Skip to content

Commit

Permalink
[Security Solution][Detections] Updates MITRE Tactics, Techniques, an…
Browse files Browse the repository at this point in the history
…d Subtechniques for 7.13 (#97011)

## Summary

This PR updates the MITRE Tactics, Techniques, and Subtechniques used within Security Solution Detection Rules. See #89876 for details on automating this task. 🙂
  • Loading branch information
spong authored Apr 13, 2021
1 parent d80c257 commit 7e20bf8
Show file tree
Hide file tree
Showing 3 changed files with 129 additions and 38 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -718,12 +718,6 @@ export const technique = [
reference: 'https://attack.mitre.org/techniques/T1061',
tactics: ['execution'],
},
{
name: 'Group Policy Modification',
id: 'T1484',
reference: 'https://attack.mitre.org/techniques/T1484',
tactics: ['defense-evasion', 'privilege-escalation'],
},
{
name: 'Hardware Additions',
id: 'T1200',
Expand Down Expand Up @@ -1354,6 +1348,18 @@ export const technique = [
reference: 'https://attack.mitre.org/techniques/T1220',
tactics: ['defense-evasion'],
},
{
name: 'Domain Policy Modification',
id: 'T1484',
reference: 'https://attack.mitre.org/techniques/T1484',
tactics: ['defense-evasion', 'privilege-escalation'],
},
{
name: 'Forge Web Credentials',
id: 'T1606',
reference: 'https://attack.mitre.org/techniques/T1606',
tactics: ['credential-access'],
},
];

export const techniquesOptions: MitreTechniquesOptions[] = [
Expand Down Expand Up @@ -2259,17 +2265,6 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
tactics: 'execution',
value: 'graphicalUserInterface',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackTechniques.groupPolicyModificationDescription',
{ defaultMessage: 'Group Policy Modification (T1484)' }
),
id: 'T1484',
name: 'Group Policy Modification',
reference: 'https://attack.mitre.org/techniques/T1484',
tactics: 'defense-evasion,privilege-escalation',
value: 'groupPolicyModification',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hardwareAdditionsDescription',
Expand Down Expand Up @@ -3425,6 +3420,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
tactics: 'defense-evasion',
value: 'xslScriptProcessing',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainPolicyModificationDescription',
{ defaultMessage: 'Domain Policy Modification (T1484)' }
),
id: 'T1484',
name: 'Domain Policy Modification',
reference: 'https://attack.mitre.org/techniques/T1484',
tactics: 'defense-evasion,privilege-escalation',
value: 'domainPolicyModification',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackTechniques.forgeWebCredentialsDescription',
{ defaultMessage: 'Forge Web Credentials (T1606)' }
),
id: 'T1606',
name: 'Forge Web Credentials',
reference: 'https://attack.mitre.org/techniques/T1606',
tactics: 'credential-access',
value: 'forgeWebCredentials',
},
];

export const subtechniques = [
Expand Down Expand Up @@ -3477,13 +3494,6 @@ export const subtechniques = [
tactics: ['persistence'],
techniqueId: 'T1137',
},
{
name: 'Additional Cloud Credentials',
id: 'T1098.001',
reference: 'https://attack.mitre.org/techniques/T1098/001',
tactics: ['persistence'],
techniqueId: 'T1098',
},
{
name: 'AppCert DLLs',
id: 'T1546.009',
Expand Down Expand Up @@ -5864,6 +5874,41 @@ export const subtechniques = [
tactics: ['persistence', 'privilege-escalation'],
techniqueId: 'T1547',
},
{
name: 'Additional Cloud Credentials',
id: 'T1098.001',
reference: 'https://attack.mitre.org/techniques/T1098/001',
tactics: ['persistence'],
techniqueId: 'T1098',
},
{
name: 'Group Policy Modification',
id: 'T1484.001',
reference: 'https://attack.mitre.org/techniques/T1484/001',
tactics: ['defense-evasion', 'privilege-escalation'],
techniqueId: 'T1484',
},
{
name: 'Domain Trust Modification',
id: 'T1484.002',
reference: 'https://attack.mitre.org/techniques/T1484/002',
tactics: ['defense-evasion', 'privilege-escalation'],
techniqueId: 'T1484',
},
{
name: 'Web Cookies',
id: 'T1606.001',
reference: 'https://attack.mitre.org/techniques/T1606/001',
tactics: ['credential-access'],
techniqueId: 'T1606',
},
{
name: 'SAML Tokens',
id: 'T1606.002',
reference: 'https://attack.mitre.org/techniques/T1606/002',
tactics: ['credential-access'],
techniqueId: 'T1606',
},
];

