ATT&CK subtechniques v2

rules/cloud/aws_cloudtrail_disable_logging.yml

@@ -5,20 +5,21 @@ author: vitaliy0x1
 date: 2020/01/21
 description: Detects disabling, deleting and updating of a Trail
 references:
-  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 logsource:
-  service: cloudtrail
+    service: cloudtrail
 detection:
-  selection_source:
-    - eventSource: cloudtrail.amazonaws.com
-  events:
-    - eventName:
-        - StopLogging
-        - UpdateTrail
-        - DeleteTrail
-  condition: selection_source AND events
+    selection_source:
+        - eventSource: cloudtrail.amazonaws.com
+    events:
+        - eventName:
+            - StopLogging
+            - UpdateTrail
+            - DeleteTrail
+    condition: selection_source AND events
 level: medium
 falsepositives:
     - Valid change in a Trail
 tags:
-  - attack.t1089
+    - attack.t1089
+    - attack.t1562.001

rules/cloud/aws_config_disable_recording.yml

@@ -5,17 +5,18 @@ author: vitaliy0x1
 date: 2020/01/21
 description: Detects AWS Config Service disabling
 logsource:
-  service: cloudtrail
+    service: cloudtrail
 detection:
-  selection_source:
-    - eventSource: config.amazonaws.com
-  events:
-    - eventName:
-        - DeleteDeliveryChannel
-        - StopConfigurationRecorder
-  condition: selection_source AND events
+    selection_source:
+        - eventSource: config.amazonaws.com
+    events:
+        - eventName:
+            - DeleteDeliveryChannel
+            - StopConfigurationRecorder
+    condition: selection_source AND events
 level: high
 falsepositives:
     - Valid change in AWS Config Service
 tags:
-  - attack.t1089
+    - attack.t1089
+    - attack.t1562.001

rules/cloud/aws_ec2_startup_script_change.yml

@@ -21,3 +21,4 @@ falsepositives:
     - Valid changes to the startup script
 tags:
     - attack.t1064
+    - attack.t1059

rules/cloud/aws_guardduty_disruption.yml

@@ -19,3 +19,4 @@ falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 tags:
     - attack.t1089
+    - attack.t1562.001

rules/linux/auditd/lnx_auditd_alter_bash_profile.yml

@@ -9,6 +9,7 @@ tags:
     - attack.s0003
     - attack.t1156
     - attack.persistence
+    - attack.t1546.004
 author: Peter Matkovski
 logsource:
     product: linux

rules/linux/auditd/lnx_auditd_auditing_config_change.yml

@@ -11,6 +11,7 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1054
+    - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25

rules/linux/auditd/lnx_auditd_logging_config_change.yml

@@ -10,6 +10,7 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1054
+    - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25

rules/linux/auditd/lnx_auditd_web_rce.yml

@@ -5,6 +5,7 @@ description: Detects posible command execution by web application/web shell
 tags:
     - attack.persistence
     - attack.t1100
+    - attack.t1505.003
 references:
     - personal experience
 author: Ilyas Ochkov, Beyu Denis, oscd.community

rules/linux/auditd/lnx_data_compressed.yml

@@ -1,8 +1,7 @@
 title: Data Compressed
 id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
 status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
-    of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
@@ -30,3 +29,4 @@ level: low
 tags:
     - attack.exfiltration
     - attack.t1002
+    - attack.t1560

rules/linux/lnx_pers_systemd_reload.yml

@@ -5,6 +5,7 @@ status: experimental
 tags:
     - attack.persistence
     - attack.t1501
+    - attack.t1543.002
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:

rules/linux/lnx_shell_clear_cmd_history.yml

@@ -22,7 +22,7 @@ detection:
     keywords:
         - 'rm *bash_history'
         - 'echo "" > *bash_history'
-        - 'cat /dev/null > *bash_history' 
+        - 'cat /dev/null > *bash_history'
         - 'ln -sf /dev/null *bash_history'
         - 'truncate -s0 *bash_history'
         # - 'unset HISTFILE'  # prone to false positives
@@ -38,3 +38,4 @@ level: high
 tags:
     - attack.defense_evasion
     - attack.t1146
+    - attack.t1551.003

rules/network/cisco/aaa/cisco_cli_clear_logs.yml

@@ -11,6 +11,8 @@ tags:
     - attack.defense_evasion
     - attack.t1146
     - attack.t1070
+    - attack.t1551.003
+    - attack.t1551
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_collect_data.yml

@@ -17,6 +17,7 @@ tags:
     - attack.t1003
     - attack.t1081
     - attack.t1005
+    - attack.t1552.001
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_crypto_actions.yml

@@ -12,6 +12,8 @@ tags:
     - attack.defense_evasion
     - attack.t1130
     - attack.t1145
+    - attack.t1553.004
+    - attack.t1552.004
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_disable_logging.yml

@@ -9,6 +9,7 @@ date: 2019/08/11
 tags:
     - attack.defense_evasion
     - attack.t1089
+    - attack.t1562.001
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_file_deletion.yml

@@ -14,6 +14,9 @@ tags:
     - attack.t1107
     - attack.t1488
     - attack.t1487
+    - attack.t1561.002
+    - attack.t1551.004
+    - attack.t1561.001
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_input_capture.yml

@@ -12,6 +12,7 @@ tags:
     - attack.credential_access
     - attack.t1139
     - attack.t1056
+    - attack.t1552.003
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_modify_config.yml

@@ -16,6 +16,9 @@ tags:
     - attack.t1100
     - attack.t1168
     - attack.t1490
+    - attack.t1565.002
+    - attack.t1505
+    - attack.t1053
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_moving_data.yml

