diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml
new file mode 100644
index 000000000..f6a9bc537
--- /dev/null
+++ b/tools/config/arcsight.yml
@@ -0,0 +1,352 @@
+title: ArcSight
+order: 20
+backends:
+ - arcsight
+ - arcsight-esm
+logsources:
+ linux:
+ product: linux
+ conditions:
+ deviceVendor: Unix
+ linux-sshd:
+ product: linux
+ service: sshd
+ conditions:
+ deviceVendor: Unix
+ linux-vsftpd:
+ product: linux
+ service: vsftpd
+ conditions:
+ deviceVendor: Unix
+ linux-auth:
+ product: linux
+ service: auth
+ conditions:
+ deviceVendor: Unix
+ linux-clamav:
+ product: linux
+ service: clamav
+ conditions:
+ deviceVendor: Unix
+ antivirus:
+ product: antivirus
+ conditions:
+ categoryDeviceGroup: /IDS/Host/AntiVirus
+ windows-dns:
+ product: windows
+ service: dns-server
+ conditions:
+ deviceVendor: Microsoft
+ deviceProduct: DNS-Server
+ windows-pc:
+ product: windows
+ service: powershell-classic
+ conditions:
+ deviceVendor: Microsoft
+ windows-sys:
+ product: windows
+ service: sysmon
+ conditions:
+ deviceVendor: Microsoft
+ deviceProduct: Sysmon
+ windows-sec:
+ product: windows
+ service: security
+ conditions:
+ deviceVendor: Microsoft
+ deviceProduct: Microsoft Windows
+ windows-power:
+ product: windows
+ service: powershell
+ conditions:
+ deviceVendor: Microsoft
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ deviceVendor: Microsoft
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ deviceVendor: Microsoft
+ windows-wmi:
+ product: windows
+ service: wmi
+ conditions:
+ deviceVendor: Microsoft
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ deviceVendor: Microsoft
+ windows-defender:
+ product: windows_defender
+ conditions:
+ deviceVendor: Microsoft
+ windows-driver:
+ product: windows
+ service: driver-framework
+ conditions:
+ deviceVendor: Microsoft
+ windows-app:
+ product: windows
+ service: application
+ conditions:
+ deviceVendor: Microsoft
+ proxy:
+ category: proxy
+ conditions:
+ categoryDeviceGroup: /Proxy
+ python:
+ product: python
+ conditions:
+ deviceProduct: Python
+ categoryDeviceGroup: 
/Application
+ ruby_on_rails:
+ product: ruby_on_rails
+ conditions:
+ deviceProduct: Ruby on Rails
+ categoryDeviceGroup: /Application
+ spring:
+ product: spring
+ conditions:
+ deviceProduct: Spring
+ categoryDeviceGroup: /Application
+ apache:
+ product: apache
+ conditions:
+ deviceProduct: Apache
+ categoryDeviceGroup: /Application
+ firewall:
+ product: firewall
+ conditions:
+ categoryDeviceGroup: /Firewall
+fieldmappings:
+ EventID: externalId
+ Event-ID: externalId
+ Event_ID: externalId
+ eventId: externalId
+ event_id: externalId
+ event-id: externalId
+ eventid: externalId
+ dst:
+ - destinationAddress
+ dst_ip:
+ - destinationAddress
+ dst-ip:
+ - destinationAddress
+ src:
+ - sourceAddress
+ src_ip:
+ - sourceAddress
+ src-ip:
+ - sourceAddress
+ TargetImage:
+ - destinationProcessName
+ - filePath
+ ImageLoaded:
+ - destinationProcessName
+ - deviceCustomString1
+ - filePath
+ - destinationProcessName
+ Image:
+ - deviceProcessName
+ - destinationProcessName
+ - sourceProcessName
+ ParentImage:
+ - sourceProcessName
+ LogonProcessName:
+ - destinationProcessName
+ - sourceProcessName
+ TargetProcessId:
+ - destinationProcessId
+ User:
+ - sourceUserName
+ TargetUserName:
+ - destinationUserName
+ LogonId:
+ - sourceUserId
+ SourceIp:
+ - sourceAddress
+ SourceNetworkAddress:
+ - sourceAddress
+ SourcePort:
+ - sourcePort
+ SourceHostname:
+ - sourceHostName
+ ParentProcessId:
+ - sourceProcessId
+ SourceProcessId:
+ - sourceProcessId
+ ProcessId:
+ - deviceProcessId
+ - destinationProcessId
+ DestinationPort:
+ - destinationPort
+ DestinationIp:
+ - destinationAddress
+ DestinationHostname:
+ - destinationHostName
+ DestinationIsIpv6:
+ - destinationIsIpv6
+ SourcePortName:
+ - sourcePortName
+ DestinationPortName:
+ - destinationPortName
+ SourceIsIpv6:
+ - sourceIsIpv6
+ FileVersion:
+ - fileId
+ Protocol:
+ - transportProtocol
+ TargetFilename:
+ - filePath
+ TargetFileName:
+ - filePath
+ Hashes:
+ - fileHash
+ Hash:
+ - fileHash
+ file_hash:
+ 
- fileHash
+ State:
+ - deviceAction
+ EventType:
+ - deviceAction
+ RuleName:
+ - deviceFacility
+ - reason
+ SourceImage:
+ - sourceProcessName
+ TerminalSessionId:
+ - deviceCustomNumber2
+ SequenceNumber:
+ - deviceCustomNumber3
+ Initiated:
+ - deviceCustomString4
+ IntegrityLevel:
+ - deviceCustomString1
+ - deviceCustomString5
+ ProcessGuid:
+ - fileId
+ - deviceCustomString6
+ SourceProcessGUID:
+ - flexString1
+ TargetProcessGUID:
+ - fileId
+ - flexString2
+ ParentProcessGuid:
+ - oldFileId
+ - deviceCustomString4
+ Product:
+ - destinationServiceName
+ OriginalFileName:
+ - oldFilePath
+ Version:
+ - deviceCustomString1
+ SchemaVersion:
+ - deviceCustomString2
+ Signed:
+ - fileType
+ - deviceCustomString1
+ Signature:
+ - deviceCustomString2
+ SignatureStatus:
+ - filePermission
+ - deviceCustomString3
+ NewThreadId:
+ - deviceCustomString1
+ StartAddress:
+ - deviceCustomString2
+ StartModule:
+ - deviceCustomString3
+ StartFunction:
+ - deviceCustomString4
+ Device:
+ - deviceCustomString5
+ - deviceCustomString1
+ GrantedAccess:
+ - deviceCustomString1
+ - deviceCustomString2
+ CallTrace:
+ - oldFilePath
+ - deviceCustomString3
+ TargetObject:
+ - filePath
+ Details:
+ - deviceCustomString4
+ - deviceCustomString1
+ NewName:
+ - filePath
+ Configuration:
+ - filePath
+ PipeName:
+ - deviceCustomString6
+ - fileName
+ Name:
+ - deviceCustomString1
+ Operation:
+ - deviceCustomString2
+ EventNamespace:
+ - deviceCustomString3
+ Query:
+ - deviceCustomString4
+ Type:
+ - deviceCustomString3
+ Destination:
+ - fileName
+ Consumer:
+ - deviceCustomString1
+ Filter:
+ - deviceCustomString3
+ QueryName:
+ - destinationHostName
+ - requestUrl
+ QueryResults:
+ - deviceCustomString4
+ - deviceCustomString1
+ ID:
+ - deviceCustomString1
+ Description:
+ - message
+ CommandLine:
+ - destinationServiceName
+ - deviceCustomString1
+ ParentCommandLine:
+ - deviceCustomString2
+ - sourceServiceName
+ CurrentDirectory:
+ - oldFilePath
+ LogonGuid:
+ - 
deviceCustomString6
+ UserAgent:
+ - requestClientApplication
+ URL:
+ - requestUrl
+ - requestUrlQuery
+ FileName:
+ - fileName
+ - filePath
+ cs-uri-extension:
+ - fileType
+ c-uri-extension:
+ - fileType
+ s-dns:
+ - destinationDnsDomain
+ - destinationHost
+ r-dns:
+ - destinationDnsDomain
+ - destinationHost
+ event.name:
+ - name
+ http.request.body.content:
+ - requestUrl
+ url.query:
+ - requestUrl
+ cs-uri-path:
+ - filePath
+ keywords:
+ - deviceCustomString1
+ ScriptBlockText:
+ - deviceCustomString1
\ No newline at end of file
diff --git a/tools/config/carbon-black.yml b/tools/config/carbon-black.yml
new file mode 100644
index 000000000..6b034c6e1
--- /dev/null
+++ b/tools/config/carbon-black.yml
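Review bot: The Windows log sources `windows-pc`, `windows-power`, `windows-dhcp`, `windows-system`, `windows-wmi`, `windows-driver-framework`, `windows-driver` and `windows-app` carry only `deviceVendor: Microsoft`, so a rule scoped to any one of those services is converted into a query that matches every Microsoft-sourced event in ArcSight, which inflates false positives and hides the fact that the intended channel is never actually selected. Each of them needs a channel-distinguishing condition such as the `deviceProduct` that `windows-dns`, `windows-sys` and `windows-sec` already declare, using whatever value the connector emits for that channel (not given on this page, so not guessed here). `windows-driver` is also an exact duplicate of `windows-driver-framework` (same product/service pair) and should be dropped, and `destinationProcessName` is listed twice under `ImageLoaded`, which presumably emits the same clause twice in the generated query.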
@@ -0,0 +1,74 @@
+title: CarbonBlack field mapping
+order: 20
+backends:
+ - carbonblack
+fieldmappings:
+ AccountName: username
+ CommandLine: cmdline
+ ComputerName: hostname
+ CurrentDirectory: path
+ Description: product_name
+ DestinationHostname: winlog.event_data.DestinationHostname
+ DestinationIp: ipaddr
+ DestinationIsIpv6: ipaddr
+ DestinationPort: ipport
+ Image: process_name
+ ImageLoaded: modload
+ ImagePath: path
+ NewProcessName: process_name
+ #ParentCommandLine: NONE??
+ ParentProcessName: parent_name
+ ParentImage: parent_name
+ Path: path
+ ProcessCommandLine: cmdline
+ ProcessName: process_name
+ Signature: digsig_result
+
+
+
+# DestinationHostname: hostname
+# DestinationIp: ipaddr
+# DestinationPort: ipport
+#
+# SourceIp: ipaddr
+# SourcePort: ipport
+#
+# IpAddress: ipaddr
+# IpPort: ipport
+#
+# ProcessName: process_name
+# ParentProcessName: parent_name
+#
+# TargetDomainName: domain
+#
+# Image: path
+# ImagePath: path
+# ImageLoaded: path
+# Path: path
+# TargetFilename: path
+#
+# Hashes: md5
+# Imphash: md5
+#
+#
+# User: username
+# SubjectDomainName: domain
+# SubjectUserName: username
+#
+# WorkstationName: domain
+#
+# CommandLine: cmdline
+# ComputerName: hostname
+#
+# FileVersion: product_version
+# Description: product_desc
+# Product: product_name
+# Company: company_name
+#
+# Keywords: process_name
+# Computer: host_type
+
+
+excludedfields:
+ - EventID
+ - Robot2
diff --git a/tools/config/carbonblack.yml b/tools/config/carbonblack.yml
new file mode 100644
index 000000000..e9f808ecc
--- /dev/null
+++ b/tools/config/carbonblack.yml
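Review bot: `excludedfields` ends with `Robot2`, which is not a Sigma field name and reads as test residue left in a shipped configuration; in the same hunk `DestinationIsIpv6: ipaddr` rewrites a rule condition on the boolean `DestinationIsIpv6` into a comparison against the `ipaddr` address field that can never be true, and `DestinationHostname: winlog.event_data.DestinationHostname` is a winlogbeat-style path sitting among otherwise Carbon Black-native field names. The `#ParentCommandLine: NONE??` open question and the roughly fifty commented-out mappings should be resolved or removed rather than committed as-is. Note also that this file and `tools/config/carbonblack.yml` in the same commit both declare `backends: - carbonblack` with `order: 20`, so which field mapping applies to that backend is ambiguous.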
@@ -0,0 +1,36 @@
+title: Splunk Windows log source conditions
+order: 20
+backends:
+ - splunk
+ - carbonblack
+ - sumologic
+
+fieldmappings:
+ Image: path
+ CurrentDirectory: path
+ SourceIp: ipaddr
+ ImageLoaded: modload
+ CommandLine: cmdline
+ ProcessCommandLine: cmdline
+ DestinationIp: ipaddr
+ DestinationAddress: ipaddr
+ DestinationPort: ipport
+ DestPort: ipport
+ TargetObject: regmod
+ TargetFilename: filemod
+ TargetFileName: filemod
+ Targetfilename: filemod
+ ParentImage: parent_name
+ SourceImage: parent_name
+ TargetImage: childproc_name
+ NewProcessName: childproc_name
+ Description: file_desc
+ Product: product_name
+ Signature: digsig_publisher
+ CallTrace: modload
+ DestinationHostname: domain
+ User: username
+ StartModule: modload
+ Company: company_name
+ Description: file_desc
+ FileVersion: file_version
\ No newline at end of file
diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml
new file mode 100644
index 000000000..f569ab47a
--- /dev/null
+++ b/tools/config/ecs-proxy.yml
@@ -0,0 +1,25 @@
+title: Elastic Common Schema mapping for proxy logs
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+logsources:
+ proxy:
+ category: proxy
+ index: filebeat-*
+fieldmappings:
+ c-uri: url.original
+ c-uri-extension: url.extension
+ c-uri-query: url.query
+ c-uri-stem: url.original
+ c-useragent: user_agent.original
+ cs-cookie: http.cookie
+ cs-host: url.domain
+ cs-method: http.request.method
+ r-dns: url.domain
+ sc-status: http.response.status_code
diff --git a/tools/config/filebeat-defaultindex.yml b/tools/config/filebeat-defaultindex.yml
new file mode 100644
index 000000000..75f5451c1
--- /dev/null
+++ b/tools/config/filebeat-defaultindex.yml
@@ -0,0 +1,12 @@
+title: Elastic Filebeat default index name
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+defaultindex:
+ - filebeat-*
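Review bot: The title `Splunk Windows log source conditions` is a copy-paste leftover for a file whose content is a Carbon Black field mapping, and the `backends` list includes `splunk` and `sumologic`, so applying this configuration to those backends rewrites Windows event field names into Carbon Black ones (`cmdline`, `ipaddr`, `modload`) that do not exist there. `Description: file_desc` also appears twice in `fieldmappings`; most YAML loaders silently keep the last value, so the duplicate is harmless today but will mask a future edit to one of the two lines. Suggest `title: CarbonBlack field mapping`, `backends` reduced to `- carbonblack`, and the second `Description` line removed.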
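Review bot: `c-uri-stem: url.original` maps the request path onto the ECS field that holds the full original URL including any query string, so a proxy rule that tests the stem with an exact match or an `endswith` modifier stops matching as soon as a query string is present; ECS carries the path portion in `url.path`, which is the closer target. `c-uri: url.original` is the right mapping and can stay. If the mapping is a deliberate approximation because the shipping pipeline does not populate `url.path`, a one-line comment saying so would keep the next reader from "fixing" it.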
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
new file mode 100644
index 000000000..63097f0d0
--- /dev/null
+++ b/tools/config/generic/sysmon.yml
@@ -0,0 +1,11 @@
+title: Conversion of generic rules into Sysmon
+order: 10
+logsources:
+ process_creation:
+ category: process_creation
+ product: windows
+ conditions:
+ EventID: 1
+ rewrite:
+ product: windows
+ service: sysmon
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
new file mode 100644
index 000000000..83b143c96
--- /dev/null
+++ b/tools/config/generic/windows-audit.yml
@@ -0,0 +1,14 @@
+title: Conversion of generic process_creation rules into Security/4688
+order: 10
+logsources:
+ process_creation:
+ category: process_creation
+ product: windows
+ conditions:
+ EventID: 4688
+ rewrite:
+ product: windows
+ service: security
+fieldmappings:
+ Image: NewProcessName
+ ParentImage: ParentProcessName
diff --git a/tools/config/helk.yml b/tools/config/helk.yml
new file mode 100644
index 000000000..944e14103
--- /dev/null
+++ b/tools/config/helk.yml
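Review bot: The windows-audit.yml hunk should document its preconditions, because the queries it produces compile cleanly but silently match nothing on hosts that lack them: `ParentImage: ParentProcessName` relies on the creator-process field that Security event 4688 only carries on Windows 10 / Server 2016 and later, and `CommandLine`, which this file leaves unmapped, is only populated in 4688 when command-line auditing is enabled by policy. Proposed comment after the title line: `# 4688 carries ParentProcessName only on Windows 10 / Server 2016+, and CommandLine only when command-line auditing is enabled; rules converted here match nothing otherwise.` The sysmon.yml hunk above needs no such note, since Sigma's generic process_creation field names are Sysmon-native.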
@@ -0,0 +1,177 @@
+title: HELK index patterns and OSSEM field mappings
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+logsources:
+ windows-application:
+ product: windows
+ service: application
+ index: logs-endpoint-winevent-application-*
+ windows-security:
+ product: windows
+ service: security
+ index: logs-endpoint-winevent-security-*
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ index: logs-endpoint-winevent-sysmon-*
+ windows-system:
+ product: windows
+ service: system
+ index: logs-endpoint-winevent-system-*
+ windows-wmi:
+ product: windows
+ service: wmi
+ index: logs-endpoint-winevent-wmiactivity-*
+ windows-powershell:
+ product: windows
+ service: powershell
+ index: logs-endpoint-winevent-powershell-*
+ windows-powershell-classic:
+ product: windows
+ service: powershell-classic
+ index: logs-endpoint-winevent-powershell-*
+defaultindex: logs-*
+fieldmappings:
+ AccessMask: object_access_mask_requested
+ AccountName: user_name
+ AllowedToDelegateTo: user_attribute_allowed_todelegate
+ AttributeLDAPDisplayName: dsobject_attribute_name
+ AuditPolicyChanges: policy_changes
+ AuthenticationPackageName: logon_authentication_package
+ CallingProcessName: process_path
+ CallTrace: process_call_trace
+ ClientAddress: src_ip_addr
+ ClientIPAddress: src_ip_addr
+ ClientIP: src_ip_addr
+ CommandLine: process_command_line
+ Company: file_company
+ ComputerName: host_name
+ Configuration:
+ EventID=16: sysmon_configuration
+ ConnectedViaIPAddress: dst_nat_ip_addr
+ CurrentDirectory: process_current_directory
+ Description: file_description
+ DestAddress: dst_ip_addr
+ Destination:
+ EventID=20: wmi_consumer_destination
+ DestinationHostname: dst_host_name
+ DestinationIp: dst_ip_addr
+ DestinationPort: dst_port
+ DestinationPortName: dst_port_name
+ Details:
+ EventID=13: registry_key_value
+ Device: device_name
+ EngineVersion: powershell.engine.version
+ EventID: event_id
+ 
EventType: event_type
+ EventNamespace:
+ EventID=19: wmi_namespace
+ Filter:
+ EventID=21: wmi_filter_path
+ FailureCode: ticket_failure_code
+ FileName: file_name
+ FileVersion: file_version
+ GrantedAccess: process_granted_access
+ GroupName: group_name
+ GroupSid: group_sid
+ HiveName: hive_name
+ HostVersion: powershell.host.version
+ Image: process_path
+ ImageLoaded:
+ EventID=6: driver_loaded
+ EventID=7: module_loaded
+ Imphash: hash_imphash
+ Initiated:
+ EventID=3: network_initiated
+ IntegrityLevel:
+ EventID=1: process_integrity_level
+ ipAddress: dst_ip_addr
+ IpAddress: src_ip_addr
+ IPString: src_ip_addr
+ LaunchedViaIPAddress: dst_ip_addr
+ LogonProcessName: logon_process_name
+ LogonType: logon_type
+ MachineIpAddress: dst_ip_addr
+ MachineName: host_name
+ Name:
+ EventID=19: wmi_name
+ EventID=20: wmi_name
+ NewProcessName: process_path
+ NewName:
+ EventID=14: registry_key_new_name
+ ObjectClass: dsobject_class
+ ObjectName: object_name
+ ObjectType: object_type
+ ObjectValueName: object_value_name
+ Operation:
+ EventID=19: wmi_operation
+ EventID=20: wmi_operation
+ EventID=21: wmi_operation
+ OperationType: object_operation_type
+ OriginalFileName: file_name_original
+ ParentImage: process_parent_path
+ ParentProcessName: process_parent_path
+ PasswordLastSet: user_attribute_password_lastset
+ Path: process_path
+ ParentCommandLine: process_parent_command_line
+ PipeName: pipe_name
+ ProcessName: process_path
+ ProcessCommandLine: process_command_line
+ Product: file_product
+ Properties: object_properties
+ Protocol:
+ EventID=3: network_protocol
+ Query:
+ EventID=19: wmi_query
+ RelativeTargetName: share_relative_target_name
+ SourceAddress: src_ip_addr
+ SchemaVersion:
+ EventID=4: sysmon_schema_version
+ ServiceFileName: service_image_path
+ ServiceName: service_name
+ ShareName: share_name
+ Signature: signature
+ SignatureStatus: signature_status
+ Signed: signed
+ Source: source_name
+ SourceHostname: src_host_name
+ SourceImage: 
process_path
+ SourceIp: src_ip_addr
+ SourcePort: src_port
+ SourcePortName: src_port_name
+ StartAddress: thread_start_address
+ StartFunction: thread_start_function
+ StartModule: thread_start_module
+ Status: event_status
+ State:
+ EventID=4: service_state
+ EventID=16: sysmon_configuration_state
+ SubjectUserName:
+ EventID=4624: user_reporter_name
+ EventId=4648: user_name
+ EventID=5140: user_name
+ TargetServer: dst_ip_addr
+ TaskName: task_name
+ TicketEncryptionType: ticket_encryption_type
+ TicketOptions: ticket_options
+ TargetFilename: file_name
+ TargetImage: target_process_path
+ TargetProcessAddress: thread_start_address
+ TargetObject: registry_key_path
+ Type:
+ EventID=20: wmi_consumer_type
+ User: user_account
+ UserName: user_name
+ Value:
+ EventID=1102: dst_ip_addr
+ Version:
+ EventID=4: sysmon_version
+ Workstation: src_host_name
+ WorkstationName: src_host_name
\ No newline at end of file
diff --git a/tools/config/limacharlie.yml b/tools/config/limacharlie.yml
new file mode 100644
index 000000000..693ca2149
--- /dev/null
+++ b/tools/config/limacharlie.yml
@@ -0,0 +1,11 @@
+title: LimaCharlie
+backends:
+ - limacharlie
+order: 20
+logsources:
+ windows:
+ product: windows
+ linux:
+ product: linux
+ netflow:
+ product: netflow
\ No newline at end of file
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
new file mode 100644
index 000000000..ad7b425f7
--- /dev/null
+++ b/tools/config/logpoint-windows.yml
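Review bot: Under `SubjectUserName` the conditional key `EventId=4648: user_name` is spelled with a lowercase `d` while every other conditional mapping in helk.yml uses `EventID=`; the condition is compared against the rule's field name literally, so this branch presumably never applies and 4648 rules lose the intended `user_name` mapping. Change it to `EventID=4648: user_name`. Separately, `ipAddress: dst_ip_addr` and `IpAddress: src_ip_addr` send two case variants of one event field to opposite directions; if that asymmetry is intentional it deserves a comment naming the event each case comes from, otherwise one of the two is wrong.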
@@ -0,0 +1,149 @@
+title: Logpoint
+order: 20
+backends:
+ - logpoint
+logsources:
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ event_source: 'Microsoft-Windows-Security-Auditing'
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ event_source: 'Microsoft-Windows-Security-Auditing'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ event_source: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ source: 'Microsoft-Windows-DHCP-Server/Operational'
+
+fieldmappings:
+ EventID: event_id
+ FailureCode: result_code
+ GroupName: group_name
+ GroupSid: group_sid
+ KeyLength: key_length
+ LogonProcessName: logon_process
+ LogonType: logon_type
+ ServiceName: service
+ SubjectAccountName:
+ EventID=4611:
+ - user
+ EventID=4624:
+ - target_user
+ - caller_user
+ EventID=4625:
+ - target_user
+ - caller_user
+ EventID=4634:
+ - user
+ EventID=4648:
+ - target_user
+ - caller_user
+ EventID=4662:
+ - user
+ EventID=4672:
+ - user
+ EventID=4688:
+ - user
+ EventID=4719:
+ - user
+ EventID=4720:
+ - target_user
+ - caller_user
+ EventID=4722:
+ - target_user
+ - caller_user
+ EventID=4723:
+ - target_user
+ - caller_user
+ EventID=4724:
+ - target_user
+ - caller_user
+ EventID=4728:
+ - user
+ - member
+ EventID=4729:
+ - user
+ - member
+ EventID=4731:
+ - user
+ EventID=4732:
+ - user
+ - member
+ EventID=4735:
+ - user
+ EventID=4737:
+ - user
+ EventID=4738:
+ - target_user
+ - caller_user
+ EventID=4740:
+ - target_user
+ - caller_user
+ EventID=4742:
+ - target_user
+ - caller_user
+ EventID=4755:
+ - user
+ EventID=4756:
+ - user
+ - member
+ EventID=4757:
+ - user
+ - member
+ EventID=4767:
+ - target_user
+ - caller_user
+ EventID=4768:
+ - user
+ EventID=4769:
+ - user
+ EventID=4770:
+ - user
+ 
EventID=4771:
+ - user
+ EventID=4774:
+ - user
+ EventID=4776:
+ - user
+ EventID=4781:
+ - target_user
+ - caller_user
+ EventID=4904:
+ - user
+ EventID=4905:
+ - user
+ EventID=5061:
+ - user
+ EventID=5136:
+ - user
+ EventID=5137:
+ - user
+ default:
+ - caller_user
+ - target_user
+ - user
+ - member
+ TicketOptions: ticket_options
+ TicketEnctyption: ticket_encryption
+ Type: event_type
+ UserName:
+ default:
+ - caller_user
+ - target_user
+ - user
+ - member
+ SourceWorkstation: workstation
diff --git a/tools/config/logstash-defaultindex.yml b/tools/config/logstash-defaultindex.yml
new file mode 100644
index 000000000..b9287b51b
--- /dev/null
+++ b/tools/config/logstash-defaultindex.yml
@@ -0,0 +1,12 @@
+title: Generic Logstash index prefix
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+defaultindex:
+ - logstash-*
diff --git a/tools/config/logstash-linux.yml b/tools/config/logstash-linux.yml
new file mode 100644
index 000000000..645739d65
--- /dev/null
+++ b/tools/config/logstash-linux.yml
@@ -0,0 +1,25 @@
+title: Logstash Linux project (https://github.com/thomaspatzke/logstash-linux)
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+logsources:
+ apache:
+ category: webserver
+ index: logstash-apache-*
+ webapp-error:
+ category: application
+ index: logstash-apache_error-*
+ linux-auth:
+ product: linux
+ service: auth
+ index: logstash-auth-*
+fieldmappings:
+ client_ip: clientip
+ url: request
+defaultindex: logstash-*
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
new file mode 100644
index 000000000..20d391049
--- /dev/null
+++ b/tools/config/logstash-windows.yml
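Review bot: In logpoint-windows.yml the `windows-system` log source declares `event_source: 'Microsoft-Windows-Security-Auditing'`, the identical condition to `windows-security` directly above it, so every rule scoped to the System channel is converted into a search over Security audit events and can never hit a System-log event; this looks like a copy-paste that needs the System channel's own source value, which is not given on this page and so not guessed here. `TicketEnctyption: ticket_encryption` is misspelled, so Kerberos rules that use the Sigma field `TicketEncryptionType` (the name helk.yml in this same commit maps) keep the unmapped field name in the generated query. The log source conditions also alternate between `event_source` and `source` as the condition key; confirm both are real Logpoint fields, otherwise the `source`-keyed entries are dead as well.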
@@ -0,0 +1,45 @@
+title: Logstash Windows common log sources
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+logsources:
+ windows:
+ product: windows
+ index: logstash-windows-*
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ Channel: Application
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ Channel: Security
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ Channel: Microsoft-Windows-Sysmon
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ Channel: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ Channel: 'Microsoft-Windows-DHCP-Server/Operational'
+defaultindex: logstash-*
diff --git a/tools/config/mitre/tactics.json b/tools/config/mitre/tactics.json
new file mode 100644
index 000000000..e5549d8fd
--- /dev/null
+++ b/tools/config/mitre/tactics.json
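Review bot: `windows-sysmon` matches on `Channel: Microsoft-Windows-Sysmon`, while the other channel-qualified entries in the same hunk use the full operational channel name (`Microsoft-Windows-DriverFrameworks-UserMode/Operational`, `Microsoft-Windows-DHCP-Server/Operational`); Sysmon writes to the `Microsoft-Windows-Sysmon/Operational` channel, so unless the Logstash pipeline strips the `/Operational` suffix this condition selects nothing and every Sysmon rule converts to a query with zero hits. Confirm against the pipeline and, if it does not rewrite the channel, change the line to `Channel: Microsoft-Windows-Sysmon/Operational`. Either way a short comment stating which form the pipeline emits would stop the two conventions from drifting further.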
@@ -0,0 +1,202 @@ +[ + { + "external_id": "TA0040", + "url": "https://attack.mitre.org/tactics/TA0040", + "tactic": "Impact" + }, + { + "external_id": "TA0009", + "url": "https://attack.mitre.org/tactics/TA0009", + "tactic": "Collection" + }, + { + "external_id": "TA0011", + "url": "https://attack.mitre.org/tactics/TA0011", + "tactic": "Command and Control" + }, + { + "external_id": "TA0006", + "url": "https://attack.mitre.org/tactics/TA0006", + "tactic": "Credential Access" + }, + { + "external_id": "TA0007", + "url": "https://attack.mitre.org/tactics/TA0007", + "tactic": "Discovery" + }, + { + "external_id": "TA0005", + "url": "https://attack.mitre.org/tactics/TA0005", + "tactic": "Defense Evasion" + }, + { + "external_id": "TA0010", + "url": "https://attack.mitre.org/tactics/TA0010", + "tactic": "Exfiltration" + }, + { + "external_id": "TA0002", + "url": "https://attack.mitre.org/tactics/TA0002", + "tactic": "Execution" + }, + { + "external_id": "TA0008", + "url": "https://attack.mitre.org/tactics/TA0008", + "tactic": "Lateral Movement" + }, + { + "external_id": "TA0003", + "url": "https://attack.mitre.org/tactics/TA0003", + "tactic": "Persistence" + }, + { + "external_id": "TA0004", + "url": "https://attack.mitre.org/tactics/TA0004", + "tactic": "Privilege Escalation" + }, + { + "external_id": "TA0001", + "url": "https://attack.mitre.org/tactics/TA0001", + "tactic": "Initial Access" + }, + { + "external_id": "TA0020", + "url": "https://attack.mitre.org/tactics/TA0020", + "tactic": "Organizational Weakness Identification" + }, + { + "external_id": "TA0012", + "url": "https://attack.mitre.org/tactics/TA0012", + "tactic": "Priority Definition Planning" + }, + { + "external_id": "TA0025", + "url": "https://attack.mitre.org/tactics/TA0025", + "tactic": "Test Capabilities" + }, + { + "external_id": "TA0017", + "url": "https://attack.mitre.org/tactics/TA0017", + "tactic": "Organizational Information Gathering" + }, + { + "external_id": "TA0013", + "url": 
"https://attack.mitre.org/tactics/TA0013", + "tactic": "Priority Definition Direction" + }, + { + "external_id": "TA0018", + "url": "https://attack.mitre.org/tactics/TA0018", + "tactic": "Technical Weakness Identification" + }, + { + "external_id": "TA0022", + "url": "https://attack.mitre.org/tactics/TA0022", + "tactic": "Establish & Maintain Infrastructure" + }, + { + "external_id": "TA0023", + "url": "https://attack.mitre.org/tactics/TA0023", + "tactic": "Persona Development" + }, + { + "external_id": "TA0015", + "url": "https://attack.mitre.org/tactics/TA0015", + "tactic": "Technical Information Gathering" + }, + { + "external_id": "TA0021", + "url": "https://attack.mitre.org/tactics/TA0021", + "tactic": "Adversary OPSEC" + }, + { + "external_id": "TA0016", + "url": "https://attack.mitre.org/tactics/TA0016", + "tactic": "People Information Gathering" + }, + { + "external_id": "TA0026", + "url": "https://attack.mitre.org/tactics/TA0026", + "tactic": "Stage Capabilities" + }, + { + "external_id": "TA0024", + "url": "https://attack.mitre.org/tactics/TA0024", + "tactic": "Build Capabilities" + }, + { + "external_id": "TA0019", + "url": "https://attack.mitre.org/tactics/TA0019", + "tactic": "People Weakness Identification" + }, + { + "external_id": "TA0014", + "url": "https://attack.mitre.org/tactics/TA0014", + "tactic": "Target Selection" + }, + { + "external_id": "TA0035", + "url": "https://attack.mitre.org/tactics/TA0035", + "tactic": "Collection" + }, + { + "external_id": "TA0036", + "url": "https://attack.mitre.org/tactics/TA0036", + "tactic": "Exfiltration" + }, + { + "external_id": "TA0028", + "url": "https://attack.mitre.org/tactics/TA0028", + "tactic": "Persistence" + }, + { + "external_id": "TA0032", + "url": "https://attack.mitre.org/tactics/TA0032", + "tactic": "Discovery" + }, + { + "external_id": "TA0038", + "url": "https://attack.mitre.org/tactics/TA0038", + "tactic": "Network Effects" + }, + { + "external_id": "TA0030", + "url": 
"https://attack.mitre.org/tactics/TA0030", + "tactic": "Defense Evasion" + }, + { + "external_id": "TA0033", + "url": "https://attack.mitre.org/tactics/TA0033", + "tactic": "Lateral Movement" + }, + { + "external_id": "TA0031", + "url": "https://attack.mitre.org/tactics/TA0031", + "tactic": "Credential Access" + }, + { + "external_id": "TA0027", + "url": "https://attack.mitre.org/tactics/TA0027", + "tactic": "Initial Access" + }, + { + "external_id": "TA0039", + "url": "https://attack.mitre.org/tactics/TA0039", + "tactic": "Remote Service Effects" + }, + { + "external_id": "TA0037", + "url": "https://attack.mitre.org/tactics/TA0037", + "tactic": "Command and Control" + }, + { + "external_id": "TA0034", + "url": "https://attack.mitre.org/tactics/TA0034", + "tactic": "Impact" + }, + { + "external_id": "TA0029", + "url": "https://attack.mitre.org/tactics/TA0029", + "tactic": "Privilege Escalation" + } +] \ No newline at end of file diff --git a/tools/config/mitre/techniques.json b/tools/config/mitre/techniques.json new file mode 100644 index 000000000..22541bb27 --- /dev/null +++ b/tools/config/mitre/techniques.json 
@@ -0,0 +1,4353 @@ +[ + { + "technique_id": "T1531", + "technique": "Account Access Removal", + "url": "https://attack.mitre.org/techniques/T1531", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1506", + "technique": "Web Session Cookie", + "url": "https://attack.mitre.org/techniques/T1506", + "tactic": [ + "Defense Evasion", + "Lateral Movement" + ] + }, + { + "technique_id": "T1539", + "technique": "Steal Web Session Cookie", + "url": "https://attack.mitre.org/techniques/T1539", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1529", + "technique": "System Shutdown/Reboot", + "url": "https://attack.mitre.org/techniques/T1529", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1519", + "technique": "Emond", + "url": "https://attack.mitre.org/techniques/T1519", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1518", + "technique": "Software Discovery", + "url": "https://attack.mitre.org/techniques/T1518", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1534", + "technique": "Internal Spearphishing", + "url": "https://attack.mitre.org/techniques/T1534", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1528", + "technique": "Steal Application Access Token", + "url": "https://attack.mitre.org/techniques/T1528", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1522", + "technique": "Cloud Instance Metadata API", + "url": "https://attack.mitre.org/techniques/T1522", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1536", + "technique": "Revert Cloud Instance", + "url": "https://attack.mitre.org/techniques/T1536", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1535", + "technique": "Unused/Unsupported Cloud Regions", + "url": "https://attack.mitre.org/techniques/T1535", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1525", + "technique": "Implant Container Image", + "url": 
"https://attack.mitre.org/techniques/T1525", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1538", + "technique": "Cloud Service Dashboard", + "url": "https://attack.mitre.org/techniques/T1538", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1530", + "technique": "Data from Cloud Storage Object", + "url": "https://attack.mitre.org/techniques/T1530", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1537", + "technique": "Transfer Data to Cloud Account", + "url": "https://attack.mitre.org/techniques/T1537", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1526", + "technique": "Cloud Service Discovery", + "url": "https://attack.mitre.org/techniques/T1526", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1527", + "technique": "Application Access Token", + "url": "https://attack.mitre.org/techniques/T1527", + "tactic": [ + "Defense Evasion", + "Lateral Movement" + ] + }, + { + "technique_id": "T1514", + "technique": "Elevated Execution with Prompt", + "url": "https://attack.mitre.org/techniques/T1514", + "tactic": [ + "Privilege Escalation" + ] + }, + { + "technique_id": "T1505", + "technique": "Server Software Component", + "url": "https://attack.mitre.org/techniques/T1505", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1503", + "technique": "Credentials from Web Browsers", + "url": "https://attack.mitre.org/techniques/T1503", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1504", + "technique": "PowerShell Profile", + "url": "https://attack.mitre.org/techniques/T1504", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1502", + "technique": "Parent PID Spoofing", + "url": "https://attack.mitre.org/techniques/T1502", + "tactic": [ + "Defense Evasion", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1500", + "technique": "Compile After Delivery", + "url": "https://attack.mitre.org/techniques/T1500", + "tactic": [ + 
"Defense Evasion" + ] + }, + { + "technique_id": "T1501", + "technique": "Systemd Service", + "url": "https://attack.mitre.org/techniques/T1501", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1499", + "technique": "Endpoint Denial of Service", + "url": "https://attack.mitre.org/techniques/T1499", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1497", + "technique": "Virtualization/Sandbox Evasion", + "url": "https://attack.mitre.org/techniques/T1497", + "tactic": [ + "Defense Evasion", + "Discovery" + ] + }, + { + "technique_id": "T1498", + "technique": "Network Denial of Service", + "url": "https://attack.mitre.org/techniques/T1498", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1496", + "technique": "Resource Hijacking", + "url": "https://attack.mitre.org/techniques/T1496", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1495", + "technique": "Firmware Corruption", + "url": "https://attack.mitre.org/techniques/T1495", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1494", + "technique": "Runtime Data Manipulation", + "url": "https://attack.mitre.org/techniques/T1494", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1493", + "technique": "Transmitted Data Manipulation", + "url": "https://attack.mitre.org/techniques/T1493", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1492", + "technique": "Stored Data Manipulation", + "url": "https://attack.mitre.org/techniques/T1492", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1491", + "technique": "Defacement", + "url": "https://attack.mitre.org/techniques/T1491", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1490", + "technique": "Inhibit System Recovery", + "url": "https://attack.mitre.org/techniques/T1490", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1489", + "technique": "Service Stop", + "url": "https://attack.mitre.org/techniques/T1489", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1488", 
+ "technique": "Disk Content Wipe", + "url": "https://attack.mitre.org/techniques/T1488", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1487", + "technique": "Disk Structure Wipe", + "url": "https://attack.mitre.org/techniques/T1487", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1486", + "technique": "Data Encrypted for Impact", + "url": "https://attack.mitre.org/techniques/T1486", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1485", + "technique": "Data Destruction", + "url": "https://attack.mitre.org/techniques/T1485", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1484", + "technique": "Group Policy Modification", + "url": "https://attack.mitre.org/techniques/T1484", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1483", + "technique": "Domain Generation Algorithms", + "url": "https://attack.mitre.org/techniques/T1483", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1482", + "technique": "Domain Trust Discovery", + "url": "https://attack.mitre.org/techniques/T1482", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1480", + "technique": "Execution Guardrails", + "url": "https://attack.mitre.org/techniques/T1480", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1222", + "technique": "File and Directory Permissions Modification", + "url": "https://attack.mitre.org/techniques/T1222", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1223", + "technique": "Compiled HTML File", + "url": "https://attack.mitre.org/techniques/T1223", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1221", + "technique": "Template Injection", + "url": "https://attack.mitre.org/techniques/T1221", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1220", + "technique": "XSL Script Processing", + "url": "https://attack.mitre.org/techniques/T1220", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + 
{ + "technique_id": "T1217", + "technique": "Browser Bookmark Discovery", + "url": "https://attack.mitre.org/techniques/T1217", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1213", + "technique": "Data from Information Repositories", + "url": "https://attack.mitre.org/techniques/T1213", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1190", + "technique": "Exploit Public-Facing Application", + "url": "https://attack.mitre.org/techniques/T1190", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1210", + "technique": "Exploitation of Remote Services", + "url": "https://attack.mitre.org/techniques/T1210", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1200", + "technique": "Hardware Additions", + "url": "https://attack.mitre.org/techniques/T1200", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1202", + "technique": "Indirect Command Execution", + "url": "https://attack.mitre.org/techniques/T1202", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1194", + "technique": "Spearphishing via Service", + "url": "https://attack.mitre.org/techniques/T1194", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1209", + "technique": "Time Providers", + "url": "https://attack.mitre.org/techniques/T1209", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1199", + "technique": "Trusted Relationship", + "url": "https://attack.mitre.org/techniques/T1199", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1191", + "technique": "CMSTP", + "url": "https://attack.mitre.org/techniques/T1191", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1207", + "technique": "DCShadow", + "url": "https://attack.mitre.org/techniques/T1207", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1189", + "technique": "Drive-by Compromise", + "url": "https://attack.mitre.org/techniques/T1189", + "tactic": [ + "Initial 
Access" + ] + }, + { + "technique_id": "T1211", + "technique": "Exploitation for Defense Evasion", + "url": "https://attack.mitre.org/techniques/T1211", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1218", + "technique": "Signed Binary Proxy Execution", + "url": "https://attack.mitre.org/techniques/T1218", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1193", + "technique": "Spearphishing Attachment", + "url": "https://attack.mitre.org/techniques/T1193", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1195", + "technique": "Supply Chain Compromise", + "url": "https://attack.mitre.org/techniques/T1195", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1204", + "technique": "User Execution", + "url": "https://attack.mitre.org/techniques/T1204", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1196", + "technique": "Control Panel Items", + "url": "https://attack.mitre.org/techniques/T1196", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1212", + "technique": "Exploitation for Credential Access", + "url": "https://attack.mitre.org/techniques/T1212", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1215", + "technique": "Kernel Modules and Extensions", + "url": "https://attack.mitre.org/techniques/T1215", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1197", + "technique": "BITS Jobs", + "url": "https://attack.mitre.org/techniques/T1197", + "tactic": [ + "Defense Evasion", + "Persistence" + ] + }, + { + "technique_id": "T1214", + "technique": "Credentials in Registry", + "url": "https://attack.mitre.org/techniques/T1214", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1216", + "technique": "Signed Script Proxy Execution", + "url": "https://attack.mitre.org/techniques/T1216", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1192", + "technique": 
"Spearphishing Link", + "url": "https://attack.mitre.org/techniques/T1192", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1198", + "technique": "SIP and Trust Provider Hijacking", + "url": "https://attack.mitre.org/techniques/T1198", + "tactic": [ + "Defense Evasion", + "Persistence" + ] + }, + { + "technique_id": "T1206", + "technique": "Sudo Caching", + "url": "https://attack.mitre.org/techniques/T1206", + "tactic": [ + "Privilege Escalation" + ] + }, + { + "technique_id": "T1203", + "technique": "Exploitation for Client Execution", + "url": "https://attack.mitre.org/techniques/T1203", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1208", + "technique": "Kerberoasting", + "url": "https://attack.mitre.org/techniques/T1208", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1201", + "technique": "Password Policy Discovery", + "url": "https://attack.mitre.org/techniques/T1201", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1205", + "technique": "Port Knocking", + "url": "https://attack.mitre.org/techniques/T1205", + "tactic": [ + "Defense Evasion", + "Persistence", + "Command And Control" + ] + }, + { + "technique_id": "T1219", + "technique": "Remote Access Tools", + "url": "https://attack.mitre.org/techniques/T1219", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1172", + "technique": "Domain Fronting", + "url": "https://attack.mitre.org/techniques/T1172", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1173", + "technique": "Dynamic Data Exchange", + "url": "https://attack.mitre.org/techniques/T1173", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1187", + "technique": "Forced Authentication", + "url": "https://attack.mitre.org/techniques/T1187", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1188", + "technique": "Multi-hop Proxy", + "url": "https://attack.mitre.org/techniques/T1188", + "tactic": [ + "Command And 
Control" + ] + }, + { + "technique_id": "T1174", + "technique": "Password Filter DLL", + "url": "https://attack.mitre.org/techniques/T1174", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1175", + "technique": "Component Object Model and Distributed COM", + "url": "https://attack.mitre.org/techniques/T1175", + "tactic": [ + "Lateral Movement", + "Execution" + ] + }, + { + "technique_id": "T1170", + "technique": "Mshta", + "url": "https://attack.mitre.org/techniques/T1170", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1179", + "technique": "Hooking", + "url": "https://attack.mitre.org/techniques/T1179", + "tactic": [ + "Persistence", + "Privilege Escalation", + "Credential Access" + ] + }, + { + "technique_id": "T1184", + "technique": "SSH Hijacking", + "url": "https://attack.mitre.org/techniques/T1184", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1181", + "technique": "Extra Window Memory Injection", + "url": "https://attack.mitre.org/techniques/T1181", + "tactic": [ + "Defense Evasion", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1177", + "technique": "LSASS Driver", + "url": "https://attack.mitre.org/techniques/T1177", + "tactic": [ + "Execution", + "Persistence" + ] + }, + { + "technique_id": "T1182", + "technique": "AppCert DLLs", + "url": "https://attack.mitre.org/techniques/T1182", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1176", + "technique": "Browser Extensions", + "url": "https://attack.mitre.org/techniques/T1176", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1185", + "technique": "Man in the Browser", + "url": "https://attack.mitre.org/techniques/T1185", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1180", + "technique": "Screensaver", + "url": "https://attack.mitre.org/techniques/T1180", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1183", + "technique": "Image 
File Execution Options Injection", + "url": "https://attack.mitre.org/techniques/T1183", + "tactic": [ + "Privilege Escalation", + "Persistence", + "Defense Evasion" + ] + }, + { + "technique_id": "T1171", + "technique": "LLMNR/NBT-NS Poisoning and Relay", + "url": "https://attack.mitre.org/techniques/T1171", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1186", + "technique": "Process Doppelg\\u00e4nging", + "url": "https://attack.mitre.org/techniques/T1186", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1178", + "technique": "SID-History Injection", + "url": "https://attack.mitre.org/techniques/T1178", + "tactic": [ + "Privilege Escalation" + ] + }, + { + "technique_id": "T1138", + "technique": "Application Shimming", + "url": "https://attack.mitre.org/techniques/T1138", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1140", + "technique": "Deobfuscate/Decode Files or Information", + "url": "https://attack.mitre.org/techniques/T1140", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1149", + "technique": "LC_MAIN Hijacking", + "url": "https://attack.mitre.org/techniques/T1149", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1152", + "technique": "Launchctl", + "url": "https://attack.mitre.org/techniques/T1152", + "tactic": [ + "Defense Evasion", + "Execution", + "Persistence" + ] + }, + { + "technique_id": "T1150", + "technique": "Plist Modification", + "url": "https://attack.mitre.org/techniques/T1150", + "tactic": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1163", + "technique": "Rc.common", + "url": "https://attack.mitre.org/techniques/T1163", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1166", + "technique": "Setuid and Setgid", + "url": "https://attack.mitre.org/techniques/T1166", + "tactic": [ + "Privilege Escalation", + "Persistence" + ] + }, + { + "technique_id": 
"T1157", + "technique": "Dylib Hijacking", + "url": "https://attack.mitre.org/techniques/T1157", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1155", + "technique": "AppleScript", + "url": "https://attack.mitre.org/techniques/T1155", + "tactic": [ + "Execution", + "Lateral Movement" + ] + }, + { + "technique_id": "T1136", + "technique": "Create Account", + "url": "https://attack.mitre.org/techniques/T1136", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1143", + "technique": "Hidden Window", + "url": "https://attack.mitre.org/techniques/T1143", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1141", + "technique": "Input Prompt", + "url": "https://attack.mitre.org/techniques/T1141", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1142", + "technique": "Keychain", + "url": "https://attack.mitre.org/techniques/T1142", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1159", + "technique": "Launch Agent", + "url": "https://attack.mitre.org/techniques/T1159", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1135", + "technique": "Network Share Discovery", + "url": "https://attack.mitre.org/techniques/T1135", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1148", + "technique": "HISTCONTROL", + "url": "https://attack.mitre.org/techniques/T1148", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1161", + "technique": "LC_LOAD_DYLIB Addition", + "url": "https://attack.mitre.org/techniques/T1161", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1154", + "technique": "Trap", + "url": "https://attack.mitre.org/techniques/T1154", + "tactic": [ + "Execution", + "Persistence" + ] + }, + { + "technique_id": "T1134", + "technique": "Access Token Manipulation", + "url": "https://attack.mitre.org/techniques/T1134", + "tactic": [ + "Defense Evasion", + "Privilege Escalation" + ] + }, + { + "technique_id": 
"T1139", + "technique": "Bash History", + "url": "https://attack.mitre.org/techniques/T1139", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1147", + "technique": "Hidden Users", + "url": "https://attack.mitre.org/techniques/T1147", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1156", + "technique": ".bash_profile and .bashrc", + "url": "https://attack.mitre.org/techniques/T1156", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1146", + "technique": "Clear Command History", + "url": "https://attack.mitre.org/techniques/T1146", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1160", + "technique": "Launch Daemon", + "url": "https://attack.mitre.org/techniques/T1160", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1145", + "technique": "Private Keys", + "url": "https://attack.mitre.org/techniques/T1145", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1165", + "technique": "Startup Items", + "url": "https://attack.mitre.org/techniques/T1165", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1162", + "technique": "Login Item", + "url": "https://attack.mitre.org/techniques/T1162", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1137", + "technique": "Office Application Startup", + "url": "https://attack.mitre.org/techniques/T1137", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1151", + "technique": "Space after Filename", + "url": "https://attack.mitre.org/techniques/T1151", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1144", + "technique": "Gatekeeper Bypass", + "url": "https://attack.mitre.org/techniques/T1144", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1158", + "technique": "Hidden Files and Directories", + "url": "https://attack.mitre.org/techniques/T1158", + "tactic": [ + "Defense Evasion", + 
"Persistence" + ] + }, + { + "technique_id": "T1168", + "technique": "Local Job Scheduling", + "url": "https://attack.mitre.org/techniques/T1168", + "tactic": [ + "Persistence", + "Execution" + ] + }, + { + "technique_id": "T1164", + "technique": "Re-opened Applications", + "url": "https://attack.mitre.org/techniques/T1164", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1167", + "technique": "Securityd Memory", + "url": "https://attack.mitre.org/techniques/T1167", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1153", + "technique": "Source", + "url": "https://attack.mitre.org/techniques/T1153", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1169", + "technique": "Sudo", + "url": "https://attack.mitre.org/techniques/T1169", + "tactic": [ + "Privilege Escalation" + ] + }, + { + "technique_id": "T1133", + "technique": "External Remote Services", + "url": "https://attack.mitre.org/techniques/T1133", + "tactic": [ + "Persistence", + "Initial Access" + ] + }, + { + "technique_id": "T1132", + "technique": "Data Encoding", + "url": "https://attack.mitre.org/techniques/T1132", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1131", + "technique": "Authentication Package", + "url": "https://attack.mitre.org/techniques/T1131", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1130", + "technique": "Install Root Certificate", + "url": "https://attack.mitre.org/techniques/T1130", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1129", + "technique": "Execution through Module Load", + "url": "https://attack.mitre.org/techniques/T1129", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1128", + "technique": "Netsh Helper DLL", + "url": "https://attack.mitre.org/techniques/T1128", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1127", + "technique": "Trusted Developer Utilities", + "url": "https://attack.mitre.org/techniques/T1127", + "tactic": [ + 
"Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1126", + "technique": "Network Share Connection Removal", + "url": "https://attack.mitre.org/techniques/T1126", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1125", + "technique": "Video Capture", + "url": "https://attack.mitre.org/techniques/T1125", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1124", + "technique": "System Time Discovery", + "url": "https://attack.mitre.org/techniques/T1124", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1123", + "technique": "Audio Capture", + "url": "https://attack.mitre.org/techniques/T1123", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1122", + "technique": "Component Object Model Hijacking", + "url": "https://attack.mitre.org/techniques/T1122", + "tactic": [ + "Defense Evasion", + "Persistence" + ] + }, + { + "technique_id": "T1121", + "technique": "Regsvcs/Regasm", + "url": "https://attack.mitre.org/techniques/T1121", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1120", + "technique": "Peripheral Device Discovery", + "url": "https://attack.mitre.org/techniques/T1120", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1119", + "technique": "Automated Collection", + "url": "https://attack.mitre.org/techniques/T1119", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1118", + "technique": "InstallUtil", + "url": "https://attack.mitre.org/techniques/T1118", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1117", + "technique": "Regsvr32", + "url": "https://attack.mitre.org/techniques/T1117", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1116", + "technique": "Code Signing", + "url": "https://attack.mitre.org/techniques/T1116", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1115", + "technique": "Clipboard Data", + "url": 
"https://attack.mitre.org/techniques/T1115", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1114", + "technique": "Email Collection", + "url": "https://attack.mitre.org/techniques/T1114", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1113", + "technique": "Screen Capture", + "url": "https://attack.mitre.org/techniques/T1113", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1112", + "technique": "Modify Registry", + "url": "https://attack.mitre.org/techniques/T1112", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1111", + "technique": "Two-Factor Authentication Interception", + "url": "https://attack.mitre.org/techniques/T1111", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1110", + "technique": "Brute Force", + "url": "https://attack.mitre.org/techniques/T1110", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1109", + "technique": "Component Firmware", + "url": "https://attack.mitre.org/techniques/T1109", + "tactic": [ + "Defense Evasion", + "Persistence" + ] + }, + { + "technique_id": "T1108", + "technique": "Redundant Access", + "url": "https://attack.mitre.org/techniques/T1108", + "tactic": [ + "Defense Evasion", + "Persistence" + ] + }, + { + "technique_id": "T1107", + "technique": "File Deletion", + "url": "https://attack.mitre.org/techniques/T1107", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1106", + "technique": "Execution through API", + "url": "https://attack.mitre.org/techniques/T1106", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1105", + "technique": "Remote File Copy", + "url": "https://attack.mitre.org/techniques/T1105", + "tactic": [ + "Command And Control", + "Lateral Movement" + ] + }, + { + "technique_id": "T1104", + "technique": "Multi-Stage Channels", + "url": "https://attack.mitre.org/techniques/T1104", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1103", + "technique": 
"AppInit DLLs", + "url": "https://attack.mitre.org/techniques/T1103", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1102", + "technique": "Web Service", + "url": "https://attack.mitre.org/techniques/T1102", + "tactic": [ + "Command And Control", + "Defense Evasion" + ] + }, + { + "technique_id": "T1101", + "technique": "Security Support Provider", + "url": "https://attack.mitre.org/techniques/T1101", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1100", + "technique": "Web Shell", + "url": "https://attack.mitre.org/techniques/T1100", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1099", + "technique": "Timestomp", + "url": "https://attack.mitre.org/techniques/T1099", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1098", + "technique": "Account Manipulation", + "url": "https://attack.mitre.org/techniques/T1098", + "tactic": [ + "Credential Access", + "Persistence" + ] + }, + { + "technique_id": "T1097", + "technique": "Pass the Ticket", + "url": "https://attack.mitre.org/techniques/T1097", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1096", + "technique": "NTFS File Attributes", + "url": "https://attack.mitre.org/techniques/T1096", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1095", + "technique": "Standard Non-Application Layer Protocol", + "url": "https://attack.mitre.org/techniques/T1095", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1094", + "technique": "Custom Command and Control Protocol", + "url": "https://attack.mitre.org/techniques/T1094", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1093", + "technique": "Process Hollowing", + "url": "https://attack.mitre.org/techniques/T1093", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1092", + "technique": "Communication Through Removable Media", + "url": 
"https://attack.mitre.org/techniques/T1092", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1091", + "technique": "Replication Through Removable Media", + "url": "https://attack.mitre.org/techniques/T1091", + "tactic": [ + "Lateral Movement", + "Initial Access" + ] + }, + { + "technique_id": "T1090", + "technique": "Connection Proxy", + "url": "https://attack.mitre.org/techniques/T1090", + "tactic": [ + "Command And Control", + "Defense Evasion" + ] + }, + { + "technique_id": "T1089", + "technique": "Disabling Security Tools", + "url": "https://attack.mitre.org/techniques/T1089", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1088", + "technique": "Bypass User Account Control", + "url": "https://attack.mitre.org/techniques/T1088", + "tactic": [ + "Defense Evasion", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1087", + "technique": "Account Discovery", + "url": "https://attack.mitre.org/techniques/T1087", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1086", + "technique": "PowerShell", + "url": "https://attack.mitre.org/techniques/T1086", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1085", + "technique": "Rundll32", + "url": "https://attack.mitre.org/techniques/T1085", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1084", + "technique": "Windows Management Instrumentation Event Subscription", + "url": "https://attack.mitre.org/techniques/T1084", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1083", + "technique": "File and Directory Discovery", + "url": "https://attack.mitre.org/techniques/T1083", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1082", + "technique": "System Information Discovery", + "url": "https://attack.mitre.org/techniques/T1082", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1081", + "technique": "Credentials in Files", + "url": "https://attack.mitre.org/techniques/T1081", + 
"tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1080", + "technique": "Taint Shared Content", + "url": "https://attack.mitre.org/techniques/T1080", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1079", + "technique": "Multilayer Encryption", + "url": "https://attack.mitre.org/techniques/T1079", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1078", + "technique": "Valid Accounts", + "url": "https://attack.mitre.org/techniques/T1078", + "tactic": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation", + "Initial Access" + ] + }, + { + "technique_id": "T1077", + "technique": "Windows Admin Shares", + "url": "https://attack.mitre.org/techniques/T1077", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1076", + "technique": "Remote Desktop Protocol", + "url": "https://attack.mitre.org/techniques/T1076", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1075", + "technique": "Pass the Hash", + "url": "https://attack.mitre.org/techniques/T1075", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1074", + "technique": "Data Staged", + "url": "https://attack.mitre.org/techniques/T1074", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1073", + "technique": "DLL Side-Loading", + "url": "https://attack.mitre.org/techniques/T1073", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1072", + "technique": "Third-party Software", + "url": "https://attack.mitre.org/techniques/T1072", + "tactic": [ + "Execution", + "Lateral Movement" + ] + }, + { + "technique_id": "T1071", + "technique": "Standard Application Layer Protocol", + "url": "https://attack.mitre.org/techniques/T1071", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1070", + "technique": "Indicator Removal on Host", + "url": "https://attack.mitre.org/techniques/T1070", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1069", + 
"technique": "Permission Groups Discovery", + "url": "https://attack.mitre.org/techniques/T1069", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1068", + "technique": "Exploitation for Privilege Escalation", + "url": "https://attack.mitre.org/techniques/T1068", + "tactic": [ + "Privilege Escalation" + ] + }, + { + "technique_id": "T1067", + "technique": "Bootkit", + "url": "https://attack.mitre.org/techniques/T1067", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1066", + "technique": "Indicator Removal from Tools", + "url": "https://attack.mitre.org/techniques/T1066", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1065", + "technique": "Uncommonly Used Port", + "url": "https://attack.mitre.org/techniques/T1065", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1064", + "technique": "Scripting", + "url": "https://attack.mitre.org/techniques/T1064", + "tactic": [ + "Defense Evasion", + "Execution" + ] + }, + { + "technique_id": "T1063", + "technique": "Security Software Discovery", + "url": "https://attack.mitre.org/techniques/T1063", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1062", + "technique": "Hypervisor", + "url": "https://attack.mitre.org/techniques/T1062", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1061", + "technique": "Graphical User Interface", + "url": "https://attack.mitre.org/techniques/T1061", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1060", + "technique": "Registry Run Keys / Startup Folder", + "url": "https://attack.mitre.org/techniques/T1060", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1059", + "technique": "Command-Line Interface", + "url": "https://attack.mitre.org/techniques/T1059", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1058", + "technique": "Service Registry Permissions Weakness", + "url": "https://attack.mitre.org/techniques/T1058", + "tactic": [ + "Persistence", + 
"Privilege Escalation" + ] + }, + { + "technique_id": "T1057", + "technique": "Process Discovery", + "url": "https://attack.mitre.org/techniques/T1057", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1056", + "technique": "Input Capture", + "url": "https://attack.mitre.org/techniques/T1056", + "tactic": [ + "Collection", + "Credential Access" + ] + }, + { + "technique_id": "T1055", + "technique": "Process Injection", + "url": "https://attack.mitre.org/techniques/T1055", + "tactic": [ + "Defense Evasion", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1054", + "technique": "Indicator Blocking", + "url": "https://attack.mitre.org/techniques/T1054", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1053", + "technique": "Scheduled Task", + "url": "https://attack.mitre.org/techniques/T1053", + "tactic": [ + "Execution", + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1052", + "technique": "Exfiltration Over Physical Medium", + "url": "https://attack.mitre.org/techniques/T1052", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1051", + "technique": "Shared Webroot", + "url": "https://attack.mitre.org/techniques/T1051", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1050", + "technique": "New Service", + "url": "https://attack.mitre.org/techniques/T1050", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1049", + "technique": "System Network Connections Discovery", + "url": "https://attack.mitre.org/techniques/T1049", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1048", + "technique": "Exfiltration Over Alternative Protocol", + "url": "https://attack.mitre.org/techniques/T1048", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1047", + "technique": "Windows Management Instrumentation", + "url": "https://attack.mitre.org/techniques/T1047", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": 
"T1046", + "technique": "Network Service Scanning", + "url": "https://attack.mitre.org/techniques/T1046", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1045", + "technique": "Software Packing", + "url": "https://attack.mitre.org/techniques/T1045", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1044", + "technique": "File System Permissions Weakness", + "url": "https://attack.mitre.org/techniques/T1044", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1043", + "technique": "Commonly Used Port", + "url": "https://attack.mitre.org/techniques/T1043", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1042", + "technique": "Change Default File Association", + "url": "https://attack.mitre.org/techniques/T1042", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1041", + "technique": "Exfiltration Over Command and Control Channel", + "url": "https://attack.mitre.org/techniques/T1041", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1040", + "technique": "Network Sniffing", + "url": "https://attack.mitre.org/techniques/T1040", + "tactic": [ + "Credential Access", + "Discovery" + ] + }, + { + "technique_id": "T1039", + "technique": "Data from Network Shared Drive", + "url": "https://attack.mitre.org/techniques/T1039", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1038", + "technique": "DLL Search Order Hijacking", + "url": "https://attack.mitre.org/techniques/T1038", + "tactic": [ + "Persistence", + "Privilege Escalation", + "Defense Evasion" + ] + }, + { + "technique_id": "T1037", + "technique": "Logon Scripts", + "url": "https://attack.mitre.org/techniques/T1037", + "tactic": [ + "Lateral Movement", + "Persistence" + ] + }, + { + "technique_id": "T1036", + "technique": "Masquerading", + "url": "https://attack.mitre.org/techniques/T1036", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1035", + "technique": "Service 
Execution", + "url": "https://attack.mitre.org/techniques/T1035", + "tactic": [ + "Execution" + ] + }, + { + "technique_id": "T1034", + "technique": "Path Interception", + "url": "https://attack.mitre.org/techniques/T1034", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1033", + "technique": "System Owner/User Discovery", + "url": "https://attack.mitre.org/techniques/T1033", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1032", + "technique": "Standard Cryptographic Protocol", + "url": "https://attack.mitre.org/techniques/T1032", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1031", + "technique": "Modify Existing Service", + "url": "https://attack.mitre.org/techniques/T1031", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1030", + "technique": "Data Transfer Size Limits", + "url": "https://attack.mitre.org/techniques/T1030", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1029", + "technique": "Scheduled Transfer", + "url": "https://attack.mitre.org/techniques/T1029", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1028", + "technique": "Windows Remote Management", + "url": "https://attack.mitre.org/techniques/T1028", + "tactic": [ + "Execution", + "Lateral Movement" + ] + }, + { + "technique_id": "T1027", + "technique": "Obfuscated Files or Information", + "url": "https://attack.mitre.org/techniques/T1027", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1026", + "technique": "Multiband Communication", + "url": "https://attack.mitre.org/techniques/T1026", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1025", + "technique": "Data from Removable Media", + "url": "https://attack.mitre.org/techniques/T1025", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1024", + "technique": "Custom Cryptographic Protocol", + "url": "https://attack.mitre.org/techniques/T1024", + "tactic": [ + 
"Command And Control" + ] + }, + { + "technique_id": "T1023", + "technique": "Shortcut Modification", + "url": "https://attack.mitre.org/techniques/T1023", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1022", + "technique": "Data Encrypted", + "url": "https://attack.mitre.org/techniques/T1022", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1021", + "technique": "Remote Services", + "url": "https://attack.mitre.org/techniques/T1021", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1020", + "technique": "Automated Exfiltration", + "url": "https://attack.mitre.org/techniques/T1020", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1019", + "technique": "System Firmware", + "url": "https://attack.mitre.org/techniques/T1019", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1018", + "technique": "Remote System Discovery", + "url": "https://attack.mitre.org/techniques/T1018", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1017", + "technique": "Application Deployment Software", + "url": "https://attack.mitre.org/techniques/T1017", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1016", + "technique": "System Network Configuration Discovery", + "url": "https://attack.mitre.org/techniques/T1016", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1015", + "technique": "Accessibility Features", + "url": "https://attack.mitre.org/techniques/T1015", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1014", + "technique": "Rootkit", + "url": "https://attack.mitre.org/techniques/T1014", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1013", + "technique": "Port Monitors", + "url": "https://attack.mitre.org/techniques/T1013", + "tactic": [ + "Persistence", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1012", + "technique": "Query Registry", + "url": 
"https://attack.mitre.org/techniques/T1012", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1011", + "technique": "Exfiltration Over Other Network Medium", + "url": "https://attack.mitre.org/techniques/T1011", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1010", + "technique": "Application Window Discovery", + "url": "https://attack.mitre.org/techniques/T1010", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1009", + "technique": "Binary Padding", + "url": "https://attack.mitre.org/techniques/T1009", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1008", + "technique": "Fallback Channels", + "url": "https://attack.mitre.org/techniques/T1008", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1007", + "technique": "System Service Discovery", + "url": "https://attack.mitre.org/techniques/T1007", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1006", + "technique": "File System Logical Offsets", + "url": "https://attack.mitre.org/techniques/T1006", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1005", + "technique": "Data from Local System", + "url": "https://attack.mitre.org/techniques/T1005", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1004", + "technique": "Winlogon Helper DLL", + "url": "https://attack.mitre.org/techniques/T1004", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1003", + "technique": "Credential Dumping", + "url": "https://attack.mitre.org/techniques/T1003", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1002", + "technique": "Data Compressed", + "url": "https://attack.mitre.org/techniques/T1002", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1001", + "technique": "Data Obfuscation", + "url": "https://attack.mitre.org/techniques/T1001", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1397", + "technique": "Spearphishing for Information", 
+ "url": "https://attack.mitre.org/techniques/T1397", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1307", + "technique": "Acquire and/or use 3rd party infrastructure services", + "url": "https://attack.mitre.org/techniques/T1307", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1275", + "technique": "Aggregate individual's digital footprint", + "url": "https://attack.mitre.org/techniques/T1275", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1294", + "technique": "Analyze hardware/software security defensive capabilities", + "url": "https://attack.mitre.org/techniques/T1294", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1295", + "technique": "Analyze social and business relationships, interests, and affiliations", + "url": "https://attack.mitre.org/techniques/T1295", + "tactic": [ + "People Weakness Identification" + ] + }, + { + "technique_id": "T1299", + "technique": "Assess opportunities created by business deals", + "url": "https://attack.mitre.org/techniques/T1299", + "tactic": [ + "Organizational Weakness Identification" + ] + }, + { + "technique_id": "T1228", + "technique": "Assign KITs/KIQs into categories", + "url": "https://attack.mitre.org/techniques/T1228", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1349", + "technique": "Build or acquire exploits", + "url": "https://attack.mitre.org/techniques/T1349", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1343", + "technique": "Choose pre-compromised persona and affiliated accounts", + "url": "https://attack.mitre.org/techniques/T1343", + "tactic": [ + "Persona Development" + ] + }, + { + "technique_id": "T1388", + "technique": "Compromise of externally facing system", + "url": "https://attack.mitre.org/techniques/T1388", + "tactic": [ + "Compromise" + ] + }, + { + "technique_id": "T1268", + "technique": "Conduct social 
engineering", + "url": "https://attack.mitre.org/techniques/T1268", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1345", + "technique": "Create custom payloads", + "url": "https://attack.mitre.org/techniques/T1345", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1382", + "technique": "DNS poisoning", + "url": "https://attack.mitre.org/techniques/T1382", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1284", + "technique": "Determine 3rd party infrastructure services", + "url": "https://attack.mitre.org/techniques/T1284", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1259", + "technique": "Determine external network trust dependencies", + "url": "https://attack.mitre.org/techniques/T1259", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1244", + "technique": "Determine secondary level tactical element", + "url": "https://attack.mitre.org/techniques/T1244", + "tactic": [ + "Target Selection" + ] + }, + { + "technique_id": "T1255", + "technique": "Discover target logon/email address format", + "url": "https://attack.mitre.org/techniques/T1255", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1286", + "technique": "Dumpster dive", + "url": "https://attack.mitre.org/techniques/T1286", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1377", + "technique": "Exploit public-facing application", + "url": "https://attack.mitre.org/techniques/T1377", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1365", + "technique": "Hardware or software supply chain implant", + "url": "https://attack.mitre.org/techniques/T1365", + "tactic": [ + "Stage Capabilities" + ] + }, + { + "technique_id": "T1272", + "technique": "Identify business relationships", + "url": "https://attack.mitre.org/techniques/T1272", + "tactic": [ + "People Information Gathering" + ] + }, + { 
+ "technique_id": "T1278", + "technique": "Identify job postings and needs/gaps", + "url": "https://attack.mitre.org/techniques/T1278", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1263", + "technique": "Identify security defensive capabilities", + "url": "https://attack.mitre.org/techniques/T1263", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1264", + "technique": "Identify technology usage patterns", + "url": "https://attack.mitre.org/techniques/T1264", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1252", + "technique": "Map network topology", + "url": "https://attack.mitre.org/techniques/T1252", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1316", + "technique": "Non-traditional or less attributable payment options", + "url": "https://attack.mitre.org/techniques/T1316", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1319", + "technique": "Obfuscate or encrypt code", + "url": "https://attack.mitre.org/techniques/T1319", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1281", + "technique": "Obtain templates/branding materials", + "url": "https://attack.mitre.org/techniques/T1281", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1335", + "technique": "Procure required equipment and software", + "url": "https://attack.mitre.org/techniques/T1335", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1351", + "technique": "Remote access tool development", + "url": "https://attack.mitre.org/techniques/T1351", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1395", + "technique": "Runtime code download and execution", + "url": "https://attack.mitre.org/techniques/T1395", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1367", + "technique": "Spear phishing messages with 
malicious attachments", + "url": "https://attack.mitre.org/techniques/T1367", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1371", + "technique": "Targeted client-side exploitation", + "url": "https://attack.mitre.org/techniques/T1371", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1357", + "technique": "Test malware in various execution environments", + "url": "https://attack.mitre.org/techniques/T1357", + "tactic": [ + "Test Capabilities" + ] + }, + { + "technique_id": "T1387", + "technique": "Unauthorized user introduces compromise delivery mechanism", + "url": "https://attack.mitre.org/techniques/T1387", + "tactic": [ + "Compromise" + ] + }, + { + "technique_id": "T1329", + "technique": "Acquire and/or use 3rd party infrastructure services", + "url": "https://attack.mitre.org/techniques/T1329", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1332", + "technique": "Acquire or compromise 3rd party signing certificates", + "url": "https://attack.mitre.org/techniques/T1332", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1287", + "technique": "Analyze data collected", + "url": "https://attack.mitre.org/techniques/T1287", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1303", + "technique": "Analyze presence of outsourced capabilities", + "url": "https://attack.mitre.org/techniques/T1303", + "tactic": [ + "Organizational Weakness Identification" + ] + }, + { + "technique_id": "T1224", + "technique": "Assess leadership areas of interest", + "url": "https://attack.mitre.org/techniques/T1224", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1238", + "technique": "Assign KITs, KIQs, and/or intelligence requirements", + "url": "https://attack.mitre.org/techniques/T1238", + "tactic": [ + "Priority Definition Direction" + ] + }, + { + "technique_id": "T1347", + "technique": "Build and configure delivery 
systems", + "url": "https://attack.mitre.org/techniques/T1347", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1391", + "technique": "Choose pre-compromised mobile app developer account credentials or signing keys", + "url": "https://attack.mitre.org/techniques/T1391", + "tactic": [ + "Persona Development" + ] + }, + { + "technique_id": "T1354", + "technique": "Compromise 3rd party or closed-source vulnerability/exploit information", + "url": "https://attack.mitre.org/techniques/T1354", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1279", + "technique": "Conduct social engineering", + "url": "https://attack.mitre.org/techniques/T1279", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1339", + "technique": "Create backup infrastructure", + "url": "https://attack.mitre.org/techniques/T1339", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1374", + "technique": "Credential pharming", + "url": "https://attack.mitre.org/techniques/T1374", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1230", + "technique": "Derive intelligence requirements", + "url": "https://attack.mitre.org/techniques/T1230", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1250", + "technique": "Determine domain and IP address space", + "url": "https://attack.mitre.org/techniques/T1250", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1282", + "technique": "Determine physical locations", + "url": "https://attack.mitre.org/techniques/T1282", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1350", + "technique": "Discover new exploits and monitor exploit-provider forums", + "url": "https://attack.mitre.org/techniques/T1350", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1326", + "technique": "Domain registration hijacking", + "url": 
"https://attack.mitre.org/techniques/T1326", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1261", + "technique": "Enumerate externally facing software applications technologies, languages, and dependencies", + "url": "https://attack.mitre.org/techniques/T1261", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1234", + "technique": "Generate analyst intelligence requirements", + "url": "https://attack.mitre.org/techniques/T1234", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1280", + "technique": "Identify business processes/tempo", + "url": "https://attack.mitre.org/techniques/T1280", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1248", + "technique": "Identify job postings and needs/gaps", + "url": "https://attack.mitre.org/techniques/T1248", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1348", + "technique": "Identify resources required to build capabilities", + "url": "https://attack.mitre.org/techniques/T1348", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1265", + "technique": "Identify supply chains", + "url": "https://attack.mitre.org/techniques/T1265", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1375", + "technique": "Leverage compromised 3rd party resources", + "url": "https://attack.mitre.org/techniques/T1375", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1315", + "technique": "Network-based hiding techniques", + "url": "https://attack.mitre.org/techniques/T1315", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1318", + "technique": "Obfuscate operational infrastructure", + "url": "https://attack.mitre.org/techniques/T1318", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1251", + "technique": "Obtain domain/IP registration information", + "url": 
"https://attack.mitre.org/techniques/T1251", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1305", + "technique": "Private whois services", + "url": "https://attack.mitre.org/techniques/T1305", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1235", + "technique": "Receive operator KITs/KIQs tasking", + "url": "https://attack.mitre.org/techniques/T1235", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1358", + "technique": "Review logs and residual traces", + "url": "https://attack.mitre.org/techniques/T1358", + "tactic": [ + "Test Capabilities" + ] + }, + { + "technique_id": "T1340", + "technique": "Shadow DNS", + "url": "https://attack.mitre.org/techniques/T1340", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1237", + "technique": "Submit KITs, KIQs, and intelligence requirements", + "url": "https://attack.mitre.org/techniques/T1237", + "tactic": [ + "Priority Definition Direction" + ] + }, + { + "technique_id": "T1356", + "technique": "Test callback functionality", + "url": "https://attack.mitre.org/techniques/T1356", + "tactic": [ + "Test Capabilities" + ] + }, + { + "technique_id": "T1361", + "technique": "Test signature detection for file upload/email filters", + "url": "https://attack.mitre.org/techniques/T1361", + "tactic": [ + "Test Capabilities" + ] + }, + { + "technique_id": "T1327", + "technique": "Use multiple DNS infrastructures", + "url": "https://attack.mitre.org/techniques/T1327", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1277", + "technique": "Acquire OSINT data sets and information", + "url": "https://attack.mitre.org/techniques/T1277", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1310", + "technique": "Acquire or compromise 3rd party signing certificates", + "url": "https://attack.mitre.org/techniques/T1310", + "tactic": [ + 
"Adversary Opsec" + ] + }, + { + "technique_id": "T1301", + "technique": "Analyze business processes", + "url": "https://attack.mitre.org/techniques/T1301", + "tactic": [ + "Organizational Weakness Identification" + ] + }, + { + "technique_id": "T1297", + "technique": "Analyze organizational skillsets and deficiencies", + "url": "https://attack.mitre.org/techniques/T1297", + "tactic": [ + "People Weakness Identification" + ] + }, + { + "technique_id": "T1236", + "technique": "Assess current holdings, needs, and wants", + "url": "https://attack.mitre.org/techniques/T1236", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1298", + "technique": "Assess vulnerability of 3rd party vendors", + "url": "https://attack.mitre.org/techniques/T1298", + "tactic": [ + "Organizational Weakness Identification" + ] + }, + { + "technique_id": "T1384", + "technique": "Automated system performs requested action", + "url": "https://attack.mitre.org/techniques/T1384", + "tactic": [ + "Compromise" + ] + }, + { + "technique_id": "T1352", + "technique": "C2 protocol development", + "url": "https://attack.mitre.org/techniques/T1352", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1334", + "technique": "Compromise 3rd party infrastructure to support delivery", + "url": "https://attack.mitre.org/techniques/T1334", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1253", + "technique": "Conduct passive scanning", + "url": "https://attack.mitre.org/techniques/T1253", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1383", + "technique": "Confirmation of launched compromise achieved", + "url": "https://attack.mitre.org/techniques/T1383", + "tactic": [ + "Compromise" + ] + }, + { + "technique_id": "T1231", + "technique": "Create strategic plan", + "url": "https://attack.mitre.org/techniques/T1231", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + 
"technique_id": "T1380", + "technique": "Deploy exploit using advertising", + "url": "https://attack.mitre.org/techniques/T1380", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1285", + "technique": "Determine centralization of IT management", + "url": "https://attack.mitre.org/techniques/T1285", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1242", + "technique": "Determine operational element", + "url": "https://attack.mitre.org/techniques/T1242", + "tactic": [ + "Target Selection" + ] + }, + { + "technique_id": "T1342", + "technique": "Develop social network persona digital footprint", + "url": "https://attack.mitre.org/techniques/T1342", + "tactic": [ + "Persona Development" + ] + }, + { + "technique_id": "T1323", + "technique": "Domain Generation Algorithms (DGA)", + "url": "https://attack.mitre.org/techniques/T1323", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1262", + "technique": "Enumerate client configurations", + "url": "https://attack.mitre.org/techniques/T1262", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1364", + "technique": "Friend/Follow/Connect to targets of interest", + "url": "https://attack.mitre.org/techniques/T1364", + "tactic": [ + "Stage Capabilities" + ] + }, + { + "technique_id": "T1233", + "technique": "Identify analyst level gaps", + "url": "https://attack.mitre.org/techniques/T1233", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1270", + "technique": "Identify groups/roles", + "url": "https://attack.mitre.org/techniques/T1270", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1271", + "technique": "Identify personnel with an authority/privilege", + "url": "https://attack.mitre.org/techniques/T1271", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1246", + "technique": "Identify supply chains", + "url": 
"https://attack.mitre.org/techniques/T1246", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1336", + "technique": "Install and configure hardware, network, and systems", + "url": "https://attack.mitre.org/techniques/T1336", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1322", + "technique": "Misattributable credentials", + "url": "https://attack.mitre.org/techniques/T1322", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1331", + "technique": "Obfuscate infrastructure", + "url": "https://attack.mitre.org/techniques/T1331", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1396", + "technique": "Obtain booter/stressor subscription", + "url": "https://attack.mitre.org/techniques/T1396", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1353", + "technique": "Post compromise tool development", + "url": "https://attack.mitre.org/techniques/T1353", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1239", + "technique": "Receive KITs/KIQs and determine requirements", + "url": "https://attack.mitre.org/techniques/T1239", + "tactic": [ + "Priority Definition Direction" + ] + }, + { + "technique_id": "T1290", + "technique": "Research visibility gap of security vendors", + "url": "https://attack.mitre.org/techniques/T1290", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1317", + "technique": "Secure and protect infrastructure", + "url": "https://attack.mitre.org/techniques/T1317", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1393", + "technique": "Test ability to evade automated mobile application security analysis performed by app stores", + "url": "https://attack.mitre.org/techniques/T1393", + "tactic": [ + "Test Capabilities" + ] + }, + { + "technique_id": "T1292", + "technique": "Test signature detection", + "url": 
"https://attack.mitre.org/techniques/T1292", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1362", + "technique": "Upload, install, and configure software/tools", + "url": "https://attack.mitre.org/techniques/T1362", + "tactic": [ + "Stage Capabilities" + ] + }, + { + "technique_id": "T1266", + "technique": "Acquire OSINT data sets and information", + "url": "https://attack.mitre.org/techniques/T1266", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1308", + "technique": "Acquire and/or use 3rd party software services", + "url": "https://attack.mitre.org/techniques/T1308", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1293", + "technique": "Analyze application security posture", + "url": "https://attack.mitre.org/techniques/T1293", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1300", + "technique": "Analyze organizational skillsets and deficiencies", + "url": "https://attack.mitre.org/techniques/T1300", + "tactic": [ + "Organizational Weakness Identification" + ] + }, + { + "technique_id": "T1306", + "technique": "Anonymity services", + "url": "https://attack.mitre.org/techniques/T1306", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1302", + "technique": "Assess security posture of physical locations", + "url": "https://attack.mitre.org/techniques/T1302", + "tactic": [ + "Organizational Weakness Identification" + ] + }, + { + "technique_id": "T1381", + "technique": "Authentication attempt", + "url": "https://attack.mitre.org/techniques/T1381", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1341", + "technique": "Build social network persona", + "url": "https://attack.mitre.org/techniques/T1341", + "tactic": [ + "Persona Development" + ] + }, + { + "technique_id": "T1321", + "technique": "Common, high volume protocols and software", + "url": "https://attack.mitre.org/techniques/T1321", + "tactic": [ + 
"Adversary Opsec" + ] + }, + { + "technique_id": "T1254", + "technique": "Conduct active scanning", + "url": "https://attack.mitre.org/techniques/T1254", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1249", + "technique": "Conduct social engineering", + "url": "https://attack.mitre.org/techniques/T1249", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1232", + "technique": "Create implementation plan", + "url": "https://attack.mitre.org/techniques/T1232", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1324", + "technique": "DNSCalc", + "url": "https://attack.mitre.org/techniques/T1324", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1260", + "technique": "Determine 3rd party infrastructure services", + "url": "https://attack.mitre.org/techniques/T1260", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1258", + "technique": "Determine firmware version", + "url": "https://attack.mitre.org/techniques/T1258", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1241", + "technique": "Determine strategic target", + "url": "https://attack.mitre.org/techniques/T1241", + "tactic": [ + "Target Selection" + ] + }, + { + "technique_id": "T1379", + "technique": "Disseminate removable media", + "url": "https://attack.mitre.org/techniques/T1379", + "tactic": [ + "Stage Capabilities" + ] + }, + { + "technique_id": "T1311", + "technique": "Dynamic DNS", + "url": "https://attack.mitre.org/techniques/T1311", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1325", + "technique": "Fast Flux DNS", + "url": "https://attack.mitre.org/techniques/T1325", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1314", + "technique": "Host-based hiding techniques", + "url": "https://attack.mitre.org/techniques/T1314", + "tactic": [ + "Adversary Opsec" + ] + }, + { + 
"technique_id": "T1283", + "technique": "Identify business relationships", + "url": "https://attack.mitre.org/techniques/T1283", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1267", + "technique": "Identify job postings and needs/gaps", + "url": "https://attack.mitre.org/techniques/T1267", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1274", + "technique": "Identify sensitive personnel information", + "url": "https://attack.mitre.org/techniques/T1274", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1389", + "technique": "Identify vulnerabilities in third-party software libraries", + "url": "https://attack.mitre.org/techniques/T1389", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1273", + "technique": "Mine social media", + "url": "https://attack.mitre.org/techniques/T1273", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1390", + "technique": "OS-vendor provided communication channels", + "url": "https://attack.mitre.org/techniques/T1390", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1313", + "technique": "Obfuscation or cryptography", + "url": "https://attack.mitre.org/techniques/T1313", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1247", + "technique": "Acquire OSINT data sets and information", + "url": "https://attack.mitre.org/techniques/T1247", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1346", + "technique": "Obtain/re-use payloads", + "url": "https://attack.mitre.org/techniques/T1346", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1330", + "technique": "Acquire and/or use 3rd party software services", + "url": "https://attack.mitre.org/techniques/T1330", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1288", + "technique": "Analyze 
architecture and configuration posture", + "url": "https://attack.mitre.org/techniques/T1288", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1304", + "technique": "Proxy/protocol relays", + "url": "https://attack.mitre.org/techniques/T1304", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1289", + "technique": "Analyze organizational skillsets and deficiencies", + "url": "https://attack.mitre.org/techniques/T1289", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1378", + "technique": "Replace legitimate binary with malware", + "url": "https://attack.mitre.org/techniques/T1378", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1229", + "technique": "Assess KITs/KIQs benefits", + "url": "https://attack.mitre.org/techniques/T1229", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1337", + "technique": "SSL certificate acquisition for domain", + "url": "https://attack.mitre.org/techniques/T1337", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1296", + "technique": "Assess targeting options", + "url": "https://attack.mitre.org/techniques/T1296", + "tactic": [ + "People Weakness Identification" + ] + }, + { + "technique_id": "T1386", + "technique": "Authorized user performs requested cyber action", + "url": "https://attack.mitre.org/techniques/T1386", + "tactic": [ + "Compromise" + ] + }, + { + "technique_id": "T1369", + "technique": "Spear phishing messages with malicious links", + "url": "https://attack.mitre.org/techniques/T1369", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1328", + "technique": "Buy domain name", + "url": "https://attack.mitre.org/techniques/T1328", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1366", + "technique": "Targeted social media phishing", + "url": "https://attack.mitre.org/techniques/T1366", + "tactic": [ + 
"Launch" + ] + }, + { + "technique_id": "T1312", + "technique": "Compromise 3rd party infrastructure to support delivery", + "url": "https://attack.mitre.org/techniques/T1312", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1359", + "technique": "Test malware to evade detection", + "url": "https://attack.mitre.org/techniques/T1359", + "tactic": [ + "Test Capabilities" + ] + }, + { + "technique_id": "T1226", + "technique": "Conduct cost/benefit analysis", + "url": "https://attack.mitre.org/techniques/T1226", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1376", + "technique": "Conduct social engineering or HUMINT operation", + "url": "https://attack.mitre.org/techniques/T1376", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1355", + "technique": "Create infected removable media", + "url": "https://attack.mitre.org/techniques/T1355", + "tactic": [ + "Build Capabilities" + ] + }, + { + "technique_id": "T1320", + "technique": "Data Hiding", + "url": "https://attack.mitre.org/techniques/T1320", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1245", + "technique": "Determine approach/attack vector", + "url": "https://attack.mitre.org/techniques/T1245", + "tactic": [ + "Target Selection" + ] + }, + { + "technique_id": "T1243", + "technique": "Determine highest level tactical element", + "url": "https://attack.mitre.org/techniques/T1243", + "tactic": [ + "Target Selection" + ] + }, + { + "technique_id": "T1227", + "technique": "Develop KITs/KIQs", + "url": "https://attack.mitre.org/techniques/T1227", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1394", + "technique": "Distribute malicious software development tools", + "url": "https://attack.mitre.org/techniques/T1394", + "tactic": [ + "Stage Capabilities" + ] + }, + { + "technique_id": "T1333", + "technique": "Dynamic DNS", + "url": "https://attack.mitre.org/techniques/T1333", + "tactic": [ + "Establish & 
Maintain Infrastructure" + ] + }, + { + "technique_id": "T1344", + "technique": "Friend/Follow/Connect to targets of interest", + "url": "https://attack.mitre.org/techniques/T1344", + "tactic": [ + "Persona Development" + ] + }, + { + "technique_id": "T1385", + "technique": "Human performs requested action of physical nature", + "url": "https://attack.mitre.org/techniques/T1385", + "tactic": [ + "Compromise" + ] + }, + { + "technique_id": "T1225", + "technique": "Identify gap areas", + "url": "https://attack.mitre.org/techniques/T1225", + "tactic": [ + "Priority Definition Planning" + ] + }, + { + "technique_id": "T1269", + "technique": "Identify people of interest", + "url": "https://attack.mitre.org/techniques/T1269", + "tactic": [ + "People Information Gathering" + ] + }, + { + "technique_id": "T1276", + "technique": "Identify supply chains", + "url": "https://attack.mitre.org/techniques/T1276", + "tactic": [ + "Organizational Information Gathering" + ] + }, + { + "technique_id": "T1256", + "technique": "Identify web defensive services", + "url": "https://attack.mitre.org/techniques/T1256", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1257", + "technique": "Mine technical blogs/forums", + "url": "https://attack.mitre.org/techniques/T1257", + "tactic": [ + "Technical Information Gathering" + ] + }, + { + "technique_id": "T1309", + "technique": "Obfuscate infrastructure", + "url": "https://attack.mitre.org/techniques/T1309", + "tactic": [ + "Adversary Opsec" + ] + }, + { + "technique_id": "T1392", + "technique": "Obtain Apple iOS enterprise distribution key pair and certificate", + "url": "https://attack.mitre.org/techniques/T1392", + "tactic": [ + "Persona Development" + ] + }, + { + "technique_id": "T1363", + "technique": "Port redirector", + "url": "https://attack.mitre.org/techniques/T1363", + "tactic": [ + "Stage Capabilities" + ] + }, + { + "technique_id": "T1373", + "technique": "Push-notification client-side exploit", 
+ "url": "https://attack.mitre.org/techniques/T1373", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1291", + "technique": "Research relevant vulnerabilities/CVEs", + "url": "https://attack.mitre.org/techniques/T1291", + "tactic": [ + "Technical Weakness Identification" + ] + }, + { + "technique_id": "T1338", + "technique": "SSL certificate acquisition for trust breaking", + "url": "https://attack.mitre.org/techniques/T1338", + "tactic": [ + "Establish & Maintain Infrastructure" + ] + }, + { + "technique_id": "T1368", + "technique": "Spear phishing messages with text only", + "url": "https://attack.mitre.org/techniques/T1368", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1240", + "technique": "Task requirements", + "url": "https://attack.mitre.org/techniques/T1240", + "tactic": [ + "Priority Definition Direction" + ] + }, + { + "technique_id": "T1360", + "technique": "Test physical access", + "url": "https://attack.mitre.org/techniques/T1360", + "tactic": [ + "Test Capabilities" + ] + }, + { + "technique_id": "T1370", + "technique": "Untargeted client-side exploitation", + "url": "https://attack.mitre.org/techniques/T1370", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1372", + "technique": "Unconditional client-side exploitation/Injected Website/Driveby", + "url": "https://attack.mitre.org/techniques/T1372", + "tactic": [ + "Launch" + ] + }, + { + "technique_id": "T1533", + "technique": "Data from Local System", + "url": "https://attack.mitre.org/techniques/T1533", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1532", + "technique": "Data Encrypted", + "url": "https://attack.mitre.org/techniques/T1532", + "tactic": [ + "Exfiltration" + ] + }, + { + "technique_id": "T1523", + "technique": "Evade Analysis Environment", + "url": "https://attack.mitre.org/techniques/T1523", + "tactic": [ + "Defense Evasion", + "Discovery" + ] + }, + { + "technique_id": "T1521", + "technique": "Standard Cryptographic Protocol", + 
"url": "https://attack.mitre.org/techniques/T1521", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1520", + "technique": "Domain Generation Algorithms", + "url": "https://attack.mitre.org/techniques/T1520", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1516", + "technique": "Input Injection", + "url": "https://attack.mitre.org/techniques/T1516", + "tactic": [ + "Defense Evasion", + "Impact" + ] + }, + { + "technique_id": "T1517", + "technique": "Access Notifications", + "url": "https://attack.mitre.org/techniques/T1517", + "tactic": [ + "Collection", + "Credential Access" + ] + }, + { + "technique_id": "T1512", + "technique": "Capture Camera", + "url": "https://attack.mitre.org/techniques/T1512", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1513", + "technique": "Screen Capture", + "url": "https://attack.mitre.org/techniques/T1513", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1509", + "technique": "Uncommonly Used Port", + "url": "https://attack.mitre.org/techniques/T1509", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1510", + "technique": "Clipboard Modification", + "url": "https://attack.mitre.org/techniques/T1510", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1508", + "technique": "Suppress Application Icon", + "url": "https://attack.mitre.org/techniques/T1508", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1507", + "technique": "Network Information Discovery", + "url": "https://attack.mitre.org/techniques/T1507", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1481", + "technique": "Web Service", + "url": "https://attack.mitre.org/techniques/T1481", + "tactic": [ + "Command And Control" + ] + }, + { + "technique_id": "T1476", + "technique": "Deliver Malicious App via Other Means", + "url": "https://attack.mitre.org/techniques/T1476", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1475", 
+ "technique": "Deliver Malicious App via Authorized App Store", + "url": "https://attack.mitre.org/techniques/T1475", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1474", + "technique": "Supply Chain Compromise", + "url": "https://attack.mitre.org/techniques/T1474", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1477", + "technique": "Exploit via Radio Interfaces", + "url": "https://attack.mitre.org/techniques/T1477", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1478", + "technique": "Install Insecure or Malicious Configuration", + "url": "https://attack.mitre.org/techniques/T1478", + "tactic": [ + "Defense Evasion", + "Initial Access" + ] + }, + { + "technique_id": "T1444", + "technique": "Masquerade as Legitimate Application", + "url": "https://attack.mitre.org/techniques/T1444", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1443", + "technique": "Remotely Install Application", + "url": "https://attack.mitre.org/techniques/T1443", + "tactic": [] + }, + { + "technique_id": "T1411", + "technique": "Input Prompt", + "url": "https://attack.mitre.org/techniques/T1411", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1424", + "technique": "Process Discovery", + "url": "https://attack.mitre.org/techniques/T1424", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1421", + "technique": "System Network Connections Discovery", + "url": "https://attack.mitre.org/techniques/T1421", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1437", + "technique": "Standard Application Layer Protocol", + "url": "https://attack.mitre.org/techniques/T1437", + "tactic": [ + "Command And Control", + "Exfiltration" + ] + }, + { + "technique_id": "T1422", + "technique": "System Network Configuration Discovery", + "url": "https://attack.mitre.org/techniques/T1422", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1406", + "technique": "Obfuscated Files or 
Information", + "url": "https://attack.mitre.org/techniques/T1406", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1416", + "technique": "Android Intent Hijacking", + "url": "https://attack.mitre.org/techniques/T1416", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1447", + "technique": "Delete Device Data", + "url": "https://attack.mitre.org/techniques/T1447", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1398", + "technique": "Modify OS Kernel or Boot Partition", + "url": "https://attack.mitre.org/techniques/T1398", + "tactic": [ + "Defense Evasion", + "Persistence" + ] + }, + { + "technique_id": "T1400", + "technique": "Modify System Partition", + "url": "https://attack.mitre.org/techniques/T1400", + "tactic": [ + "Defense Evasion", + "Persistence", + "Impact" + ] + }, + { + "technique_id": "T1425", + "technique": "Insecure Third-Party Libraries", + "url": "https://attack.mitre.org/techniques/T1425", + "tactic": [] + }, + { + "technique_id": "T1402", + "technique": "App Auto-Start at Device Boot", + "url": "https://attack.mitre.org/techniques/T1402", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1401", + "technique": "Abuse Device Administrator Access to Prevent Removal", + "url": "https://attack.mitre.org/techniques/T1401", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1404", + "technique": "Exploit OS Vulnerability", + "url": "https://attack.mitre.org/techniques/T1404", + "tactic": [ + "Privilege Escalation" + ] + }, + { + "technique_id": "T1403", + "technique": "Modify Cached Executable Code", + "url": "https://attack.mitre.org/techniques/T1403", + "tactic": [ + "Persistence" + ] + }, + { + "technique_id": "T1442", + "technique": "Fake Developer Accounts", + "url": "https://attack.mitre.org/techniques/T1442", + "tactic": [] + }, + { + "technique_id": "T1419", + "technique": "Device Type Discovery", + "url": "https://attack.mitre.org/techniques/T1419", + "tactic": [ + 
"Discovery" + ] + }, + { + "technique_id": "T1418", + "technique": "Application Discovery", + "url": "https://attack.mitre.org/techniques/T1418", + "tactic": [ + "Defense Evasion", + "Discovery" + ] + }, + { + "technique_id": "T1417", + "technique": "Input Capture", + "url": "https://attack.mitre.org/techniques/T1417", + "tactic": [ + "Collection", + "Credential Access" + ] + }, + { + "technique_id": "T1438", + "technique": "Alternate Network Mediums", + "url": "https://attack.mitre.org/techniques/T1438", + "tactic": [ + "Command And Control", + "Exfiltration" + ] + }, + { + "technique_id": "T1423", + "technique": "Network Service Scanning", + "url": "https://attack.mitre.org/techniques/T1423", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1440", + "technique": "Detect App Analysis Environment", + "url": "https://attack.mitre.org/techniques/T1440", + "tactic": [] + }, + { + "technique_id": "T1439", + "technique": "Eavesdrop on Insecure Network Communication", + "url": "https://attack.mitre.org/techniques/T1439", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1464", + "technique": "Jamming or Denial of Service", + "url": "https://attack.mitre.org/techniques/T1464", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1463", + "technique": "Manipulate Device Communication", + "url": "https://attack.mitre.org/techniques/T1463", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1462", + "technique": "Malicious Software Development Tools", + "url": "https://attack.mitre.org/techniques/T1462", + "tactic": [] + }, + { + "technique_id": "T1461", + "technique": "Lockscreen Bypass", + "url": "https://attack.mitre.org/techniques/T1461", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1460", + "technique": "Biometric Spoofing", + "url": "https://attack.mitre.org/techniques/T1460", + "tactic": [] + }, + { + "technique_id": "T1459", + "technique": "Device Unlock Code Guessing or Brute Force", + 
"url": "https://attack.mitre.org/techniques/T1459", + "tactic": [] + }, + { + "technique_id": "T1458", + "technique": "Exploit via Charging Station or PC", + "url": "https://attack.mitre.org/techniques/T1458", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1405", + "technique": "Exploit TEE Vulnerability", + "url": "https://attack.mitre.org/techniques/T1405", + "tactic": [ + "Credential Access", + "Privilege Escalation" + ] + }, + { + "technique_id": "T1467", + "technique": "Rogue Cellular Base Station", + "url": "https://attack.mitre.org/techniques/T1467", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1420", + "technique": "File and Directory Discovery", + "url": "https://attack.mitre.org/techniques/T1420", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1466", + "technique": "Downgrade to Insecure Protocols", + "url": "https://attack.mitre.org/techniques/T1466", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1465", + "technique": "Rogue Wi-Fi Access Points", + "url": "https://attack.mitre.org/techniques/T1465", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1468", + "technique": "Remotely Track Device Without Authorization", + "url": "https://attack.mitre.org/techniques/T1468", + "tactic": [ + "Remote Service Effects" + ] + }, + { + "technique_id": "T1435", + "technique": "Access Calendar Entries", + "url": "https://attack.mitre.org/techniques/T1435", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1451", + "technique": "SIM Card Swap", + "url": "https://attack.mitre.org/techniques/T1451", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1414", + "technique": "Capture Clipboard Data", + "url": "https://attack.mitre.org/techniques/T1414", + "tactic": [ + "Collection", + "Credential Access" + ] + }, + { + "technique_id": "T1457", + "technique": "Malicious Media Content", + "url": "https://attack.mitre.org/techniques/T1457", + "tactic": [] + 
}, + { + "technique_id": "T1426", + "technique": "System Information Discovery", + "url": "https://attack.mitre.org/techniques/T1426", + "tactic": [ + "Discovery" + ] + }, + { + "technique_id": "T1472", + "technique": "Generate Fraudulent Advertising Revenue", + "url": "https://attack.mitre.org/techniques/T1472", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1399", + "technique": "Modify Trusted Execution Environment", + "url": "https://attack.mitre.org/techniques/T1399", + "tactic": [ + "Defense Evasion", + "Persistence" + ] + }, + { + "technique_id": "T1470", + "technique": "Obtain Device Cloud Backups", + "url": "https://attack.mitre.org/techniques/T1470", + "tactic": [ + "Remote Service Effects" + ] + }, + { + "technique_id": "T1446", + "technique": "Device Lockout", + "url": "https://attack.mitre.org/techniques/T1446", + "tactic": [ + "Impact", + "Defense Evasion" + ] + }, + { + "technique_id": "T1415", + "technique": "URL Scheme Hijacking", + "url": "https://attack.mitre.org/techniques/T1415", + "tactic": [ + "Credential Access" + ] + }, + { + "technique_id": "T1413", + "technique": "Access Sensitive Data in Device Logs", + "url": "https://attack.mitre.org/techniques/T1413", + "tactic": [ + "Collection", + "Credential Access" + ] + }, + { + "technique_id": "T1436", + "technique": "Commonly Used Port", + "url": "https://attack.mitre.org/techniques/T1436", + "tactic": [ + "Command And Control", + "Exfiltration" + ] + }, + { + "technique_id": "T1445", + "technique": "Abuse of iOS Enterprise App Signing Key", + "url": "https://attack.mitre.org/techniques/T1445", + "tactic": [] + }, + { + "technique_id": "T1412", + "technique": "Capture SMS Messages", + "url": "https://attack.mitre.org/techniques/T1412", + "tactic": [ + "Collection", + "Credential Access" + ] + }, + { + "technique_id": "T1409", + "technique": "Access Stored Application Data", + "url": "https://attack.mitre.org/techniques/T1409", + "tactic": [ + "Collection", + "Credential Access" + ] + 
}, + { + "technique_id": "T1410", + "technique": "Network Traffic Capture or Redirection", + "url": "https://attack.mitre.org/techniques/T1410", + "tactic": [ + "Collection", + "Credential Access" + ] + }, + { + "technique_id": "T1407", + "technique": "Download New Code at Runtime", + "url": "https://attack.mitre.org/techniques/T1407", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1408", + "technique": "Disguise Root/Jailbreak Indicators", + "url": "https://attack.mitre.org/techniques/T1408", + "tactic": [ + "Defense Evasion" + ] + }, + { + "technique_id": "T1427", + "technique": "Attack PC via USB Connection", + "url": "https://attack.mitre.org/techniques/T1427", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1428", + "technique": "Exploit Enterprise Resources", + "url": "https://attack.mitre.org/techniques/T1428", + "tactic": [ + "Lateral Movement" + ] + }, + { + "technique_id": "T1429", + "technique": "Capture Audio", + "url": "https://attack.mitre.org/techniques/T1429", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1430", + "technique": "Location Tracking", + "url": "https://attack.mitre.org/techniques/T1430", + "tactic": [ + "Collection", + "Discovery" + ] + }, + { + "technique_id": "T1431", + "technique": "App Delivered via Web Download", + "url": "https://attack.mitre.org/techniques/T1431", + "tactic": [] + }, + { + "technique_id": "T1432", + "technique": "Access Contact List", + "url": "https://attack.mitre.org/techniques/T1432", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1433", + "technique": "Access Call Log", + "url": "https://attack.mitre.org/techniques/T1433", + "tactic": [ + "Collection" + ] + }, + { + "technique_id": "T1434", + "technique": "App Delivered via Email Attachment", + "url": "https://attack.mitre.org/techniques/T1434", + "tactic": [] + }, + { + "technique_id": "T1471", + "technique": "Data Encrypted for Impact", + "url": 
"https://attack.mitre.org/techniques/T1471", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1450", + "technique": "Exploit SS7 to Track Device Location", + "url": "https://attack.mitre.org/techniques/T1450", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1473", + "technique": "Malicious or Vulnerable Built-in Device Functionality", + "url": "https://attack.mitre.org/techniques/T1473", + "tactic": [] + }, + { + "technique_id": "T1448", + "technique": "Premium SMS Toll Fraud", + "url": "https://attack.mitre.org/techniques/T1448", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1453", + "technique": "Abuse Accessibility Features", + "url": "https://attack.mitre.org/techniques/T1453", + "tactic": [ + "Collection", + "Credential Access", + "Impact", + "Defense Evasion" + ] + }, + { + "technique_id": "T1454", + "technique": "Malicious SMS Message", + "url": "https://attack.mitre.org/techniques/T1454", + "tactic": [] + }, + { + "technique_id": "T1469", + "technique": "Remotely Wipe Data Without Authorization", + "url": "https://attack.mitre.org/techniques/T1469", + "tactic": [ + "Remote Service Effects" + ] + }, + { + "technique_id": "T1452", + "technique": "Manipulate App Store Rankings or Ratings", + "url": "https://attack.mitre.org/techniques/T1452", + "tactic": [ + "Impact" + ] + }, + { + "technique_id": "T1455", + "technique": "Exploit Baseband Vulnerability", + "url": "https://attack.mitre.org/techniques/T1455", + "tactic": [] + }, + { + "technique_id": "T1456", + "technique": "Drive-by Compromise", + "url": "https://attack.mitre.org/techniques/T1456", + "tactic": [ + "Initial Access" + ] + }, + { + "technique_id": "T1449", + "technique": "Exploit SS7 to Redirect Phone Calls/SMS", + "url": "https://attack.mitre.org/techniques/T1449", + "tactic": [ + "Network Effects" + ] + }, + { + "technique_id": "T1441", + "technique": "Stolen Developer Credentials or Signing Keys", + "url": "https://attack.mitre.org/techniques/T1441", + 
"tactic": []
+ }
+]
\ No newline at end of file
diff --git a/tools/config/netwitness.yml b/tools/config/netwitness.yml
new file mode 100644
index 000000000..e4123d546
--- /dev/null
+++ b/tools/config/netwitness.yml
@@ -0,0 +1,92 @@
+title: NetWitness
+order: 20
+backends:
+ - netwitness
+logsources:
+ linux:
+ product: linux
+ conditions:
+ device.class: rhlinux
+ linux-sshd:
+ product: linux
+ service: sshd
+ conditions:
+ device.class: rhlinux
+ client: sshd
+ linux-auth:
+ product: linux
+ service: auth
+ conditions:
+ device.class: rhlinux
+ linux-clamav:
+ product: linux
+ service: clamav
+ conditions:
+ device.class: rhlinux
+ windows-sys:
+ product: windows
+ service: sysmon
+ conditions:
+ device.type: winevent_nic
+ event.source: microsoft-windows-security-auditing
+ windows-power:
+ product: windows
+ service: powershell
+ conditions:
+ device.type: winevent_nic
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ device.type: winevent_nic
+ event.source: microsoft-windows-dhcp-server
+ windows-sec:
+ product: windows
+ service: security
+ conditions:
+ device.type: winevent_nic
+ event.source: microsoft-windows-security-auditing
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ device.type: winevent_nic
+fieldmappings:
+ dst:
+ - ip.dst
+ dst_ip:
+ - ip.dst
+ src:
+ - ip.src
+ src_ip:
+ - ip.src
+ DestinationPort:
+ - ip.dstport
+ EventID:
+ - reference.id
+ NewProcessName:
+ - process
+ LogonType:
+ - logon.type
+ AccountName:
+ - user.dst
+ c-uri-extension:
+ - extension
+ c-useragent:
+ - user.agent
+ r-dns:
+ - alias.host
+ DestinationHostname:
+ - alias.host
+ cs-host:
+ - alias.host
+ c-uri-query:
+ - web.page
+ c-uri:
+ - web.page
+ cs-method:
+ - action
+ cs-cookie:
+ - web.cookie
+ SubjectUserName:
+ - user.dst
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
new file mode 100644
index 000000000..5cb0ea758
--- /dev/null
+++ b/tools/config/powershell.yml
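Review bot: The `windows-sys` entry for `service: sysmon` conditions on `event.source: microsoft-windows-security-auditing`, the identical value used by `windows-sec`; Sysmon events are not emitted by the Security-Auditing provider, so every Sysmon-based rule rendered with this config would be pinned to Security log events and silently match nothing. This looks like a copy-paste of the `windows-sec` block; the value should be the Sysmon provider as NetWitness normalises it, e.g. `event.source: <sysmon-event-source-placeholder>`, verified against the parser's meta keys. Separately, both `SubjectUserName` and `AccountName` map to `user.dst`; in Security events SubjectUserName is the acting account, which NetWitness more usually exposes as `user.src`, so rules that distinguish subject from target user would collapse onto one field — worth confirming. The `c-uri` and `c-uri-query` keys also both resolve to `web.page`, which loses the distinction a rule may depend on.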
@@ -0,0 +1,71 @@
+title: Logsource to LogName mappings for PowerShell backend
+order: 20
+backends:
+ - powershell
+logsources:
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ LogName: 'Application'
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ LogName: 'Security'
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ LogName: 'System'
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ LogName: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ LogName: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ LogName: 'Windows PowerShell'
+ windows-taskscheduler:
+ product: windows
+ service: taskscheduler
+ conditions:
+ LogName: 'Microsoft-Windows-TaskScheduler/Operational'
+ windows-wmi:
+ product: windows
+ service: wmi
+ conditions:
+ LogName: 'Microsoft-Windows-WMI-Activity/Operational'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ category: dns
+ conditions:
+ LogName: 'DNS Server'
+ windows-dns-server-audit:
+ product: windows
+ service: dns-server-audit
+ conditions:
+ LogName: 'Microsoft-Windows-DNS-Server/Audit'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ LogName: 'Microsoft-Windows-NTLM/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ LogName: 'Microsoft-Windows-DHCP-Server/Operational'
diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml
new file mode 100644
index 000000000..df9d7bf55
--- /dev/null
+++ b/tools/config/qradar.yml
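Review bot: `windows-dns-server` is the only entry that declares both `service: dns-server` and `category: dns`, while every other entry keys on product + service alone; if the loader requires all listed logsource attributes to match (which is how sigmac behaves, as far as I can tell), a rule written with `service: dns-server` but no `category` would receive no `LogName` condition at all and the generated query would search every log. Either drop `category: dns` or split it into its own entry, mirroring how `windows-dns-server-audit` is defined with a single attribute set. A header comment such as `# one product/service (or category) set per entry; a rule must match every attribute listed here` would document the contract for the next addition.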
@@ -0,0 +1,77 @@ +title: QRadar +backends: + - qradar +order: 20 +logsources: + apache: + product: apache + conditions: + LOGSOURCETYPENAME(devicetype): ilike '%apache%' + + windows: + product: windows + conditions: + LOGSOURCETYPENAME(devicetype): 'Microsoft Windows Security Event Log' + + qflow: + product: qflow + index: flows + + netflow: + product: netflow + index: flows + + ipfix: + product: ipfix + index: flows + + flow: + category: flow + index: flows + +fieldmappings: +<<<<<<< HEAD + EventID: + - Event ID Code + dst: + - destinationIP + dst_ip: + - destinationIP + src: + - sourceIP + src_ip: + - sourceIP + c-ip: sourceIP + cs-ip: sourceIP + cs-uri: url + c-uri: sourceIP + c-uri-extension: file_extension + UserAgent: user_agent + c-uri-query: uri_query + HttpMethod: Method + URL: URL + r-dns: FQDN + ClientIP: sourceIP + ServiceFileName: Service Name +======= + EventID: + - Event ID Code + dst: + - destinationIP + dst_ip: + - destinationIP + src: + - sourceIP + src_ip: + - sourceIP + c-ip: sourceIP + cs-ip: sourceIP + c-uri: url + c-uri-extension: file_extension + c-useragent: user_agent + c-uri-query: uri_query + cs-method: Method + r-dns: FQDN + ClientIP: sourceIP + ServiceFileName: Service Name +>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c diff --git a/tools/config/qualys.yml b/tools/config/qualys.yml new file mode 100644 index 000000000..a5cf1d924 --- /dev/null +++ b/tools/config/qualys.yml @@ -0,0 +1,20 @@ +title: Qualys +order: 20 +backends: + - qualys +fieldmappings: + dst: + - network.remote.address.ip + dst_ip: + - network.remote.address.ip + src: + - network.local.address.ip + src_ip: + - network.local.address.ip + file_hash: + - file.hash.md5 + - file.hash.sha256 + NewProcessName: process.name + ServiceName: process.name + ServiceFileName: process.name + TargetObject: registry.path diff --git a/tools/config/splunk-windows-index.yml b/tools/config/splunk-windows-index.yml new file mode 100644 index 000000000..cf1959abf --- /dev/null 
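Review bot: qradar.yml is committed with unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 9e86170…`) inside `fieldmappings`, so the file is not valid YAML and sigmac will fail to load it for every QRadar conversion. The HEAD side also maps `c-uri: sourceIP`, which sends a rule's URI match against the source-IP column, whereas the incoming side maps `c-uri: url` and uses the Sigma-standard `c-useragent`/`cs-method` names, so the incoming side is the one to keep. Resolve by deleting the three markers and the HEAD block, leaving `c-uri: url`, `c-useragent: user_agent`, `cs-method: Method`. The whole hunk is in view.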
+++ b/tools/config/splunk-windows-index.yml
@@ -0,0 +1,11 @@
+title: Splunk Windows index and EventID field mapping
+order: 20
+backends:
+ - splunk
+ - splunkxml
+logsources:
+ windows:
+ product: windows
+ index: windows
+fieldmappings:
+ EventID: EventCode
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
new file mode 100644
index 000000000..f1373489e
--- /dev/null
+++ b/tools/config/splunk-windows.yml
@@ -0,0 +1,74 @@ +title: Splunk Windows log source conditions +order: 20 +backends: + - splunk + - splunkxml +logsources: + windows-application: + product: windows + service: application + conditions: + source: 'WinEventLog:Application' + windows-security: + product: windows + service: security + conditions: + source: 'WinEventLog:Security' + windows-system: + product: windows + service: system + conditions: + source: 'WinEventLog:System' + windows-sysmon: + product: windows + service: sysmon + conditions: + source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + source: 'WinEventLog:Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + source: 'Windows PowerShell' + windows-taskscheduler: + product: windows + service: taskscheduler + conditions: + source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' + windows-wmi: + product: windows + service: wmi + conditions: + source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + windows-dns-server: + product: windows + service: dns-server + category: dns + conditions: + source: 'DNS Server' + windows-dns-server-audit: + product: windows + service: dns-server-audit + conditions: + source: 'Microsoft-Windows-DNS-Server/Audit' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + source: 'Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' +fieldmappings: + EventID: EventCode diff --git a/tools/config/splunk-zeek.yml b/tools/config/splunk-zeek.yml new file mode 100644 index 000000000..1653f329c --- /dev/null +++ b/tools/config/splunk-zeek.yml 
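Review bot: The `source` conditions are inconsistent: the first five entries use the `WinEventLog:` prefix (`source: 'WinEventLog:Security'`) while `windows-classicpowershell`, `windows-dns-server`, `windows-dns-server-audit`, `windows-driver-framework`, `windows-ntlm` and `windows-dhcp` use the bare channel name. Splunk's Windows event log input sets `source` to `WinEventLog:<channel>`, so unless those channels are collected by a differently configured input the generated searches for PowerShell-classic, DNS, NTLM, DHCP and driver-framework rules presumably return nothing — confirm against the indexed data. If the prefix is intended everywhere, change them to e.g. `source: 'WinEventLog:Windows PowerShell'` and `source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'`; if the bare names are deliberate, a comment naming the input that produces them would stop the next reader from "fixing" it. The whole hunk is in view.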
@@ -0,0 +1,46 @@
+title: Splunk Zeek sourcetype mappings
+order: 20
+backends:
+ - splunk
+ - splunkxml
+logsources:
+ zeek-conn:
+ product: zeek
+ service: conn
+ conditions:
+ sourcetype: 'bro:conn:json'
+ zeek-dns:
+ product: zeek
+ service: dns
+ conditions:
+ sourcetype: 'bro:dns:json'
+ zeek-files:
+ product: zeek
+ service: files
+ conditions:
+ sourcetype: 'bro:files:json'
+ zeek-kerberos:
+ product: zeek
+ service: kerberos
+ conditions:
+ sourcetype: 'bro:kerberos:json'
+ zeek-http:
+ product: zeek
+ service: http
+ conditions:
+ sourcetype: 'bro:http:json'
+ zeek-rdp:
+ product: zeek
+ service: rdp
+ conditions:
+ sourcetype: 'bro:rdp:json'
+ zeek-ssl:
+ product: zeek
+ service: ssl
+ conditions:
+ sourcetype: 'bro:ssl:json'
+ zeek-x509:
+ product: zeek
+ service: x509
+ conditions:
+ sourcetype: 'bro:x509:json'
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
new file mode 100644
index 000000000..297fb9ed6
--- /dev/null
+++ b/tools/config/sumologic.yml
@@ -0,0 +1,110 @@ +title: SumoLogic +order: 20 +backends: + - sumologic +# Sumulogic mapping depends on customer configuration. Adapt to your context! +# typically rule on _sourceCategory, _index or Field Extraction Rules (FER) +# supposing existing FER for service, EventChannel, EventID +logsources: + unix: + product: unix + index: UNIX + linux: + product: linux + index: LINUX + linux-sshd: + product: linux + service: sshd + index: LINUX + linux-auth: + product: linux + service: auth + index: LINUX + linux-clamav: + product: linux + service: clamav + index: LINUX + windows: + product: windows + index: WINDOWS + windows-sysmon: + product: windows + service: sysmon + conditions: + EventChannel: Microsoft-Windows-Sysmon + index: WINDOWS + windows-security: + product: windows + service: security + conditions: + EventChannel: Security + index: WINDOWS + windows-powershell: + product: windows + service: powershell + conditions: + EventChannel: Microsoft-Windows-Powershell + index: WINDOWS + windows-system: + product: windows + service: system + conditions: + EventChannel: System + index: WINDOWS + windows-dhcp: + product: windows + service: dhcp + conditions: + EventChannel: Microsoft-Windows-DHCP-Server + index: WINDOWS + apache: + product: apache + service: apache + index: WEBSERVER + apache2: + product: apache + index: WEBSERVER + webserver: + category: webserver + index: WEBSERVER + firewall: + category: firewall + index: FIREWALL + firewall2: + product: firewall + index: FIREWALL + network-dns: + category: dns + index: DNS + network-dns2: + product: dns + index: DNS + proxy: + category: proxy + index: PROXY + antivirus: + product: antivirus + index: ANTIVIRUS + application-sql: + product: sql + index: DATABASE + application-python: + product: python + index: APPLICATIONS + application-django: + product: django + index: DJANGO + application-rails: + product: rails + index: RAILS +<<<<<<< HEAD + application-rails: + category: application + product: ruby_on_rails + 
index: RAILS +======= +>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c + application-spring: + product: spring + index: SPRING +# if no index, search in all indexes diff --git a/tools/config/thor.yml b/tools/config/thor.yml new file mode 100644 index 000000000..7cfe52993 --- /dev/null +++ b/tools/config/thor.yml 
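Review bot: sumologic.yml ships with conflict markers inside `logsources`, and the HEAD side adds a second `application-rails` key; the markers break YAML parsing outright, and once they are removed a duplicate mapping key is silently resolved by PyYAML to the last definition, so one of the two rails entries disappears without warning. The two entries are not equivalent — `product: rails` versus `category: application` + `product: ruby_on_rails` — so keep both under distinct keys, e.g. `application-ruby-on-rails:` with `category: application`, `product: ruby_on_rails`, `index: RAILS`, and drop the three markers. While here, the header comment `# Sumulogic mapping depends on customer configuration` should read `# SumoLogic mapping …`. The hunk starts on the previous line.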
@@ -0,0 +1,90 @@ +title: THOR +order: 20 +backends: + - thor +# this configuration differs from other configurations and can not be used +# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK. +logsources: + # log source configurations for generic sigma rules + process_creation_1: + category: process_creation + product: windows + conditions: + EventID: 1 + rewrite: + product: windows + service: sysmon + process_creation_2: + category: process_creation + product: windows + conditions: + EventID: 4688 + rewrite: + product: windows + service: security + fieldmappings: + Image: NewProcessName + ParentImage: ParentProcessName + # target system configurations + windows-application: + product: windows + service: application + sources: + - 'WinEventLog:Application' + windows-security: + product: windows + service: security + sources: + - 'WinEventLog:Security' + windows-system: + product: windows + service: system + sources: + - 'WinEventLog:System' + windows-sysmon: + product: windows + service: sysmon + sources: + - 'WinEventLog:Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + sources: + - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' + windows-taskscheduler: + product: windows + service: taskscheduler + sources: + - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' + windows-wmi: + product: windows + service: wmi + sources: + - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + windows-dhcp: + product: windows + service: dhcp + sources: + - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' + apache: + category: webserver + sources: + - 'File:/var/log/apache/*.log' + - 'File:/var/log/apache2/*.log' + - 'File:/var/log/httpd/*.log' + linux-auth: + product: linux + service: auth + sources: + - 'File:/var/log/auth.log' + - 'File:/var/log/auth.log.?' 
+ linux-syslog: + product: linux + service: syslog + sources: + - 'File:/var/log/syslog' + - 'File:/var/log/syslog.?' + logfiles: + category: logfile + sources: + - 'File:*.log' diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml new file mode 100644 index 000000000..a51d409fe --- /dev/null +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -0,0 +1,215 @@ +title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules +order: 20 +backends: + - es-qs + - es-dsl +<<<<<<< HEAD +======= + - es-rule +>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c + - kibana + - xpack-watcher + - elastalert + - elastalert-dsl +<<<<<<< HEAD +======= + - elasticsearch-rule +>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c +logsources: + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + winlog.channel: Application + windows-security: + product: windows + service: security + conditions: + winlog.channel: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-dns-server: + product: windows + service: dns-server + conditions: + winlog.channel: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational' +defaultindex: winlogbeat-* +# Extract all field names qith yq: +# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' +# Keep EventID! Clean up the list afterwards! 
+fieldmappings: +<<<<<<< HEAD + EventID: winlog.event_id + AccessMask: winlog.event_data.AccessMask + AccountName: winlog.event_data.AccountName + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallingProcessName: winlog.event_data.CallingProcessName + CallTrace: winlog.event_data.CallTrace + CommandLine: process.args + ComputerName: winlog.ComputerName + CurrentDirectory: process.working_directory + Description: winlog.event_data.Description + DestinationHostname: destination.domain + DestinationIp: destination.ip + #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + DestinationPort: destination.port + DestinationPortName: network.protocol + Details: winlog.event_data.Details + EngineVersion: winlog.event_data.EngineVersion + EventType: winlog.event_data.EventType + FailureCode: winlog.event_data.FailureCode + FileName: file.path + GrantedAccess: winlog.event_data.GrantedAccess + GroupName: winlog.event_data.GroupName + GroupSid: winlog.event_data.GroupSid + Hashes: winlog.event_data.Hashes + HiveName: winlog.event_data.HiveName + HostVersion: winlog.event_data.HostVersion + Image: process.executable + ImageLoaded: file.path + ImagePath: winlog.event_data.ImagePath + Imphash: winlog.event_data.Imphash + IpAddress: source.ip + IpPort: source.port + KeyLength: winlog.event_data.KeyLength + LogonProcessName: winlog.event_data.LogonProcessName + LogonType: winlog.event_data.LogonType + NewProcessName: winlog.event_data.NewProcessName + ObjectClass: winlog.event_data.ObjectClass + ObjectName: winlog.event_data.ObjectName + ObjectType: winlog.event_data.ObjectType + 
ObjectValueName: winlog.event_data.ObjectValueName + ParentCommandLine: process.parent.args + ParentProcessName: process.parent.name + ParentImage: process.parent.executable + Path: winlog.event_data.Path + PipeName: file.name + ProcessCommandLine: winlog.event_data.ProcessCommandLine + ProcessName: process.executable + Properties: winlog.event_data.Properties + SecurityID: winlog.event_data.SecurityID + ServiceFileName: winlog.event_data.ServiceFileName + ServiceName: winlog.event_data.ServiceName + ShareName: winlog.event_data.ShareName + Signature: winlog.event_data.Signature + Source: winlog.event_data.Source + SourceHostname: source.domain + SourceImage: process.executable + SourceIp: source.ip + SourcePort: source.port + #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + StartModule: winlog.event_data.StartModule + Status: winlog.event_data.Status + SubjectDomainName: user.domain + SubjectUserName: user.name + SubjectUserSid: user.id + TargetFilename: file.path + TargetImage: winlog.event_data.TargetImage + TargetObject: winlog.event_data.TargetObject + TicketEncryptionType: winlog.event_data.TicketEncryptionType + TicketOptions: winlog.event_data.TicketOptions + TargetDomainName: user.domain + TargetUserName: user.name + TargetUserSid: user.id + User: user.name + WorkstationName: source.domain +======= + EventID: winlog.event_id + AccessMask: winlog.event_data.AccessMask + AccountName: winlog.event_data.AccountName + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallingProcessName: winlog.event_data.CallingProcessName + CallTrace: winlog.event_data.CallTrace + 
CommandLine: process.args + ComputerName: winlog.computer_name + ContextInfo: winlog.event_data.ContextInfo + CurrentDirectory: process.working_directory + Description: winlog.event_data.Description + DestinationHostname: destination.domain + DestinationIp: destination.ip + #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + DestinationPort: destination.port + DestinationPortName: network.protocol + Details: winlog.event_data.Details + EngineVersion: winlog.event_data.EngineVersion + EventType: winlog.event_data.EventType + FailureCode: winlog.event_data.FailureCode + FileName: file.path + GrantedAccess: winlog.event_data.GrantedAccess + GroupName: winlog.event_data.GroupName + GroupSid: winlog.event_data.GroupSid + Hashes: winlog.event_data.Hashes + HiveName: winlog.event_data.HiveName + HostVersion: winlog.event_data.HostVersion + Image: process.executable + ImageLoaded: file.path + ImagePath: winlog.event_data.ImagePath + Imphash: winlog.event_data.Imphash + IpAddress: source.ip + IpPort: source.port + KeyLength: winlog.event_data.KeyLength + LogonProcessName: winlog.event_data.LogonProcessName + LogonType: winlog.event_data.LogonType + Message: winlog.event_data.Message + NewProcessName: winlog.event_data.NewProcessName + ObjectClass: winlog.event_data.ObjectClass + ObjectName: winlog.event_data.ObjectName + ObjectType: winlog.event_data.ObjectType + ObjectValueName: winlog.event_data.ObjectValueName + ParentCommandLine: process.parent.args + ParentProcessName: process.parent.name + ParentImage: process.parent.executable + Path: winlog.event_data.Path + PipeName: file.name + ProcessCommandLine: winlog.event_data.ProcessCommandLine + ProcessName: process.executable + Properties: winlog.event_data.Properties + SecurityID: winlog.event_data.SecurityID + ServiceFileName: 
winlog.event_data.ServiceFileName + ServiceName: winlog.event_data.ServiceName + ShareName: winlog.event_data.ShareName + Signature: winlog.event_data.Signature + Source: winlog.event_data.Source + SourceHostname: source.domain + SourceImage: process.executable + SourceIp: source.ip + SourcePort: source.port + #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + StartModule: winlog.event_data.StartModule + Status: winlog.event_data.Status + SubjectDomainName: user.domain + SubjectUserName: user.name + SubjectUserSid: user.id + TargetFilename: file.path + TargetImage: winlog.event_data.TargetImage + TargetObject: winlog.event_data.TargetObject + TicketEncryptionType: winlog.event_data.TicketEncryptionType + TicketOptions: winlog.event_data.TicketOptions + TargetDomainName: user.domain + TargetUserName: user.name + TargetUserSid: user.id + User: user.name + WorkstationName: source.domain +>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml new file mode 100644 index 000000000..c89adad67 --- /dev/null +++ b/tools/config/winlogbeat-old.yml 
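Review bot: winlogbeat-modules-enabled.yml contains unresolved conflict markers in both `backends` and `fieldmappings`, so the config is unparsable and every Elastic/elastalert conversion that selects it fails. The two fieldmapping halves differ only in `ComputerName` (`winlog.ComputerName` on HEAD versus `winlog.computer_name` incoming) and the incoming `ContextInfo`/`Message` mappings; the incoming side matches the lowercase `winlog.*` naming used everywhere else in this file and also adds the `es-rule`/`elasticsearch-rule` backends, so take it and delete the HEAD blocks and markers. Separately, `windows-driver-framework` and `windows-dhcp` condition on `winlog.provider_name` with a `…/Operational` channel name while every other entry uses `winlog.channel`; provider names presumably carry no `/Operational` suffix, so these look like they should be `winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'` — confirm against indexed documents. The hunk begins several lines before this view.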
@@ -0,0 +1,188 @@ +title: Elastic Winlogbeat (<=6.x) index pattern and field mapping +order: 20 +backends: + - es-qs + - es-dsl + - es-rule + - kibana + - xpack-watcher + - elastalert + - elastalert-dsl +logsources: + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + log_name: 'Microsoft-Windows-Sysmon/Operational' + windows-dns-server: + product: windows + service: dns-server + conditions: + log_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' +defaultindex: winlogbeat-* +# Extract all field names qith yq: +# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' +# Keep EventID! Clean up the list afterwards! 
+fieldmappings: +<<<<<<< HEAD + EventID: event_id + AccessMask: event_data.AccessMask + AccountName: event_data.AccountName + AllowedToDelegateTo: event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName + AuditPolicyChanges: event_data.AuditPolicyChanges + AuthenticationPackageName: event_data.AuthenticationPackageName + CallingProcessName: event_data.CallingProcessName + CallTrace: event_data.CallTrace + CommandLine: event_data.CommandLine + ComputerName: event_data.ComputerName + CurrentDirectory: event_data.CurrentDirectory + Description: event_data.Description + DestinationHostname: event_data.DestinationHostname + DestinationIp: event_data.DestinationIp + DestinationIsIpv6: event_data.DestinationIsIpv6 + DestinationPort: event_data.DestinationPort + Details: event_data.Details + EngineVersion: event_data.EngineVersion + EventType: event_data.EventType + FailureCode: event_data.FailureCode + FileName: event_data.FileName + GrantedAccess: event_data.GrantedAccess + GroupName: event_data.GroupName + GroupSid: event_data.GroupSid + Hashes: event_data.Hashes + HiveName: event_data.HiveName + HostVersion: event_data.HostVersion + Image: event_data.Image + ImageLoaded: event_data.ImageLoaded + ImagePath: event_data.ImagePath + Imphash: event_data.Imphash + IpAddress: event_data.IpAddress + KeyLength: event_data.KeyLength + LogonProcessName: event_data.LogonProcessName + LogonType: event_data.LogonType + NewProcessName: event_data.NewProcessName + ObjectClass: event_data.ObjectClass + ObjectName: event_data.ObjectName + ObjectType: event_data.ObjectType + ObjectValueName: event_data.ObjectValueName + ParentCommandLine: event_data.ParentCommandLine + ParentProcessName: event_data.ParentProcessName + ParentImage: event_data.ParentImage + Path: event_data.Path + PipeName: event_data.PipeName + ProcessCommandLine: event_data.ProcessCommandLine + ProcessName: event_data.ProcessName + Properties: event_data.Properties + SecurityID: 
event_data.SecurityID + ServiceFileName: event_data.ServiceFileName + ServiceName: event_data.ServiceName + ShareName: event_data.ShareName + Signature: event_data.Signature + Source: event_data.Source + SourceImage: event_data.SourceImage + StartModule: event_data.StartModule + Status: event_data.Status + SubjectUserName: event_data.SubjectUserName + SubjectUserSid: event_data.SubjectUserSid + TargetFilename: event_data.TargetFilename + TargetImage: event_data.TargetImage + TargetObject: event_data.TargetObject + TicketEncryptionType: event_data.TicketEncryptionType + TicketOptions: event_data.TicketOptions + User: event_data.User + WorkstationName: event_data.WorkstationName +======= + EventID: event_id + AccessMask: event_data.AccessMask + AccountName: event_data.AccountName + AllowedToDelegateTo: event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName + AuditPolicyChanges: event_data.AuditPolicyChanges + AuthenticationPackageName: event_data.AuthenticationPackageName + CallingProcessName: event_data.CallingProcessName + CallTrace: event_data.CallTrace + CommandLine: event_data.CommandLine + ComputerName: computer_name + ContextInfo: event_data.ContextInfo + CurrentDirectory: event_data.CurrentDirectory + Description: event_data.Description + DestinationHostname: event_data.DestinationHostname + DestinationIp: event_data.DestinationIp + DestinationIsIpv6: event_data.DestinationIsIpv6 + DestinationPort: event_data.DestinationPort + Details: event_data.Details + EngineVersion: event_data.EngineVersion + EventType: event_data.EventType + FailureCode: event_data.FailureCode + FileName: event_data.FileName + GrantedAccess: event_data.GrantedAccess + GroupName: event_data.GroupName + GroupSid: event_data.GroupSid + Hashes: event_data.Hashes + HiveName: event_data.HiveName + HostVersion: event_data.HostVersion + Image: event_data.Image + ImageLoaded: event_data.ImageLoaded + ImagePath: event_data.ImagePath + Imphash: 
event_data.Imphash + IpAddress: event_data.IpAddress + KeyLength: event_data.KeyLength + LogonProcessName: event_data.LogonProcessName + LogonType: event_data.LogonType + Message: event_data.Message + NewProcessName: event_data.NewProcessName + ObjectClass: event_data.ObjectClass + ObjectName: event_data.ObjectName + ObjectType: event_data.ObjectType + ObjectValueName: event_data.ObjectValueName + ParentCommandLine: event_data.ParentCommandLine + ParentProcessName: event_data.ParentProcessName + ParentImage: event_data.ParentImage + Path: event_data.Path + PipeName: event_data.PipeName + ProcessCommandLine: event_data.ProcessCommandLine + ProcessName: event_data.ProcessName + Properties: event_data.Properties + SecurityID: event_data.SecurityID + ServiceFileName: event_data.ServiceFileName + ServiceName: event_data.ServiceName + ShareName: event_data.ShareName + Signature: event_data.Signature + Source: event_data.Source + SourceImage: event_data.SourceImage + StartModule: event_data.StartModule + Status: event_data.Status + SubjectUserName: event_data.SubjectUserName + SubjectUserSid: event_data.SubjectUserSid + TargetFilename: event_data.TargetFilename + TargetImage: event_data.TargetImage + TargetObject: event_data.TargetObject + TicketEncryptionType: event_data.TicketEncryptionType + TicketOptions: event_data.TicketOptions + User: event_data.User + WorkstationName: event_data.WorkstationName +>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml new file mode 100644 index 000000000..2f74612ad --- /dev/null +++ b/tools/config/winlogbeat.yml 
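Review bot: winlogbeat-old.yml is added with `<<<<<<< HEAD` / `=======` / `>>>>>>>` markers left inside `fieldmappings`, making the file invalid YAML. The halves differ by `ComputerName: event_data.ComputerName` (HEAD) versus `ComputerName: computer_name` plus `ContextInfo` and `Message` (incoming); the incoming block is the more complete one, so keep it and delete the markers and the HEAD copy. Also, `windows-driver-framework` and `windows-dhcp` condition on `source:` whereas the other entries use `log_name:` — if `source` is not a field this beat version emits, those two log sources never match, and either `log_name:` or a comment naming the field would settle it. The hunk starts before this view.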
@@ -0,0 +1,188 @@ +title: Elastic Winlogbeat (from 7.x) index pattern and field mapping +order: 20 +backends: + - es-qs + - es-dsl + - es-rule + - kibana + - xpack-watcher + - elastalert + - elastalert-dsl +logsources: + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + winlog.channel: Application + windows-security: + product: windows + service: security + conditions: + winlog.channel: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-dns-server: + product: windows + service: dns-server + conditions: + winlog.channel: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational' +defaultindex: winlogbeat-* +# Extract all field names qith yq: +# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' +# Keep EventID! Clean up the list afterwards! 
+fieldmappings: +<<<<<<< HEAD + EventID: winlog.event_id + AccessMask: winlog.event_data.AccessMask + AccountName: winlog.event_data.AccountName + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallingProcessName: winlog.event_data.CallingProcessName + CallTrace: winlog.event_data.CallTrace + CommandLine: winlog.event_data.CommandLine + ComputerName: winlog.ComputerName + CurrentDirectory: winlog.event_data.CurrentDirectory + Description: winlog.event_data.Description + DestinationHostname: winlog.event_data.DestinationHostname + DestinationIp: winlog.event_data.DestinationIp + DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 + DestinationPort: winlog.event_data.DestinationPort + Details: winlog.event_data.Details + EngineVersion: winlog.event_data.EngineVersion + EventType: winlog.event_data.EventType + FailureCode: winlog.event_data.FailureCode + FileName: winlog.event_data.FileName + GrantedAccess: winlog.event_data.GrantedAccess + GroupName: winlog.event_data.GroupName + GroupSid: winlog.event_data.GroupSid + Hashes: winlog.event_data.Hashes + HiveName: winlog.event_data.HiveName + HostVersion: winlog.event_data.HostVersion + Image: winlog.event_data.Image + ImageLoaded: winlog.event_data.ImageLoaded + ImagePath: winlog.event_data.ImagePath + Imphash: winlog.event_data.Imphash + IpAddress: winlog.event_data.IpAddress + KeyLength: winlog.event_data.KeyLength + LogonProcessName: winlog.event_data.LogonProcessName + LogonType: winlog.event_data.LogonType + NewProcessName: winlog.event_data.NewProcessName + ObjectClass: winlog.event_data.ObjectClass + ObjectName: winlog.event_data.ObjectName + ObjectType: winlog.event_data.ObjectType + ObjectValueName: winlog.event_data.ObjectValueName + ParentCommandLine: winlog.event_data.ParentCommandLine + 
ParentProcessName: winlog.event_data.ParentProcessName + ParentImage: winlog.event_data.ParentImage + Path: winlog.event_data.Path + PipeName: winlog.event_data.PipeName + ProcessCommandLine: winlog.event_data.ProcessCommandLine + ProcessName: winlog.event_data.ProcessName + Properties: winlog.event_data.Properties + SecurityID: winlog.event_data.SecurityID + ServiceFileName: winlog.event_data.ServiceFileName + ServiceName: winlog.event_data.ServiceName + ShareName: winlog.event_data.ShareName + Signature: winlog.event_data.Signature + Source: winlog.event_data.Source + SourceImage: winlog.event_data.SourceImage + StartModule: winlog.event_data.StartModule + Status: winlog.event_data.Status + SubjectUserName: winlog.event_data.SubjectUserName + SubjectUserSid: winlog.event_data.SubjectUserSid + TargetFilename: winlog.event_data.TargetFilename + TargetImage: winlog.event_data.TargetImage + TargetObject: winlog.event_data.TargetObject + TicketEncryptionType: winlog.event_data.TicketEncryptionType + TicketOptions: winlog.event_data.TicketOptions + User: winlog.event_data.User + WorkstationName: winlog.event_data.WorkstationName +======= + EventID: winlog.event_id + AccessMask: winlog.event_data.AccessMask + AccountName: winlog.event_data.AccountName + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallingProcessName: winlog.event_data.CallingProcessName + CallTrace: winlog.event_data.CallTrace + CommandLine: winlog.event_data.CommandLine + ComputerName: winlog.computer_name + ContextInfo: winlog.event_data.ContextInfo + CurrentDirectory: winlog.event_data.CurrentDirectory + Description: winlog.event_data.Description + DestinationHostname: winlog.event_data.DestinationHostname + DestinationIp: winlog.event_data.DestinationIp + DestinationIsIpv6: 
winlog.event_data.DestinationIsIpv6 + DestinationPort: winlog.event_data.DestinationPort + Details: winlog.event_data.Details + EngineVersion: winlog.event_data.EngineVersion + EventType: winlog.event_data.EventType + FailureCode: winlog.event_data.FailureCode + FileName: winlog.event_data.FileName + GrantedAccess: winlog.event_data.GrantedAccess + GroupName: winlog.event_data.GroupName + GroupSid: winlog.event_data.GroupSid + Hashes: winlog.event_data.Hashes + HiveName: winlog.event_data.HiveName + HostVersion: winlog.event_data.HostVersion + Image: winlog.event_data.Image + ImageLoaded: winlog.event_data.ImageLoaded + ImagePath: winlog.event_data.ImagePath + Imphash: winlog.event_data.Imphash + IpAddress: winlog.event_data.IpAddress + KeyLength: winlog.event_data.KeyLength + LogonProcessName: winlog.event_data.LogonProcessName + LogonType: winlog.event_data.LogonType + Message: winlog.event_data.Message + NewProcessName: winlog.event_data.NewProcessName + ObjectClass: winlog.event_data.ObjectClass + ObjectName: winlog.event_data.ObjectName + ObjectType: winlog.event_data.ObjectType + ObjectValueName: winlog.event_data.ObjectValueName + ParentCommandLine: winlog.event_data.ParentCommandLine + ParentProcessName: winlog.event_data.ParentProcessName + ParentImage: winlog.event_data.ParentImage + Path: winlog.event_data.Path + PipeName: winlog.event_data.PipeName + ProcessCommandLine: winlog.event_data.ProcessCommandLine + ProcessName: winlog.event_data.ProcessName + Properties: winlog.event_data.Properties + SecurityID: winlog.event_data.SecurityID + ServiceFileName: winlog.event_data.ServiceFileName + ServiceName: winlog.event_data.ServiceName + ShareName: winlog.event_data.ShareName + Signature: winlog.event_data.Signature + Source: winlog.event_data.Source + SourceImage: winlog.event_data.SourceImage + StartModule: winlog.event_data.StartModule + Status: winlog.event_data.Status + SubjectUserName: winlog.event_data.SubjectUserName + SubjectUserSid: 
winlog.event_data.SubjectUserSid + TargetFilename: winlog.event_data.TargetFilename + TargetImage: winlog.event_data.TargetImage + TargetObject: winlog.event_data.TargetObject + TicketEncryptionType: winlog.event_data.TicketEncryptionType + TicketOptions: winlog.event_data.TicketOptions + User: winlog.event_data.User + WorkstationName: winlog.event_data.WorkstationName +>>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py index e30dca2a8..a0a27e4c1 100644 --- a/tools/sigma/backends/carbonblack.py +++ b/tools/sigma/backends/carbonblack.py @@ -1,4 +1,3 @@ -<<<<<<< HEAD # Output backends for sigmac # Copyright 2016-2018 Thomas Patzke, Florian Roth, Roey @@ -77,7 +76,10 @@ class CarbonBlackBackend(SingleTextQueryBackend): def generateMapItemNode(self, node): fieldname, value = node - value = self.cleanValue(value) + if(fieldname == "path"): + value = self.cleanValuePath(value) + else: + value = self.cleanValue(value) print(str(value)) if(fieldname == "EventID" and (type(value) is str or type(value) is int )): fieldname = self.generateEventKey(value) 
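Review bot: winlogbeat.yml is the third config in this commit with an unresolved merge conflict in `fieldmappings`; as committed none of the `winlogbeat*.yml` files can be loaded. The difference is again `ComputerName: winlog.ComputerName` (HEAD) versus `winlog.computer_name` plus `ContextInfo` and `Message` (incoming) — the incoming block is consistent with the rest of the file's `winlog.` naming, so keep it and remove the markers. The same `winlog.provider_name` versus `winlog.channel` question raised for the modules-enabled file applies to `windows-driver-framework` and `windows-dhcp` here. The winlogbeat.yml hunk begins before this view.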
@@ -136,8 +138,25 @@ class CarbonBlackBackend(SingleTextQueryBackend):
 new_value = '"' + new_value +'"'
 new_value = new_value.replace("(", "\(")
 new_value = new_value.replace(")", "\)")
- new_value = new_value.replace(" ", "\ ")
+ if ('"' not in new_value):
+ new_value = new_value.replace(" ", "\ ")
+ new_value = new_value.strip()
+ if type(new_value) is list:
+ for index, vl in enumerate(new_value):
+ new_value[index] = self.cleanValue(vl)
+ return new_value
+ def cleanValuePath(self, value):
+ new_value = value
+ if type(new_value) is str:
+ # double backslash convention
+ if (new_value[:2] in ("*\/","*\\")):
+ new_value = new_value[2:]
+ if (new_value[:1] == '*'):
+ new_value = new_value.replace("*", "", 1)
+ # need tuning
+ if("*" in new_value and " " in new_value):
+ new_value=re.escape(new_value)
 new_value = new_value.strip()
 if type(new_value) is list:
 for index, vl in enumerate(new_value):
@@ -157,6 +176,8 @@ class CarbonBlackBackend(SingleTextQueryBackend):
 return ''
 def cleanIPRange(self,value):
+ if('*' not in value):
+ return value
 new_value = value
 if type(new_value) is str and value.find('*') :
 sub = value.count('.')
@@ -174,7 +195,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
 return new_value
 def postAPI(self,result,title,desc):
- url = 'https://10.14.132.6//api/v1/watchlist'
+ url = 'https://10.14.132.35//api/v1/watchlist'
 body = {
 "name":title,
 "search_query":"q="+str(result),
@@ -182,7 +203,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
 "index_type":"events"
 }
 header = {
- "X-Auth-Token": "6ff62a0dd9cf895b806fbd3190f3c0b18d98a9ae"
+ "X-Auth-Token": "099c366b1e56c0bca3ae61ce1fb7435af7a5926c"
 }
 print(title)
 x = requests.post(url, data =json.dumps(body), headers = header, verify=False)
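Review bot: In the new `cleanValuePath`, `new_value=re.escape(new_value)` escapes the `*` together with the space, so a path value that contains both a wildcard and a space reaches the query with its wildcard turned into a literal `\*`, which contradicts the leading-`*` handling a few lines above that treats `*` as a glob; escaping only the whitespace, as `cleanValue` does in its quoted branch, keeps the wildcard: `new_value = new_value.replace(" ", "\\ ")`. The tuple in `new_value[:2] in ("*\/","*\\")` has a second problem: `"*\/"` is an invalid escape sequence that evaluates to the three characters `*\/`, so the two-character slice can never match it and a `*/` prefix is never stripped; write it as `("*/", "*\\")`, and likewise the added `"\ "` as `"\\ "` (invalid escapes are a DeprecationWarning today and a SyntaxWarning from Python 3.12). `re` is used here, but the only `import re` in this diff sits on the removed side of the conflict in the hunk at line 209, so confirm the kept module header still imports it. The tail of `cleanValuePath` (the strip and list handling, previously the tail of `cleanValue`) continues past the end of the hunk.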
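Review bot: The early return added to `cleanIPRange` guarantees that `value` contains a `*`, but the following context line still tests `value.find('*')` for truthiness, and `find` returns `0` (false) when the wildcard is the first character, so a leading-wildcard value still skips the rewrite. With the guard in place the `find` is redundant and the condition can become `if type(new_value) is str:`. `cleanIPRange` continues past the hunk.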
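Review bot: `postAPI` still embeds the Carbon Black server address and the `X-Auth-Token` API key as string literals, and this hunk together with the one at line 182 rotates both in source, so the previous and the new token are now both in repository history and should be treated as disclosed and revoked on the server. Read them from the environment or the backend configuration instead, e.g. `url = os.environ["CB_WATCHLIST_URL"]` and `"X-Auth-Token": os.environ["CB_API_TOKEN"]` (placeholder names, `import os` required), so the secret never lives in a tracked file. The context line below also sends the token with `verify=False`, which disables certificate validation for the very request that carries it; if the appliance uses a private CA, pass its bundle through `verify=` rather than turning validation off. `postAPI` continues past the end of the hunk.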
@@ -209,148 +230,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
 result += after
 # if mapped is not None:
 # result += fields
- self.postAPI(result,title,desc)
+ # self.postAPI(result,title,desc)
 # print (title)
- # print (str(result))
- return result
-=======
-import re
-
-from fnmatch import fnmatch
-
-from sigma.backends.base import SingleTextQueryBackend
-from sigma.backends.exceptions import NotSupportedError
-from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
-from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression
-
-from sigma.parser.modifiers.base import SigmaTypeModifier
-
-
-class CarbonBlackWildcardHandlingMixin:
- """
- Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further,
- provide configurability with backend parameters.
- """
- # options = SingleTextQueryBackend.options + (
- # ("keyword_field", None, "Keyword sub-field name", None),
- # ("keyword_blacklist", None, "Fields that don't have a keyword subfield (wildcards * and ?
allowed)", None)
- # )
- reContainsWildcard = re.compile("(?:(?]")
- andToken = " AND "
- orToken = " OR "
- notToken = " -"
- subExpression = "(%s)"
- listExpression = "%s"
- listSeparator = " OR "
- valueExpression = '%s'
- typedValueExpression = {
- SigmaRegularExpressionModifier: "/%s/"
- }
- nullExpression = "NOT _exists_:%s"
- notNullExpression = "_exists_:%s"
- mapExpression = "%s:%s"
- mapListsSpecialHandling = False
-
- def __init__(self, *args, **kwargs):
- """Initialize field mappings."""
- super().__init__(*args, **kwargs)
- self.category = None
- self.excluded_fields = None
-
-
- def cleanValue(self, val):
- val = super().cleanValue(val)
- if isinstance(val, str):
- if val.startswith("*\\"):
- val = val.replace("*\\", "*")
- if val.startswith("*/"):
- val = val.replace("*/", "*")
- if val.endswith("\\*"):
- val = val.replace("\\*", "*")
- if val.endswith("/*"):
- val = val.replace("/*", "*")
- return val
-
- def generateValueNode(self, node):
- result = super().generateValueNode(node)
- if result == "" or result.isspace():
- return '""'
- else:
- if self.matchKeyword: # don't quote search value on keyword field
- return result
- else:
- return "%s" % result
-
- def generateMapItemNode(self, node):
- fieldname, value = node
- if fieldname.lower() in self.excluded_fields:
- return
- else:
- transformed_fieldname = self.fieldNameMapping(fieldname, value)
- if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
- #return self.mapExpression % (transformed_fieldname, self.generateNode(value))
- if isinstance(value, list):
- return self.generateNode([self.mapExpression % (transformed_fieldname, self.cleanValue(item)) for item in value])
- elif isinstance(value, str) or isinstance(value, int):
- return self.mapExpression % (transformed_fieldname, self.generateNode(value))
- elif type(value) == list:
- return self.generateMapItemListNode(transformed_fieldname, value)
-
elif isinstance(value, SigmaTypeModifier):
- return self.generateMapItemTypedNode(transformed_fieldname, value)
- elif value is None:
- return self.nullExpression % (transformed_fieldname,)
- else:
- raise TypeError("Backend does not support map values of type " + str(type(value)))
-
- def generateNOTNode(self, node):
- expression = super().generateNode(node.item)
- if expression:
- return "(%s%s)" % (self.notToken, expression)
-
-
- def generate(self, sigmaparser):
- """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
- try:
- self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
- self.counted = sigmaparser.parsedyaml.get('counted', None)
- self.excluded_fields = [item.lower() for item in sigmaparser.config.config.get("excludedfields", [])]
- except KeyError:
- self.category = None
- if self.category == "process_creation":
- for parsed in sigmaparser.condparsed:
- query = self.generateQuery(parsed)
- result = ""
-
- if query is not None:
- result += query
- return result
- else:
- raise NotSupportedError("Not supported logsource category.")
->>>>>>> 9e86170d7937bf37694a5763e82ca6635735129c
+ print (str(result))
+ return result
\ No newline at end of file
diff --git a/tools/sigma/eventdict.py b/tools/sigma/eventdict.py
index d55404fd4..c6f52286c 100644
--- a/tools/sigma/eventdict.py
+++ b/tools/sigma/eventdict.py
@@ -6,9 +6,9 @@ event = {
 # 5: Process termincated
 6: ('modload_count','[1 to *]'),
 7: ('modload_count','[1 to *]'),
- 8: ('crossproc_type', 'remote_thread'),
+ 8: ('crossproc_count', '[1 to *]'),
 # 9: Raw Access Read
- 10: ('crossproc_type', 'process_open'),
+ 10: ('crossproc_count', '[1 to *]'),
 11: ('filemod_count','[1 to *]'),
 12: ('regmod_count','[1 to *]'),
 13: ('regmod_count','[1 to *]'),
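Review bot: The new side comments out the call with `# self.postAPI(result,title,desc)` but keeps `postAPI` itself, so the method and the credentials it embeds remain in the module as dead code; if pushing watchlists is no longer wanted, delete the method and its token rather than leaving a commented-out call, and if it is still wanted, gate it behind a backend option. `print (str(result))` now writes the generated query to stdout from inside `generate` in addition to returning it, so if the caller prints the returned query the output is duplicated; return the result without printing, or route debug output through a logger. Resolving the conflict by deleting the whole incoming side also drops its `import re`, its `excluded_fields` handling and the `NotSupportedError` for unsupported logsource categories, which is worth confirming as intended. The enclosing `generate` begins before the hunk.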
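Review bot: Mapping both event ID 8 and event ID 10 to `('crossproc_count', '[1 to *]')` makes the two indistinguishable: a rule written for Sysmon 8 (CreateRemoteThread) and one written for Sysmon 10 (ProcessAccess) now compile to the same predicate, and that predicate matches any process with any cross-process activity, which is considerably broader than the `remote_thread` / `process_open` type filters it replaces. If `crossproc_type` is not searchable in the targeted Cb Response version, record that next to the entries so rule authors know the resulting detections are coarser, e.g. `# 8/10: crossproc_type not queryable here; crossproc_count matches any cross-process event (lossy)`. Otherwise the type-specific values preserve the distinction and should stay.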