre.org/tactics/TA0038",
"tactic": "Network Effects"
},
{
"external_id": "TA0030",
"url": "https://attack.mitre.org/tactics/TA0030",
"tactic": "Defense Evasion"
},
{
"external_id": "TA0033",
"url": "https://attack.mitre.org/tactics/TA0033",
"tactic": "Lateral Movement"
},
{
"external_id": "TA0031",
"url": "https://attack.mitre.org/tactics/TA0031",
"tactic": "Credential Access"
},
{
"external_id": "TA0027",
"url": "https://attack.mitre.org/tactics/TA0027",
"tactic": "Initial Access"
},
{
"external_id": "TA0039",
"url": "https://attack.mitre.org/tactics/TA0039",
"tactic": "Remote Service Effects"
},
{
"external_id": "TA0037",
"url": "https://attack.mitre.org/tactics/TA0037",
"tactic": "Command and Control"
},
{
"external_id": "TA0034",
"url": "https://attack.mitre.org/tactics/TA0034",
"tactic": "Impact"
},
{
"external_id": "TA0029",
"url": "https://attack.mitre.org/tactics/TA0029",
"tactic": "Privilege Escalation"
}
]
tools/config/mitre/techniques.json
+4353
View File
@@ -0,0 +1,4353 @@
[
{
"technique_id": "T1531",
"technique": "Account Access Removal",
"url": "https://attack.mitre.org/techniques/T1531",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1506",
"technique": "Web Session Cookie",
"url": "https://attack.mitre.org/techniques/T1506",
"tactic": [
"Defense Evasion",
"Lateral Movement"
]
},
{
"technique_id": "T1539",
"technique": "Steal Web Session Cookie",
"url": "https://attack.mitre.org/techniques/T1539",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1529",
"technique": "System Shutdown/Reboot",
"url": "https://attack.mitre.org/techniques/T1529",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1519",
"technique": "Emond",
"url": "https://attack.mitre.org/techniques/T1519",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1518",
"technique": "Software Discovery",
"url": "https://attack.mitre.org/techniques/T1518",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1534",
"technique": "Internal Spearphishing",
"url": "https://attack.mitre.org/techniques/T1534",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1528",
"technique": "Steal Application Access Token",
"url": "https://attack.mitre.org/techniques/T1528",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1522",
"technique": "Cloud Instance Metadata API",
"url": "https://attack.mitre.org/techniques/T1522",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1536",
"technique": "Revert Cloud Instance",
"url": "https://attack.mitre.org/techniques/T1536",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1535",
"technique": "Unused/Unsupported Cloud Regions",
"url": "https://attack.mitre.org/techniques/T1535",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1525",
"technique": "Implant Container Image",
"url": "https://attack.mitre.org/techniques/T1525",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1538",
"technique": "Cloud Service Dashboard",
"url": "https://attack.mitre.org/techniques/T1538",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1530",
"technique": "Data from Cloud Storage Object",
"url": "https://attack.mitre.org/techniques/T1530",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1537",
"technique": "Transfer Data to Cloud Account",
"url": "https://attack.mitre.org/techniques/T1537",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1526",
"technique": "Cloud Service Discovery",
"url": "https://attack.mitre.org/techniques/T1526",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1527",
"technique": "Application Access Token",
"url": "https://attack.mitre.org/techniques/T1527",
"tactic": [
"Defense Evasion",
"Lateral Movement"
]
},
{
"technique_id": "T1514",
"technique": "Elevated Execution with Prompt",
"url": "https://attack.mitre.org/techniques/T1514",
"tactic": [
"Privilege Escalation"
]
},
{
"technique_id": "T1505",
"technique": "Server Software Component",
"url": "https://attack.mitre.org/techniques/T1505",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1503",
"technique": "Credentials from Web Browsers",
"url": "https://attack.mitre.org/techniques/T1503",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1504",
"technique": "PowerShell Profile",
"url": "https://attack.mitre.org/techniques/T1504",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1502",
"technique": "Parent PID Spoofing",
"url": "https://attack.mitre.org/techniques/T1502",
"tactic": [
"Defense Evasion",
"Privilege Escalation"
]
},
{
"technique_id": "T1500",
"technique": "Compile After Delivery",
"url": "https://attack.mitre.org/techniques/T1500",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1501",
"technique": "Systemd Service",
"url": "https://attack.mitre.org/techniques/T1501",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1499",
"technique": "Endpoint Denial of Service",
"url": "https://attack.mitre.org/techniques/T1499",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1497",
"technique": "Virtualization/Sandbox Evasion",
"url": "https://attack.mitre.org/techniques/T1497",
"tactic": [
"Defense Evasion",
"Discovery"
]
},
{
"technique_id": "T1498",
"technique": "Network Denial of Service",
"url": "https://attack.mitre.org/techniques/T1498",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1496",
"technique": "Resource Hijacking",
"url": "https://attack.mitre.org/techniques/T1496",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1495",
"technique": "Firmware Corruption",
"url": "https://attack.mitre.org/techniques/T1495",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1494",
"technique": "Runtime Data Manipulation",
"url": "https://attack.mitre.org/techniques/T1494",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1493",
"technique": "Transmitted Data Manipulation",
"url": "https://attack.mitre.org/techniques/T1493",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1492",
"technique": "Stored Data Manipulation",
"url": "https://attack.mitre.org/techniques/T1492",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1491",
"technique": "Defacement",
"url": "https://attack.mitre.org/techniques/T1491",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1490",
"technique": "Inhibit System Recovery",
"url": "https://attack.mitre.org/techniques/T1490",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1489",
"technique": "Service Stop",
"url": "https://attack.mitre.org/techniques/T1489",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1488",
"technique": "Disk Content Wipe",
"url": "https://attack.mitre.org/techniques/T1488",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1487",
"technique": "Disk Structure Wipe",
"url": "https://attack.mitre.org/techniques/T1487",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1486",
"technique": "Data Encrypted for Impact",
"url": "https://attack.mitre.org/techniques/T1486",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1485",
"technique": "Data Destruction",
"url": "https://attack.mitre.org/techniques/T1485",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1484",
"technique": "Group Policy Modification",
"url": "https://attack.mitre.org/techniques/T1484",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1483",
"technique": "Domain Generation Algorithms",
"url": "https://attack.mitre.org/techniques/T1483",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1482",
"technique": "Domain Trust Discovery",
"url": "https://attack.mitre.org/techniques/T1482",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1480",
"technique": "Execution Guardrails",
"url": "https://attack.mitre.org/techniques/T1480",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1222",
"technique": "File and Directory Permissions Modification",
"url": "https://attack.mitre.org/techniques/T1222",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1223",
"technique": "Compiled HTML File",
"url": "https://attack.mitre.org/techniques/T1223",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1221",
"technique": "Template Injection",
"url": "https://attack.mitre.org/techniques/T1221",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1220",
"technique": "XSL Script Processing",
"url": "https://attack.mitre.org/techniques/T1220",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1217",
"technique": "Browser Bookmark Discovery",
"url": "https://attack.mitre.org/techniques/T1217",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1213",
"technique": "Data from Information Repositories",
"url": "https://attack.mitre.org/techniques/T1213",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1190",
"technique": "Exploit Public-Facing Application",
"url": "https://attack.mitre.org/techniques/T1190",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1210",
"technique": "Exploitation of Remote Services",
"url": "https://attack.mitre.org/techniques/T1210",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1200",
"technique": "Hardware Additions",
"url": "https://attack.mitre.org/techniques/T1200",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1202",
"technique": "Indirect Command Execution",
"url": "https://attack.mitre.org/techniques/T1202",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1194",
"technique": "Spearphishing via Service",
"url": "https://attack.mitre.org/techniques/T1194",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1209",
"technique": "Time Providers",
"url": "https://attack.mitre.org/techniques/T1209",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1199",
"technique": "Trusted Relationship",
"url": "https://attack.mitre.org/techniques/T1199",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1191",
"technique": "CMSTP",
"url": "https://attack.mitre.org/techniques/T1191",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1207",
"technique": "DCShadow",
"url": "https://attack.mitre.org/techniques/T1207",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1189",
"technique": "Drive-by Compromise",
"url": "https://attack.mitre.org/techniques/T1189",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1211",
"technique": "Exploitation for Defense Evasion",
"url": "https://attack.mitre.org/techniques/T1211",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1218",
"technique": "Signed Binary Proxy Execution",
"url": "https://attack.mitre.org/techniques/T1218",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1193",
"technique": "Spearphishing Attachment",
"url": "https://attack.mitre.org/techniques/T1193",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1195",
"technique": "Supply Chain Compromise",
"url": "https://attack.mitre.org/techniques/T1195",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1204",
"technique": "User Execution",
"url": "https://attack.mitre.org/techniques/T1204",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1196",
"technique": "Control Panel Items",
"url": "https://attack.mitre.org/techniques/T1196",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1212",
"technique": "Exploitation for Credential Access",
"url": "https://attack.mitre.org/techniques/T1212",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1215",
"technique": "Kernel Modules and Extensions",
"url": "https://attack.mitre.org/techniques/T1215",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1197",
"technique": "BITS Jobs",
"url": "https://attack.mitre.org/techniques/T1197",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1214",
"technique": "Credentials in Registry",
"url": "https://attack.mitre.org/techniques/T1214",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1216",
"technique": "Signed Script Proxy Execution",
"url": "https://attack.mitre.org/techniques/T1216",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1192",
"technique": "Spearphishing Link",
"url": "https://attack.mitre.org/techniques/T1192",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1198",
"technique": "SIP and Trust Provider Hijacking",
"url": "https://attack.mitre.org/techniques/T1198",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1206",
"technique": "Sudo Caching",
"url": "https://attack.mitre.org/techniques/T1206",
"tactic": [
"Privilege Escalation"
]
},
{
"technique_id": "T1203",
"technique": "Exploitation for Client Execution",
"url": "https://attack.mitre.org/techniques/T1203",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1208",
"technique": "Kerberoasting",
"url": "https://attack.mitre.org/techniques/T1208",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1201",
"technique": "Password Policy Discovery",
"url": "https://attack.mitre.org/techniques/T1201",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1205",
"technique": "Port Knocking",
"url": "https://attack.mitre.org/techniques/T1205",
"tactic": [
"Defense Evasion",
"Persistence",
"Command And Control"
]
},
{
"technique_id": "T1219",
"technique": "Remote Access Tools",
"url": "https://attack.mitre.org/techniques/T1219",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1172",
"technique": "Domain Fronting",
"url": "https://attack.mitre.org/techniques/T1172",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1173",
"technique": "Dynamic Data Exchange",
"url": "https://attack.mitre.org/techniques/T1173",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1187",
"technique": "Forced Authentication",
"url": "https://attack.mitre.org/techniques/T1187",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1188",
"technique": "Multi-hop Proxy",
"url": "https://attack.mitre.org/techniques/T1188",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1174",
"technique": "Password Filter DLL",
"url": "https://attack.mitre.org/techniques/T1174",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1175",
