From 9d0c53bab253438777bba487a6096dc4c17c1408 Mon Sep 17 00:00:00 2001
From: Natalya Higdon
Date: Wed, 20 Mar 2024 13:10:26 -0500
Subject: [PATCH] Update detection_rules.json

---
 detection_rules.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/detection_rules.json b/detection_rules.json
index 08d564334..fa09e6444 100644
--- a/detection_rules.json
+++ b/detection_rules.json
@@ -240,10 +240,10 @@ }, "rrn:cba:::detection-rule:LJJ5YK8MZWH7": { "alert_title": "Suspicious Process - WScript Runs JavaScript File from Temp Or Download Directory", - "tactic": "Tactic seen, not recorded", - "technique": "Technique seen, not recorded", - "sub_technique": "Sub-Technique seen, not recorded", - "mitigation": "Mitigation not recorded" + "tactic": "TA0002 - Execution\nThe adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.", + "technique": "T1059 - Command and Scripting Interpreter\nAdversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.\n\nThere are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. 
Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.", + "sub_technique": "T1059.007 - JavaScript\nAdversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. 
Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.", + "mitigation": "MITIGATION\nM1021 - Restrict Web-Based Content\nRestrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.\n\nMITIGATION\nM1038 - Execution Prevention\nBlock execution of code on a system through application control, and/or script blocking.\n\nMITIGATION\nM1040 - Behavior Prevention on Endpoint\nUse capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.\n\nMITIGATION\nM1042 - Disable or Remove Feature or Program\nRemove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries." } }, "alert_types": {
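Review bot: the replacement values pack the ATT&CK ID, its name and the full MITRE description into a single string per field (`"tactic": "TA0002 - Execution\nThe adversary is trying to run malicious code..."`), so any consumer of detection_rules.json that wants to group or filter alerts by tactic or technique now has to parse free text to recover `TA0002`, `T1059` or `T1059.007`; consider keeping `tactic`, `technique` and `sub_technique` as ID plus name only (e.g. `"technique": "T1059 - Command and Scripting Interpreter"`) with the description in a separate field, and representing `mitigation` as a JSON array of the four entries (M1021, M1038, M1040, M1042) instead of one string joined with `MITIGATION\n` separators. The mapping itself fits the alert title (WScript executing a .js file from a temp or download directory is T1059.007 under TA0002, and M1038 execution prevention is the mitigation that directly addresses it), and the embedded newlines are valid JSON escapes, so this is a structure point rather than a correctness one; the old "seen, not recorded" placeholders should also be documented somewhere if other rules in the file still carry them, since consumers will otherwise see two formats in the same field.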