
[Rule Tuning] Missing MITRE ATT&CK Mappings #2073

Merged: 24 commits, Jul 22, 2022

Conversation

terrancedejesus (Contributor) commented Jul 5, 2022

Issues

Summary

A few MITRE ATT&CK mappings are missing from several detection rules and should be added. We should go through these and attempt to find a proper mapping and, if not, detail why and skip.

  • Web Application Suspicious Activity: POST Request Declined
  • Web Application Suspicious Activity: Unauthorized Method
  • Web Application Suspicious Activity: No User Agent
  • Web Application Suspicious Activity: sqlmap User Agent
  • EggShell Backdoor Execution
  • Threat Intel Filebeat Module (v8.x) Indicator Match
  • Threat Intel Indicator Match
  • AWS IAM User Addition to Group
  • AWS RDS Snapshot Export
  • AWS RDS Snapshot Restored
  • AWS EventBridge Rule Disabled or Deleted
  • Spike in AWS Error Messages
  • Rare AWS Error Code
  • Unusual City For an AWS Command
  • Unusual Country For an AWS Command
  • Unusual AWS Command for a User
  • AWS Security Group Configuration Change Detection
  • AWS RDS Instance Creation
  • AWS Redshift Cluster Creation
  • AWS Route Table Created
  • AWS Route Table Modified or Deleted
  • Azure Automation Runbook Deleted
  • Azure Kubernetes Pods Deleted
  • Azure Virtual Network Device Modified or Deleted
  • Endpoint Security
  • GCP Storage Bucket Configuration Modification
  • GCP Virtual Private Cloud Network Deletion
  • GCP Virtual Private Cloud Route Creation
  • GCP Virtual Private Cloud Route Deletion
  • Application Added to Google Workspace Domain
  • Domain Added to Google Workspace Trusted Domains
  • Google Workspace Admin Role Deletion
  • Google Workspace MFA Enforcement Disabled
  • Google Workspace Password Policy Modified
  • MFA Disabled for Google Workspace Organization
  • Microsoft 365 Exchange DKIM Signing Configuration Disabled
  • Microsoft 365 Teams Custom Application Interaction Allowed
  • Attempt to Deactivate an Okta Network Zone
  • Attempt to Delete an Okta Network Zone
  • Attempt to Deactivate an Okta Application
  • Attempt to Deactivate an Okta Policy
  • Attempt to Deactivate an Okta Policy Rule
  • Attempt to Delete an Okta Application
  • Attempt to Delete an Okta Policy
  • Attempt to Delete an Okta Policy Rule
  • Attempt to Modify an Okta Application
  • Attempt to Modify an Okta Network Zone
  • Attempt to Modify an Okta Policy
  • Attempt to Modify an Okta Policy Rule
  • Modification or Removal of an Okta Application Sign-On Policy
  • Threat Detected by Okta ThreatInsight
  • Potential DNS Tunneling via Iodine
  • Netcat Network Activity
  • Nping Process Activity
  • Unusual Process Execution - Temp
  • Potential Microsoft Office Sandbox Evasion
  • Potential Persistence via Atom Init Script Modification
  • Unusual Hour for a User to Logon
  • Unusual Source IP for a User to Logon from
  • Rare User Logon
  • Spike in Failed Logon Events
  • Spike in Logon Events
  • Spike in Logon Events from a Source IP
  • Spike in Firewall Denies
  • Spike in Network Traffic
  • Anomalous Linux Compiler Activity
  • Unusual Linux Process Calling the Metadata Service
  • Unusual Linux User Calling the Metadata Service
  • Unusual Linux Network Activity
  • Unusual Linux Network Port Activity
  • Anomalous Process For a Linux Population
  • Unusual Linux Username
  • DNS Tunneling
  • Unusual DNS Activity
  • Unusual Network Destination Domain Name
  • Unusual Web Request
  • Unusual Web User Agent
  • Network Traffic to Rare Destination Country
  • Unusual Process For a Linux Host
  • Unusual Process For a Windows Host
  • Spike in Network Traffic To a Country
  • Unusual Login Activity
  • Unusual Windows Process Calling the Metadata Service
  • Unusual Windows User Calling the Metadata Service
  • Unusual Windows Network Activity
  • Unusual Windows Path Activity
  • Anomalous Process For a Windows Population
  • Anomalous Windows Process Creation
  • Suspicious Powershell Script
  • Unusual Windows Service
  • Unusual Windows Username
  • Unusual Windows User Privilege Elevation Activity
  • Unusual Windows Remote User
  • Adversary Behavior - Detected - Elastic Endgame
  • Credential Dumping - Detected - Elastic Endgame
  • Credential Dumping - Prevented - Elastic Endgame
  • Credential Manipulation - Detected - Elastic Endgame
  • Credential Manipulation - Prevented - Elastic Endgame
  • Exploit - Detected - Elastic Endgame
  • Exploit - Prevented - Elastic Endgame
  • Malware - Detected - Elastic Endgame
  • Malware - Prevented - Elastic Endgame
  • Permission Theft - Detected - Elastic Endgame
  • Permission Theft - Prevented - Elastic Endgame
  • Process Injection - Detected - Elastic Endgame
  • Process Injection - Prevented - Elastic Endgame
  • Ransomware - Detected - Elastic Endgame
  • Ransomware - Prevented - Elastic Endgame
  • External Alerts
  • Process Execution from an Unusual Directory
  • Execution from Unusual Directory - Command Line
  • Suspicious Execution - Short Program Name

Contributor checklist

terrancedejesus (Contributor, Author) commented Jul 5, 2022

Reasoning

  • AWS RDS Snapshot Export - Includes the tactic Exfiltration, but does not map properly to any specific technique under Exfiltration. Included the Exfiltration tag and left current mappings.
  • AWS RDS Snapshot Restored - Includes the tactic Exfiltration, but does not map properly to any specific technique under Exfiltration. Included the Exfiltration tag and left current mappings.
  • Spike in AWS Error Messages - ML job looking for an unusually large number of errors from AWS CloudTrail. This does not directly map to any specific adversary tactic or technique.
  • Unusual City For an AWS Command - Detects an AWS command executed from an unexpected city via geolocation. Not directly tied to an adversary tactic or technique.
  • Unusual Country For an AWS Command - Detects an AWS command executed from an unexpected country via geolocation. Not directly tied to an adversary tactic or technique.
  • Unusual AWS Command for a User - Detects an AWS command executed by a privileged user who does not usually execute that command. Not directly tied to an adversary tactic or technique without additional context.
  • endgame malware detected - Detects the presence of malware without additional context as to what is being detected; therefore we cannot properly map a tactic or technique to it.
  • endgame malware prevented - Prevented malware but does not include additional context as to how that malware was detected; therefore we cannot properly map a tactic or technique to it.
  • endgame ransomware detected - Detects the presence of ransomware without additional context as to what is being detected; therefore we cannot properly map a tactic or technique to it.
  • endgame ransomware prevented - Prevented ransomware but does not include additional context as to how that ransomware was detected; therefore we cannot properly map a tactic or technique to it.
  • endgame adversary behavior detected - Detects the presence of a specific adversary but does not provide additional context about the techniques observed to properly map to MITRE.
  • external alerts - A rollup of external alerts for Endgame users. No specific context about techniques since this is more of a catch-all, and therefore it cannot be properly mapped to MITRE.
  • Unusual Network Destination Domain Name - This is too generic to determine even what a specific tactic may be.
  • Threat Intel Filebeat Module (v8.x) Indicator Match - Matches on user-managed IoCs. No current way to determine what a potential tactic or technique is.
  • Threat Intel Indicator Match - Matches on user-managed IoCs. No current way to determine what a potential tactic or technique is.
  • Unusual Windows Network Activity - Currently no indication of which specific tactic this would relate to, as network activity could map to multiple tactics and techniques.
  • Spike in Network Traffic To a Country - A spike in network traffic to a specific country may be an anomaly but does not map directly to any specific tactic.
  • Network Traffic to Rare Destination Country - Network traffic to a host or server in an unusual destination country is specific to the client environment and does not map to any specific tactic.
  • Attempt to Modify an Okta Application - This is too generic to determine the adversary's goal with modification of the application and, depending on the reasoning, could map to multiple tactics and techniques.
  • Threat Detected by Okta ThreatInsight - ThreatInsight IoC matching for requests to Okta. Currently no way to determine the tactic or technique being used by the adversary, as this is based on reputation.
  • Spike in Firewall Denies - Too generic to determine what tactic or technique an adversary would be attempting to accomplish, and therefore could map to multiple tactics and techniques.
  • Spike in Network Traffic - Too generic to determine what tactic or technique an adversary would be attempting to accomplish, and therefore could map to multiple tactics and techniques.
  • Unusual Linux Network Activity - Too generic to determine tactic or technique. Attempts to find a process that usually does not generate network activity. Without specifics on why this process is generating traffic or what protocols are being used, we cannot map a tactic or technique.
  • Unusual Linux Network Port Activity - Too generic to determine tactic or technique. We would need to know the specific port and direction to at least determine a tactic.
  • Web Application Suspicious Activity: POST Request Declined - Too generic to determine tactic or technique. Identifies 403 response codes from a request, which indicate a decline from the server.
  • Web Application Suspicious Activity: Unauthorized Method - Too generic to determine what tactic to use. This would fall under Discovery if it specified the traffic was ingress. It could also indicate Data Exfiltration or Command and Control if egress, depending on the method used.
  • Web Application Suspicious Activity: No User Agent - Too generic to determine a tactic or technique.
  • Web Application Suspicious Activity: sqlmap User Agent - Too generic to determine a tactic. Although this specifies a popular penetration testing tool, it does not indicate what it is being used for, which could map across multiple tactics.

@imays11 imays11 self-assigned this Jul 12, 2022
Samirbous (Contributor) left a comment


Nice work! Added a few suggestions; in addition, some rule file names need to be renamed to pass the test (e.g. tag persistence but rule file name starts with linux_something.toml).

@terrancedejesus terrancedejesus marked this pull request as ready for review July 21, 2022 14:14
imays11 (Contributor) left a comment


Looks good!

Mikaayenson (Contributor) left a comment


This LGTM. Great work on updating the mappings. As you mentioned here:

  • We are accepting that rules on older branches will fail with this new attack mapping and will have to address them separately.

One minor thing: a few rules look like they need \n added.
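The two review points raised above, the file-name-to-tactic test that Samirbous mentions and the missing trailing newlines that Mikaayenson notes, as a small lint script. This is an added example and not the project's own test suite: the exact naming convention it enforces (a rule file name starts with the snake_case name of a mapped tactic, and ML rules carry an ml_ prefix instead) is an assumption modelled on the file names listed further down this page, and the three rule texts are constructed for the example in the shape of a detection-rules TOML file.

```python
"""Lint checks for detection-rule TOML files: an ATT&CK tactic is mapped, the tactic
also appears in the tags, the file-name prefix matches a mapped tactic, and the file
ends with a newline."""
import re

try:
    import tomllib  # Python 3.11+ standard library
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Assumed convention (not taken from the project's own tests): a rule file name starts
# with the snake_case name of one of its mapped tactics, e.g.
# defense_evasion_execution_lolbas_wuauclt.toml; ML rules use an "ml_" prefix instead.
PREFIX_EXEMPT = ("ml_",)


def tactic_prefix(tactic_name: str) -> str:
    """'Defense Evasion' -> 'defense_evasion'."""
    return re.sub(r"[^a-z0-9]+", "_", tactic_name.lower()).strip("_")


def lint_rule(filename: str, text: str) -> list:
    """Return a list of findings for one rule file; an empty list means it passes."""
    findings = []
    if not text.endswith("\n"):
        findings.append("file does not end with a newline")
    rule = tomllib.loads(text).get("rule", {})
    tactics = [t["tactic"]["name"] for t in rule.get("threat", []) if "tactic" in t]
    if not tactics:
        # The core issue of this PR: a rule with no MITRE ATT&CK mapping at all.
        findings.append("no MITRE ATT&CK tactic mapped")
        return findings
    tags = rule.get("tags", [])
    for name in tactics:
        if name not in tags:
            findings.append(f"tactic {name!r} is mapped but missing from tags")
    if not filename.startswith(PREFIX_EXEMPT):
        prefixes = [tactic_prefix(n) for n in tactics]
        if not any(filename.startswith(p + "_") for p in prefixes):
            findings.append(
                f"file name {filename!r} does not start with a mapped tactic prefix {prefixes}"
            )
    return findings


# Constructed sample rule in the shape of a detection-rules TOML file (not a real rule).
GOOD_RULE = '''[metadata]
creation_date = "2022/07/05"

[rule]
name = "Example Persistence Rule"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
'''

# The same rule saved without its trailing newline; checked below under a non-tactic file name.
BAD_RULE = GOOD_RULE.rstrip("\n")

# Constructed ML rule with no [[rule.threat]] block at all.
UNMAPPED_RULE = '''[rule]
name = "Anomalous Linux Compiler Activity"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
'''

if __name__ == "__main__":
    for fname, text in [("persistence_example.toml", GOOD_RULE),
                        ("linux_something.toml", BAD_RULE),
                        ("ml_linux_anomalous_compiler_activity.toml", UNMAPPED_RULE)]:
        print(fname, lint_rule(fname, text) or "OK")
```

To run it over a checkout, walk the rules directory and call lint_rule with each file's base name and contents; a rule the team has deliberately left unmapped (as in the reasoning list above) will still produce the "no MITRE ATT&CK tactic mapped" finding, so treat that one as a warning rather than a failure.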

terrancedejesus (Contributor, Author) commented

@Samirbous I have addressed your comments. Thanks for the feedback! Once you approve, I will merge this one in and address the manual backport issues with two specific rules.

spong (Member) commented Jul 21, 2022

@spong Do you have to update mappings on your end?

Yeah, we'll need to on the Kibana side as well, thanks for the ping! I'm currently on leave, @banderror can you take care of this please? Here's a PR where we've done it in the past -- just need to update one file and run a script: elastic/kibana#89876

banderror commented

@spong Of course, will do it on Monday!

Btw @spong is on leave till November, so please ping me instead or our area in #security-detection-rules-area (@elastic/security-detections-response-rules).

@terrancedejesus terrancedejesus merged commit e8c39d1 into main Jul 22, 2022
@terrancedejesus terrancedejesus deleted the 1987-rule-tuning-missing-mitre-attck-mappings branch July 22, 2022 18:30
protectionsmachine pushed a commit that referenced this pull request Jul 22, 2022
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <[email protected]>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>

Removed changes from:
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

(selectively cherry picked from commit e8c39d1)
protectionsmachine pushed a commit that referenced this pull request Jul 22, 2022
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <[email protected]>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>

Removed changes from:
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

(selectively cherry picked from commit e8c39d1)
protectionsmachine pushed a commit that referenced this pull request Jul 22, 2022
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <[email protected]>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>

Removed changes from:
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml

(selectively cherry picked from commit e8c39d1)
protectionsmachine pushed a commit that referenced this pull request Jul 22, 2022
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <[email protected]>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>

(cherry picked from commit e8c39d1)
Mikaayenson pushed a commit that referenced this pull request Jul 22, 2022
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <[email protected]>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>
banderror commented

@terrancedejesus @Mikaayenson I don't know if you'd like to review the PR, but here it is:
elastic/kibana#137122

terrancedejesus (Contributor, Author) commented

@terrancedejesus @Mikaayenson I don't know if you'd like to review the PR, but here it is:

elastic/kibana#137122

Hey there! Thanks for linking the PR. I don't think we need to review it at the moment as we already merged our changes. As a side note we are using tag 11.3 from ATT&CK so as long as those align we should be good!

banderror commented Jul 26, 2022

Oh, that's actually good to know @terrancedejesus, because we used to pull the MITRE content from their master branch. I updated the script to pull from a specific version and made sure we use v11.3 in 8.4.0: elastic/kibana@1bda53f. Thank you!

banderror added a commit to elastic/kibana that referenced this pull request Jul 27, 2022
#137122)

**Related to:** elastic/detection-rules#2073 (comment), #89876

## Summary

Here we regenerate the MITRE ATT&CK model in the code based on the official MITRE content:

- we update to the version `ATT&CK-v11.3` (see elastic/detection-rules#2073 (comment))
- this corresponds to the `https://raw.githubusercontent.com/mitre/cti/ATT&CK-v11.3/enterprise-attack/enterprise-attack.json` content

Also, this PR fixes the model regeneration script (check the comment below).
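An added example, not code from this PR or from the Kibana PR linked above: a loader for the STIX bundle shape that enterprise-attack.json uses (the content pinned here to tag ATT&CK-v11.3 at the raw.githubusercontent.com URL quoted in the commit message), and a check that a rule's tactic/technique pairing is consistent with that version, which is the consistency the rule-side and Kibana-side mappings need to agree on. The bundle embedded below is a constructed stand-in of a handful of objects (real bundles carry thousands), and T9999 is a placeholder used only to show how a revoked entry is handled.

```python
"""Index an ATT&CK STIX bundle into tactic/technique lookups and validate a rule mapping."""
import json
from typing import Optional

# Source of the real data for a pinned version (quoted from the commit message above):
# https://raw.githubusercontent.com/mitre/cti/ATT&CK-v11.3/enterprise-attack/enterprise-attack.json
# Constructed miniature bundle in the same shape; T9999 is a placeholder for a revoked entry.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "x-mitre-tactic", "name": "Persistence", "x_mitre_shortname": "persistence",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
    {"type": "x-mitre-tactic", "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0004"}]},
    {"type": "x-mitre-tactic", "name": "Defense Evasion", "x_mitre_shortname": "defense-evasion",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0005"}]},
    {"type": "attack-pattern", "name": "Boot or Logon Initialization Scripts",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1037"}]},
    {"type": "attack-pattern", "name": "RC Scripts", "x_mitre_is_subtechnique": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1037.004"}]},
    {"type": "attack-pattern", "name": "Impair Defenses",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1562"}]},
    {"type": "attack-pattern", "name": "Constructed Revoked Technique", "revoked": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
]})


def mitre_id(obj: dict) -> Optional[str]:
    """Return the TAxxxx / Txxxx(.yyy) identifier from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_attack_model(bundle_json: str) -> dict:
    """Index tactics by TA id and techniques by T id; revoked/deprecated techniques stay flagged."""
    tactics, techniques = {}, {}
    for obj in json.loads(bundle_json)["objects"]:
        ident = mitre_id(obj)
        if ident is None:
            continue
        retired = bool(obj.get("revoked") or obj.get("x_mitre_deprecated"))
        if obj["type"] == "x-mitre-tactic" and not retired:
            tactics[ident] = {"name": obj["name"], "shortname": obj["x_mitre_shortname"]}
        elif obj["type"] == "attack-pattern":
            # Sub-techniques (T1234.001) use the same shape; kill_chain_phases carries tactic shortnames.
            phases = {p["phase_name"] for p in obj.get("kill_chain_phases", [])
                      if p.get("kill_chain_name") == "mitre-attack"}
            techniques[ident] = {"name": obj["name"], "tactics": phases, "retired": retired}
    return {"tactics": tactics, "techniques": techniques}


def validate_mapping(model: dict, tactic_id: str, technique_ids: list) -> list:
    """Findings for one [[rule.threat]] block: the tactic id with its technique ids."""
    tactic = model["tactics"].get(tactic_id)
    if tactic is None:
        return [f"unknown tactic {tactic_id}"]
    findings = []
    for tid in technique_ids:
        tech = model["techniques"].get(tid)
        if tech is None:
            findings.append(f"unknown technique {tid}")
        elif tech["retired"]:
            findings.append(f"{tid} ({tech['name']}) is revoked or deprecated in this ATT&CK version")
        elif tactic["shortname"] not in tech["tactics"]:
            findings.append(f"{tid} ({tech['name']}) does not belong to tactic {tactic['name']}")
    return findings


MODEL = load_attack_model(SAMPLE_BUNDLE)

if __name__ == "__main__":
    print(validate_mapping(MODEL, "TA0003", ["T1037", "T1037.004"]) or "OK")
    print(validate_mapping(MODEL, "TA0005", ["T1037", "T9999"]))
```

Pinning the bundle to a release tag, as the commit does, is what makes this check reproducible: the same rule validated against master on two different days can give two different answers once a technique is revoked or re-parented.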
Successfully merging this pull request may close these issues.

[Rule Tuning] Missing MITRE ATT&CK Mappings
7 participants