From 0ee720e52671686e64a536c8c42a440795d86b7c Mon Sep 17 00:00:00 2001
From: "Natalya Higdon @ Security Tapestry"
Date: Tue, 2 Jan 2024 09:15:52 -0600
Subject: [PATCH] Update detection_rules.json
---
 detection_rules.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/detection_rules.json b/detection_rules.json
index 00d3703ae..07cb07c15 100644
--- a/detection_rules.json
+++ b/detection_rules.json
@@ -184,10 +184,10 @@
 },
 "rrn:cba:::detection-rule:TC5BN3FTWZDC": {
 "alert_title": "Suspicious Authentication - Performive",
- "tactic": "Tactic seen, not recorded",
- "technique": "Technique seen, not recorded",
- "sub_technique": "Sub-Technique seen, not recorded",
- "mitigation": "Mitigation not recorded"
+ "tactic": "TA0001 - Initial Access\nThe adversary is trying to get into your network.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.",
+ "technique": "T1078 - Valid Accounts\nAdversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.",
+ "sub_technique": "T1078.001 - Default Accounts\nAdversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.\n\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.",
+ "mitigation": "MITIGATION\nM1027 - Password Policies\nSet and enforce secure password policies for accounts.\n\nMITIGATION\nM1017 - User Training\nTrain users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.\n\nMITIGATION\nM1026 - Privileged Account Management\nManage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.\n\nMITIGATION\nM1032 - Multi-factor Authentication\nUse two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator."
 },
 "rrn:cba:::detection-rule:L7NH1T75UATF": {
 "alert_title": "Attacker Technique - Inbox Forwarding Rule Created",
@@ -319,4 +319,4 @@
 "mitigation": "Mitigation not recorded"
 }
 }
-}
\ No newline at end of file
+}
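Review bot: The four new values bury the machine-relevant ATT&CK identifiers inside prose, so a consumer that wants to filter, group or pivot alerts on `T1078`, `T1078.001` or `M1032` has to parse the leading `ID - Name` token out of a paragraph, and `mitigation` goes further by serialising four distinct mitigations into one string delimited by the literal `MITIGATION\n` header. Consider adding structured fields next to the display strings (names below are a proposal, matching the file's snake_case) so the existing `tactic`/`technique`/`sub_technique`/`mitigation` keys stay untouched for current readers and the rules that still carry `"Mitigation not recorded"` (second hunk, near line 319) keep their shape. The copied descriptions will drift from upstream ATT&CK across releases, so recording the release once, e.g. `"attack_version": "<ATT&CK release the text was copied from>"`, keeps that drift auditable. The enclosing top-level rule map opens and closes outside this hunk.
```json
"alert_title": "Suspicious Authentication - Performive",
"tactic_id": "TA0001",
"technique_id": "T1078",
"sub_technique_id": "T1078.001",
"mitigations": [
  { "id": "M1027", "name": "Password Policies" },
  { "id": "M1017", "name": "User Training" },
  { "id": "M1026", "name": "Privileged Account Management" },
  { "id": "M1032", "name": "Multi-factor Authentication" }
],
```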