security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)

Browse Source 
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules

* Fix dates

* Fix unit test errors

* updated tags and fixed branch conflicts

updated tags and fixed branch conflicts

* description nit

* Reverting unintended changes

* Update initial_access_suspicious_ms_office_child_process.toml

---------

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>

(cherry picked from commit f584fb6e31)
This commit is contained in:
Jonhnathan
2023-10-15 18:12:20 -03:00
committed by github-actions[bot]
parent 2f7471e749
commit ef715864f4
174 changed files with 2893 additions and 351 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/initial_access_script_executing_powershell.toml
+25 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/10/13"
[rule]
author = ["Elastic"]
@@ -74,7 +74,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -102,3 +102,26 @@ id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"