From f04ebf277c08aa4a8f4cc5454fa8b60ede9126f7 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Wed, 15 Feb 2023 14:58:29 -0500
Subject: [PATCH] [Rule Tuning] (#2537) add t1018 Remote system discovery

---
 .../discovery_enumerating_domain_trusts_via_dsquery.toml | 7 +++++--
 .../discovery_enumerating_domain_trusts_via_nltest.toml | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index 258fb593b..f8bec73ea 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/27"
+updated_date = "2023/02/09"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,10 @@ framework = "MITRE ATT&CK"
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
-
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
 
 [rule.threat.tactic]
 id = "TA0007"
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index df7589298..9911c0564 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/09"
 
 [rule]
 author = ["Elastic"]
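Review bot: The new `[[rule.threat.technique]]` element for T1018 is not matched by any change to the rule's description, query or false-positive notes, so the rule itself gives no reason why dsquery-based domain trust enumeration should also be tagged as Remote System Discovery; the nltest rule's second hunk has the same gap. If the mapping rests on the query also matching invocations that list domain controllers or other hosts, one sentence to that effect in the rule description (outside this hunk) would let a reviewer verify the mapping instead of taking it on faith. Two points of style: the removed blank line leaves the T1018 table butting directly against the T1482 `reference` line while the `[rule.threat.tactic]` table keeps its separating blank, so restoring a blank line between the two technique elements keeps the layout uniform; and the techniques now read T1482 then T1018, so ordering them by ID is worth considering if the repository's rule formatter expects that. The enclosing `[rule.threat]` block begins before the hunk and the tactic table continues after it.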
@@ -54,7 +54,10 @@ framework = "MITRE ATT&CK"
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
-
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
 
 [rule.threat.tactic]
 id = "TA0007"