"technique": "Component Object Model and Distributed COM",
"url": "https://attack.mitre.org/techniques/T1175",
"tactic": [
"Lateral Movement",
"Execution"
]
},
{
"technique_id": "T1170",
"technique": "Mshta",
"url": "https://attack.mitre.org/techniques/T1170",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1179",
"technique": "Hooking",
"url": "https://attack.mitre.org/techniques/T1179",
"tactic": [
"Persistence",
"Privilege Escalation",
"Credential Access"
]
},
{
"technique_id": "T1184",
"technique": "SSH Hijacking",
"url": "https://attack.mitre.org/techniques/T1184",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1181",
"technique": "Extra Window Memory Injection",
"url": "https://attack.mitre.org/techniques/T1181",
"tactic": [
"Defense Evasion",
"Privilege Escalation"
]
},
{
"technique_id": "T1177",
"technique": "LSASS Driver",
"url": "https://attack.mitre.org/techniques/T1177",
"tactic": [
"Execution",
"Persistence"
]
},
{
"technique_id": "T1182",
"technique": "AppCert DLLs",
"url": "https://attack.mitre.org/techniques/T1182",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1176",
"technique": "Browser Extensions",
"url": "https://attack.mitre.org/techniques/T1176",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1185",
"technique": "Man in the Browser",
"url": "https://attack.mitre.org/techniques/T1185",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1180",
"technique": "Screensaver",
"url": "https://attack.mitre.org/techniques/T1180",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1183",
"technique": "Image File Execution Options Injection",
"url": "https://attack.mitre.org/techniques/T1183",
"tactic": [
"Privilege Escalation",
"Persistence",
"Defense Evasion"
]
},
{
"technique_id": "T1171",
"technique": "LLMNR/NBT-NS Poisoning and Relay",
"url": "https://attack.mitre.org/techniques/T1171",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1186",
"technique": "Process Doppelg\\u00e4nging",
"url": "https://attack.mitre.org/techniques/T1186",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1178",
"technique": "SID-History Injection",
"url": "https://attack.mitre.org/techniques/T1178",
"tactic": [
"Privilege Escalation"
]
},
{
"technique_id": "T1138",
"technique": "Application Shimming",
"url": "https://attack.mitre.org/techniques/T1138",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1140",
"technique": "Deobfuscate/Decode Files or Information",
"url": "https://attack.mitre.org/techniques/T1140",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1149",
"technique": "LC_MAIN Hijacking",
"url": "https://attack.mitre.org/techniques/T1149",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1152",
"technique": "Launchctl",
"url": "https://attack.mitre.org/techniques/T1152",
"tactic": [
"Defense Evasion",
"Execution",
"Persistence"
]
},
{
"technique_id": "T1150",
"technique": "Plist Modification",
"url": "https://attack.mitre.org/techniques/T1150",
"tactic": [
"Defense Evasion",
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1163",
"technique": "Rc.common",
"url": "https://attack.mitre.org/techniques/T1163",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1166",
"technique": "Setuid and Setgid",
"url": "https://attack.mitre.org/techniques/T1166",
"tactic": [
"Privilege Escalation",
"Persistence"
]
},
{
"technique_id": "T1157",
"technique": "Dylib Hijacking",
"url": "https://attack.mitre.org/techniques/T1157",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1155",
"technique": "AppleScript",
"url": "https://attack.mitre.org/techniques/T1155",
"tactic": [
"Execution",
"Lateral Movement"
]
},
{
"technique_id": "T1136",
"technique": "Create Account",
"url": "https://attack.mitre.org/techniques/T1136",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1143",
"technique": "Hidden Window",
"url": "https://attack.mitre.org/techniques/T1143",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1141",
"technique": "Input Prompt",
"url": "https://attack.mitre.org/techniques/T1141",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1142",
"technique": "Keychain",
"url": "https://attack.mitre.org/techniques/T1142",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1159",
"technique": "Launch Agent",
"url": "https://attack.mitre.org/techniques/T1159",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1135",
"technique": "Network Share Discovery",
"url": "https://attack.mitre.org/techniques/T1135",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1148",
"technique": "HISTCONTROL",
"url": "https://attack.mitre.org/techniques/T1148",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1161",
"technique": "LC_LOAD_DYLIB Addition",
"url": "https://attack.mitre.org/techniques/T1161",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1154",
"technique": "Trap",
"url": "https://attack.mitre.org/techniques/T1154",
"tactic": [
"Execution",
"Persistence"
]
},
{
"technique_id": "T1134",
"technique": "Access Token Manipulation",
"url": "https://attack.mitre.org/techniques/T1134",
"tactic": [
"Defense Evasion",
"Privilege Escalation"
]
},
{
"technique_id": "T1139",
"technique": "Bash History",
"url": "https://attack.mitre.org/techniques/T1139",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1147",
"technique": "Hidden Users",
"url": "https://attack.mitre.org/techniques/T1147",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1156",
"technique": ".bash_profile and .bashrc",
"url": "https://attack.mitre.org/techniques/T1156",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1146",
"technique": "Clear Command History",
"url": "https://attack.mitre.org/techniques/T1146",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1160",
"technique": "Launch Daemon",
"url": "https://attack.mitre.org/techniques/T1160",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1145",
"technique": "Private Keys",
"url": "https://attack.mitre.org/techniques/T1145",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1165",
"technique": "Startup Items",
"url": "https://attack.mitre.org/techniques/T1165",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1162",
"technique": "Login Item",
"url": "https://attack.mitre.org/techniques/T1162",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1137",
"technique": "Office Application Startup",
"url": "https://attack.mitre.org/techniques/T1137",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1151",
"technique": "Space after Filename",
"url": "https://attack.mitre.org/techniques/T1151",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1144",
"technique": "Gatekeeper Bypass",
"url": "https://attack.mitre.org/techniques/T1144",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1158",
"technique": "Hidden Files and Directories",
"url": "https://attack.mitre.org/techniques/T1158",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1168",
"technique": "Local Job Scheduling",
"url": "https://attack.mitre.org/techniques/T1168",
"tactic": [
"Persistence",
"Execution"
]
},
{
"technique_id": "T1164",
"technique": "Re-opened Applications",
"url": "https://attack.mitre.org/techniques/T1164",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1167",
"technique": "Securityd Memory",
"url": "https://attack.mitre.org/techniques/T1167",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1153",
"technique": "Source",
"url": "https://attack.mitre.org/techniques/T1153",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1169",
"technique": "Sudo",
"url": "https://attack.mitre.org/techniques/T1169",
"tactic": [
"Privilege Escalation"
]
},
{
"technique_id": "T1133",
"technique": "External Remote Services",
"url": "https://attack.mitre.org/techniques/T1133",
"tactic": [
"Persistence",
"Initial Access"
]
},
{
"technique_id": "T1132",
"technique": "Data Encoding",
"url": "https://attack.mitre.org/techniques/T1132",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1131",
"technique": "Authentication Package",
"url": "https://attack.mitre.org/techniques/T1131",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1130",
"technique": "Install Root Certificate",
"url": "https://attack.mitre.org/techniques/T1130",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1129",
"technique": "Execution through Module Load",
"url": "https://attack.mitre.org/techniques/T1129",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1128",
"technique": "Netsh Helper DLL",
"url": "https://attack.mitre.org/techniques/T1128",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1127",
"technique": "Trusted Developer Utilities",
"url": "https://attack.mitre.org/techniques/T1127",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1126",
"technique": "Network Share Connection Removal",
"url": "https://attack.mitre.org/techniques/T1126",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1125",
"technique": "Video Capture",
"url": "https://attack.mitre.org/techniques/T1125",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1124",
"technique": "System Time Discovery",
"url": "https://attack.mitre.org/techniques/T1124",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1123",
"technique": "Audio Capture",
"url": "https://attack.mitre.org/techniques/T1123",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1122",
"technique": "Component Object Model Hijacking",
"url": "https://attack.mitre.org/techniques/T1122",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1121",
"technique": "Regsvcs/Regasm",
"url": "https://attack.mitre.org/techniques/T1121",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1120",
"technique": "Peripheral Device Discovery",
"url": "https://attack.mitre.org/techniques/T1120",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1119",
"technique": "Automated Collection",
"url": "https://attack.mitre.org/techniques/T1119",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1118",
"technique": "InstallUtil",
"url": "https://attack.mitre.org/techniques/T1118",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1117",
"technique": "Regsvr32",
"url": "https://attack.mitre.org/techniques/T1117",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1116",
"technique": "Code Signing",
"url": "https://attack.mitre.org/techniques/T1116",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1115",
"technique": "Clipboard Data",
"url": "https://attack.mitre.org/techniques/T1115",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1114",
"technique": "Email Collection",
"url": "https://attack.mitre.org/techniques/T1114",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1113",
"technique": "Screen Capture",
"url": "https://attack.mitre.org/techniques/T1113",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1112",
"technique": "Modify Registry",
"url": "https://attack.mitre.org/techniques/T1112",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1111",
"technique": "Two-Factor Authentication Interception",
"url": "https://attack.mitre.org/techniques/T1111",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1110",
"technique": "Brute Force",
"url": "https://attack.mitre.org/techniques/T1110",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1109",
"technique": "Component Firmware",
"url": "https://attack.mitre.org/techniques/T1109",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1108",
"technique": "Redundant Access",
"url": "https://attack.mitre.org/techniques/T1108",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1107",
"technique": "File Deletion",
"url": "https://attack.mitre.org/techniques/T1107",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1106",
"technique": "Execution through API",
"url": "https://attack.mitre.org/techniques/T1106",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1105",
"technique": "Remote File Copy",
"url": "https://attack.mitre.org/techniques/T1105",
"tactic": [
"Command And Control",
"Lateral Movement"
]
},
{
"technique_id": "T1104",
"technique": "Multi-Stage Channels",
"url": "https://attack.mitre.org/techniques/T1104",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1103",
"technique": "AppInit DLLs",
"url": "https://attack.mitre.org/techniques/T1103",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1102",
"technique": "Web Service",
"url": "https://attack.mitre.org/techniques/T1102",
"tactic": [
"Command And Control",
"Defense Evasion"
]
},
{
"technique_id": "T1101",
"technique": "Security Support Provider",
"url": "https://attack.mitre.org/techniques/T1101",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1100",
"technique": "Web Shell",
"url": "https://attack.mitre.org/techniques/T1100",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1099",
"technique": "Timestomp",
"url": "https://attack.mitre.org/techniques/T1099",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1098",
"technique": "Account Manipulation",
"url": "https://attack.mitre.org/techniques/T1098",
"tactic": [
"Credential Access",
"Persistence"
]
},
{
"technique_id": "T1097",
"technique": "Pass the Ticket",
"url": "https://attack.mitre.org/techniques/T1097",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1096",
"technique": "NTFS File Attributes",
"url": "https://attack.mitre.org/techniques/T1096",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1095",
"technique": "Standard Non-Application Layer Protocol",
"url": "https://attack.mitre.org/techniques/T1095",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1094",
"technique": "Custom Command and Control Protocol",
"url": "https://attack.mitre.org/techniques/T1094",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1093",
