diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py
index bac0fd15b..238a269f5 100644
--- a/detection_rules/devtools.py
+++ b/detection_rules/devtools.py
@@ -28,7 +28,7 @@ from eql.table import Table
 from kibana.connector import Kibana
 from . import attack, rule_loader, utils
-from .cli_utils import multi_collection, single_collection
+from .cli_utils import single_collection
 from .docs import IntegrationSecurityDocs
 from .endgame import EndgameSchemaManager
 from .eswrap import CollectEvents, add_range_to_dsl
@@ -1226,13 +1226,14 @@ def refresh_threat_mappings():
 @attack_group.command('update-rules')
-@multi_collection
-def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
+def update_attack_in_rules() -> List[Optional[TOMLRule]]:
 """Update threat mappings attack data in all rules."""
 new_rules = []
 redirected_techniques = attack.load_techniques_redirect()
 today = time.strftime('%Y/%m/%d')
+ rules = RuleCollection.default()
+
 for rule in rules.rules:
 needs_update = False
 valid_threat: List[ThreatMapping] = []
@@ -1241,14 +1242,29 @@ def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
 for entry in threat:
 tactic = entry.tactic.name
- techniques = []
+ technique_ids = []
+ technique_names = []
 for technique in entry.technique or []:
- techniques.append(technique.id)
- techniques.extend([st.id for st in technique.subtechnique or []])
+ technique_ids.append(technique.id)
+ technique_names.append(technique.name)
+ technique_ids.extend([st.id for st in technique.subtechnique or []])
+ technique_names.extend([st.name for st in technique.subtechnique or []])
- if any([t for t in techniques if t in redirected_techniques]):
+ # check redirected techniques by ID
+ # redirected techniques are technique IDs that have changed but represent the same technique
+ if any([tid for tid in technique_ids if tid in redirected_techniques]):
 needs_update = True
- threat_pending_update[tactic] = techniques
+ threat_pending_update[tactic] = technique_ids
+ click.echo(f"'{rule.contents.name}' requires update - technique ID change")
+
+ # check for name change
+ # happens if technique ID is the same but name changes
+ expected_technique_names = [attack.technique_lookup[str(tid)]["name"] for tid in technique_ids]
+ if any([tname for tname in technique_names if tname not in expected_technique_names]):
+ needs_update = True
+ threat_pending_update[tactic] = technique_ids
+ click.echo(f"'{rule.contents.name}' requires update - technique name change")
+
 else:
 valid_threat.append(entry)
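Review bot: The `else:` that appends the entry to `valid_threat` now belongs to the new name-change `if`, not to the redirect check above it (as far as the collapsed indentation lets me tell, both checks sit at the same level), so a threat entry whose technique IDs are redirected but whose names still match `attack.technique_lookup` is both recorded in `threat_pending_update[tactic]` and kept in `valid_threat`, and the rule rebuild later in the function would presumably carry the stale entry alongside the updated one. Making the second check an `elif` restores the old either/or. The lookup `attack.technique_lookup[str(tid)]["name"]` also raises `KeyError` for any ID absent from the loaded ATT&CK data (a revoked or mistyped technique), aborting the command after earlier rules were already saved; reporting the missing ID and flagging the rule is safer, assuming `technique_lookup` is a plain dict. The pairwise `zip` below is also stricter than the membership test, which would not notice a technique whose name happened to match a different technique's name. `update_attack_in_rules` starts before and continues after this hunk.
```python
# … unchanged: technique_ids / technique_names collection …
# check redirected techniques by ID
# redirected techniques are technique IDs that have changed but represent the same technique
if any(tid in redirected_techniques for tid in technique_ids):
    needs_update = True
    threat_pending_update[tactic] = technique_ids
    click.echo(f"'{rule.contents.name}' requires update - technique ID change")
# otherwise check for a name change (same ID, renamed technique); an ID missing from the
# loaded ATT&CK data is reported here rather than raising KeyError part-way through the run
elif any(attack.technique_lookup.get(str(tid), {}).get("name") != tname
         for tid, tname in zip(technique_ids, technique_names)):
    unknown = [str(tid) for tid in technique_ids if str(tid) not in attack.technique_lookup]
    if unknown:
        click.echo(f"'{rule.contents.name}' references unknown technique(s): {', '.join(unknown)}")
    needs_update = True
    threat_pending_update[tactic] = technique_ids
    click.echo(f"'{rule.contents.name}' requires update - technique name change")
else:
    valid_threat.append(entry)
```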
@@ -1265,12 +1281,12 @@ def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
 new_meta = dataclasses.replace(rule.contents.metadata, updated_date=today)
 new_data = dataclasses.replace(rule.contents.data, threat=valid_threat)
 new_contents = dataclasses.replace(rule.contents, data=new_data, metadata=new_meta)
- new_rule = TOMLRule(contents=new_contents)
+ new_rule = TOMLRule(contents=new_contents, path=rule.path)
 new_rule.save_toml()
 new_rules.append(new_rule)
 if new_rules:
- click.echo(f'{len(new_rules)} rules updated')
+ click.echo(f'\nFinished - {len(new_rules)} rules updated!')
 else:
 click.echo('No rule changes needed')
 return new_rules
diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json
index 5334ba13b..598bf5df9 100644
--- a/detection_rules/etc/attack-technique-redirects.json
+++ b/detection_rules/etc/attack-technique-redirects.json
@@ -132,5 +132,5 @@
 "T1536": "T1578.004",
 "T1547.011": "T1647"
 },
- "saved_date": "Tue Oct 4 21:58:48 2022"
+ "saved_date": "Mon Dec 12 12:29:00 2022"
 }
\ No newline at end of file
diff --git a/detection_rules/etc/attack-v11.3.json.gz b/detection_rules/etc/attack-v11.3.json.gz
deleted file mode 100644
index f4e205b80..000000000
Binary files a/detection_rules/etc/attack-v11.3.json.gz and /dev/null differ
diff --git a/detection_rules/etc/attack-v12.1.json.gz b/detection_rules/etc/attack-v12.1.json.gz
new file mode 100644
index 000000000..52512918e
Binary files /dev/null and b/detection_rules/etc/attack-v12.1.json.gz differ
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 9f049370e..57049b01d 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
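Review bot: `new_rule.save_toml()` still runs inside the per-rule loop, so an exception raised while processing a later rule (for example a technique ID missing from the loaded ATT&CK data, which the name check two hunks up indexes without a guard) leaves the rule set half-rewritten on disk, with earlier files already stamped with today's `updated_date` and no summary printed. Deferring the writes until the loop completes — only `new_rules.append(new_rule)` in the loop, then `for new_rule in new_rules: new_rule.save_toml()` immediately before the `if new_rules:` summary — makes the command all-or-nothing. Passing `path=rule.path` is the right way to write back to the original file; a one-line comment such as `# keep the source path so save_toml() overwrites the original rule file` would explain why it is needed here when `TOMLRule` is otherwise built without one. `update_attack_in_rules` begins before this hunk.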
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ file where event.type == "deletion" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 0bb02a8a5..fc3a47d28 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml
index 1922928ea..16bbd0cb7 100644
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml
+++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.006"
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 9d44f4936..888017198 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -12,8 +12,8 @@ description = "Identifies the creation of an AWS log trail that specifies the se
 false_positives = [
 """
 Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should
- be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be
+ investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
 from = "now-60m"
@@ -45,7 +45,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index c2560f914..ab10ce280 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/27"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index 138eea2cf..f92545245 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -119,7 +119,7 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index 0af85cdf4..ffb55f482 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = "azure"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
@@ -55,6 +55,7 @@ reference = "https://attack.mitre.org/techniques/T1530/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 32844d95e..7fa94db47 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/23"
+integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index b12ea3ed0..9dc42a54b 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/23"
+integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ used to forward messages from publishers to subscribers.
 false_positives = [
 """
 Topic creations may be done by a system or network administrator. Verify whether the user email, resource name,
- and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should
- be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be
+ investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
 index = ["filebeat-*", "logs-gcp*"]
@@ -44,7 +44,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index c8e00083e..87c63779d 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ event.category:process and event.type:(start or process_started) and process.nam
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 94b77fed6..6137d45bc 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/17"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -54,13 +54,15 @@ file where event.type == "deletion" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index cb70fa212..dfe01cd61 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -3,7 +3,7 @@ creation_date = "2021/11/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"
 [rule]
 author = ["Austin Songer"]
@@ -68,7 +68,15 @@ references = [
 risk_score = 47
 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion",
+ "Investigation Guide",
+ "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -85,7 +93,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 0a7f9138c..bdfd16014 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion",
+ "Investigation Guide",
+ "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,7 +94,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.001"
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 00c8518eb..7ca07e48f 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -70,13 +70,13 @@ event.action:("audit-log-cleared" or "Log clear")
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1070.001"
- name = "Clear Windows Event Logs"
- reference = "https://attack.mitre.org/techniques/T1070/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index fad3b0c69..28fd03f29 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 534f26945..404674639 100644
@@ -3,7 +3,7 @@ creation_date = "2021/05/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -58,13 +58,21 @@ mean time to respond (MTTR).
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """
 references = [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman",
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman",
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
 ]
 risk_score = 21
 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion",
+ "Investigation Guide",
+ "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,23 +94,24 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1070.001"
- name = "Clear Windows Event Logs"
- reference = "https://attack.mitre.org/techniques/T1070/001/"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1562.006"
- name = "Indicator Blocking"
- reference = "https://attack.mitre.org/techniques/T1562/006/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 5b630ac27..7275f7a4a 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -45,13 +45,13 @@ sequence by host.id with maxspan=5s
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.004"
+name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"
- [[rule.threat.technique.subtechnique]]
- id = "T1070.004"
- name = "File Deletion"
- reference = "https://attack.mitre.org/techniques/T1070/004/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index b279fc1c0..e167cd758 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ file where event.type == "change" and file.name : "*AAA.AAA"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
diff --git a/rules/windows/defense_evasion_persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml
similarity index 96%
rename from rules/windows/defense_evasion_persistence_temp_scheduled_task.toml
rename to rules/windows/persistence_temp_scheduled_task.toml
index 8957ebf4f..7964a3f73 100644
--- a/rules/windows/defense_evasion_persistence_temp_scheduled_task.toml
+++ b/rules/windows/persistence_temp_scheduled_task.toml
@@ -3,7 +3,7 @@ creation_date = "2022/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/28"
+updated_date = "2022/12/12"
 [rule]
 author = ["Elastic"]
@@ -30,18 +30,6 @@ sequence by host.id, winlog.event_data.TaskName with maxspan=5m
 [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal on Host"
-reference = "https://attack.mitre.org/techniques/T1070/"
- - [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -55,9 +43,21 @@ name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+