[Rule Tuning] Update ATT&CK threat map to reflect changes #705

Closed
brokensound77 opened this issue Dec 9, 2020 · 3 comments · Fixed by #706
Labels
Rule: Tuning tweaking or tuning an existing rule v7.11.0

Comments

@brokensound77
Contributor

brokensound77 commented Dec 9, 2020

Related to #215

Since ATT&CK data was refreshed (#330) and subtechnique support added (#337, #614), all rules using stale ATT&CK data can be refreshed (update IDs and names, many of which became subtechniques).

Up until now, a warning has been produced in unit tests for use of revoked rules. All of these will be updated and the warning will assert and fail when using a revoked technique.

tests/test_all_rules.py::TestThreatMappings::test_technique_deprecations
  detection-rules-fork/tests/test_all_rules.py:223: UserWarning: The following rules are using deprecated ATT&CK techniques (https://attack.mitre.org/resources/updates/):
  {
    "T1015": [
      "7405ddf1-6c8e-41ce-818f-48bea6bcaed8 - Potential Modification of Accessibility Binaries",
      "7405ddf1-6c8e-41ce-818f-48bea6bcaed8 - Potential Modification of Accessibility Binaries"
    ],
    "T1035": [
      "55d551c6-333b-4665-ab7e-5d14a59715ce - PsExec Network Connection",
      "55d551c6-333b-4665-ab7e-5d14a59715ce - PsExec Network Connection",
      "aa9a274d-6b53-424d-ac5e-cb8ca4251650 - Remotely Started Services via RPC",
      "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc - Service Command Lateral Movement",
      "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2 - Suspicious Process Execution via Renamed PsExec Executable"
    ],
    "T1044": [
      "2bf78aa2-9c56-48de-b139-f169bf99cf86 - Adobe Hijack Persistence"
    ],
    "T1050": [
      "265db8f5-fc73-4d0d-b434-6483b56372e2 - Persistence via Update Orchestrator Service Hijack",
      "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc - Service Command Lateral Movement",
      "36a8e048-d888-4f61-a8b9-0f9e2e40f317 - Suspicious ImagePath Service Creation",
      "0022d47d-39c7-4f69-a232-4fe9dc7a3acd - System Shells via Services",
      "403ef0d3-8259-40c9-a5b6-d48354712e49 - Unusual Persistence via Services Registry"
    ],
    "T1060": [
      "e7125cea-9fe1-42a5-9a05-b0792cf86f5a - Execution of Persistent Suspicious Program",
      "25224a80-5a4a-4b8a-991e-6ab390465c4f - Lateral Movement via Startup Folder",
      "a9b05c3b-b304-4bf9-970d-acdfaef2944c - Persistence via Hidden Run Key Detected",
      "f7c4dc5a-a58d-491d-9f14-9b66507121c0 - Persistent Scripts in the Startup Directory",
      "440e2db4-bc7f-4c96-a068-65b78da59bde - Shortcut File Written or Modified for Persistence",
      "2fba96c0-ade5-4bce-b92f-a5df2509da3f - Startup Folder Persistence via Unsigned Process",
      "97fc44d3-8dae-4019-ae83-298c3015600f - Startup or Run Key Registry Modification"
    ],
    "T1077": [
      "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14 - Mounting Hidden or WebDav Remote Shares",
      "ab75c24b-2502-43a0-bf7c-e60e662c811e - Remote Execution via File Shares",
      "fa01341d-6662-426b-9d0c-6d81e33c8a9d - Remote File Copy to a Hidden Share"
    ],
    "T1081": [
      "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec - Azure Key Vault Modified"
    ],
    "T1085": [
      "f036953a-4615-4707-a1ca-dc53bf69dcd5 - Unusual Child Processes of RunDLL32",
      "52aaab7b-b51c-441a-89ce-4387b3aea886 - Unusual Network Connection via RunDLL32"
    ],
    "T1086": [
      "37b211e8-4e2f-440f-86d8-06cc8f158cfa - AWS Execution via System Manager",
      "9ccf3ce0-0057-440a-91f5-870c6ad39093 - Command Shell Activity Started via RunDLL32",
      "0f616aee-8161-4120-857e-742366f5eeb3 - PowerShell spawning Cmd",
      "33f306e8-417c-411b-965c-c2812d6d3f4d - Remote File Download via PowerShell",
      "852c1f19-68e8-43a6-9dce-340771fe1be3 - Suspicious PowerShell Engine ImageLoad"
    ],
    "T1088": [
      "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62 - Bypass UAC via Event Viewer",
      "9b54e002-034a-47ac-9307-ad12c03fa900 - Bypass UAC via Sdclt",
      "fc7c0fa4-8f03-4b3e-8336-c5feab0be022 - UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
      "5a14d01d-7ac8-4545-914c-b687c2cf66b3 - UAC Bypass Attempt via Privileged IFileOperation COM Interface",
      "290aca65-e94d-403b-ba0f-62f320e63f51 - UAC Bypass Attempt via Windows Directory Masquerading",
      "b90cdde7-7e0d-4359-8bf0-2c112ce2008a - UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
      "1dcc51f6-ba26-49e7-9ef4-2655abb2361e - UAC Bypass via DiskCleanup Scheduled Task Hijack",
      "68d56fdc-7ffa-4419-8e95-81641bd6f845 - UAC Bypass via ICMLuaUtil Elevated COM Interface",
      "1178ae09-5aff-460a-9f2f-455cd0ac4d8e - UAC Bypass via Windows Firewall Snap-In Hijack"
    ],
    "T1089": [
      "7024e2a0-315d-4334-bb1a-441c593e16ab - AWS CloudTrail Log Deleted",
      "1aa8fa52-44a7-4dae-b058-f3333b91c8d7 - AWS CloudTrail Log Suspended",
      "f772ec8a-e182-483c-91d2-72058f76a44c - AWS CloudWatch Alarm Deletion",
      "68a7a5a5-a2fc-4a76-ba9f-26849de881b4 - AWS CloudWatch Log Group Deletion",
      "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17 - AWS CloudWatch Log Stream Deletion",
      "7024e2a0-315d-4334-bb1a-552d604f27bc - AWS Config Service Tampering",
      "fbd44836-0d69-4004-a0b4-03c20370c435 - AWS Configuration Recorder Stopped",
      "9395fd2c-9947-4472-86ef-4aceb2f7e872 - AWS EC2 Flow Log Deletion",
      "8623535c-1e17-44e1-aa97-7a0699c3037d - AWS EC2 Network Access Control List Deletion",
      "523116c0-d89d-4d7c-82c2-39e6845a78ef - AWS GuardDuty Detector Deletion",
      "91d04cd4-47a9-4334-ab14-084abe274d49 - AWS WAF Access Control List Deletion",
      "5beaebc1-cc13-4bfc-9949-776f9e0dc318 - AWS WAF Rule or Rule Group Deletion",
      "125417b8-d3df-479f-8418-12d7e034fee3 - Attempt to Disable IPTables or Firewall",
      "2f8a1226-5720-437d-9c20-e0029deb6194 - Attempt to Disable Syslog Service",
      "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7 - Attempt to Remove File Quarantine Attribute",
      "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de - Azure Diagnostic Settings Deletion",
      "e0f36de1-0342-453d-95a9-a068b257b053 - Azure Event Hub Deletion",
      "e02bd3ea-72c6-4181-ac2b-0f83d17ad969 - Azure Firewall Policy Deletion",
      "323cb487-279d-4218-bcbd-a568efe930c6 - Azure Network Watcher Deletion",
      "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f - Azure Resource Group Deletion",
      "4b438734-3793-4fda-bd42-ceeada0be8f9 - Disable Windows Firewall Rules via Netsh",
      "cd66a5af-e34b-4bb0-8931-57d0a043f2ef - Kernel Module Removal",
      "3535c8bb-3bd5-40f4-ae32-b7cd589d5372 - Port Forwarding Rule Addition",
      "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e - Potential Disabling of SELinux",
      "074464f9-f30d-4029-8c03-0ed237fffec7 - Remote Desktop Enabled in Windows Firewall",
      "9aa0e1f6-52ce-42e1-abb3-09657cee2698 - Scheduled Tasks AT Command Enabled"
    ],
    "T1093": [
      "35df0dd8-092d-4a83-88c1-5151a804f31b - Unusual Parent-Child Relationship",
      "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7 - Unusual Service Host Child Process - Childless Service"
    ],
    "T1099": [
      "b0046934-486e-462f-9487-0d4cf9e429c6 - Timestomping using Touch Command"
    ],
    "T1100": [
      "231876e7-4d1f-4d63-a47c-47dd1acdc1cb - Potential Shell via Web Server"
    ],
    "T1101": [
      "e86da94d-e54b-4fb5-b96c-cecff87e8787 - Installation of Security Support Provider"
    ],
    "T1103": [
      "d0e159cf-73e9-40d1-a9ed-077e3158a855 - Registry Persistence via AppInit DLL"
    ],
    "T1107": [
      "f675872f-6d85-40a3-b502-c0d2ef101e92 - Delete Volume USN Journal with Fsutil",
      "581add16-df76-42bb-af8e-c979bfb39a59 - Deleting Backup Catalogs with Wbadmin",
      "a1329140-8de3-4445-9f87-908fb6d824f4 - File Deletion via Shred",
      "69c251fb-a5d6-4035-b5ec-40438bd829ff - Modification of Boot Configuration",
      "5aee924b-6ceb-4633-980e-1bde8cdb40c5 - Potential Secure File Deletion via SDelete Utility",
      "dc9c1f74-dac3-48e3-b47f-eb79db358f57 - Volume Shadow Copy Deletion via WMIC"
    ],
    "T1116": [
      "56557cde-d923-4b88-adee-c61b3f3b5dc3 - Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
    ],
    "T1117": [
      "fb02b8d3-71ee-4af1-bacd-215d23f17efa - Network Connection via Registration Utility"
    ],
    "T1118": [
      "a13167f1-eec2-4015-9631-1fee60406dcf - InstallUtil Process Making Network Connections"
    ],
    "T1121": [
      "47f09343-8d1f-4bb5-8bb0-00c9d18f5010 - Execution via Regsvcs/Regasm",
      "47f09343-8d1f-4bb5-8bb0-00c9d18f5010 - Execution via Regsvcs/Regasm",
      "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6 - Registration Tool Making Network Connections"
    ],
    "T1122": [
      "16a52c14-7883-47af-8745-9357803f0d4c - Component Object Model Hijacking"
    ],
    "T1138": [
      "c5ce48a6-7f57-4ee8-9313-3d0024caee10 - Installation of Custom Shim Databases",
      "fd4a992d-6130-4802-9ff8-829b89ae801f - Potential Application Shimming via Sdbinst",
      "fd4a992d-6130-4802-9ff8-829b89ae801f - Potential Application Shimming via Sdbinst"
    ],
    "T1142": [
      "96e90768-c3b7-4df6-b5d9-6237f8bc36a8 - Compression of Keychain Credentials Directories"
    ],
    "T1145": [
      "b83a7e96-2eb3-4edf-8346-427b6858d3bd - Creation or Modification of Domain Backup DPAPI private key"
    ],
    "T1146": [
      "7bcbb3ac-e533-41ad-a612-d6c3bf666aba - Deletion of Bash Command Line History"
    ],
    "T1158": [
      "4630d948-40d4-4cef-ac69-4002e29bc3db - Adding Hidden File Attribute via Attrib",
      "4630d948-40d4-4cef-ac69-4002e29bc3db - Adding Hidden File Attribute via Attrib",
      "b9666521-4742-49ce-9ddc-b8e84c35acae - Creation of Hidden Files and Directories",
      "b9666521-4742-49ce-9ddc-b8e84c35acae - Creation of Hidden Files and Directories"
    ],
    "T1159": [
      "082e3f8c-6f80-485c-91eb-5b112cb79b28 - Launch Agent Creation or Modification and Immediate Loading"
    ],
    "T1166": [
      "3a86e085-094c-412d-97ff-2439731e59cb - Setgid Bit Set via chmod",
      "3a86e085-094c-412d-97ff-2439731e59cb - Setgid Bit Set via chmod",
      "8a1b0278-0f9a-487d-96bd-d4833298e87a - Setuid Bit Set via chmod",
      "8a1b0278-0f9a-487d-96bd-d4833298e87a - Setuid Bit Set via chmod"
    ],
    "T1169": [
      "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4 - Sudoers File Modification"
    ],
    "T1170": [
      "c2d90150-0133-451c-a783-533e736c12d7 - Mshta Making Network Connections",
      "a4ec1382-4557-452b-89ba-e413b22ed4b8 - Network Connection via Mshta"
    ],
    "T1182": [
      "513f0ffd-b317-4b9c-9494-92ce861f22c7 - Registry Persistence via AppCert DLL"
    ],
    "T1183": [
      "6839c821-011d-43bd-bd5b-acff00257226 - Image File Execution Options Injection"
    ],
    "T1192": [
      "6b1fd8e8-cefe-444c-bc4d-feaa2c497347 - Downloaded Shortcut Files",
      "cd82e3d6-1346-4afd-8f22-38388bbf34cb - Downloaded URL Files",
      "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5 - Execution of File Written or Modified by Microsoft Office",
      "1defdd62-cd8d-426e-a246-81a37751bb2b - Execution of File Written or Modified by PDF Reader",
      "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38 - Possible Consent Grant Attack via Azure-Registered Application",
      "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b - Suspicious Explorer Child Process"
    ],
    "T1193": [
      "6b1fd8e8-cefe-444c-bc4d-feaa2c497347 - Downloaded Shortcut Files",
      "cd82e3d6-1346-4afd-8f22-38388bbf34cb - Downloaded URL Files",
      "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5 - Execution of File Written or Modified by Microsoft Office",
      "1defdd62-cd8d-426e-a246-81a37751bb2b - Execution of File Written or Modified by PDF Reader",
      "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b - Suspicious Explorer Child Process",
      "a624863f-a70d-417f-a7d2-7a404638d47f - Suspicious MS Office Child Process",
      "32f4675e-6c49-4ace-80f9-97c9259dca2e - Suspicious MS Outlook Child Process",
      "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - Windows Script Executing PowerShell",
      "b64b183e-1a76-422d-9179-7b389513e74d - Windows Script Interpreter Executing Process via WMI"
    ],
    "T1215": [
      "37b0816d-af40-40b4-885f-bb162b3c88a9 - Anomalous Kernel Module Activity",
      "cd66a5af-e34b-4bb0-8931-57d0a043f2ef - Kernel Module Removal",
      "81cc58f5-8062-49a2-ba84-5cc4b4d31c40 - Persistence via Kernel Module Modification"
    ],
    "T1223": [
      "b29ee2be-bf99-446c-ab1a-2dc0183394b8 - Network Connection via Compiled HTML File",
      "b29ee2be-bf99-446c-ab1a-2dc0183394b8 - Network Connection via Compiled HTML File",
      "e3343ab9-4245-4715-b344-e11c56b0a47f - Process Activity via Compiled HTML File",
      "e3343ab9-4245-4715-b344-e11c56b0a47f - Process Activity via Compiled HTML File"
    ],
    "T1483": [
      "cf53f532-9cc9-445a-9ae7-fced307ec53c - Cobalt Strike Command and Control Beacon",
      "2e580225-2a58-48ef-938b-572933be06fe - Halfbaked Command and Control Beacon",
      "4a4e23cf-78a2-449c-bac3-701924c269d3 - Possible FIN7 DGA Command and Control Behavior"
    ],
    "T1492": [
      "3e002465-876f-4f04-b016-84ef48ce7e5d - AWS CloudTrail Log Updated",
      "bb9b13b2-1700-48a8-a750-b43b0a72ab69 - AWS EC2 Encryption Disabled",
      "9c260313-c811-4ec8-ab89-8f6530e0246c - Hosts File Modified"
    ],
    "T1500": [
      "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6 - Microsoft Build Engine Started an Unusual Process"
    ]
  }
    warnings.warn(warning_str)
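The change proposed above (fail the test run instead of only warning) as an added example; this is not the detection-rules project's own test code. The crosswalk, the `threat` mapping shape and the helper names are constructed for illustration; the rule IDs and names are taken from the warning output quoted in the issue.

```python
"""Added example (not detection-rules code): turn the 'deprecated ATT&CK
technique' warning from the issue into a failing check. Crosswalk, rule
shape and function names are constructed for illustration."""
from collections import defaultdict

# Constructed crosswalk: revoked technique ID -> the ID that replaced it
# (all four became subtechniques in the ATT&CK refresh).
REVOKED_TECHNIQUES = {
    "T1060": "T1547.001",  # Registry Run Keys / Startup Folder
    "T1086": "T1059.001",  # PowerShell
    "T1088": "T1548.002",  # Bypass User Account Control
    "T1099": "T1070.006",  # Timestomp
}

# Constructed rules shaped like a rule's "threat" mapping (one entry per
# tactic, each listing the techniques claimed under that tactic).
RULES = [
    {"id": "0f616aee-8161-4120-857e-742366f5eeb3",
     "name": "PowerShell spawning Cmd",
     "threat": [{"technique": [{"id": "T1086"}]}]},
    {"id": "97fc44d3-8dae-4019-ae83-298c3015600f",
     "name": "Startup or Run Key Registry Modification",
     # Listed under two tactics; the old ID must be reported only once.
     "threat": [{"technique": [{"id": "T1060"}]},
                {"technique": [{"id": "T1060"}, {"id": "T1547.001"}]}]},
    {"id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
     "name": "Disable Windows Firewall Rules via Netsh",
     "threat": [{"technique": [{"id": "T1562.004"}]}]},  # already current
]


def find_revoked_usage(rules, revoked=REVOKED_TECHNIQUES):
    """Return {revoked_id: ["<rule id> - <rule name>", ...]}, the same shape
    as the warning in the issue, listing each rule once per technique."""
    usage = defaultdict(list)
    for rule in rules:
        ids = {t["id"] for e in rule.get("threat", []) for t in e.get("technique", [])}
        for tid in sorted(ids & revoked.keys()):
            usage[tid].append(f"{rule['id']} - {rule['name']}")
    return dict(sorted(usage.items()))


def assert_no_revoked_techniques(rules, revoked=REVOKED_TECHNIQUES):
    """The change the issue proposes: fail instead of warnings.warn()."""
    usage = find_revoked_usage(rules, revoked)
    hints = {tid: revoked[tid] for tid in usage}  # what to migrate each ID to
    assert not usage, f"Rules using revoked ATT&CK techniques: {usage}; replace with: {hints}"
```

Running the check against the constructed rules fails and names T1547.001 and T1059.001 as the successors; against the rule that already uses T1562.004 it passes silently.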
@rw-access
Contributor

Is this a duplicate of #215?

@brokensound77
Contributor Author

brokensound77 commented Dec 10, 2020

I don't think it is a duplicate, but they are definitely related (maybe more of a subset). This is more focused on removing techniques that have been revoked.

Add issue as related in description

(and thanks for reminding me about the crosswalk file!)

@brokensound77
Contributor Author

closed by #706
