[FR] Update ATT&CK Package to v12.1 (#2422)

* initial update to v12.1 attack package * added additional click echo output * addressed flake errors * updated rules with refreshed att&ck data * Update detection_rules/devtools.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-12-16 12:04:20 -05:00
parent 06053fa0c6
commit ae4e59ec7d
23 changed files with 135 additions and 91 deletions
@@ -28,7 +28,7 @@ from eql.table import Table
 from kibana.connector import Kibana

 from . import attack, rule_loader, utils
-from .cli_utils import multi_collection, single_collection
+from .cli_utils import single_collection
 from .docs import IntegrationSecurityDocs
 from .endgame import EndgameSchemaManager
 from .eswrap import CollectEvents, add_range_to_dsl
@@ -1226,13 +1226,14 @@ def refresh_threat_mappings():


@attack_group.command('update-rules')
-@multi_collection
-def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
+def update_attack_in_rules() -> List[Optional[TOMLRule]]:
    """Update threat mappings attack data in all rules."""
    new_rules = []
    redirected_techniques = attack.load_techniques_redirect()
    today = time.strftime('%Y/%m/%d')

+    rules = RuleCollection.default()
+
    for rule in rules.rules:
        needs_update = False
        valid_threat: List[ThreatMapping] = []
@@ -1241,14 +1242,29 @@ def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:

        for entry in threat:
            tactic = entry.tactic.name
-            techniques = []
+            technique_ids = []
+            technique_names = []
            for technique in entry.technique or []:
-                techniques.append(technique.id)
-                techniques.extend([st.id for st in technique.subtechnique or []])
+                technique_ids.append(technique.id)
+                technique_names.append(technique.name)
+                technique_ids.extend([st.id for st in technique.subtechnique or []])
+                technique_names.extend([st.name for st in technique.subtechnique or []])

-            if any([t for t in techniques if t in redirected_techniques]):
+            # check redirected techniques by ID
+            # redirected techniques are technique IDs that have changed but represent the same technique
+            if any([tid for tid in technique_ids if tid in redirected_techniques]):
                needs_update = True
-                threat_pending_update[tactic] = techniques
+                threat_pending_update[tactic] = technique_ids
+                click.echo(f"'{rule.contents.name}' requires update - technique ID change")
+
+            # check for name change
+            # happens if technique ID is the same but name changes
+            expected_technique_names = [attack.technique_lookup[str(tid)]["name"] for tid in technique_ids]
+            if any([tname for tname in technique_names if tname not in expected_technique_names]):
+                needs_update = True
+                threat_pending_update[tactic] = technique_ids
+                click.echo(f"'{rule.contents.name}' requires update - technique name change")
+
            else:
                valid_threat.append(entry)

@@ -1265,12 +1281,12 @@ def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
            new_meta = dataclasses.replace(rule.contents.metadata, updated_date=today)
            new_data = dataclasses.replace(rule.contents.data, threat=valid_threat)
            new_contents = dataclasses.replace(rule.contents, data=new_data, metadata=new_meta)
-            new_rule = TOMLRule(contents=new_contents)
+            new_rule = TOMLRule(contents=new_contents, path=rule.path)
            new_rule.save_toml()
            new_rules.append(new_rule)

    if new_rules:
-        click.echo(f'{len(new_rules)} rules updated')
+        click.echo(f'\nFinished - {len(new_rules)} rules updated!')
    else:
        click.echo('No rule changes needed')
    return new_rules
@@ -132,5 +132,5 @@
    "T1536": "T1578.004",
    "T1547.011": "T1647"
  },
-  "saved_date": "Tue Oct  4 21:58:48 2022"
+  "saved_date": "Mon Dec 12 12:29:00 2022"
 }
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ file where event.type == "deletion" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"


@@ -3,7 +3,7 @@ creation_date = "2020/05/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.006"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -12,8 +12,8 @@ description = "Identifies the creation of an AWS log trail that specifies the se
 false_positives = [
    """
    Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -45,7 +45,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"


@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/27"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"


@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -119,7 +119,7 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"


@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = "azure"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"


@@ -55,6 +55,7 @@ reference = "https://attack.mitre.org/techniques/T1530/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/23"
+integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"


@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/23"
+integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ used to forward messages from publishers to subscribers.
 false_positives = [
    """
    Topic creations may be done by a system or network administrator. Verify whether the user email, resource name,
-    and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 index = ["filebeat-*", "logs-gcp*"]
@@ -44,7 +44,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"


@@ -3,7 +3,7 @@ creation_date = "2020/04/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ event.category:process and event.type:(start or process_started) and process.nam
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/17"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -54,13 +54,15 @@ file where event.type == "deletion" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"

+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
@@ -3,7 +3,7 @@ creation_date = "2021/11/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"

 [rule]
 author = ["Austin Songer"]
@@ -68,7 +68,15 @@ references = [
 risk_score = 47
 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Defense Evasion",
+    "Investigation Guide",
+    "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -85,7 +93,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -65,7 +65,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Defense Evasion",
+    "Investigation Guide",
+    "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -86,7 +94,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.001"
@@ -3,7 +3,7 @@ creation_date = "2020/11/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -70,13 +70,13 @@ event.action:("audit-log-cleared" or "Log clear")
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.001"
-  name = "Clear Windows Event Logs"
-  reference = "https://attack.mitre.org/techniques/T1070/001/"


 [rule.threat.tactic]
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
@@ -3,7 +3,7 @@ creation_date = "2021/05/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -58,13 +58,21 @@ mean time to respond (MTTR).
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
-  "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman",
-  "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+    "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman",
+    "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
 ]
 risk_score = 21
 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Defense Evasion",
+    "Investigation Guide",
+    "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -86,23 +94,24 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.001"
-  name = "Clear Windows Event Logs"
-  reference = "https://attack.mitre.org/techniques/T1070/001/"

 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+

-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.006"
-  name = "Indicator Blocking"
-  reference = "https://attack.mitre.org/techniques/T1562/006/"

 [rule.threat.tactic]
 id = "TA0005"
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -45,13 +45,13 @@ sequence by host.id with maxspan=5s
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.004"
+name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.004"
-  name = "File Deletion"
-  reference = "https://attack.mitre.org/techniques/T1070/004/"


 [rule.threat.tactic]
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ file where event.type == "change" and file.name : "*AAA.AAA"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
@@ -3,7 +3,7 @@ creation_date = "2022/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/28"
+updated_date = "2022/12/12"

 [rule]
 author = ["Elastic"]
@@ -30,18 +30,6 @@ sequence by host.id, winlog.event_data.TaskName with maxspan=5m
   [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
 '''

-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal on Host"
-reference = "https://attack.mitre.org/techniques/T1070/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"

 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -55,9 +43,21 @@ name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"


+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"


+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+