"technique": "Process Hollowing",
"url": "https://attack.mitre.org/techniques/T1093",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1092",
"technique": "Communication Through Removable Media",
"url": "https://attack.mitre.org/techniques/T1092",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1091",
"technique": "Replication Through Removable Media",
"url": "https://attack.mitre.org/techniques/T1091",
"tactic": [
"Lateral Movement",
"Initial Access"
]
},
{
"technique_id": "T1090",
"technique": "Connection Proxy",
"url": "https://attack.mitre.org/techniques/T1090",
"tactic": [
"Command And Control",
"Defense Evasion"
]
},
{
"technique_id": "T1089",
"technique": "Disabling Security Tools",
"url": "https://attack.mitre.org/techniques/T1089",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1088",
"technique": "Bypass User Account Control",
"url": "https://attack.mitre.org/techniques/T1088",
"tactic": [
"Defense Evasion",
"Privilege Escalation"
]
},
{
"technique_id": "T1087",
"technique": "Account Discovery",
"url": "https://attack.mitre.org/techniques/T1087",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1086",
"technique": "PowerShell",
"url": "https://attack.mitre.org/techniques/T1086",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1085",
"technique": "Rundll32",
"url": "https://attack.mitre.org/techniques/T1085",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1084",
"technique": "Windows Management Instrumentation Event Subscription",
"url": "https://attack.mitre.org/techniques/T1084",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1083",
"technique": "File and Directory Discovery",
"url": "https://attack.mitre.org/techniques/T1083",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1082",
"technique": "System Information Discovery",
"url": "https://attack.mitre.org/techniques/T1082",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1081",
"technique": "Credentials in Files",
"url": "https://attack.mitre.org/techniques/T1081",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1080",
"technique": "Taint Shared Content",
"url": "https://attack.mitre.org/techniques/T1080",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1079",
"technique": "Multilayer Encryption",
"url": "https://attack.mitre.org/techniques/T1079",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1078",
"technique": "Valid Accounts",
"url": "https://attack.mitre.org/techniques/T1078",
"tactic": [
"Defense Evasion",
"Persistence",
"Privilege Escalation",
"Initial Access"
]
},
{
"technique_id": "T1077",
"technique": "Windows Admin Shares",
"url": "https://attack.mitre.org/techniques/T1077",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1076",
"technique": "Remote Desktop Protocol",
"url": "https://attack.mitre.org/techniques/T1076",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1075",
"technique": "Pass the Hash",
"url": "https://attack.mitre.org/techniques/T1075",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1074",
"technique": "Data Staged",
"url": "https://attack.mitre.org/techniques/T1074",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1073",
"technique": "DLL Side-Loading",
"url": "https://attack.mitre.org/techniques/T1073",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1072",
"technique": "Third-party Software",
"url": "https://attack.mitre.org/techniques/T1072",
"tactic": [
"Execution",
"Lateral Movement"
]
},
{
"technique_id": "T1071",
"technique": "Standard Application Layer Protocol",
"url": "https://attack.mitre.org/techniques/T1071",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1070",
"technique": "Indicator Removal on Host",
"url": "https://attack.mitre.org/techniques/T1070",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1069",
"technique": "Permission Groups Discovery",
"url": "https://attack.mitre.org/techniques/T1069",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1068",
"technique": "Exploitation for Privilege Escalation",
"url": "https://attack.mitre.org/techniques/T1068",
"tactic": [
"Privilege Escalation"
]
},
{
"technique_id": "T1067",
"technique": "Bootkit",
"url": "https://attack.mitre.org/techniques/T1067",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1066",
"technique": "Indicator Removal from Tools",
"url": "https://attack.mitre.org/techniques/T1066",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1065",
"technique": "Uncommonly Used Port",
"url": "https://attack.mitre.org/techniques/T1065",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1064",
"technique": "Scripting",
"url": "https://attack.mitre.org/techniques/T1064",
"tactic": [
"Defense Evasion",
"Execution"
]
},
{
"technique_id": "T1063",
"technique": "Security Software Discovery",
"url": "https://attack.mitre.org/techniques/T1063",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1062",
"technique": "Hypervisor",
"url": "https://attack.mitre.org/techniques/T1062",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1061",
"technique": "Graphical User Interface",
"url": "https://attack.mitre.org/techniques/T1061",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1060",
"technique": "Registry Run Keys / Startup Folder",
"url": "https://attack.mitre.org/techniques/T1060",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1059",
"technique": "Command-Line Interface",
"url": "https://attack.mitre.org/techniques/T1059",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1058",
"technique": "Service Registry Permissions Weakness",
"url": "https://attack.mitre.org/techniques/T1058",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1057",
"technique": "Process Discovery",
"url": "https://attack.mitre.org/techniques/T1057",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1056",
"technique": "Input Capture",
"url": "https://attack.mitre.org/techniques/T1056",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1055",
"technique": "Process Injection",
"url": "https://attack.mitre.org/techniques/T1055",
"tactic": [
"Defense Evasion",
"Privilege Escalation"
]
},
{
"technique_id": "T1054",
"technique": "Indicator Blocking",
"url": "https://attack.mitre.org/techniques/T1054",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1053",
"technique": "Scheduled Task",
"url": "https://attack.mitre.org/techniques/T1053",
"tactic": [
"Execution",
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1052",
"technique": "Exfiltration Over Physical Medium",
"url": "https://attack.mitre.org/techniques/T1052",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1051",
"technique": "Shared Webroot",
"url": "https://attack.mitre.org/techniques/T1051",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1050",
"technique": "New Service",
"url": "https://attack.mitre.org/techniques/T1050",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1049",
"technique": "System Network Connections Discovery",
"url": "https://attack.mitre.org/techniques/T1049",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1048",
"technique": "Exfiltration Over Alternative Protocol",
"url": "https://attack.mitre.org/techniques/T1048",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1047",
"technique": "Windows Management Instrumentation",
"url": "https://attack.mitre.org/techniques/T1047",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1046",
"technique": "Network Service Scanning",
"url": "https://attack.mitre.org/techniques/T1046",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1045",
"technique": "Software Packing",
"url": "https://attack.mitre.org/techniques/T1045",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1044",
"technique": "File System Permissions Weakness",
"url": "https://attack.mitre.org/techniques/T1044",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1043",
"technique": "Commonly Used Port",
"url": "https://attack.mitre.org/techniques/T1043",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1042",
"technique": "Change Default File Association",
"url": "https://attack.mitre.org/techniques/T1042",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1041",
"technique": "Exfiltration Over Command and Control Channel",
"url": "https://attack.mitre.org/techniques/T1041",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1040",
"technique": "Network Sniffing",
"url": "https://attack.mitre.org/techniques/T1040",
"tactic": [
"Credential Access",
"Discovery"
]
},
{
"technique_id": "T1039",
"technique": "Data from Network Shared Drive",
"url": "https://attack.mitre.org/techniques/T1039",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1038",
"technique": "DLL Search Order Hijacking",
"url": "https://attack.mitre.org/techniques/T1038",
"tactic": [
"Persistence",
"Privilege Escalation",
"Defense Evasion"
]
},
{
"technique_id": "T1037",
"technique": "Logon Scripts",
"url": "https://attack.mitre.org/techniques/T1037",
"tactic": [
"Lateral Movement",
"Persistence"
]
},
{
"technique_id": "T1036",
"technique": "Masquerading",
"url": "https://attack.mitre.org/techniques/T1036",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1035",
"technique": "Service Execution",
"url": "https://attack.mitre.org/techniques/T1035",
"tactic": [
"Execution"
]
},
{
"technique_id": "T1034",
"technique": "Path Interception",
"url": "https://attack.mitre.org/techniques/T1034",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1033",
"technique": "System Owner/User Discovery",
"url": "https://attack.mitre.org/techniques/T1033",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1032",
"technique": "Standard Cryptographic Protocol",
"url": "https://attack.mitre.org/techniques/T1032",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1031",
"technique": "Modify Existing Service",
"url": "https://attack.mitre.org/techniques/T1031",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1030",
"technique": "Data Transfer Size Limits",
"url": "https://attack.mitre.org/techniques/T1030",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1029",
"technique": "Scheduled Transfer",
"url": "https://attack.mitre.org/techniques/T1029",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1028",
"technique": "Windows Remote Management",
"url": "https://attack.mitre.org/techniques/T1028",
"tactic": [
"Execution",
"Lateral Movement"
]
},
{
"technique_id": "T1027",
"technique": "Obfuscated Files or Information",
"url": "https://attack.mitre.org/techniques/T1027",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1026",
"technique": "Multiband Communication",
"url": "https://attack.mitre.org/techniques/T1026",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1025",
"technique": "Data from Removable Media",
"url": "https://attack.mitre.org/techniques/T1025",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1024",
"technique": "Custom Cryptographic Protocol",
"url": "https://attack.mitre.org/techniques/T1024",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1023",
"technique": "Shortcut Modification",
"url": "https://attack.mitre.org/techniques/T1023",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1022",
"technique": "Data Encrypted",
"url": "https://attack.mitre.org/techniques/T1022",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1021",
"technique": "Remote Services",
"url": "https://attack.mitre.org/techniques/T1021",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1020",
"technique": "Automated Exfiltration",
"url": "https://attack.mitre.org/techniques/T1020",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1019",
"technique": "System Firmware",
"url": "https://attack.mitre.org/techniques/T1019",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1018",
"technique": "Remote System Discovery",
"url": "https://attack.mitre.org/techniques/T1018",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1017",
"technique": "Application Deployment Software",
"url": "https://attack.mitre.org/techniques/T1017",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1016",
"technique": "System Network Configuration Discovery",
"url": "https://attack.mitre.org/techniques/T1016",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1015",
"technique": "Accessibility Features",
"url": "https://attack.mitre.org/techniques/T1015",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1014",
"technique": "Rootkit",
"url": "https://attack.mitre.org/techniques/T1014",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1013",
"technique": "Port Monitors",
"url": "https://attack.mitre.org/techniques/T1013",
"tactic": [
"Persistence",
"Privilege Escalation"
]
},
{
"technique_id": "T1012",
"technique": "Query Registry",
"url": "https://attack.mitre.org/techniques/T1012",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1011",
"technique": "Exfiltration Over Other Network Medium",
"url": "https://attack.mitre.org/techniques/T1011",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1010",
"technique": "Application Window Discovery",
"url": "https://attack.mitre.org/techniques/T1010",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1009",
"technique": "Binary Padding",
"url": "https://attack.mitre.org/techniques/T1009",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1008",
"technique": "Fallback Channels",
"url": "https://attack.mitre.org/techniques/T1008",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1007",
"technique": "System Service Discovery",
"url": "https://attack.mitre.org/techniques/T1007",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1006",
"technique": "File System Logical Offsets",
"url": "https://attack.mitre.org/techniques/T1006",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1005",