@@ -19,6 +19,8 @@ tags:
     - attack.t1105
     - attack.t1492
     - attack.t1002
+    - attack.t1560
+    - attack.t1565.001
 logsource:
     product: cisco
     service: aaa

rules/network/net_susp_dns_txt_exec_strings.yml

@@ -7,17 +7,18 @@ references:
     - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
 tags:
     - attack.t1071
+    - attack.t1071.004
 author: Markus Neis
 date: 2018/08/08
 logsource:
     category: dns
 detection:
     selection:
-            record_type: 'TXT'
-            answer:
-                - '*IEX*'
-                - '*Invoke-Expression*'
-                - '*cmd.exe*'
+        record_type: 'TXT'
+        answer:
+            - '*IEX*'
+            - '*Invoke-Expression*'
+            - '*cmd.exe*'
     condition: selection
 falsepositives:
     - Unknown

rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml

@@ -6,46 +6,48 @@ date: 2020/03/19
 references:
     - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
 tags:
-  - attack.execution
-  - attack.t1035
-  - attack.t1047
-  - attack.t1053
+    - attack.execution
+    - attack.t1035
+    - attack.t1047
+    - attack.t1053
+    - attack.t1053.002
+    - attack.t1569.002
 logsource:
-  product: zeek
-  service: dce_rpc
+    product: zeek
+    service: dce_rpc
 detection:
-  op1:
-    endpoint: 'JobAdd'
-    operation: 'atsvc'
-  op2:
-    endpoint: 'ITaskSchedulerService'
-    operation: 'SchRpcEnableTask'
-  op3:
-    endpoint: 'ITaskSchedulerService'
-    operation: 'SchRpcRegisterTask'
-  op4:
-    endpoint: 'ITaskSchedulerService'
-    operation: 'SchRpcRun'
-  op5:
-    endpoint: 'IWbemServices'
-    operation: 'ExecMethod'
-  op6:
-    endpoint: 'IWbemServices'
-    operation: 'ExecMethodAsync'
-  op7:
-    endpoint: 'svcctl'
-    operation: 'CreateServiceA'
-  op8:
-    endpoint: 'svcctl'
-    operation: 'CreateServiceW'
-  op9:
-    endpoint: 'svcctl'
-    operation: 'StartServiceA'
-  op10:
-    endpoint: 'svcctl'
-    operation: 'StartServiceW'
-  condition: 1 of them
+    op1:
+        endpoint: 'JobAdd'
+        operation: 'atsvc'
+    op2:
+        endpoint: 'ITaskSchedulerService'
+        operation: 'SchRpcEnableTask'
+    op3:
+        endpoint: 'ITaskSchedulerService'
+        operation: 'SchRpcRegisterTask'
+    op4:
+        endpoint: 'ITaskSchedulerService'
+        operation: 'SchRpcRun'
+    op5:
+        endpoint: 'IWbemServices'
+        operation: 'ExecMethod'
+    op6:
+        endpoint: 'IWbemServices'
+        operation: 'ExecMethodAsync'
+    op7:
+        endpoint: 'svcctl'
+        operation: 'CreateServiceA'
+    op8:
+        endpoint: 'svcctl'
+        operation: 'CreateServiceW'
+    op9:
+        endpoint: 'svcctl'
+        operation: 'StartServiceA'
+    op10:
+        endpoint: 'svcctl'
+        operation: 'StartServiceW'
+    condition: 1 of them
 falsepositives:
     - 'Windows administrator tasks or troubleshooting'
     - 'Windows management scripts or software'
-level: medium
+level: medium

rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml

@@ -8,30 +8,31 @@ references:
 tags:
     - attack.persistence
     - attack.t1004
+    - attack.t1547.004
 logsource:
-  product: zeek
-  service: dce_rpc
+    product: zeek
+    service: dce_rpc
 detection:
-  op1:
-    endpoint: 'spoolss'
-    operation: 'RpcAddMonitor'
-  op2:
-    endpoint: 'spoolss'
-    operation: 'RpcAddPrintProcessor'
-  op3:
-    endpoint: 'IRemoteWinspool'
-    operation: 'RpcAsyncAddMonitor'
-  op4:
-    endpoint: 'IRemoteWinspool'
-    operation: 'RpcAsyncAddPrintProcessor'
-  op5:
-    endpoint: 'ISecLogon'
-    operation: 'SeclCreateProcessWithLogonW'
-  op6:
-    endpoint: 'ISecLogon'
-    operation: 'SeclCreateProcessWithLogonExW'
-  condition: 1 of them
+    op1:
+        endpoint: 'spoolss'
+        operation: 'RpcAddMonitor'
+    op2:
+        endpoint: 'spoolss'
+        operation: 'RpcAddPrintProcessor'
+    op3:
+        endpoint: 'IRemoteWinspool'
+        operation: 'RpcAsyncAddMonitor'
+    op4:
+        endpoint: 'IRemoteWinspool'
+        operation: 'RpcAsyncAddPrintProcessor'
+    op5:
+        endpoint: 'ISecLogon'
+        operation: 'SeclCreateProcessWithLogonW'
+    op6:
+        endpoint: 'ISecLogon'
+        operation: 'SeclCreateProcessWithLogonExW'
+    condition: 1 of them
 falsepositives:
     - 'Windows administrator tasks or troubleshooting'
     - 'Windows management scripts or software'
-level: medium
+level: medium

rules/network/zeek/zeek_http_executable_download_from_webdav.yml

@@ -8,9 +8,10 @@ references:
 tags:
     - attack.command_and_control
     - attack.t1043
+    - attack.t1571
 logsource:
-  product: zeek
-  service: http
+    product: zeek
+    service: http
 date: 2020/05/01
 detection:
     selection_webdav:
@@ -23,4 +24,4 @@ detection:
 falsepositives:
     - unknown
 level: medium
-status: experimental
+status: experimental