export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
Expand Down Expand Up @@ -5951,18 +5996,6 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
techniqueId: 'T1137',
value: 'addIns',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description',
{ defaultMessage: 'Additional Cloud Credentials (T1098.001)' }
),
id: 'T1098.001',
name: 'Additional Cloud Credentials',
reference: 'https://attack.mitre.org/techniques/T1098/001',
tactics: 'persistence',
techniqueId: 'T1098',
value: 'additionalCloudCredentials',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appCertDlLsT1546Description',
Expand Down Expand Up @@ -10043,6 +10076,66 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
techniqueId: 'T1547',
value: 'winlogonHelperDll',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description',
{ defaultMessage: 'Additional Cloud Credentials (T1098.001)' }
),
id: 'T1098.001',
name: 'Additional Cloud Credentials',
reference: 'https://attack.mitre.org/techniques/T1098/001',
tactics: 'persistence',
techniqueId: 'T1098',
value: 'additionalCloudCredentials',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.groupPolicyModificationT1484Description',
{ defaultMessage: 'Group Policy Modification (T1484.001)' }
),
id: 'T1484.001',
name: 'Group Policy Modification',
reference: 'https://attack.mitre.org/techniques/T1484/001',
tactics: 'defense-evasion,privilege-escalation',
techniqueId: 'T1484',
value: 'groupPolicyModification',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.domainTrustModificationT1484Description',
{ defaultMessage: 'Domain Trust Modification (T1484.002)' }
),
id: 'T1484.002',
name: 'Domain Trust Modification',
reference: 'https://attack.mitre.org/techniques/T1484/002',
tactics: 'defense-evasion,privilege-escalation',
techniqueId: 'T1484',
value: 'domainTrustModification',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.webCookiesT1606Description',
{ defaultMessage: 'Web Cookies (T1606.001)' }
),
id: 'T1606.001',
name: 'Web Cookies',
reference: 'https://attack.mitre.org/techniques/T1606/001',
tactics: 'credential-access',
techniqueId: 'T1606',
value: 'webCookies',
},
{
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.samlTokensT1606Description',
{ defaultMessage: 'SAML Tokens (T1606.002)' }
),
id: 'T1606.002',
name: 'SAML Tokens',
reference: 'https://attack.mitre.org/techniques/T1606/002',
tactics: 'credential-access',
techniqueId: 'T1606',
value: 'samlTokens',
},
];

/**
Expand Down
1 change: 0 additions & 1 deletion x-pack/plugins/translations/translations/ja-JP.json
Original file line number Diff line number Diff line change
Expand Up @@ -19058,7 +19058,6 @@
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimNetworkInformationDescription": "被害者ネットワーク情報の収集 (T1590) ",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimOrgInformationDescription": "被害者組織情報の収集 (T1591) ",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.graphicalUserInterfaceDescription": "グラフィカルユーザーインターフェイス (T1061) ",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.groupPolicyModificationDescription": "グループポリシー修正 (T1484) ",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.hardwareAdditionsDescription": "ハードウェア追加 (T1200) ",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.hideArtifactsDescription": "アーチファクトの非表示 (T1564) ",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.hijackExecutionFlowDescription": "ハイジャック実行フロー (T1574) ",
Expand Down
1 change: 0 additions & 1 deletion x-pack/plugins/translations/translations/zh-CN.json
Original file line number Diff line number Diff line change
Expand Up @@ -19328,7 +19328,6 @@
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimNetworkInformationDescription": "Gather Victim Network Information (T1590)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimOrgInformationDescription": "Gather Victim Org Information (T1591)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.graphicalUserInterfaceDescription": "Graphical User Interface (T1061)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.groupPolicyModificationDescription": "Group Policy Modification (T1484)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.hardwareAdditionsDescription": "Hardware Additions (T1200)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.hideArtifactsDescription": "Hide Artifacts (T1564)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.hijackExecutionFlowDescription": "Hijack Execution Flow (T1574)",
Expand Down

0 comments on commit 7e20bf8

Please sign in to comment.