docs: MITRE ATT&CK(R) trademark references removed or adjusted

#1028

README.md

@@ -24,11 +24,11 @@ This repository contains:
 
 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")
 
-## SANS Webcast on MITRE ATT&CK and Sigma
+## SANS Webcast on MITRE ATT&CK® and Sigma
 
 The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
 
-[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
+[MITRE ATT&CK® and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK® and Sigma Alerting")
 
 # Use Cases
 
@@ -269,7 +269,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 
 ## Sigma2attack
 
-Generates a [MITRE ATT&CK Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
+Generates a [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
 
 Requirements:
 - Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
@@ -284,7 +284,7 @@ Usage samples:
 ./tools/sigma2attack --rules-directory ~/hunting/rules
 ```
 
-Result once imported in the MITRE ATT&CK Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
+Result once imported in the MITRE ATT&CK® Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
 
 ![Sigma2attack result](./images/sigma2attack.png)
 
@@ -299,7 +299,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 
 # Next Steps
 
-* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration of MITRE ATT&CK® framework identifier to the rule set
 * Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
 

rules/linux/auditd/lnx_auditd_create_account.yml

@@ -1,7 +1,7 @@
 title: Creation Of An User Account
 id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
 status: experimental
-description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
+description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
 author: Marie Euler
 date: 2020/05/18
 references:

rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml

@@ -1,6 +1,6 @@
-title: MITRE BZAR Indicators for ATT&CK Execution
+title: MITRE BZAR Indicators for Execution
 id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
-description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
+description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
 author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:

rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml

@@ -1,6 +1,6 @@
-title: MITRE BZAR Indicators for ATT&CK Persistence
+title: MITRE BZAR Indicators for Persistence
 id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
-description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
+description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
 author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:

tests/test_rules.py

@@ -349,9 +349,9 @@ def test_invalid_logsource_attributes(self):
                     print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
 def get_mitre_data():
     """
-    Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data
+    Generate tags from live MITRE ATT&CK® TAXI service to get up-to-date data
     """
-    # Get MITRE ATT&CK information
+    # Get ATT&CK information
     lift = attack_client()
     # Techniques
     MITRE_TECHNIQUES = []
@@ -394,7 +394,7 @@ def get_mitre_data():
 
 if __name__ == "__main__":
     init(autoreset=True)
-    # Get Current Data from MITRE on ATT&CK
+    # Get Current Data from MITRE ATT&CK®
     MITRE_ALL = get_mitre_data()
     # Run the tests
     unittest.main()

tools/LONG_DESCRIPTION.md

@@ -5,6 +5,6 @@ This package contains the following tools for [Sigma](https://github.com/Neo23x0
 * sigmac: the Sigma converter
 * merge_sigma: Merge a Sigma collection into a minimal set of Sigma rules
 * sigma2misp: Import Sigma rules into MISP
-* sigma2attack: Create a MITRE ATT&CK coverage map
+* sigma2attack: Create a MITRE ATT&CK® coverage map
 * sigma_similarity: Measure similarity of Sigma rules
 * sigma_uuid: Check Sigma identifiers

tools/sigma/backends/elasticsearch.py

@@ -1228,7 +1228,7 @@ def create_threat_description(self, tactics_list, techniques_list):
                     "reference": tactic.get("url", ""),
                     "name": tactic.get("tactic", "")
                 },
-                "framework": "MITRE ATT&CK"
+                "framework": "MITRE ATT&CK®"
             }
             temp_techniques = list()
             for tech in techniques_list: