[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)

* initial commit with eggshell mitre mapping added * adding updated rules * [Rule Tuning] MITRE for GCP rules I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic. * [Rule Tuning] Endgame Rule name updates for Mitre Updated Endgame rule names for those with Mitre tactics to match the tactics. * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <[email protected]> * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <[email protected]> * adding 10 updated rules for google_workspace, ml and o365 * adding 22 rule updates for mitre att&ck mappings * adding 24 rule updates related mainly to ML rules * adding 3 rules related to detection via ML * adding adjustments * adding adjustments with solutions to recent pytest errors * removed tabs from tags * adjusted mappings and added techniques * adjusted endgame rule mappings per review * adjusted names to match different tactics * added execution and defense evasion tag * adjustments to address errors from merging with main * added newlines to rules missing them at the end of the file Co-authored-by: imays11 <[email protected]> Co-authored-by: Jonhnathan <[email protected]> Removed changes from: - rules/ml/ml_linux_anomalous_compiler_activity.toml - rules/ml/ml_linux_anomalous_metadata_process.toml - rules/ml/ml_linux_anomalous_metadata_user.toml - rules/ml/ml_linux_anomalous_process_all_hosts.toml - rules/ml/ml_linux_anomalous_sudo_activity.toml - rules/ml/ml_linux_anomalous_user_name.toml - rules/ml/ml_linux_system_information_discovery.toml - rules/ml/ml_linux_system_network_configuration_discovery.toml - rules/ml/ml_linux_system_network_connection_discovery.toml - rules/ml/ml_linux_system_process_discovery.toml - rules/ml/ml_linux_system_user_discovery.toml - rules/ml/ml_rare_process_by_host_linux.toml - rules/ml/ml_rare_process_by_host_windows.toml - rules/ml/ml_suspicious_login_activity.toml - rules/ml/ml_windows_anomalous_metadata_process.toml - rules/ml/ml_windows_anomalous_metadata_user.toml - rules/ml/ml_windows_anomalous_path_activity.toml - rules/ml/ml_windows_anomalous_process_all_hosts.toml - rules/ml/ml_windows_anomalous_process_creation.toml - rules/ml/ml_windows_anomalous_script.toml - rules/ml/ml_windows_anomalous_service.toml - rules/ml/ml_windows_anomalous_user_name.toml - rules/ml/ml_windows_rare_user_runas_event.toml - rules/ml/ml_windows_rare_user_type10_remote_login.toml (selectively cherry picked from commit e8c39d1)
elastic · Jul 22, 2022 · af46e7d · af46e7d
1 parent 499b52f
commit af46e7d
Show file tree

Hide file tree

Showing 88 changed files with 1,006 additions and 175 deletions.
diff --git a/detection_rules/etc/attack-v10.1.json.gz b/detection_rules/etc/attack-v10.1.json.gz
diff --git a/detection_rules/etc/attack-v11.3.json.gz b/detection_rules/etc/attack-v11.3.json.gz
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/05"
 
 [rule]
 author = ["Elastic"]
@@ -23,3 +23,21 @@ query = '''
 event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1059"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+
+[rule.threat.tactic]
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0002"
+
+
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -75,7 +75,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/09/30"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta
 risk_score = 21
 rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2021/06/29"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
 author = ["Austin Songer"]
 description = """
 Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to
-exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an
+exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an
 unauthorized or unexpected AWS account.
 """
 false_positives = [
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -41,12 +41,19 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 event.outcome:success
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+id = "T1578"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.004"
+name = "Revert Cloud Instance"
+reference = "https://attack.mitre.org/techniques/T1578/004/"
 
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
 
+[rule.threat.tactic]
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0005"
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/17"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -45,7 +45,15 @@ event.outcome:success
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+id = "T1489"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
+
+
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/09/30"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/04/12"
 maturity = "production"
-updated_date = "2022/04/12"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -32,7 +32,7 @@ risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
 timestamp_override = "event.ingested"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
 type = "query"
 
 query = '''

diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2022/04/20"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -36,7 +36,7 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/...act_azure_automation_runbook_deleted.toml → ...ion_azure_automation_runbook_deleted.toml b/...act_azure_automation_runbook_deleted.toml → ...ion_azure_automation_runbook_deleted.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/13"
 integration = "azure"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
-disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.
+disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
 """
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
@@ -27,11 +27,20 @@ references = [
 risk_score = 21
 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and
+    azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and 
+    event.outcome:(Success or success)
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0005/"
+name = "Defense Evasion"
+id = "TA0005"
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/12"
 maturity = "production"
-updated_date = "2021/12/30"
+updated_date = "2022/07/05"
 integration = "azure"
 
 [rule]
@@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 21
 rule_id = "573f6e7a-7acf-4bcd-ad42-c4969124d3c0"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security", "Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/06"
 integration = "azure"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/07/20"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,7 @@ id = "T1098"
 
     [[rule.threat.technique.subtechnique]]
     reference = "https://attack.mitre.org/techniques/T1098/003/"
-    name = "Add Office 365 Global Administrator Role"
+    name = "Additional Cloud Roles"
     id = "T1098.003"
 
 [rule.threat.tactic]

diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -27,11 +27,25 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/...irtual_private_cloud_network_deleted.toml → ...irtual_private_cloud_network_deleted.toml b/...irtual_private_cloud_network_deleted.toml → ...irtual_private_cloud_network_deleted.toml
@@ -29,11 +29,30 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/..._virtual_private_cloud_route_created.toml → ..._virtual_private_cloud_route_created.toml b/..._virtual_private_cloud_route_created.toml → ..._virtual_private_cloud_route_created.toml
@@ -29,11 +29,30 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+