{
"name": "SIGMA Rule Coverage",
"version": "2.1",
"domain": "mitre-enterprise",
"description": "Accurate to commit #: 81693d81b6823bb5f064919453eac70c1d097d3e\nhttps://github.com/Neo23x0/sigma/commit/81693d81b6823bb5f064919453eac70c1d097d3e",
"filters": {
"stages": [
"act"
],
"platforms": [
"windows",
"linux",
"mac"
]
},
"sorting": 0,
"viewMode": 0,
"hideDisabled": false,
"techniques": [
{
"techniqueID": "T1156",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": []
},
|
|
{
|
|
"techniqueID": "T1134",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1134",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1015",
|
|
"tactic": "persistence",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_stickykey_like_backdoor.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1015",
|
|
"tactic": "privilege-escalation",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_stickykey_like_backdoor.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1087",
|
|
"tactic": "discovery",
|
|
"score": 5,
|
|
"color": "",
|
|
"comment": "win_account_discovery.yml\nwin_alert_hacktool_use.yml\nwin_susp_net_recon_activity.yml\nwin_susp_commands_recon_activity.yml\nwin_susp_recon_activity.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1098",
|
|
"tactic": "credential-access",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1098",
|
|
"tactic": "persistence",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1182",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1182",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1103",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1103",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1155",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1155",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1017",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1138",
|
|
"tactic": "persistence",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_sdbinst_shim_persistence.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1138",
|
|
"tactic": "privilege-escalation",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_sdbinst_shim_persistence.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1010",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1123",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1131",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1119",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1020",
|
|
"tactic": "exfiltration",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1197",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_process_creation_bitsadmin_download.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1197",
|
|
"tactic": "persistence",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_process_creation_bitsadmin_download.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1139",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1009",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1067",
|
|
"tactic": "persistence",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_bcdedit.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1217",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1176",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1110",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1088",
|
|
"tactic": "defense-evasion",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1088",
|
|
"tactic": "privilege-escalation",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1191",
|
|
"tactic": "defense-evasion",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1191",
|
|
"tactic": "execution",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1042",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1146",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "lnx_shell_clear_cmd_history.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1115",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1116",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1059",
|
|
"tactic": "execution",
|
|
"score": 12,
|
|
"color": "",
|
|
"comment": "apt_babyshark.yml\napt_equationgroup_dll_u_load.yml\napt_equationgroup_lnx.yml\napt_sofacy.yml\napt_sofacy_zebrocy.yml\napt_turla_commands.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_alert_hacktool_use.yml\nwin_office_shell.yml\nwin_susp_cmd_http_appdata.yml\nwin_susp_outlook.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1043",
|
|
"tactic": "command-and-control",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_malware_backconnect_ports.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1092",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1223",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1223",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1109",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1109",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1122",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1122",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1090",
|
|
"tactic": "command-and-control",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_netsh_fw_add.yml\nwin_netsh_port_fwd.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1196",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1196",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1136",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1003",
|
|
"tactic": "credential-access",
|
|
"score": 23,
|
|
"color": "",
|
|
"comment": "apt_bear_activity_gtr19.yml\nwin_alert_lsass_access.yml\nwin_alert_mimikatz_keywords.yml\nwin_dcsync.yml\nwin_impacket_secretdump.yml\nwin_mal_creddumper.yml\nwin_mal_wceaux_dll.yml\nwin_susp_lsass_dump.yml\nwin_susp_sam_dump.yml\nav_password_dumper.yml\nwin_cmdkey_recon.yml\nwin_hack_rubeus.yml\nwin_malware_notpetya.yml\nwin_susp_ntdsutil.yml\nwin_susp_procdump.yml\nwin_susp_sysvol_access.yml\nwin_susp_vssadmin_ntds_activity.yml\nsysmon_ghostpack_safetykatz.yml\nsysmon_lsass_memdump.yml\nsysmon_mimikatz_detection_lsass.yml\nsysmon_mimikatz_inmemory_detection.yml\nsysmon_password_dumper_lsass.yml\nsysmon_quarkspw_filedump.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1081",
|
|
"tactic": "credential-access",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "apt_bear_activity_gtr19.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1214",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1094",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1024",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1207",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1038",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1038",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1038",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1073",
|
|
"tactic": "defense-evasion",
|
|
"score": 9,
|
|
"color": "",
|
|
"comment": "win_susp_dhcp_config.yml\nwin_susp_dhcp_config_failed.yml\nwin_susp_dns_config.yml\nwin_plugx_susp_exe_locations.yml\nwin_susp_control_dll_load.yml\nwin_susp_gup.yml\nsysmon_dhcp_calloutdll.yml\nsysmon_dns_serverlevelplugindll.yml\nsysmon_susp_image_load.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1002",
|
|
"tactic": "exfiltration",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "apt_judgement_panda_gtr19.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1132",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1022",
|
|
"tactic": "exfiltration",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1001",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1074",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1030",
|
|
"tactic": "exfiltration",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1213",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1005",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1039",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1025",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1140",
|
|
"tactic": "defense-evasion",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "win_susp_mshta_execution.yml\nwin_susp_certutil_command.yml\nwin_susp_cli_escape.yml\nwin_susp_ping_hex_ip.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1089",
|
|
"tactic": "defense-evasion",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_alert_enable_weak_encryption.yml\nwin_susp_msmpeng_crash.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1175",
|
|
"tactic": "lateral-movement",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_mmc_source.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1172",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1189",
|
|
"tactic": "initial-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1157",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1157",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1173",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1114",
|
|
"tactic": "collection",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_alert_hacktool_use.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1106",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1129",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1048",
|
|
"tactic": "exfiltration",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1041",
|
|
"tactic": "exfiltration",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1011",
|
|
"tactic": "exfiltration",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_ssp_added_lsa_config.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1052",
|
|
"tactic": "exfiltration",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1190",
|
|
