security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166)

Browse Source 
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
This commit is contained in:
Ruben Groenewoud
2024-10-18 17:02:26 +02:00
committed by GitHub
parent 601254488b
commit b309bcb7ae
12 changed files with 89 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_setuid_setgid_capability_set.toml
+8 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2023/09/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -141,13 +141,14 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl")
process.name == "setcap" and process.args : "cap_set?id+ep" and not (
process.parent.name in ("jem", "vzctl") or
process.args like "/usr/bin/new?idmap"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -155,21 +156,21 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/linux/persistence_user_password_change.toml → rules/linux/persistence_shadow_file_modification.toml
+4 -6
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -56,35 +56,33 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and
file.path == "/etc/shadow" and file.Ext.original.path != null
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/linux/persistence_shared_object_creation.toml
+13 -10
View File
@@ -2,7 +2,7 @@
creation_date = "2023/06/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -163,26 +163,30 @@ type = "new_terms"
query = '''
host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
process.name:("dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or
"apt-get" or "dnf" or "podman" or "platform-python") or
(process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)
process.name:(
"dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or
platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or
"systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or
"installer.bin.inst" or "uninstall-bin" or "linux_agent.inst"
) or
(process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or
process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
@@ -190,9 +194,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path", "process.executable"]
value = ["file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
rules/linux/persistence_shell_configuration_modification.toml
+4 -6
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -59,7 +59,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
// system-wide configurations
@@ -94,27 +93,26 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
"/usr/libexec/platform-python*"
) or
process.executable == null or
process.name in ("adclient", "mkhomedir_helper", "teleport", "mkhomedir", "adduser", "desktopDaemon") or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.004"
name = "Unix Shell Configuration Modification"
reference = "https://attack.mitre.org/techniques/T1546/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/linux/persistence_ssh_netcon.toml
+5 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/18"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -41,7 +41,10 @@ sequence by host.id with maxspan=1s
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8", "172.31.0.0/16"
)
) and not process.executable in ("/bin/yum", "/usr/bin/yum")
) and not (
process.executable in ("/bin/yum", "/usr/bin/yum") or
process.name in ("login_duo", "ssh", "sshd", "sshd-session")
)
] by process.parent.entity_id
'''
rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
+13 -11
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -40,63 +40,65 @@ sequence by host.id, user.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and
process.executable != null and
not process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") and
process.command_line != "sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"] by process.parent.pid, process.parent.entity_id
process.executable != null and not (
process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") or
process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
process.command_line like "sh -c /usr/bin/env -i PATH=*"
)] by process.parent.pid, process.parent.entity_id
[process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
[network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/linux/persistence_systemd_generator_creation.toml
+8 -10
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/19"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -60,7 +60,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
"/run/systemd/system-generators/*", "/etc/systemd/system-generators/*",
@@ -75,9 +74,9 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
"/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
"/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
"/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
"/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
"/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/usr/sbin/sshd",
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd"
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/platform-python"
) or
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
file.Ext.original.extension == "dpkg-new" or
@@ -85,39 +84,38 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/linux/persistence_systemd_netcon.toml
+7 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2024/02/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -57,7 +57,6 @@ tags = [
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -65,33 +64,33 @@ sequence by host.id with maxspan=5s
"python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk"
)
] by process.entity_id
[network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start"
] by process.parent.entity_id
[network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
not process.executable == "/tmp/newroot/bin/curl"] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -99,6 +98,7 @@ framework = "MITRE ATT&CK"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -106,4 +106,3 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/linux/persistence_systemd_scheduled_timer_created.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2023/02/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -40,7 +40,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
@@ -156,7 +155,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
"/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*",
@@ -176,6 +174,10 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
"/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor",
"/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe"
) or
process.name like (
"python*", "crio", "apt-get", "install", "snapd", "cloudflared", "sshd", "convert-usrmerge", "docker-init",
"google_metadata_script_runner"
) or
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
file.Ext.original.extension == "dpkg-new" or
process.executable : (
@@ -187,22 +189,20 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.006"
name = "Systemd Timers"
reference = "https://attack.mitre.org/techniques/T1053/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/linux/persistence_systemd_service_creation.toml
+11 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2023/06/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -185,7 +185,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
"/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*",
@@ -213,44 +212,48 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
"/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
) or
process.executable == null or
process.name like (
"ssm-agent-worker", "python*", "platform-python*", "dnf_install", "cloudflared", "lxc-pve-prestart-hook",
"convert-usrmerge", "elastic-agent", "google_metadata_script_runner", "update-alternatives", "gitlab-runner",
"install", "crio", "apt-get", "package-cleanup", "dcservice", "dcregister", "jumpcloud-agent", "executor"
) or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/linux/persistence_udev_rule_creation.toml
+3 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2023/10/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -56,7 +56,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and
process.executable != null and file.extension == "rules" and
@@ -79,14 +78,15 @@ file.path : (
process.executable : (
"/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*"
) or
process.name in ("systemd", "netplan", "apt-get", "vmware-config-tools.pl", "systemd-hwdb") or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
@@ -97,9 +97,7 @@ id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
+6 -6
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -60,7 +60,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and
file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not (
@@ -75,6 +74,8 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not (
) or
process.name == "yumBackend.py" or
file.extension in ("swp", "swpx", "swx") or
file.Ext.original.name like ".ansible*" or
file.name like ".ansible_tmp*" or
process.executable : (
"/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*",
"/etc/kernel/*"
@@ -85,9 +86,9 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -97,22 +98,22 @@ reference = "https://attack.mitre.org/techniques/T1543/"
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -120,4 +121,3 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"