"technique": "Data from Local System",
"url": "https://attack.mitre.org/techniques/T1005",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1004",
"technique": "Winlogon Helper DLL",
"url": "https://attack.mitre.org/techniques/T1004",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1003",
"technique": "Credential Dumping",
"url": "https://attack.mitre.org/techniques/T1003",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1002",
"technique": "Data Compressed",
"url": "https://attack.mitre.org/techniques/T1002",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1001",
"technique": "Data Obfuscation",
"url": "https://attack.mitre.org/techniques/T1001",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1397",
"technique": "Spearphishing for Information",
"url": "https://attack.mitre.org/techniques/T1397",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1307",
"technique": "Acquire and/or use 3rd party infrastructure services",
"url": "https://attack.mitre.org/techniques/T1307",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1275",
"technique": "Aggregate individual's digital footprint",
"url": "https://attack.mitre.org/techniques/T1275",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1294",
"technique": "Analyze hardware/software security defensive capabilities",
"url": "https://attack.mitre.org/techniques/T1294",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1295",
"technique": "Analyze social and business relationships, interests, and affiliations",
"url": "https://attack.mitre.org/techniques/T1295",
"tactic": [
"People Weakness Identification"
]
},
{
"technique_id": "T1299",
"technique": "Assess opportunities created by business deals",
"url": "https://attack.mitre.org/techniques/T1299",
"tactic": [
"Organizational Weakness Identification"
]
},
{
"technique_id": "T1228",
"technique": "Assign KITs/KIQs into categories",
"url": "https://attack.mitre.org/techniques/T1228",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1349",
"technique": "Build or acquire exploits",
"url": "https://attack.mitre.org/techniques/T1349",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1343",
"technique": "Choose pre-compromised persona and affiliated accounts",
"url": "https://attack.mitre.org/techniques/T1343",
"tactic": [
"Persona Development"
]
},
{
"technique_id": "T1388",
"technique": "Compromise of externally facing system",
"url": "https://attack.mitre.org/techniques/T1388",
"tactic": [
"Compromise"
]
},
{
"technique_id": "T1268",
"technique": "Conduct social engineering",
"url": "https://attack.mitre.org/techniques/T1268",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1345",
"technique": "Create custom payloads",
"url": "https://attack.mitre.org/techniques/T1345",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1382",
"technique": "DNS poisoning",
"url": "https://attack.mitre.org/techniques/T1382",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1284",
"technique": "Determine 3rd party infrastructure services",
"url": "https://attack.mitre.org/techniques/T1284",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1259",
"technique": "Determine external network trust dependencies",
"url": "https://attack.mitre.org/techniques/T1259",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1244",
"technique": "Determine secondary level tactical element",
"url": "https://attack.mitre.org/techniques/T1244",
"tactic": [
"Target Selection"
]
},
{
"technique_id": "T1255",
"technique": "Discover target logon/email address format",
"url": "https://attack.mitre.org/techniques/T1255",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1286",
"technique": "Dumpster dive",
"url": "https://attack.mitre.org/techniques/T1286",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1377",
"technique": "Exploit public-facing application",
"url": "https://attack.mitre.org/techniques/T1377",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1365",
"technique": "Hardware or software supply chain implant",
"url": "https://attack.mitre.org/techniques/T1365",
"tactic": [
"Stage Capabilities"
]
},
{
"technique_id": "T1272",
"technique": "Identify business relationships",
"url": "https://attack.mitre.org/techniques/T1272",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1278",
"technique": "Identify job postings and needs/gaps",
"url": "https://attack.mitre.org/techniques/T1278",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1263",
"technique": "Identify security defensive capabilities",
"url": "https://attack.mitre.org/techniques/T1263",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1264",
"technique": "Identify technology usage patterns",
"url": "https://attack.mitre.org/techniques/T1264",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1252",
"technique": "Map network topology",
"url": "https://attack.mitre.org/techniques/T1252",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1316",
"technique": "Non-traditional or less attributable payment options",
"url": "https://attack.mitre.org/techniques/T1316",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1319",
"technique": "Obfuscate or encrypt code",
"url": "https://attack.mitre.org/techniques/T1319",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1281",
"technique": "Obtain templates/branding materials",
"url": "https://attack.mitre.org/techniques/T1281",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1335",
"technique": "Procure required equipment and software",
"url": "https://attack.mitre.org/techniques/T1335",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1351",
"technique": "Remote access tool development",
"url": "https://attack.mitre.org/techniques/T1351",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1395",
"technique": "Runtime code download and execution",
"url": "https://attack.mitre.org/techniques/T1395",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1367",
"technique": "Spear phishing messages with malicious attachments",
"url": "https://attack.mitre.org/techniques/T1367",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1371",
"technique": "Targeted client-side exploitation",
"url": "https://attack.mitre.org/techniques/T1371",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1357",
"technique": "Test malware in various execution environments",
"url": "https://attack.mitre.org/techniques/T1357",
"tactic": [
"Test Capabilities"
]
},
{
"technique_id": "T1387",
"technique": "Unauthorized user introduces compromise delivery mechanism",
"url": "https://attack.mitre.org/techniques/T1387",
"tactic": [
"Compromise"
]
},
{
"technique_id": "T1329",
"technique": "Acquire and/or use 3rd party infrastructure services",
"url": "https://attack.mitre.org/techniques/T1329",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1332",
"technique": "Acquire or compromise 3rd party signing certificates",
"url": "https://attack.mitre.org/techniques/T1332",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1287",
"technique": "Analyze data collected",
"url": "https://attack.mitre.org/techniques/T1287",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1303",
"technique": "Analyze presence of outsourced capabilities",
"url": "https://attack.mitre.org/techniques/T1303",
"tactic": [
"Organizational Weakness Identification"
]
},
{
"technique_id": "T1224",
"technique": "Assess leadership areas of interest",
"url": "https://attack.mitre.org/techniques/T1224",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1238",
"technique": "Assign KITs, KIQs, and/or intelligence requirements",
"url": "https://attack.mitre.org/techniques/T1238",
"tactic": [
"Priority Definition Direction"
]
},
{
"technique_id": "T1347",
"technique": "Build and configure delivery systems",
"url": "https://attack.mitre.org/techniques/T1347",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1391",
"technique": "Choose pre-compromised mobile app developer account credentials or signing keys",
"url": "https://attack.mitre.org/techniques/T1391",
"tactic": [
"Persona Development"
]
},
{
"technique_id": "T1354",
"technique": "Compromise 3rd party or closed-source vulnerability/exploit information",
"url": "https://attack.mitre.org/techniques/T1354",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1279",
"technique": "Conduct social engineering",
"url": "https://attack.mitre.org/techniques/T1279",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1339",
"technique": "Create backup infrastructure",
"url": "https://attack.mitre.org/techniques/T1339",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1374",
"technique": "Credential pharming",
"url": "https://attack.mitre.org/techniques/T1374",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1230",
"technique": "Derive intelligence requirements",
"url": "https://attack.mitre.org/techniques/T1230",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1250",
"technique": "Determine domain and IP address space",
"url": "https://attack.mitre.org/techniques/T1250",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1282",
"technique": "Determine physical locations",
"url": "https://attack.mitre.org/techniques/T1282",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1350",
"technique": "Discover new exploits and monitor exploit-provider forums",
"url": "https://attack.mitre.org/techniques/T1350",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1326",
"technique": "Domain registration hijacking",
"url": "https://attack.mitre.org/techniques/T1326",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1261",
"technique": "Enumerate externally facing software applications technologies, languages, and dependencies",
"url": "https://attack.mitre.org/techniques/T1261",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1234",
"technique": "Generate analyst intelligence requirements",
"url": "https://attack.mitre.org/techniques/T1234",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1280",
"technique": "Identify business processes/tempo",
"url": "https://attack.mitre.org/techniques/T1280",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1248",
"technique": "Identify job postings and needs/gaps",
"url": "https://attack.mitre.org/techniques/T1248",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1348",
"technique": "Identify resources required to build capabilities",
"url": "https://attack.mitre.org/techniques/T1348",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1265",
"technique": "Identify supply chains",
"url": "https://attack.mitre.org/techniques/T1265",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1375",
"technique": "Leverage compromised 3rd party resources",
"url": "https://attack.mitre.org/techniques/T1375",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1315",
"technique": "Network-based hiding techniques",
"url": "https://attack.mitre.org/techniques/T1315",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1318",
"technique": "Obfuscate operational infrastructure",
"url": "https://attack.mitre.org/techniques/T1318",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1251",
"technique": "Obtain domain/IP registration information",
"url": "https://attack.mitre.org/techniques/T1251",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1305",
"technique": "Private whois services",
"url": "https://attack.mitre.org/techniques/T1305",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1235",
"technique": "Receive operator KITs/KIQs tasking",
"url": "https://attack.mitre.org/techniques/T1235",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1358",
"technique": "Review logs and residual traces",
"url": "https://attack.mitre.org/techniques/T1358",
"tactic": [
"Test Capabilities"
]
},
{
"technique_id": "T1340",
"technique": "Shadow DNS",
"url": "https://attack.mitre.org/techniques/T1340",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1237",
"technique": "Submit KITs, KIQs, and intelligence requirements",
"url": "https://attack.mitre.org/techniques/T1237",
"tactic": [
"Priority Definition Direction"
]
},
{
"technique_id": "T1356",
"technique": "Test callback functionality",
"url": "https://attack.mitre.org/techniques/T1356",
"tactic": [
"Test Capabilities"
]
},
{
"technique_id": "T1361",
"technique": "Test signature detection for file upload/email filters",
"url": "https://attack.mitre.org/techniques/T1361",
"tactic": [
"Test Capabilities"
]
},
{
"technique_id": "T1327",
"technique": "Use multiple DNS infrastructures",
"url": "https://attack.mitre.org/techniques/T1327",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1277",
"technique": "Acquire OSINT data sets and information",
"url": "https://attack.mitre.org/techniques/T1277",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1310",
"technique": "Acquire or compromise 3rd party signing certificates",
"url": "https://attack.mitre.org/techniques/T1310",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1301",
"technique": "Analyze business processes",
"url": "https://attack.mitre.org/techniques/T1301",
"tactic": [
"Organizational Weakness Identification"
]
},
{
"technique_id": "T1297",
"technique": "Analyze organizational skillsets and deficiencies",
"url": "https://attack.mitre.org/techniques/T1297",
"tactic": [
"People Weakness Identification"
]
},
{
"technique_id": "T1236",
"technique": "Assess current holdings, needs, and wants",
"url": "https://attack.mitre.org/techniques/T1236",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1298",
"technique": "Assess vulnerability of 3rd party vendors",
"url": "https://attack.mitre.org/techniques/T1298",
"tactic": [
"Organizational Weakness Identification"
