[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules

rules/windows/collection_email_powershell_exchange_mailbox.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -104,3 +104,21 @@ id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/collection_mailbox_export_winlog.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -77,6 +77,11 @@ event.category:process and host.os.type:windows and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"

rules/windows/collection_posh_audio_capture.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/17"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -117,6 +117,11 @@ name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
 
 
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
 
 [rule.threat.tactic]
 id = "TA0002"

rules/windows/collection_posh_keylogger.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/21"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -128,6 +128,11 @@ name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
 
 
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
 
 [rule.threat.tactic]
 id = "TA0002"

rules/windows/collection_winrar_encryption.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -90,6 +90,11 @@ id = "T1560.001"
 name = "Archive via Utility"
 reference = "https://attack.mitre.org/techniques/T1560/001/"
 
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 
 
 [rule.threat.tactic]

rules/windows/command_and_control_certreq_postdata.toml

@@ -4,18 +4,18 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.
+Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Exfiltration via Certreq"
+name = "Potential File Transfer via Certreq"
 references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"]
 risk_score = 47
 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c"
@@ -56,3 +56,16 @@ reference = "https://attack.mitre.org/techniques/T1218/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+

rules/windows/command_and_control_common_webservices.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [transform]
 [[transform.osquery]]
@@ -180,6 +180,15 @@ id = "T1102"
 name = "Web Service"
 reference = "https://attack.mitre.org/techniques/T1102/"
 
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+
+  [[rule.threat.technique.subtechnique]]
+  id = "T1568.002"
+  name = "Domain Generation Algorithms"
+  reference = "https://attack.mitre.org/techniques/T1568/002/"
 
 [rule.threat.tactic]
 id = "TA0011"

rules/windows/command_and_control_dns_tunneling_nslookup.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,10 @@ id = "T1071.004"
 name = "DNS"
 reference = "https://attack.mitre.org/techniques/T1071/004/"
 
-
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
 
 [rule.threat.tactic]
 id = "TA0011"

rules/windows/command_and_control_port_forwarding_added_registry.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -102,3 +102,15 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/command_and_control_rdp_tunnel_plink.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -93,3 +93,20 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

rules/windows/command_and_control_remote_file_copy_scripts.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -121,3 +121,21 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/credential_access_cmdline_dump_tool.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -130,3 +130,21 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -57,6 +57,11 @@ id = "T1003.002"
 name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
+
 
 
 [rule.threat.tactic]

rules/windows/credential_access_credential_dumping_msbuild.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/09/10"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -118,9 +118,41 @@ id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.004"
+name = "Windows Credential Manager"
+reference = "https://attack.mitre.org/techniques/T1555/004/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1127"
+name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+