[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)

* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules

* Fix dates

* Fix unit test errors

* updated tags and fixed branch conflicts

updated tags and fixed branch conflicts

* description nit

* Reverting unintended changes

* Update initial_access_suspicious_ms_office_child_process.toml

---------

Co-authored-by: imays11 <[email protected]>

Removed changes from:
- rules/windows/credential_access_suspicious_lsass_access_memdump.toml
- rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

(selectively cherry picked from commit f584fb6)

rules/windows/collection_email_powershell_exchange_mailbox.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ references = [
 risk_score = 47
 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -104,3 +104,21 @@ id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/collection_mailbox_export_winlog.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/11"
+updated_date = "2023/10/13"
 
 [rule]
 author = ["Elastic"]
@@ -80,6 +80,11 @@ event.category:process and host.os.type:windows and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"

rules/windows/collection_posh_audio_capture.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/17"
+updated_date = "2023/10/09"
 
 [rule]
 author = ["Elastic"]
@@ -117,6 +117,11 @@ name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
 
 
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
 
 [rule.threat.tactic]
 id = "TA0002"

rules/windows/collection_posh_keylogger.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/21"
+updated_date = "2023/10/09"
 
 [rule]
 author = ["Elastic"]
@@ -128,6 +128,11 @@ name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
 
 
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
 
 [rule.threat.tactic]
 id = "TA0002"

rules/windows/collection_winrar_encryption.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 
 [rule]
 author = ["Elastic"]
@@ -90,6 +90,11 @@ id = "T1560.001"
 name = "Archive via Utility"
 reference = "https://attack.mitre.org/techniques/T1560/001/"
 
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 
 
 [rule.threat.tactic]

rules/windows/command_and_control_certreq_postdata.toml

@@ -4,23 +4,23 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.
+Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Exfiltration via Certreq"
+name = "Potential File Transfer via Certreq"
 references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"]
 risk_score = 47
 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -56,3 +56,16 @@ reference = "https://attack.mitre.org/techniques/T1218/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+

rules/windows/command_and_control_common_webservices.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 
 [transform]
 [[transform.osquery]]
@@ -180,6 +180,15 @@ id = "T1102"
 name = "Web Service"
 reference = "https://attack.mitre.org/techniques/T1102/"
 
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+
+  [[rule.threat.technique.subtechnique]]
+  id = "T1568.002"
+  name = "Domain Generation Algorithms"
+  reference = "https://attack.mitre.org/techniques/T1568/002/"
 
 [rule.threat.tactic]
 id = "TA0011"

rules/windows/command_and_control_dns_tunneling_nslookup.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,10 @@ id = "T1071.004"
 name = "DNS"
 reference = "https://attack.mitre.org/techniques/T1071/004/"
 
-
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
 
 [rule.threat.tactic]
 id = "TA0011"

rules/windows/command_and_control_port_forwarding_added_registry.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 
 [rule]
 author = ["Elastic"]
@@ -74,6 +74,7 @@ tags = [
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Command and Control",
+    "Tactic: Defense Evasion",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend"
@@ -102,3 +103,15 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/command_and_control_rdp_tunnel_plink.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 
 [rule]
 author = ["Elastic"]
@@ -65,6 +65,7 @@ tags = [
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Command and Control",
+    "Tactic: Lateral Movement",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend"
@@ -93,3 +94,20 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

rules/windows/command_and_control_remote_file_copy_scripts.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -96,7 +96,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
 risk_score = 47
 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''
@@ -121,3 +121,21 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/credential_access_cmdline_dump_tool.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 
 [rule]
 author = ["Elastic"]
@@ -64,6 +64,7 @@ tags = [
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
+    "Tactic: Defense Evasion",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend"
@@ -130,3 +131,21 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -57,6 +57,11 @@ id = "T1003.002"
 name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
+
 
 
 [rule.threat.tactic]