]
},
{
"technique_id": "T1384",
"technique": "Automated system performs requested action",
"url": "https://attack.mitre.org/techniques/T1384",
"tactic": [
"Compromise"
]
},
{
"technique_id": "T1352",
"technique": "C2 protocol development",
"url": "https://attack.mitre.org/techniques/T1352",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1334",
"technique": "Compromise 3rd party infrastructure to support delivery",
"url": "https://attack.mitre.org/techniques/T1334",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1253",
"technique": "Conduct passive scanning",
"url": "https://attack.mitre.org/techniques/T1253",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1383",
"technique": "Confirmation of launched compromise achieved",
"url": "https://attack.mitre.org/techniques/T1383",
"tactic": [
"Compromise"
]
},
{
"technique_id": "T1231",
"technique": "Create strategic plan",
"url": "https://attack.mitre.org/techniques/T1231",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1380",
"technique": "Deploy exploit using advertising",
"url": "https://attack.mitre.org/techniques/T1380",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1285",
"technique": "Determine centralization of IT management",
"url": "https://attack.mitre.org/techniques/T1285",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1242",
"technique": "Determine operational element",
"url": "https://attack.mitre.org/techniques/T1242",
"tactic": [
"Target Selection"
]
},
{
"technique_id": "T1342",
"technique": "Develop social network persona digital footprint",
"url": "https://attack.mitre.org/techniques/T1342",
"tactic": [
"Persona Development"
]
},
{
"technique_id": "T1323",
"technique": "Domain Generation Algorithms (DGA)",
"url": "https://attack.mitre.org/techniques/T1323",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1262",
"technique": "Enumerate client configurations",
"url": "https://attack.mitre.org/techniques/T1262",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1364",
"technique": "Friend/Follow/Connect to targets of interest",
"url": "https://attack.mitre.org/techniques/T1364",
"tactic": [
"Stage Capabilities"
]
},
{
"technique_id": "T1233",
"technique": "Identify analyst level gaps",
"url": "https://attack.mitre.org/techniques/T1233",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1270",
"technique": "Identify groups/roles",
"url": "https://attack.mitre.org/techniques/T1270",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1271",
"technique": "Identify personnel with an authority/privilege",
"url": "https://attack.mitre.org/techniques/T1271",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1246",
"technique": "Identify supply chains",
"url": "https://attack.mitre.org/techniques/T1246",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1336",
"technique": "Install and configure hardware, network, and systems",
"url": "https://attack.mitre.org/techniques/T1336",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1322",
"technique": "Misattributable credentials",
"url": "https://attack.mitre.org/techniques/T1322",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1331",
"technique": "Obfuscate infrastructure",
"url": "https://attack.mitre.org/techniques/T1331",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1396",
"technique": "Obtain booter/stressor subscription",
"url": "https://attack.mitre.org/techniques/T1396",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1353",
"technique": "Post compromise tool development",
"url": "https://attack.mitre.org/techniques/T1353",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1239",
"technique": "Receive KITs/KIQs and determine requirements",
"url": "https://attack.mitre.org/techniques/T1239",
"tactic": [
"Priority Definition Direction"
]
},
{
"technique_id": "T1290",
"technique": "Research visibility gap of security vendors",
"url": "https://attack.mitre.org/techniques/T1290",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1317",
"technique": "Secure and protect infrastructure",
"url": "https://attack.mitre.org/techniques/T1317",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1393",
"technique": "Test ability to evade automated mobile application security analysis performed by app stores",
"url": "https://attack.mitre.org/techniques/T1393",
"tactic": [
"Test Capabilities"
]
},
{
"technique_id": "T1292",
"technique": "Test signature detection",
"url": "https://attack.mitre.org/techniques/T1292",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1362",
"technique": "Upload, install, and configure software/tools",
"url": "https://attack.mitre.org/techniques/T1362",
"tactic": [
"Stage Capabilities"
]
},
{
"technique_id": "T1266",
"technique": "Acquire OSINT data sets and information",
"url": "https://attack.mitre.org/techniques/T1266",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1308",
"technique": "Acquire and/or use 3rd party software services",
"url": "https://attack.mitre.org/techniques/T1308",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1293",
"technique": "Analyze application security posture",
"url": "https://attack.mitre.org/techniques/T1293",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1300",
"technique": "Analyze organizational skillsets and deficiencies",
"url": "https://attack.mitre.org/techniques/T1300",
"tactic": [
"Organizational Weakness Identification"
]
},
{
"technique_id": "T1306",
"technique": "Anonymity services",
"url": "https://attack.mitre.org/techniques/T1306",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1302",
"technique": "Assess security posture of physical locations",
"url": "https://attack.mitre.org/techniques/T1302",
"tactic": [
"Organizational Weakness Identification"
]
},
{
"technique_id": "T1381",
"technique": "Authentication attempt",
"url": "https://attack.mitre.org/techniques/T1381",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1341",
"technique": "Build social network persona",
"url": "https://attack.mitre.org/techniques/T1341",
"tactic": [
"Persona Development"
]
},
{
"technique_id": "T1321",
"technique": "Common, high volume protocols and software",
"url": "https://attack.mitre.org/techniques/T1321",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1254",
"technique": "Conduct active scanning",
"url": "https://attack.mitre.org/techniques/T1254",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1249",
"technique": "Conduct social engineering",
"url": "https://attack.mitre.org/techniques/T1249",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1232",
"technique": "Create implementation plan",
"url": "https://attack.mitre.org/techniques/T1232",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1324",
"technique": "DNSCalc",
"url": "https://attack.mitre.org/techniques/T1324",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1260",
"technique": "Determine 3rd party infrastructure services",
"url": "https://attack.mitre.org/techniques/T1260",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1258",
"technique": "Determine firmware version",
"url": "https://attack.mitre.org/techniques/T1258",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1241",
"technique": "Determine strategic target",
"url": "https://attack.mitre.org/techniques/T1241",
"tactic": [
"Target Selection"
]
},
{
"technique_id": "T1379",
"technique": "Disseminate removable media",
"url": "https://attack.mitre.org/techniques/T1379",
"tactic": [
"Stage Capabilities"
]
},
{
"technique_id": "T1311",
"technique": "Dynamic DNS",
"url": "https://attack.mitre.org/techniques/T1311",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1325",
"technique": "Fast Flux DNS",
"url": "https://attack.mitre.org/techniques/T1325",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1314",
"technique": "Host-based hiding techniques",
"url": "https://attack.mitre.org/techniques/T1314",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1283",
"technique": "Identify business relationships",
"url": "https://attack.mitre.org/techniques/T1283",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1267",
"technique": "Identify job postings and needs/gaps",
"url": "https://attack.mitre.org/techniques/T1267",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1274",
"technique": "Identify sensitive personnel information",
"url": "https://attack.mitre.org/techniques/T1274",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1389",
"technique": "Identify vulnerabilities in third-party software libraries",
"url": "https://attack.mitre.org/techniques/T1389",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1273",
"technique": "Mine social media",
"url": "https://attack.mitre.org/techniques/T1273",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1390",
"technique": "OS-vendor provided communication channels",
"url": "https://attack.mitre.org/techniques/T1390",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1313",
"technique": "Obfuscation or cryptography",
"url": "https://attack.mitre.org/techniques/T1313",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1247",
"technique": "Acquire OSINT data sets and information",
"url": "https://attack.mitre.org/techniques/T1247",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1346",
"technique": "Obtain/re-use payloads",
"url": "https://attack.mitre.org/techniques/T1346",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1330",
"technique": "Acquire and/or use 3rd party software services",
"url": "https://attack.mitre.org/techniques/T1330",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1288",
"technique": "Analyze architecture and configuration posture",
"url": "https://attack.mitre.org/techniques/T1288",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1304",
"technique": "Proxy/protocol relays",
"url": "https://attack.mitre.org/techniques/T1304",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1289",
"technique": "Analyze organizational skillsets and deficiencies",
"url": "https://attack.mitre.org/techniques/T1289",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1378",
"technique": "Replace legitimate binary with malware",
"url": "https://attack.mitre.org/techniques/T1378",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1229",
"technique": "Assess KITs/KIQs benefits",
"url": "https://attack.mitre.org/techniques/T1229",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1337",
"technique": "SSL certificate acquisition for domain",
"url": "https://attack.mitre.org/techniques/T1337",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1296",
"technique": "Assess targeting options",
"url": "https://attack.mitre.org/techniques/T1296",
"tactic": [
"People Weakness Identification"
]
},
{
"technique_id": "T1386",
"technique": "Authorized user performs requested cyber action",
"url": "https://attack.mitre.org/techniques/T1386",
"tactic": [
"Compromise"
]
},
{
"technique_id": "T1369",
"technique": "Spear phishing messages with malicious links",
"url": "https://attack.mitre.org/techniques/T1369",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1328",
"technique": "Buy domain name",
"url": "https://attack.mitre.org/techniques/T1328",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1366",
"technique": "Targeted social media phishing",
"url": "https://attack.mitre.org/techniques/T1366",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1312",
"technique": "Compromise 3rd party infrastructure to support delivery",
"url": "https://attack.mitre.org/techniques/T1312",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1359",
"technique": "Test malware to evade detection",
"url": "https://attack.mitre.org/techniques/T1359",
"tactic": [
"Test Capabilities"
]
},
{
"technique_id": "T1226",
"technique": "Conduct cost/benefit analysis",
"url": "https://attack.mitre.org/techniques/T1226",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1376",
"technique": "Conduct social engineering or HUMINT operation",
"url": "https://attack.mitre.org/techniques/T1376",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1355",
"technique": "Create infected removable media",
"url": "https://attack.mitre.org/techniques/T1355",
"tactic": [
"Build Capabilities"
]
},
{
"technique_id": "T1320",
"technique": "Data Hiding",
"url": "https://attack.mitre.org/techniques/T1320",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1245",
"technique": "Determine approach/attack vector",
"url": "https://attack.mitre.org/techniques/T1245",
"tactic": [
"Target Selection"
]
},
{
"technique_id": "T1243",
"technique": "Determine highest level tactical element",
"url": "https://attack.mitre.org/techniques/T1243",
"tactic": [
"Target Selection"
]
},
{
"technique_id": "T1227",
"technique": "Develop KITs/KIQs",
"url": "https://attack.mitre.org/techniques/T1227",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1394",
"technique": "Distribute malicious software development tools",
"url": "https://attack.mitre.org/techniques/T1394",
"tactic": [
"Stage Capabilities"
]
},
{
"technique_id": "T1333",
"technique": "Dynamic DNS",
"url": "https://attack.mitre.org/techniques/T1333",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1344",
"technique": "Friend/Follow/Connect to targets of interest",
"url": "https://attack.mitre.org/techniques/T1344",
"tactic": [
"Persona Development"
]
},
{
"technique_id": "T1385",
"technique": "Human performs requested action of physical nature",
"url": "https://attack.mitre.org/techniques/T1385",
"tactic": [
"Compromise"
]
},
{
"technique_id": "T1225",
"technique": "Identify gap areas",
"url": "https://attack.mitre.org/techniques/T1225",
"tactic": [
