Further subtechnique updates

2024-11-07 09:48:58 +00:00 · 2020-06-17 11:31:40 -06:00 · 2020-06-17 11:31:40 -06:00 · b343df2225
commit b343df2225
parent 5c0bb0e94f
11 changed files with 12 additions and 0 deletions
--- a/rules/windows/malware/win_mal_octopus_scanner.yml
+++ b/rules/windows/malware/win_mal_octopus_scanner.yml
@ -6,6 +6,7 @@ references:
  - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
 tags:
  - attack.t1195
+  - attack.t1195.001
 author: NVISO
 date: 2020/06/09
 logsource:
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@ -7,6 +7,7 @@ references:
 tags:
    - attack.defense_evasion
    - attack.t1036
+    - attack.t1036.005
 author: Trent Liffick (@tliffick)
 date: 2020/06/03
 logsource:
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@ -9,6 +9,7 @@ references:
    - https://twitter.com/Oddvarmoe/status/1270633613449723905
 tags:
    - attack.t1059
+    - attack.t1059.003
    - attack.execution
 logsource:
    category: process_creation
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@ -9,6 +9,7 @@ date: 2019/12/22
 tags:
    - attack.credential_access
    - attack.t1003
+    - attack.t1003.001
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@ -12,6 +12,7 @@ modified: 2018/12/11
 tags:
    - attack.execution
    - attack.t1064
+    - attack.t1059.005
 detection:
    condition: selection
 level: high
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@ -9,6 +9,7 @@ date: 2020/06/04
 tags:
  - attack.execution
  - attack.t1086
+  - attack.t1059.001
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@ -10,6 +10,7 @@ references:
 tags:
    - attack.command_and_control
    - attack.t1071
+    - attack.t1071.004
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/sysmon/sysmon_hack_dumpert.yml
+++ b/rules/windows/sysmon/sysmon_hack_dumpert.yml
@ -10,6 +10,7 @@ date: 2020/02/04
 tags:
    - attack.credential_access
    - attack.t1003
+    - attack.t1003.001
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_hack_wce.yml
+++ b/rules/windows/sysmon/sysmon_hack_wce.yml
@ -9,6 +9,7 @@ date: 2019/12/31
 tags:
    - attack.credential_access
    - attack.t1003
+    - attack.t1558
    - attack.s0005
 falsepositives:
    - 'Another service that uses a single -s command line switch'
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@ -7,6 +7,7 @@ references:
    - https://attack.mitre.org/techniques/T1037/
 tags:
    - attack.t1037
+    - attack.t1037.001
    - attack.persistence
    - attack.lateral_movement
 author: Tom Ueltschi (@c_APT_ure)
--- a/rules/windows/sysmon/sysmon_susp_fax_dll.yml
+++ b/rules/windows/sysmon/sysmon_susp_fax_dll.yml
@ -12,6 +12,8 @@ tags:
  - attack.t1073
  - attack.t1038
  - attack.t1112
+  - attack.t1574.001
+  - attack.t1574.002
 logsource:
  product: windows
  service: sysmon