From f8e97da549e2c79c1b050a461b6e04e81604acb8 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Fri, 10 Feb 2023 23:05:28 +0530
Subject: [PATCH] Rule Tuning Update MITRE Details (#2526)
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---
 .../execution_python_script_in_cmdline.toml | 6 ++++-
 ...ce_ml_windows_anomalous_path_activity.toml | 23 +++++++++++++++++--
 ...l_windows_anomalous_process_all_hosts.toml | 22 ++++++++++++++++--
 ...usual_network_connection_via_rundll32.toml | 18 ++++++++++++++-
 .../execution_command_shell_via_rundll32.toml | 20 ++++++++++++++--
 .../execution_from_unusual_path_cmdline.toml | 7 +++++-
 ...copy_deletion_or_resized_via_vssadmin.toml | 19 ++++++++++++++-
 ...ccess_scripts_process_started_via_wmi.toml | 16 +++++++++++--
 ...ss_suspicious_ms_office_child_process.toml | 21 +++++++++++++++--
 9 files changed, 138 insertions(+), 14 deletions(-)
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index e47ad6914..8668373dd 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"
 [rule]
 author = ["Elastic"]
@@ -43,6 +43,10 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.006"
 name = "Python"
 reference = "https://attack.mitre.org/techniques/T1059/006/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 43a5dc8cf..c7bba243c 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
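Review bot: The new `T1059.003` Windows Command Shell sub-technique is attached to a rule that lives under `rules/cross-platform/` and already maps to `T1059.006` Python; unless the EQL query (outside this hunk) also matches a `cmd.exe` invocation, the sub-technique advertises coverage the rule does not provide, and that claim propagates straight into ATT&CK coverage views. Confirm against the query before keeping the block, or drop it so the mapping stays `T1059.006` only. If the intent is to cover Python launched from a shell, the parent `T1059` already present covers that without a Windows-specific sub-technique on a cross-platform rule.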
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -30,7 +30,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "Execution"]
 type = "machine_learning"
 [[rule.threat]]
@@ -51,3 +51,22 @@ reference = "https://attack.mitre.org/techniques/T1543/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1204.002"
+ name = "Malicious File"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index a98fd63bb..25e9eea83 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/01/30"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
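Review bot: The added `[[rule.threat.technique.subtechnique]]` table and its three keys carry leading whitespace and are fenced by two blank lines on each side, while every other table in this hunk sits at column 0 with none; the hunk also appends a trailing blank line after `reference = "https://attack.mitre.org/tactics/TA0002/"` at end of file. TOML ignores the indentation, so this is a consistency issue rather than a parse error, but it will make the next diff of this file noisy as soon as a formatter touches it. The same indented block appears in the `persistence_ml_windows_anomalous_process_all_hosts.toml` hunk, and the doubled or tripled blank lines before `[rule.threat.tactic]` recur in the rundll32, command shell, vssadmin, WMI and Office hunks. Dedent the four lines and keep a single blank line around each table, matching the existing `[[rule.threat]]` entries.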
@@ -89,7 +89,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "Execution"]
 type = "machine_learning"
 [[rule.threat]]
@@ -104,4 +104,22 @@ reference = "https://attack.mitre.org/techniques/T1543/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1204.002"
+ name = "Malicious File"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index b94cec378..f804fa245 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -56,7 +56,7 @@ references = [
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control", "Investigation Guide"]
 type = "eql"
 query = '''
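Review bot: `defense_evasion_unusual_network_connection_via_rundll32.toml` gains a new tag here and a whole new `[[rule.threat]]` entry in its next hunk, yet unlike the other seven files in this patch it has no hunk touching `updated_date`; the diffstat (`18 ++++++++++++++-`, 17 insertions and 1 deletion, all accounted for by the two visible hunks) confirms the field was left alone. The same gap applies to `impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml` (`19 ++++++++++++++-`). Add `updated_date = "2023/02/07"` to the `[metadata]` table of both files so the mapping change is visible to anything that keys on that field, consistent with the bumps elsewhere in this commit.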
@@ -88,4 +88,20 @@ reference = "https://attack.mitre.org/techniques/T1218/011/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index cf46c7e4a..fd3816413 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -46,6 +46,10 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
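Review bot: `T1071.001` Web Protocols asserts that the connection rundll32 makes is HTTP/HTTPS, but nothing in this hunk ties the rule to a port or protocol, and the rule name speaks of an "unusual network connection" in general; if the EQL query (outside the hunk) matches any outbound connection from rundll32.exe, the sub-technique overstates what fires and the parent `T1071` is the defensible mapping. Confirm against the query, then either keep the sub-technique only if the query filters on web ports or protocols, or leave `T1071` alone under the Command and Control tactic so the coverage claim matches the detection.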
@@ -53,4 +57,16 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index f780ec817..45ae94555 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/03"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -203,6 +203,11 @@ framework = "MITRE ATT&CK"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [rule.threat.tactic]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index efd3b162c..745b0ad86 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
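Review bot: `T1552` Unsecured Credentials and a second tactic, `Credential Access`, are added to a rule whose existing mappings are all `T1059` execution sub-techniques, and nothing in this hunk or the PR description shows which rundll32 invocation the rule treats as credential access; an unexplained extra tactic is exactly the kind of mapping that gets copied into coverage dashboards and never questioned. Confirm the query clause that justifies it (the query is outside this hunk) and cite it in the description, or drop the new `[[rule.threat]]` block and the matching `"Credential Access"` tag from the earlier hunk. If the justification is a specific DLL export, the rule description should say so as well, since the rule name only mentions a command shell.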
@@ -82,7 +82,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Credential Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -105,4 +105,21 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 7f9fff65c..d67dba175 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Windows Script Interpreter Executing Process via WMI"
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Execution"]
 type = "eql"
 query = '''
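Review bot: `T1003.003` NTDS maps this rule to NTDS.dit dumping, but the rule name says it fires on shadow copies being deleted or resized, which is the Impact side (`T1490`) already mapped above; credential dumping through VSS depends on a shadow copy existing, so the deletion or resize the rule keys on is not the step that exposes NTDS. Unless the EQL query (outside this hunk) also matches shadow-copy creation, the new `[[rule.threat]]` entry and the `"Credential Access"` tag from the earlier hunk claim coverage the rule does not provide and should be dropped, or the rule description should state the link so an analyst reading the alert is not misled. The three blank lines before `[rule.threat.tactic]` should also collapse to one to match the rest of the file.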
@@ -72,4 +72,16 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index d6e6ed8fa..d892565f3 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/07"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ references = ["https://www.elastic.co/blog/vulnerability-summary-follina"]
 risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Execution"]
 timestamp_override = "event.ingested"
 type = "eql"
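Review bot: The new `"Execution"` tag is appended after `"Investigation Guide"`, whereas the other tag edits in this patch insert the tactic before that marker (`"Impact", "Credential Access", "Investigation Guide"` in the vssadmin hunk, `"Defense Evasion", "Command and Control", "Investigation Guide"` in the rundll32 hunk). Keep the tactic-then-marker order here too: `tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Execution", "Investigation Guide"]`. It is cosmetic for the Security app, but consistent ordering keeps tag-based tooling and future diffs predictable.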
@@ -107,4 +107,21 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"