"Priority Definition Planning"
]
},
{
"technique_id": "T1269",
"technique": "Identify people of interest",
"url": "https://attack.mitre.org/techniques/T1269",
"tactic": [
"People Information Gathering"
]
},
{
"technique_id": "T1276",
"technique": "Identify supply chains",
"url": "https://attack.mitre.org/techniques/T1276",
"tactic": [
"Organizational Information Gathering"
]
},
{
"technique_id": "T1256",
"technique": "Identify web defensive services",
"url": "https://attack.mitre.org/techniques/T1256",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1257",
"technique": "Mine technical blogs/forums",
"url": "https://attack.mitre.org/techniques/T1257",
"tactic": [
"Technical Information Gathering"
]
},
{
"technique_id": "T1309",
"technique": "Obfuscate infrastructure",
"url": "https://attack.mitre.org/techniques/T1309",
"tactic": [
"Adversary Opsec"
]
},
{
"technique_id": "T1392",
"technique": "Obtain Apple iOS enterprise distribution key pair and certificate",
"url": "https://attack.mitre.org/techniques/T1392",
"tactic": [
"Persona Development"
]
},
{
"technique_id": "T1363",
"technique": "Port redirector",
"url": "https://attack.mitre.org/techniques/T1363",
"tactic": [
"Stage Capabilities"
]
},
{
"technique_id": "T1373",
"technique": "Push-notification client-side exploit",
"url": "https://attack.mitre.org/techniques/T1373",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1291",
"technique": "Research relevant vulnerabilities/CVEs",
"url": "https://attack.mitre.org/techniques/T1291",
"tactic": [
"Technical Weakness Identification"
]
},
{
"technique_id": "T1338",
"technique": "SSL certificate acquisition for trust breaking",
"url": "https://attack.mitre.org/techniques/T1338",
"tactic": [
"Establish & Maintain Infrastructure"
]
},
{
"technique_id": "T1368",
"technique": "Spear phishing messages with text only",
"url": "https://attack.mitre.org/techniques/T1368",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1240",
"technique": "Task requirements",
"url": "https://attack.mitre.org/techniques/T1240",
"tactic": [
"Priority Definition Direction"
]
},
{
"technique_id": "T1360",
"technique": "Test physical access",
"url": "https://attack.mitre.org/techniques/T1360",
"tactic": [
"Test Capabilities"
]
},
{
"technique_id": "T1370",
"technique": "Untargeted client-side exploitation",
"url": "https://attack.mitre.org/techniques/T1370",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1372",
"technique": "Unconditional client-side exploitation/Injected Website/Driveby",
"url": "https://attack.mitre.org/techniques/T1372",
"tactic": [
"Launch"
]
},
{
"technique_id": "T1533",
"technique": "Data from Local System",
"url": "https://attack.mitre.org/techniques/T1533",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1532",
"technique": "Data Encrypted",
"url": "https://attack.mitre.org/techniques/T1532",
"tactic": [
"Exfiltration"
]
},
{
"technique_id": "T1523",
"technique": "Evade Analysis Environment",
"url": "https://attack.mitre.org/techniques/T1523",
"tactic": [
"Defense Evasion",
"Discovery"
]
},
{
"technique_id": "T1521",
"technique": "Standard Cryptographic Protocol",
"url": "https://attack.mitre.org/techniques/T1521",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1520",
"technique": "Domain Generation Algorithms",
"url": "https://attack.mitre.org/techniques/T1520",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1516",
"technique": "Input Injection",
"url": "https://attack.mitre.org/techniques/T1516",
"tactic": [
"Defense Evasion",
"Impact"
]
},
{
"technique_id": "T1517",
"technique": "Access Notifications",
"url": "https://attack.mitre.org/techniques/T1517",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1512",
"technique": "Capture Camera",
"url": "https://attack.mitre.org/techniques/T1512",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1513",
"technique": "Screen Capture",
"url": "https://attack.mitre.org/techniques/T1513",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1509",
"technique": "Uncommonly Used Port",
"url": "https://attack.mitre.org/techniques/T1509",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1510",
"technique": "Clipboard Modification",
"url": "https://attack.mitre.org/techniques/T1510",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1508",
"technique": "Suppress Application Icon",
"url": "https://attack.mitre.org/techniques/T1508",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1507",
"technique": "Network Information Discovery",
"url": "https://attack.mitre.org/techniques/T1507",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1481",
"technique": "Web Service",
"url": "https://attack.mitre.org/techniques/T1481",
"tactic": [
"Command And Control"
]
},
{
"technique_id": "T1476",
"technique": "Deliver Malicious App via Other Means",
"url": "https://attack.mitre.org/techniques/T1476",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1475",
"technique": "Deliver Malicious App via Authorized App Store",
"url": "https://attack.mitre.org/techniques/T1475",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1474",
"technique": "Supply Chain Compromise",
"url": "https://attack.mitre.org/techniques/T1474",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1477",
"technique": "Exploit via Radio Interfaces",
"url": "https://attack.mitre.org/techniques/T1477",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1478",
"technique": "Install Insecure or Malicious Configuration",
"url": "https://attack.mitre.org/techniques/T1478",
"tactic": [
"Defense Evasion",
"Initial Access"
]
},
{
"technique_id": "T1444",
"technique": "Masquerade as Legitimate Application",
"url": "https://attack.mitre.org/techniques/T1444",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1443",
"technique": "Remotely Install Application",
"url": "https://attack.mitre.org/techniques/T1443",
"tactic": []
},
{
"technique_id": "T1411",
"technique": "Input Prompt",
"url": "https://attack.mitre.org/techniques/T1411",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1424",
"technique": "Process Discovery",
"url": "https://attack.mitre.org/techniques/T1424",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1421",
"technique": "System Network Connections Discovery",
"url": "https://attack.mitre.org/techniques/T1421",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1437",
"technique": "Standard Application Layer Protocol",
"url": "https://attack.mitre.org/techniques/T1437",
"tactic": [
"Command And Control",
"Exfiltration"
]
},
{
"technique_id": "T1422",
"technique": "System Network Configuration Discovery",
"url": "https://attack.mitre.org/techniques/T1422",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1406",
"technique": "Obfuscated Files or Information",
"url": "https://attack.mitre.org/techniques/T1406",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1416",
"technique": "Android Intent Hijacking",
"url": "https://attack.mitre.org/techniques/T1416",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1447",
"technique": "Delete Device Data",
"url": "https://attack.mitre.org/techniques/T1447",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1398",
"technique": "Modify OS Kernel or Boot Partition",
"url": "https://attack.mitre.org/techniques/T1398",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1400",
"technique": "Modify System Partition",
"url": "https://attack.mitre.org/techniques/T1400",
"tactic": [
"Defense Evasion",
"Persistence",
"Impact"
]
},
{
"technique_id": "T1425",
"technique": "Insecure Third-Party Libraries",
"url": "https://attack.mitre.org/techniques/T1425",
"tactic": []
},
{
"technique_id": "T1402",
"technique": "App Auto-Start at Device Boot",
"url": "https://attack.mitre.org/techniques/T1402",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1401",
"technique": "Abuse Device Administrator Access to Prevent Removal",
"url": "https://attack.mitre.org/techniques/T1401",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1404",
"technique": "Exploit OS Vulnerability",
"url": "https://attack.mitre.org/techniques/T1404",
"tactic": [
"Privilege Escalation"
]
},
{
"technique_id": "T1403",
"technique": "Modify Cached Executable Code",
"url": "https://attack.mitre.org/techniques/T1403",
"tactic": [
"Persistence"
]
},
{
"technique_id": "T1442",
"technique": "Fake Developer Accounts",
"url": "https://attack.mitre.org/techniques/T1442",
"tactic": []
},
{
"technique_id": "T1419",
"technique": "Device Type Discovery",
"url": "https://attack.mitre.org/techniques/T1419",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1418",
"technique": "Application Discovery",
"url": "https://attack.mitre.org/techniques/T1418",
"tactic": [
"Defense Evasion",
"Discovery"
]
},
{
"technique_id": "T1417",
"technique": "Input Capture",
"url": "https://attack.mitre.org/techniques/T1417",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1438",
"technique": "Alternate Network Mediums",
"url": "https://attack.mitre.org/techniques/T1438",
"tactic": [
"Command And Control",
"Exfiltration"
]
},
{
"technique_id": "T1423",
"technique": "Network Service Scanning",
"url": "https://attack.mitre.org/techniques/T1423",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1440",
"technique": "Detect App Analysis Environment",
"url": "https://attack.mitre.org/techniques/T1440",
"tactic": []
},
{
"technique_id": "T1439",
"technique": "Eavesdrop on Insecure Network Communication",
"url": "https://attack.mitre.org/techniques/T1439",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1464",
"technique": "Jamming or Denial of Service",
"url": "https://attack.mitre.org/techniques/T1464",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1463",
"technique": "Manipulate Device Communication",
"url": "https://attack.mitre.org/techniques/T1463",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1462",
"technique": "Malicious Software Development Tools",
"url": "https://attack.mitre.org/techniques/T1462",
"tactic": []
},
{
"technique_id": "T1461",
"technique": "Lockscreen Bypass",
"url": "https://attack.mitre.org/techniques/T1461",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1460",
"technique": "Biometric Spoofing",
"url": "https://attack.mitre.org/techniques/T1460",
"tactic": []
},
{
"technique_id": "T1459",
"technique": "Device Unlock Code Guessing or Brute Force",
"url": "https://attack.mitre.org/techniques/T1459",
"tactic": []
},
{
"technique_id": "T1458",
"technique": "Exploit via Charging Station or PC",
"url": "https://attack.mitre.org/techniques/T1458",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1405",
"technique": "Exploit TEE Vulnerability",
"url": "https://attack.mitre.org/techniques/T1405",
"tactic": [
"Credential Access",
"Privilege Escalation"
]
},
{
"technique_id": "T1467",
"technique": "Rogue Cellular Base Station",
"url": "https://attack.mitre.org/techniques/T1467",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1420",
"technique": "File and Directory Discovery",
"url": "https://attack.mitre.org/techniques/T1420",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1466",
"technique": "Downgrade to Insecure Protocols",
"url": "https://attack.mitre.org/techniques/T1466",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1465",
"technique": "Rogue Wi-Fi Access Points",
"url": "https://attack.mitre.org/techniques/T1465",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1468",
"technique": "Remotely Track Device Without Authorization",
"url": "https://attack.mitre.org/techniques/T1468",
"tactic": [
"Remote Service Effects"
]
},
{
"technique_id": "T1435",
"technique": "Access Calendar Entries",
"url": "https://attack.mitre.org/techniques/T1435",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1451",
"technique": "SIM Card Swap",
"url": "https://attack.mitre.org/techniques/T1451",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1414",
"technique": "Capture Clipboard Data",
"url": "https://attack.mitre.org/techniques/T1414",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1457",
"technique": "Malicious Media Content",
"url": "https://attack.mitre.org/techniques/T1457",
"tactic": []
},
{
"technique_id": "T1426",
"technique": "System Information Discovery",
"url": "https://attack.mitre.org/techniques/T1426",
"tactic": [
"Discovery"
]
},
{
"technique_id": "T1472",
"technique": "Generate Fraudulent Advertising Revenue",
"url": "https://attack.mitre.org/techniques/T1472",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1399",
"technique": "Modify Trusted Execution Environment",
"url": "https://attack.mitre.org/techniques/T1399",
"tactic": [
"Defense Evasion",
"Persistence"
]
},
{
"technique_id": "T1470",
"technique": "Obtain Device Cloud Backups",
"url": "https://attack.mitre.org/techniques/T1470",
"tactic": [
"Remote Service Effects"
]
},
{
"technique_id": "T1446",
"technique": "Device Lockout",
"url": "https://attack.mitre.org/techniques/T1446",
"tactic": [
"Impact",
"Defense Evasion"
]
},
{
"technique_id": "T1415",
"technique": "URL Scheme Hijacking",
"url": "https://attack.mitre.org/techniques/T1415",
"tactic": [
"Credential Access"
]
},
{
"technique_id": "T1413",
"technique": "Access Sensitive Data in Device Logs",
"url": "https://attack.mitre.org/techniques/T1413",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1436",
"technique": "Commonly Used Port",
"url": "https://attack.mitre.org/techniques/T1436",
"tactic": [
"Command And Control",
"Exfiltration"
]
},
{
"technique_id": "T1445",
"technique": "Abuse of iOS Enterprise App Signing Key",
"url": "https://attack.mitre.org/techniques/T1445",
"tactic": []
},
{
"technique_id": "T1412",
