Skip to content

Adding additional mitre tags for 9 rules #5390

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nasbench merged 9 commits into from
May 20, 2025
Merged

Adding additional mitre tags for 9 rules #5390

nasbench merged 9 commits into from
May 20, 2025

Conversation

@david-syk
Copy link
Contributor

@david-syk david-syk commented Apr 28, 2025

Summary of the Pull Request

Adding some missing mitre tags for tactics to rules that have specific techniques enabled.

For most of the rules listed below i've added: attack.command-and-control & attack.credential-access because they have a technique tag refers to this tactic.

Changelog

Update: Hidden Flag Set On File/Directory Via Chflags - MacOS
Update: Suspicious Curl File Upload - Linux
Update: Connection Proxy
Update: OpenCanary - HTTPPROXY Login Attempt
Update: Remote File Download Via Findstr.EXE
Update: Insensitive Subfolder Search Via Findstr.EXE
Update: Atera Agent Installation
Update: DNS Query Request By QuickAssist.EXE
Update: Outbound Network Connection Initiated By Microsoft Dialer

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@david-syk
Update proc_creation_macos_chflags_hidden_flag.yml
a1705db 
adding tags
     - attack.credential-access
    - attack.command-and-control

Since rule have tags:
- Technique: attack.t1552.001
- Technique: attack.t1105
@david-syk
Update proc_creation_lnx_susp_curl_fileupload.yml
36a749c 
Adding attack.command-and-control because tag attack.t1105  is enabled on the rule.
@david-syk
Update proc_creation_lnx_proxy_connection.yml
706712d 
Adding attack.command-and-control tag since attack.t1090 is active for this rule.
@david-syk
Update opencanary_httpproxy_login_attempt.yml
040af00 
Adding tag attack.command-and-control since tag attack.t1090 is enabled for the rule.
@david-syk
Update proc_creation_win_findstr_download.yml
2301ff8 
adding tags:
    - attack.credential-access
    - attack.command-and-control

since technique tags area already active for the rule:
  - Technique: attack.t1552.001 
  - Technique: attack.t1105
@david-syk
Update proc_creation_win_findstr_subfolder_search.yml
e3970fe 
adding tags
attack.credential-access
attack.command-and-control

because technique tags already active for the rule:
attack.t1552.001
attack.t1105
@david-syk
Update win_software_atera_rmm_agent_install.yml
94209c1 
Adding attack.command-and-control since T1219 is enabled on this rule.
@david-syk
Update dns_query_win_quickassist.yml
3020c65 
adding command-and-control tag since rule already have tag attack.t1071.001 enabled.
@david-syk
Update net_connection_win_dialer_initiated_connection.yml
46ab8df 
Adding tag attack.command-and-control since rule already has tag attack.t1071.001 enabled.
@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules Linux Pull request add/update linux related rules MacOS Pull request add/update macos related rules labels Apr 28, 2025
@nasbench nasbench merged commit f255ba2 into SigmaHQ:master May 20, 2025
13 checks passed
@david-syk david-syk deleted the command-and-control branch May 26, 2025 06:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nasbench nasbench nasbench approved these changes

@frack113 frack113 frack113 approved these changes

Assignees

No one assigned

Labels

Linux Pull request add/update linux related rules MacOS Pull request add/update macos related rules Ready to Merge Rules Windows Pull request add/update windows related rules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@david-syk @nasbench @frack113