From f47d0da3f7fd8f698c8ec3fd397e0bd66cecaa3c Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 20 Nov 2021 12:26:01 +0100
Subject: [PATCH] add missing MITRE Techniques
---
 rules/windows/builtin/win_apt_gallium.yml | 1 +
 rules/windows/builtin/win_apt_slingshot.yml | 1 +
 .../win_exploit_cve_2021_1675_printspooler.yml | 1 +
 ...t_cve_2021_1675_printspooler_operational.yml | 1 +
 ...loit_cve_2021_1675_printspooler_security.yml | 1 +
 ...win_hybridconnectionmgr_svc_installation.yml | 1 +
 .../win_hybridconnectionmgr_svc_running.yml | 1 +
 .../builtin/win_scm_database_handle_failure.yml | 1 +
 .../builtin/win_susp_add_domain_trust.yml | 1 +
 rules/windows/builtin/win_vul_cve_2020_1472.yml | 1 +
 ...dns_query_hybridconnectionmgr_servicebus.yml | 1 +
 .../driver_load_vuln_dell_driver.yml | 4 ++++
 .../file_event/file_event_susp_task_write.yml | 3 +++
 .../win_cve_2021_1675_printspooler.yml | 3 +++
 .../win_file_winword_cve_2021_40444.yml | 3 +++
 .../image_load_silenttrinity_stage_use.yml | 1 +
 .../image_load/sysmon_foggyweb_nobelium.yml | 3 +++
 .../image_load/win_susp_svchost_clfsw32.yml | 4 ++++
 rules/windows/malware/av_hacktool.yml | 3 ++-
 .../win_net_crypto_mining.yml | 3 +++
 .../other/win_exchange_cve_2021_42321.yml | 5 ++++-
 .../sysmon_apt_turla_namedpipes.yml | 3 +++
 .../sysmon_susp_wmi_consumer_namedpipe.yml | 17 ++++++++++-------
 23 files changed, 54 insertions(+), 9 deletions(-)
diff --git a/rules/windows/builtin/win_apt_gallium.yml b/rules/windows/builtin/win_apt_gallium.yml
index 06c9a76d3..810af5f56 100644
--- a/rules/windows/builtin/win_apt_gallium.yml
+++ b/rules/windows/builtin/win_apt_gallium.yml
@@ -14,6 +14,7 @@ references:
 tags:
 - attack.credential_access
 - attack.command_and_control
+ - attack.t1071
 logsource:
 product: windows
 service: dns-server
diff --git a/rules/windows/builtin/win_apt_slingshot.yml b/rules/windows/builtin/win_apt_slingshot.yml
index 5ad58b130..4345b4aa2 100644
--- a/rules/windows/builtin/win_apt_slingshot.yml
+++ b/rules/windows/builtin/win_apt_slingshot.yml
@@ -12,6 +12,7 @@ references:
 - https://securelist.com/apt-slingshot/84312/
 tags:
 - attack.persistence
+ - attack.t1053
 - attack.s0111
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
index 72ac6b838..90bdfa6c0 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -12,6 +12,7 @@ date: 2021/06/30
 modified: 2021/07/08
 tags:
 - attack.execution
+ - attack.t1569
 - cve.2021.1675
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
index 823418501..b10629f3c 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -9,6 +9,7 @@ references:
 date: 2021/07/01
 tags:
 - attack.execution
+ - attack.t1569
 - cve.2021.1675
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
index 902544f90..0820f80fb 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -9,6 +9,7 @@ references:
 date: 2021/07/02
 tags:
 - attack.execution
+ - attack.t1569
 - cve.2021.1675
 - cve.2021.34527
 logsource:
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
index 151ec7dde..7b2b0166d 100644
--- a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
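Review bot: The win_exploit_cve_2021_1675_printspooler.yml hunk leaves `modified: 2021/07/08` untouched while changing the rule's tag set; if the repository treats tag changes as rule modifications, that line should become `modified: 2021/11/20` to match the commit date. The same applies to the other hunks in this patch whose `modified:` line is visible as context (win_hybridconnectionmgr_svc_installation.yml, win_vul_cve_2020_1472.yml, dns_query_hybridconnectionmgr_servicebus.yml, image_load_silenttrinity_stage_use.yml) and presumably to the remaining rules, whose date fields sit outside the hunks shown.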
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
@@ -7,6 +7,7 @@ modified: 2021/08/09
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.persistence
+ - attack.t1554
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
index de445a56a..12ed9a6da 100644
--- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -6,6 +6,7 @@ date: 2021/04/12
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.persistence
+ - attack.t1554
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml
index e83eeec7e..90139b070 100644
--- a/rules/windows/builtin/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/win_scm_database_handle_failure.yml
@@ -9,6 +9,7 @@ references:
 - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
 tags:
 - attack.discovery
+ - attack.t1010
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_susp_add_domain_trust.yml b/rules/windows/builtin/win_susp_add_domain_trust.yml
index 4a2115b0e..fdf8a2768 100644
--- a/rules/windows/builtin/win_susp_add_domain_trust.yml
+++ b/rules/windows/builtin/win_susp_add_domain_trust.yml
@@ -6,6 +6,7 @@ author: Thomas Patzke
 date: 2019/12/03
 tags:
 - attack.persistence
+ - attack.t1098
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_vul_cve_2020_1472.yml b/rules/windows/builtin/win_vul_cve_2020_1472.yml
index 7210bd7ed..bff52b97e 100644
--- a/rules/windows/builtin/win_vul_cve_2020_1472.yml
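Review bot: In the win_scm_database_handle_failure.yml hunk the added `- attack.t1010` maps to Application Window Discovery, which does not describe a failed handle request against the service control manager database; System Service Discovery (T1007) is the technique that fits the existing `attack.discovery` tag and the rule's subject. Suggest `- attack.t1007`, after confirming the mapping against the referenced Threat Hunter Playbook entry.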
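Review bot: In the win_susp_add_domain_trust.yml hunk the added `- attack.t1098` (Account Manipulation) is a loose fit for the creation of a new domain trust; ATT&CK has a dedicated sub-technique for this, Domain Policy Modification: Domain Trust Modification (T1484.002), whose tactics are Defense Evasion and Privilege Escalation rather than Persistence. If that mapping is adopted the tactic tags should follow it, e.g. `- attack.defense_evasion`, `- attack.privilege_escalation`, `- attack.t1484.002`. The `attack.persistence` tag predates this commit, so whether to keep it alongside is a separate decision for the rule owner.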
+++ b/rules/windows/builtin/win_vul_cve_2020_1472.yml
@@ -9,6 +9,7 @@ date: 2020/09/15
 modified: 2021/08/09
 tags:
 - attack.privilege_escalation
+ - attack.t1548
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
index cd02807d2..fd8ae4cfe 100644
--- a/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
+++ b/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
@@ -7,6 +7,7 @@ modified: 2021/06/10
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.persistence
+ - attack.t1554
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
index 4a64d8dab..8ed85ec97 100644
--- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
@@ -27,3 +27,7 @@ detection:
 falsepositives:
 - legitimate BIOS driver updates (should be rare)
 level: high
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1542.001
\ No newline at end of file
diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml
index 40e5b8f90..b3c9bff4c 100644
--- a/rules/windows/file_event/file_event_susp_task_write.yml
+++ b/rules/windows/file_event/file_event_susp_task_write.yml
@@ -22,3 +22,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.execution
+ - attack.t1053
\ No newline at end of file
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
index 25264ba50..f9acfa4af 100644
--- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
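Review bot: In the win_vul_cve_2020_1472.yml hunk the added `- attack.t1548` (Abuse Elevation Control Mechanism) covers UAC bypass, setuid/setgid, sudo caching and similar elevation controls, none of which a Netlogon vulnerability event involves; Exploitation for Privilege Escalation (T1068) is the technique that matches the existing `attack.privilege_escalation` tag. Suggest `- attack.t1068` unless the current mapping was taken from a source that should then be added under `references:`.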
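Review bot: The driver_load_vuln_dell_driver.yml hunk appends the new `tags:` block as the last lines of the file but ends it without a trailing newline, as the `\ No newline at end of file` marker under `- attack.t1542.001` shows; the same is true of the new last lines added to file_event_susp_task_write.yml, win_cve_2021_1675_printspooler.yml, win_susp_svchost_clfsw32.yml, win_net_crypto_mining.yml, win_exchange_cve_2021_42321.yml and sysmon_susp_wmi_consumer_namedpipe.yml. These lines are new, so this patch is the natural place to terminate them properly. Placing `tags:` after `level:` also differs from the rules touched earlier in the patch, where `tags:` follows `date:`/`modified:` and precedes `logsource:`; YAML mapping order carries no meaning, but a consistent key order keeps the rule set diff-friendly.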
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -28,3 +28,6 @@ fields:
 - TargetFilename
 falsepositives:
 - Unknown
+tags:
+ - attack.resource_development
+ - attack.t1587
\ No newline at end of file
diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
index ca52a1a02..3da25ade8 100644
--- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
+++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
@@ -27,3 +27,6 @@ fields:
 falsepositives:
 - unknown
 level: critical
+tags:
+ - attack.resource_development
+ - attack.t1587
diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
index 806fee1fb..f6b55d616 100644
--- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
+++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
@@ -12,6 +12,7 @@ date: 2019/10/22
 modified: 2021/10/04
 tags:
 - attack.command_and_control
+ - attack.t1071
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/sysmon_foggyweb_nobelium.yml b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml
index 81bbdf87c..f982cb390 100644
--- a/rules/windows/image_load/sysmon_foggyweb_nobelium.yml
+++ b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml
@@ -16,3 +16,6 @@ detection:
 falsepositives:
 - Unlikely
 level: critical
+tags:
+ - attack.resource_development
+ - attack.t1587
diff --git a/rules/windows/image_load/win_susp_svchost_clfsw32.yml b/rules/windows/image_load/win_susp_svchost_clfsw32.yml
index 2a58dabcd..ae9008a44 100644
--- a/rules/windows/image_load/win_susp_svchost_clfsw32.yml
+++ b/rules/windows/image_load/win_susp_svchost_clfsw32.yml
@@ -17,3 +17,7 @@ detection:
 falsepositives:
 - Rarely observed
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
\ No newline at end of file
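Review bot: The win_cve_2021_1675_printspooler.yml hunk tags a file-event rule with `- attack.resource_development` and `- attack.t1587` (Develop Capabilities), a pre-compromise technique describing an adversary building tooling on their own infrastructure, which endpoint file telemetry never observes; the same pair is added to win_file_winword_cve_2021_40444.yml and sysmon_foggyweb_nobelium.yml further down this patch. A rule that fires when an exploit artefact lands on the monitored host belongs under the tactic at which that artefact is used, e.g. Exploitation for Client Execution (T1203) with `- attack.execution` for the Word-document case, and the print spooler and FoggyWeb mappings deserve the same reconsideration. Whatever is chosen, the tactic and technique tags should be paired as they are in the rest of the patch.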
diff --git a/rules/windows/malware/av_hacktool.yml b/rules/windows/malware/av_hacktool.yml
index e3427bf99..8aecae9ee 100644
--- a/rules/windows/malware/av_hacktool.yml
+++ b/rules/windows/malware/av_hacktool.yml
@@ -25,4 +25,5 @@ falsepositives:
 - Unlikely
 level: high
 tags:
- - attack.execution
\ No newline at end of file
+ - attack.execution
+ - attack.t1204
diff --git a/rules/windows/network_connection/win_net_crypto_mining.yml b/rules/windows/network_connection/win_net_crypto_mining.yml
index 3ec3eb2f5..10fbd6fe1 100644
--- a/rules/windows/network_connection/win_net_crypto_mining.yml
+++ b/rules/windows/network_connection/win_net_crypto_mining.yml
@@ -38,3 +38,6 @@ detection:
 falsepositives:
 - Legitimate use of crypto miners
 level: high
+tags:
+ - attack.impact
+ - attack.t1496
\ No newline at end of file
diff --git a/rules/windows/other/win_exchange_cve_2021_42321.yml b/rules/windows/other/win_exchange_cve_2021_42321.yml
index 2db0b1597..f717cef10 100644
--- a/rules/windows/other/win_exchange_cve_2021_42321.yml
+++ b/rules/windows/other/win_exchange_cve_2021_42321.yml
@@ -16,4 +16,7 @@ detection:
 condition: keywords
 falsepositives:
 - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
-level: critical
\ No newline at end of file
+level: critical
+tags:
+ - attack.lateral_movement
+ - attack.t1210
\ No newline at end of file
diff --git a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
index 66e600c1d..a8dea10d8 100755
--- a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
@@ -4,9 +4,12 @@ status: experimental
 description: Detects a named pipe used by Turla group samples
 references:
 - Internal Research
+ - https://attack.mitre.org/groups/G0010/
 date: 2017/11/06
 tags:
 - attack.g0010
+ - attack.execution
+ - attack.t1106
 author: Markus Neis
 logsource:
 product: windows
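Review bot: The sysmon_apt_turla_namedpipes.yml index line shows mode `100755`, so this rule file carries the executable bit while every other file in the patch is `100644`; a YAML rule is data and has no reason to be executable. The bit predates this commit, but since the file is already being modified here, clearing it in the same change (`git update-index --chmod=-x` on the path) avoids a separate follow-up.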
diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml
index 87933c08a..20ee7ade7 100644
--- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml
+++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml
@@ -7,13 +7,16 @@ references:
 date: 2021/09/01
 author: Florian Roth
 logsource:
- product: windows
- category: pipe_created
- definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
 detection:
- selection:
- Image|endswith: '\scrcons.exe'
- condition: selection
+ selection:
+ Image|endswith: '\scrcons.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.t1047
+ - attack.execution
\ No newline at end of file
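Review bot: In the sysmon_susp_wmi_consumer_namedpipe.yml hunk the new `tags:` block lists the technique before the tactic (`- attack.t1047` then `- attack.execution`), the reverse of every other block in this patch; swapping the two lines keeps the tactic-then-technique order consistent across the rule set. The hunk also re-emits the entire `logsource:`, `detection:` and `falsepositives:` bodies with text identical on the removed and added lines, which looks like an indentation-only change (the collapsed whitespace in this rendering hides the exact difference) and buries the one-line tag addition. Keeping the whitespace normalisation in its own commit would leave this one reviewable at a glance.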