"technique": "Capture SMS Messages",
"url": "https://attack.mitre.org/techniques/T1412",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1409",
"technique": "Access Stored Application Data",
"url": "https://attack.mitre.org/techniques/T1409",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1410",
"technique": "Network Traffic Capture or Redirection",
"url": "https://attack.mitre.org/techniques/T1410",
"tactic": [
"Collection",
"Credential Access"
]
},
{
"technique_id": "T1407",
"technique": "Download New Code at Runtime",
"url": "https://attack.mitre.org/techniques/T1407",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1408",
"technique": "Disguise Root/Jailbreak Indicators",
"url": "https://attack.mitre.org/techniques/T1408",
"tactic": [
"Defense Evasion"
]
},
{
"technique_id": "T1427",
"technique": "Attack PC via USB Connection",
"url": "https://attack.mitre.org/techniques/T1427",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1428",
"technique": "Exploit Enterprise Resources",
"url": "https://attack.mitre.org/techniques/T1428",
"tactic": [
"Lateral Movement"
]
},
{
"technique_id": "T1429",
"technique": "Capture Audio",
"url": "https://attack.mitre.org/techniques/T1429",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1430",
"technique": "Location Tracking",
"url": "https://attack.mitre.org/techniques/T1430",
"tactic": [
"Collection",
"Discovery"
]
},
{
"technique_id": "T1431",
"technique": "App Delivered via Web Download",
"url": "https://attack.mitre.org/techniques/T1431",
"tactic": []
},
{
"technique_id": "T1432",
"technique": "Access Contact List",
"url": "https://attack.mitre.org/techniques/T1432",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1433",
"technique": "Access Call Log",
"url": "https://attack.mitre.org/techniques/T1433",
"tactic": [
"Collection"
]
},
{
"technique_id": "T1434",
"technique": "App Delivered via Email Attachment",
"url": "https://attack.mitre.org/techniques/T1434",
"tactic": []
},
{
"technique_id": "T1471",
"technique": "Data Encrypted for Impact",
"url": "https://attack.mitre.org/techniques/T1471",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1450",
"technique": "Exploit SS7 to Track Device Location",
"url": "https://attack.mitre.org/techniques/T1450",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1473",
"technique": "Malicious or Vulnerable Built-in Device Functionality",
"url": "https://attack.mitre.org/techniques/T1473",
"tactic": []
},
{
"technique_id": "T1448",
"technique": "Premium SMS Toll Fraud",
"url": "https://attack.mitre.org/techniques/T1448",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1453",
"technique": "Abuse Accessibility Features",
"url": "https://attack.mitre.org/techniques/T1453",
"tactic": [
"Collection",
"Credential Access",
"Impact",
"Defense Evasion"
]
},
{
"technique_id": "T1454",
"technique": "Malicious SMS Message",
"url": "https://attack.mitre.org/techniques/T1454",
"tactic": []
},
{
"technique_id": "T1469",
"technique": "Remotely Wipe Data Without Authorization",
"url": "https://attack.mitre.org/techniques/T1469",
"tactic": [
"Remote Service Effects"
]
},
{
"technique_id": "T1452",
"technique": "Manipulate App Store Rankings or Ratings",
"url": "https://attack.mitre.org/techniques/T1452",
"tactic": [
"Impact"
]
},
{
"technique_id": "T1455",
"technique": "Exploit Baseband Vulnerability",
"url": "https://attack.mitre.org/techniques/T1455",
"tactic": []
},
{
"technique_id": "T1456",
"technique": "Drive-by Compromise",
"url": "https://attack.mitre.org/techniques/T1456",
"tactic": [
"Initial Access"
]
},
{
"technique_id": "T1449",
"technique": "Exploit SS7 to Redirect Phone Calls/SMS",
"url": "https://attack.mitre.org/techniques/T1449",
"tactic": [
"Network Effects"
]
},
{
"technique_id": "T1441",
"technique": "Stolen Developer Credentials or Signing Keys",
"url": "https://attack.mitre.org/techniques/T1441",
"tactic": []
}
]
tools/config/netwitness.yml
+92
View File
@@ -0,0 +1,92 @@
title: NetWitness
order: 20
backends:
- netwitness
logsources:
linux:
product: linux
conditions:
device.class: rhlinux
linux-sshd:
product: linux
service: sshd
conditions:
device.class: rhlinux
client: sshd
linux-auth:
product: linux
service: auth
conditions:
device.class: rhlinux
linux-clamav:
product: linux
service: clamav
conditions:
device.class: rhlinux
windows-sys:
product: windows
service: sysmon
conditions:
device.type: winevent_nic
event.source: microsoft-windows-security-auditing
windows-power:
product: windows
service: powershell
conditions:
device.type: winevent_nic
windows-dhcp:
product: windows
service: dhcp
conditions:
device.type: winevent_nic
event.source: microsoft-windows-dhcp-server
windows-sec:
product: windows
service: security
conditions:
device.type: winevent_nic
event.source: microsoft-windows-security-auditing
windows-system:
product: windows
service: system
conditions:
device.type: winevent_nic
fieldmappings:
dst:
- ip.dst
dst_ip:
- ip.dst
src:
- ip.src
src_ip:
- ip.src
DestinationPort:
- ip.dstport
EventID:
- reference.id
NewProcessName:
- process
LogonType:
- logon.type
AccountName:
- user.dst
c-uri-extension:
- extension
c-useragent:
- user.agent
r-dns:
- alias.host
DestinationHostname:
- alias.host
cs-host:
- alias.host
c-uri-query:
- web.page
c-uri:
- web.page
cs-method:
- action
cs-cookie:
- web.cookie
SubjectUserName:
- user.dst
tools/config/powershell.yml
+71
View File
@@ -0,0 +1,71 @@
title: Logsource to LogName mappings for PowerShell backend
order: 20
backends:
- powershell
logsources:
windows-application:
product: windows
service: application
conditions:
LogName: 'Application'
windows-security:
product: windows
service: security
conditions:
LogName: 'Security'
windows-system:
product: windows
service: system
conditions:
LogName: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
LogName: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
LogName: 'Microsoft-Windows-PowerShell/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
LogName: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
LogName: 'Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
LogName: 'Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
category: dns
conditions:
LogName: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
LogName: 'Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
LogName: 'Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
LogName: 'Microsoft-Windows-DHCP-Server/Operational'
tools/config/qradar.yml
+77
View File
@@ -0,0 +1,77 @@
title: QRadar
backends:
- qradar
order: 20
logsources:
apache:
product: apache
conditions:
LOGSOURCETYPENAME(devicetype): ilike '%apache%'
windows:
product: windows
conditions:
LOGSOURCETYPENAME(devicetype): 'Microsoft Windows Security Event Log'
qflow:
product: qflow
index: flows
netflow:
product: netflow
index: flows
ipfix:
product: ipfix
index: flows
flow:
category: flow
index: flows
fieldmappings:
<<<<<<< HEAD
EventID:
- Event ID Code
dst:
- destinationIP
dst_ip:
- destinationIP
src:
- sourceIP
src_ip:
- sourceIP
c-ip: sourceIP
cs-ip: sourceIP
cs-uri: url
c-uri: sourceIP
c-uri-extension: file_extension
UserAgent: user_agent
c-uri-query: uri_query
HttpMethod: Method
URL: URL
r-dns: FQDN
ClientIP: sourceIP
ServiceFileName: Service Name
=======
EventID:
- Event ID Code
dst:
- destinationIP
dst_ip:
- destinationIP
src:
- sourceIP
src_ip:
- sourceIP
c-ip: sourceIP
cs-ip: sourceIP
c-uri: url
c-uri-extension: file_extension
c-useragent: user_agent
c-uri-query: uri_query
cs-method: Method
r-dns: FQDN
ClientIP: sourceIP
ServiceFileName: Service Name
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
tools/config/qualys.yml
+20
View File
@@ -0,0 +1,20 @@
title: Qualys
order: 20
backends:
- qualys
fieldmappings:
dst:
- network.remote.address.ip
dst_ip:
- network.remote.address.ip
src:
- network.local.address.ip
src_ip:
- network.local.address.ip
file_hash:
- file.hash.md5
- file.hash.sha256
NewProcessName: process.name
ServiceName: process.name
ServiceFileName: process.name
TargetObject: registry.path
tools/config/splunk-windows-index.yml
+11
View File
@@ -0,0 +1,11 @@
title: Splunk Windows index and EventID field mapping
order: 20
backends:
- splunk
- splunkxml
logsources:
windows:
product: windows
index: windows
fieldmappings:
EventID: EventCode
tools/config/splunk-windows.yml
+74
View File
@@ -0,0 +1,74 @@
title: Splunk Windows log source conditions
order: 20
backends:
- splunk
- splunkxml
logsources:
windows-application:
product: windows
service: application
conditions:
source: 'WinEventLog:Application'
windows-security:
product: windows
service: security
conditions:
source: 'WinEventLog:Security'
windows-system:
product: windows
service: system
conditions:
source: 'WinEventLog:System'
windows-sysmon:
product: windows
service: sysmon
conditions:
source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
source: 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
source: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
category: dns
conditions:
source: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
source: 'Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
source: 'Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
source: 'Microsoft-Windows-DHCP-Server/Operational'
fieldmappings:
EventID: EventCode
tools/config/splunk-zeek.yml
+46
View File
@@ -0,0 +1,46 @@
title: Splunk Zeek sourcetype mappings
order: 20
backends:
- splunk
- splunkxml
logsources:
zeek-conn:
product: zeek
service: conn
conditions:
sourcetype: 'bro:conn:json'
zeek-dns:
product: zeek
service: dns
conditions:
sourcetype: 'bro:dns:json'
zeek-files:
product: zeek
service: files
conditions:
sourcetype: 'bro:files:json'
zeek-kerberos:
product: zeek
service: kerberos
conditions:
sourcetype: 'bro:kerberos:json'
zeek-http:
product: zeek
service: http
conditions:
sourcetype: 'bro:http:json'
zeek-rdp:
product: zeek
service: rdp
conditions:
sourcetype: 'bro:rdp:json'
zeek-ssl:
product: zeek
service: ssl
conditions:
sourcetype: 'bro:ssl:json'
zeek-x509:
product: zeek
service: x509
conditions:
sourcetype: 'bro:x509:json'
tools/config/sumologic.yml
+110
View File
@@ -0,0 +1,110 @@
title: SumoLogic
order: 20
backends:
- sumologic
# Sumulogic mapping depends on customer configuration. Adapt to your context!
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
# supposing existing FER for service, EventChannel, EventID
logsources:
unix:
product: unix
index: UNIX
linux:
product: linux
index: LINUX
linux-sshd:
product: linux
service: sshd
index: LINUX
linux-auth:
product: linux
service: auth
index: LINUX
linux-clamav:
product: linux
service: clamav
index: LINUX
windows:
product: windows
index: WINDOWS
windows-sysmon:
product: windows
service: sysmon
conditions:
EventChannel: Microsoft-Windows-Sysmon
index: WINDOWS
windows-security:
product: windows
service: security
conditions:
EventChannel: Security
index: WINDOWS
windows-powershell:
product: windows
service: powershell
conditions:
EventChannel: Microsoft-Windows-Powershell
index: WINDOWS
windows-system:
product: windows
service: system
conditions:
EventChannel: System
index: WINDOWS
windows-dhcp:
product: windows
service: dhcp
conditions:
EventChannel: Microsoft-Windows-DHCP-Server
index: WINDOWS
apache:
product: apache
service: apache
index: WEBSERVER
apache2:
product: apache
index: WEBSERVER
webserver:
category: webserver
index: WEBSERVER
firewall:
category: firewall
index: FIREWALL
firewall2:
product: firewall
index: FIREWALL
network-dns:
category: dns
index: DNS
network-dns2:
product: dns
index: DNS
proxy:
category: proxy
index: PROXY
antivirus:
product: antivirus
index: ANTIVIRUS
application-sql:
product: sql
index: DATABASE
application-python:
product: python
index: APPLICATIONS
application-django:
product: django
index: DJANGO
application-rails:
product: rails
index: RAILS
<<<<<<< HEAD
application-rails:
category: application
product: ruby_on_rails
index: RAILS
=======
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
application-spring:
product: spring
index: SPRING
# if no index, search in all indexes
tools/config/thor.yml
+90
View File
@@ -0,0 +1,90 @@
title: THOR
order: 20
backends:
- thor
# this configuration differs from other configurations and can not be used
# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
logsources:
# log source configurations for generic sigma rules
process_creation_1:
category: process_creation
product: windows
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
process_creation_2:
category: process_creation
product: windows
conditions:
EventID: 4688
rewrite:
product: windows
service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
# target system configurations
windows-application:
product: windows
service: application
sources:
- 'WinEventLog:Application'
windows-security:
product: windows
service: security
sources:
- 'WinEventLog:Security'
windows-system:
product: windows
service: system
sources:
- 'WinEventLog:System'
windows-sysmon:
product: windows
service: sysmon
sources:
- 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
sources:
- 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
windows-taskscheduler:
product: windows
service: taskscheduler
sources:
- 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
sources:
- 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
windows-dhcp:
product: windows
service: dhcp
sources:
- 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
apache:
category: webserver
sources:
- 'File:/var/log/apache/*.log'
- 'File:/var/log/apache2/*.log'
- 'File:/var/log/httpd/*.log'
linux-auth:
product: linux
service: auth
sources:
- 'File:/var/log/auth.log'
- 'File:/var/log/auth.log.?'
