Rule Tuning Update MITRE Details (#2526)

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-02-10 23:05:28 +05:30
parent 8a7ad13611
commit f8e97da549
9 changed files with 138 additions and 14 deletions
@@ -2,7 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"

 [rule]
 author = ["Elastic"]
@@ -43,6 +43,10 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.006"
 name = "Python"
 reference = "https://attack.mitre.org/techniques/T1059/006/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"



@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -30,7 +30,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "Execution"]
 type = "machine_learning"

 [[rule.threat]]
@@ -51,3 +51,22 @@ reference = "https://attack.mitre.org/techniques/T1543/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1204.002"
+    name = "Malicious File"
+    reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/01/30"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -89,7 +89,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "Execution"]
 type = "machine_learning"

 [[rule.threat]]
@@ -104,4 +104,22 @@ reference = "https://attack.mitre.org/techniques/T1543/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1204.002"
+    name = "Malicious File"
+    reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

@@ -56,7 +56,7 @@ references = [
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control", "Investigation Guide"]
 type = "eql"

 query = '''
@@ -88,4 +88,20 @@ reference = "https://attack.mitre.org/techniques/T1218/011/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"

+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -46,6 +46,10 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"



@@ -53,4 +57,16 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/03"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -203,6 +203,11 @@ framework = "MITRE ATT&CK"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+


 [rule.threat.tactic]
@@ -82,7 +82,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Credential Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -105,4 +105,21 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Windows Script Interpreter Executing Process via WMI"
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Execution"]
 type = "eql"

 query = '''
@@ -72,4 +72,16 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"

 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ references = ["https://www.elastic.co/blog/vulnerability-summary-follina"]
 risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Execution"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -107,4 +107,21 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"