add missing MITRE Techniques

frack113
2021-11-20 12:26:01 +01:00
parent ab663f9bcf
commit f47d0da3f7
23 changed files with 54 additions and 9 deletions
@@ -14,6 +14,7 @@ references:
tags:
- attack.credential_access
- attack.command_and_control
- attack.t1071
logsource:
product: windows
service: dns-server
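Review bot: `attack.t1071` is the parent Application Layer Protocol technique, but a rule on the `dns-server` log can only ever evidence the DNS channel, so the precise tag is `- attack.t1071.004`. The `attack.credential_access` tactic two lines above has no technique tag beside it; either add the technique that justifies it or drop the tactic, since a tactic-only tag gives an ATT&CK Navigator layer nothing to plot. The detection block is outside the hunk, so this is inferred from the logsource alone.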
@@ -12,6 +12,7 @@ references:
- https://securelist.com/apt-slingshot/84312/
tags:
- attack.persistence
- attack.t1053
- attack.s0111
logsource:
product: windows
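Review bot: `attack.t1053` sits next to `attack.s0111`, the ATT&CK software entry for schtasks, which points at the Windows sub-technique `- attack.t1053.005` rather than the parent; on a `product: windows` rule the parent tag throws that precision away. If the Slingshot write-up describes at.exe-style scheduling instead, `attack.t1053.002` is the alternative — the detection block that would settle it is outside the hunk.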
@@ -12,6 +12,7 @@ date: 2021/06/30
modified: 2021/07/08
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
logsource:
product: windows
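Review bot: Only `cve.2021.1675` is tagged on this rule, while the sibling PrintNightmare rule dated 2021/07/02 in the same commit carries both `cve.2021.1675` and `cve.2021.34527`; if this rule fires on the same spooler driver-load activity, the remote variant tracked as CVE-2021-34527 is covered as well and `- cve.2021.34527` should be added so the three rules agree. I cannot see the detection block from this hunk, so confirm the rule is not specific to the local-privilege-escalation path before adding it.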
@@ -9,6 +9,7 @@ references:
date: 2021/07/01
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
logsource:
product: windows
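Review bot: The CVE tag set here (`cve.2021.1675` alone) diverges from the PrintNightmare rule dated 2021/07/02 in this commit, which also tags `cve.2021.34527`; the two identifiers cover different attack paths against the same spooler weakness, so a reader filtering rules by the RCE identifier would miss this one. Add `- cve.2021.34527` if the detection keys on the driver installation rather than on a purely local exploitation path — the detection block is outside the hunk, so I cannot verify which it is.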
@@ -9,6 +9,7 @@ references:
date: 2021/07/02
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
- cve.2021.34527
logsource:
@@ -7,6 +7,7 @@ modified: 2021/08/09
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.persistence
- attack.t1554
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
logsource:
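Review bot: The new `attack.t1554` tag is backed only by a tweet, which can vanish without notice and leaves the next maintainer no way to check why Compromise Client Software Binary was chosen; the Turla rule touched in the same commit adds an `https://attack.mitre.org/` page next to its tag, and this rule should do the same with `- https://attack.mitre.org/techniques/T1554/`. The two other rules by the same author and with the same reference in this commit have the same gap. The detection block is outside the hunk, so I cannot confirm the rule observes a modified client binary rather than only its execution.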
@@ -6,6 +6,7 @@ date: 2021/04/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.persistence
- attack.t1554
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
logsource:
@@ -9,6 +9,7 @@ references:
- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
tags:
- attack.discovery
- attack.t1010
logsource:
product: windows
service: security
@@ -6,6 +6,7 @@ author: Thomas Patzke
date: 2019/12/03
tags:
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
@@ -9,6 +9,7 @@ date: 2020/09/15
modified: 2021/08/09
tags:
- attack.privilege_escalation
- attack.t1548
logsource:
product: windows
service: system
@@ -7,6 +7,7 @@ modified: 2021/06/10
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.persistence
- attack.t1554
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
logsource:
@@ -27,3 +27,7 @@ detection:
falsepositives:
- legitimate BIOS driver updates (should be rare)
level: high
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1542.001
@@ -22,3 +22,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.t1053
@@ -28,3 +28,6 @@ fields:
- TargetFilename
falsepositives:
- Unknown
tags:
- attack.resource_development
- attack.t1587
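Review bot: `attack.resource_development` / `attack.t1587` describe capability development on adversary-controlled infrastructure before an intrusion, which an endpoint rule keyed on `TargetFilename` cannot observe; if the rule catches a payload being written or built on the victim host, an in-intrusion mapping such as `attack.execution` with the matching technique, or `attack.defense_evasion` for a dropped tool, is what the file event actually evidences. MITRE's own T1587 page notes that much of this activity happens outside the target's visibility, so a coverage layer built from this tag would overstate what the rule sees. The detection block is outside this hunk, so confirm against what the rule keys on.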
@@ -27,3 +27,6 @@ fields:
falsepositives:
- unknown
level: critical
tags:
- attack.resource_development
- attack.t1587
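Review bot: `attack.t1587` (Develop Capabilities) is a pre-compromise technique carried out in the adversary's own environment, so a `level: critical` endpoint rule with a `fields:` list cannot be evidencing it — what the sensor sees is the capability arriving or being used on the host. Map the tag to the in-intrusion tactic the detection supports (execution, defense_evasion or persistence, depending on the condition), and keep `t1587` out unless the description explains how the event reflects adversary-side development. The detection block is outside the hunk, so the right replacement has to be read from it.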
@@ -12,6 +12,7 @@ date: 2019/10/22
modified: 2021/10/04
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: image_load
product: windows
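Review bot: `attack.t1071` on an `image_load` rule maps a network-protocol technique to a DLL load, which is only defensible if the loaded module fixes the protocol; if it does (an HTTP client library, say), use the sub-technique such as `- attack.t1071.001` so the tag carries that information, and if it does not, the description should state the assumption the mapping rests on. The detection block that names the module is outside the hunk.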
@@ -16,3 +16,6 @@ detection:
falsepositives:
- Unlikely
level: critical
tags:
- attack.resource_development
- attack.t1587
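Review bot: Tagging a `level: critical` host rule with `attack.resource_development` / `attack.t1587` mislabels it: Resource Development covers things the adversary does before touching the victim, and a detection with falsepositives `Unlikely` on a local log is seeing the result on the host, not the development. Replace the pair with the tactic and technique the condition actually matches; the detection block is outside the hunk, so I cannot name it from here.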
@@ -17,3 +17,7 @@ detection:
falsepositives:
- Rarely observed
level: high
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
+2 -1
@@ -25,4 +25,5 @@ falsepositives:
- Unlikely
level: high
tags:
- attack.execution
- attack.execution
- attack.t1204
@@ -38,3 +38,6 @@ detection:
falsepositives:
- Legitimate use of crypto miners
level: high
tags:
- attack.impact
- attack.t1496
@@ -16,4 +16,7 @@ detection:
condition: keywords
falsepositives:
- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
level: critical
level: critical
tags:
- attack.lateral_movement
- attack.t1210
@@ -4,9 +4,12 @@ status: experimental
description: Detects a named pipe used by Turla group samples
references:
- Internal Research
- https://attack.mitre.org/groups/G0010/
date: 2017/11/06
tags:
- attack.g0010
- attack.execution
- attack.t1106
author: Markus Neis
logsource:
product: windows
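Review bot: `attack.t1106` (Native API) is asserted for a rule whose description says it matches a named pipe used by Turla samples — the pipe name shows that a Turla implant is present, not that it executes through direct API calls, so the event cannot evidence that technique. The `attack.g0010` tag together with the `https://attack.mitre.org/groups/G0010/` reference added in this hunk is the mapping the data supports; if a technique tag is kept, the description should say why a named pipe implies it. The remaining `- Internal Research` reference still gives a reader nothing to verify the pipe name against.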
@@ -7,13 +7,16 @@ references:
date: 2021/09/01
author: Florian Roth
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
Image|endswith: '\scrcons.exe'
condition: selection
selection:
Image|endswith: '\scrcons.exe'
condition: selection
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.t1047
- attack.execution
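Review bot: scrcons.exe is the WMI standard event consumer scripting host, the process that runs ActiveScriptEventConsumer actions, so a named pipe created by it is typically a WMI event subscription firing; alongside `attack.t1047` the rule should carry `- attack.persistence` and `- attack.t1546.003` (Event Triggered Execution: WMI Event Subscription), which is the technique this logsource points at most directly. The `falsepositives: - Unknown` on a `level: high` rule should name what is known, e.g. `- Legitimate WMI script consumers used by management or monitoring software`, since that is what an analyst triaging the alert will need.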