linux-syslog:
product: linux
service: syslog
sources:
- 'File:/var/log/syslog'
- 'File:/var/log/syslog.?'
logfiles:
category: logfile
sources:
- 'File:*.log'
tools/config/winlogbeat-modules-enabled.yml
+215
View File
@@ -0,0 +1,215 @@
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
- es-qs
- es-dsl
<<<<<<< HEAD
=======
- es-rule
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
<<<<<<< HEAD
=======
- elasticsearch-rule
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
<<<<<<< HEAD
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: process.args
ComputerName: winlog.ComputerName
CurrentDirectory: process.working_directory
Description: winlog.event_data.Description
DestinationHostname: destination.domain
DestinationIp: destination.ip
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
DestinationPort: destination.port
DestinationPortName: network.protocol
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: file.path
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: process.executable
ImageLoaded: file.path
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: source.ip
IpPort: source.port
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: process.parent.args
ParentProcessName: process.parent.name
ParentImage: process.parent.executable
Path: winlog.event_data.Path
PipeName: file.name
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceHostname: source.domain
SourceImage: process.executable
SourceIp: source.ip
SourcePort: source.port
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectDomainName: user.domain
SubjectUserName: user.name
SubjectUserSid: user.id
TargetFilename: file.path
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
TargetDomainName: user.domain
TargetUserName: user.name
TargetUserSid: user.id
User: user.name
WorkstationName: source.domain
=======
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: process.args
ComputerName: winlog.computer_name
ContextInfo: winlog.event_data.ContextInfo
CurrentDirectory: process.working_directory
Description: winlog.event_data.Description
DestinationHostname: destination.domain
DestinationIp: destination.ip
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
DestinationPort: destination.port
DestinationPortName: network.protocol
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: file.path
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: process.executable
ImageLoaded: file.path
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: source.ip
IpPort: source.port
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
Message: winlog.event_data.Message
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: process.parent.args
ParentProcessName: process.parent.name
ParentImage: process.parent.executable
Path: winlog.event_data.Path
PipeName: file.name
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceHostname: source.domain
SourceImage: process.executable
SourceIp: source.ip
SourcePort: source.port
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectDomainName: user.domain
SubjectUserName: user.name
SubjectUserSid: user.id
TargetFilename: file.path
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
TargetDomainName: user.domain
TargetUserName: user.name
TargetUserSid: user.id
User: user.name
WorkstationName: source.domain
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
tools/config/winlogbeat-old.yml
+188
View File
@@ -0,0 +1,188 @@
title: Elastic Winlogbeat (<=6.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
source: 'Microsoft-Windows-DHCP-Server/Operational'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
<<<<<<< HEAD
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
CommandLine: event_data.CommandLine
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Properties: event_data.Properties
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
=======
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
CommandLine: event_data.CommandLine
ComputerName: computer_name
ContextInfo: event_data.ContextInfo
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
Message: event_data.Message
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Properties: event_data.Properties
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
tools/config/winlogbeat.yml
+188
View File
@@ -0,0 +1,188 @@
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
<<<<<<< HEAD
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.ComputerName
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: winlog.event_data.FileName
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: winlog.event_data.Image
ImageLoaded: winlog.event_data.ImageLoaded
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: winlog.event_data.IpAddress
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: winlog.event_data.ParentCommandLine
ParentProcessName: winlog.event_data.ParentProcessName
ParentImage: winlog.event_data.ParentImage
Path: winlog.event_data.Path
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
SubjectUserSid: winlog.event_data.SubjectUserSid
TargetFilename: winlog.event_data.TargetFilename
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
=======
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.computer_name
ContextInfo: winlog.event_data.ContextInfo
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: winlog.event_data.FileName
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: winlog.event_data.Image
ImageLoaded: winlog.event_data.ImageLoaded
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: winlog.event_data.IpAddress
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
Message: winlog.event_data.Message
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: winlog.event_data.ParentCommandLine
ParentProcessName: winlog.event_data.ParentProcessName
ParentImage: winlog.event_data.ParentImage
Path: winlog.event_data.Path
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Properties: winlog.event_data.Properties
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
SubjectUserSid: winlog.event_data.SubjectUserSid
TargetFilename: winlog.event_data.TargetFilename
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
tools/sigma/backends/carbonblack.py
+29 -149
View File
@@ -1,4 +1,3 @@
<<<<<<< HEAD
# Output backends for sigmac
# Copyright 2016-2018 Thomas Patzke, Florian Roth, Roey
@@ -77,7 +76,10 @@ class CarbonBlackBackend(SingleTextQueryBackend):
def generateMapItemNode(self, node):
fieldname, value = node
value = self.cleanValue(value)
if(fieldname == "path"):
value = self.cleanValuePath(value)
else:
value = self.cleanValue(value)
print(str(value))
if(fieldname == "EventID" and (type(value) is str or type(value) is int )):
fieldname = self.generateEventKey(value)
@@ -136,8 +138,25 @@ class CarbonBlackBackend(SingleTextQueryBackend):
new_value = '"' + new_value +'"'
new_value = new_value.replace("(", "\(")
new_value = new_value.replace(")", "\)")
new_value = new_value.replace(" ", "\ ")
if ('"' not in new_value):
new_value = new_value.replace(" ", "\ ")
new_value = new_value.strip()
if type(new_value) is list:
for index, vl in enumerate(new_value):
new_value[index] = self.cleanValue(vl)
return new_value
def cleanValuePath(self, value):
new_value = value
if type(new_value) is str:
# double backslash convention
if (new_value[:2] in ("*\/","*\\")):
new_value = new_value[2:]
if (new_value[:1] == '*'):
new_value = new_value.replace("*", "", 1)
# need tuning
if("*" in new_value and " " in new_value):
new_value=re.escape(new_value)
new_value = new_value.strip()
if type(new_value) is list:
for index, vl in enumerate(new_value):
@@ -157,6 +176,8 @@ class CarbonBlackBackend(SingleTextQueryBackend):
return ''
def cleanIPRange(self,value):
if('*' not in value):
return value
new_value = value
if type(new_value) is str and value.find('*') :
sub = value.count('.')
@@ -174,7 +195,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
return new_value
def postAPI(self,result,title,desc):
url = 'https://10.14.132.6//api/v1/watchlist'
url = 'https://10.14.132.35//api/v1/watchlist'
body = {
"name":title,
"search_query":"q="+str(result),
@@ -182,7 +203,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
"index_type":"events"
}
header = {
"X-Auth-Token": "6ff62a0dd9cf895b806fbd3190f3c0b18d98a9ae"
"X-Auth-Token": "099c366b1e56c0bca3ae61ce1fb7435af7a5926c"
}
print(title)
x = requests.post(url, data =json.dumps(body), headers = header, verify=False)
@@ -209,148 +230,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
result += after
# if mapped is not None:
# result += fields
self.postAPI(result,title,desc)
# self.postAPI(result,title,desc)
# print (title)
# print (str(result))
return result
=======
import re
from fnmatch import fnmatch
from sigma.backends.base import SingleTextQueryBackend
from sigma.backends.exceptions import NotSupportedError
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression
from sigma.parser.modifiers.base import SigmaTypeModifier
class CarbonBlackWildcardHandlingMixin:
"""
Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further,
provide configurability with backend parameters.
"""
# options = SingleTextQueryBackend.options + (
# ("keyword_field", None, "Keyword sub-field name", None),
# ("keyword_blacklist", None, "Fields that don't have a keyword subfield (wildcards * and ? allowed)", None)
# )
reContainsWildcard = re.compile("(?:(?<!\\\\)|\\\\\\\\)[*?]").search
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.matchKeyword = True
try:
self.blacklist = self.keyword_blacklist.split(",")
except AttributeError:
self.blacklist = list()
def containsWildcard(self, value):
"""Determine if value contains wildcard."""
if type(value) == str:
res = self.reContainsWildcard(value)
return res
else:
return False
class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryBackend):
"""Converts Sigma rule into CarbonBlack query string. Only searches, no aggregations."""
identifier = "carbonblack"
active = True
#reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|(?<!\\\\)\\\\(?![*?\\\\])|\\\\u|&&|\\|\\|)")
reEscape = re.compile("([\s\s+])")
reClear = re.compile("[<>]")
andToken = " AND "
orToken = " OR "
notToken = " -"
subExpression = "(%s)"
listExpression = "%s"
listSeparator = " OR "
valueExpression = '%s'
typedValueExpression = {
SigmaRegularExpressionModifier: "/%s/"
}
nullExpression = "NOT _exists_:%s"
notNullExpression = "_exists_:%s"
mapExpression = "%s:%s"
mapListsSpecialHandling = False
def __init__(self, *args, **kwargs):
"""Initialize field mappings."""
super().__init__(*args, **kwargs)
self.category = None
self.excluded_fields = None
def cleanValue(self, val):
val = super().cleanValue(val)
if isinstance(val, str):
if val.startswith("*\\"):
val = val.replace("*\\", "*")
if val.startswith("*/"):
val = val.replace("*/", "*")
if val.endswith("\\*"):
val = val.replace("\\*", "*")
if val.endswith("/*"):
val = val.replace("/*", "*")
return val
def generateValueNode(self, node):
result = super().generateValueNode(node)
if result == "" or result.isspace():
return '""'
else:
if self.matchKeyword: # don't quote search value on keyword field
return result
else:
return "%s" % result
def generateMapItemNode(self, node):
fieldname, value = node
if fieldname.lower() in self.excluded_fields:
return
else:
transformed_fieldname = self.fieldNameMapping(fieldname, value)
if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
#return self.mapExpression % (transformed_fieldname, self.generateNode(value))
if isinstance(value, list):
return self.generateNode([self.mapExpression % (transformed_fieldname, self.cleanValue(item)) for item in value])
elif isinstance(value, str) or isinstance(value, int):
return self.mapExpression % (transformed_fieldname, self.generateNode(value))
elif type(value) == list:
return self.generateMapItemListNode(transformed_fieldname, value)
elif isinstance(value, SigmaTypeModifier):
return self.generateMapItemTypedNode(transformed_fieldname, value)
elif value is None:
return self.nullExpression % (transformed_fieldname,)
else:
raise TypeError("Backend does not support map values of type " + str(type(value)))
def generateNOTNode(self, node):
expression = super().generateNode(node.item)
if expression:
return "(%s%s)" % (self.notToken, expression)
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
try:
self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
self.counted = sigmaparser.parsedyaml.get('counted', None)
self.excluded_fields = [item.lower() for item in sigmaparser.config.config.get("excludedfields", [])]
except KeyError:
self.category = None
if self.category == "process_creation":
for parsed in sigmaparser.condparsed:
query = self.generateQuery(parsed)
result = ""
if query is not None:
result += query
return result
else:
raise NotSupportedError("Not supported logsource category.")
>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
print (str(result))
return result
tools/sigma/eventdict.py
+2 -2
View File
@@ -6,9 +6,9 @@ event = {
# 5: Process termincated
6: ('modload_count','[1 to *]'),
7: ('modload_count','[1 to *]'),
8: ('crossproc_type', 'remote_thread'),
8: ('crossproc_count', '[1 to *]'),
# 9: Raw Access Read
10: ('crossproc_type', 'process_open'),
10: ('crossproc_count', '[1 to *]'),
11: ('filemod_count','[1 to *]'),
12: ('regmod_count','[1 to *]'),
13: ('regmod_count','[1 to *]'),