"tactic": "initial-access",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "web_cve_2018_2894_weblogic_exploit.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1203",
|
|
"tactic": "execution",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "av_exploiting.yml\nwin_exploit_cve_2017_8759.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1212",
|
|
"tactic": "credential-access",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "win_net_ntlm_downgrade.yml\nwin_susp_kerberos_manipulation.yml\nwin_susp_samr_pwset.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1211",
|
|
"tactic": "defense-evasion",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_susp_msmpeng_crash.yml\nwin_exploit_cve_2017_11882.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1068",
|
|
"tactic": "privilege-escalation",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "apt_hurricane_panda.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1210",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1133",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1181",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1181",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1008",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1107",
|
|
"tactic": "defense-evasion",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_susp_backup_delete.yml\nwin_susp_sdelete.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1222",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1006",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1044",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1044",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1083",
|
|
"tactic": "discovery",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "apt_turla_commands.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1187",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1144",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1061",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1148",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1200",
|
|
"tactic": "initial-access",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_usb_device_plugged.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1158",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_attrib_hiding_files.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1158",
|
|
"tactic": "persistence",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_attrib_hiding_files.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1147",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1143",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1179",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1179",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1179",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1062",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1183",
|
|
"tactic": "privilege-escalation",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_win_reg_persistence.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1183",
|
|
"tactic": "persistence",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_win_reg_persistence.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1183",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_win_reg_persistence.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1054",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_disable_event_logging.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1066",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_sdelete.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1070",
|
|
"tactic": "defense-evasion",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "win_susp_eventlog_cleared.yml\nwin_susp_security_eventlog_cleared.yml\nwin_malware_notpetya.yml\nwin_susp_bcdedit.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1202",
|
|
"tactic": "defense-evasion",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_office_shell.yml\nwin_susp_outlook.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1056",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1056",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1141",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1130",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1118",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_possible_applocker_bypass.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1118",
|
|
"tactic": "execution",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_possible_applocker_bypass.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1208",
|
|
"tactic": "credential-access",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_susp_rc4_kerberos.yml\nwin_spn_enum.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1215",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1142",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1161",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1149",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1171",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1177",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1177",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1159",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1160",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1160",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1152",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1152",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1152",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1168",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1168",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1162",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1037",
|
|
"tactic": "lateral-movement",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1037",
|
|
"tactic": "persistence",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1185",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1036",
|
|
"tactic": "defense-evasion",
|
|
"score": 14,
|
|
"color": "",
|
|
"comment": "apt_ta17_293a_ps.yml\nwin_exploit_cve_2015_1641.yml\nwin_powershell_b64_shellcode.yml\nwin_susp_calc.yml\nwin_susp_csc.yml\nwin_susp_execution_path.yml\nwin_susp_exec_folder.yml\nwin_susp_procdump.yml\nwin_susp_prog_location_process_starts.yml\nwin_susp_run_locations.yml\nwin_susp_svchost.yml\nwin_susp_taskmgr_localsystem.yml\nwin_susp_taskmgr_parent.yml\nwin_system_exe_anomaly.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1031",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1112",
|
|
"tactic": "defense-evasion",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "apt_chafer_mar18.yml\nwin_mal_ursnif.yml\nsysmon_dhcp_calloutdll.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1170",
|
|
"tactic": "defense-evasion",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1170",
|
|
"tactic": "execution",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1104",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1188",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1026",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1079",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1096",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "powershell_ntfs_ads_access.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1128",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1046",
|
|
"tactic": "discovery",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_vul_java_remote_debugging.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1126",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1135",
|
|
"tactic": "discovery",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "apt_turla_commands.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1040",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1040",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1050",
|
|
"tactic": "persistence",
|
|
"score": 7,
|
|
"color": "",
|
|
"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1050",
|
|
"tactic": "privilege-escalation",
|
|
"score": 7,
|
|
"color": "",
|
|
"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1027",
|
|
"tactic": "defense-evasion",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_susp_ping_hex_ip.yml\nsysmon_ads_executable.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1137",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1075",
|
|
"tactic": "lateral-movement",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "win_alert_hacktool_use.yml\nwin_overpass_the_hash.yml\nwin_pass_the_hash.yml\nwin_susp_ntlm_auth.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1097",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1174",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1201",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1034",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1034",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1120",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1069",
|
|
"tactic": "discovery",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_net_recon_activity.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1150",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1150",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1150",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1205",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1205",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1205",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1013",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1013",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1086",
|
|
"tactic": "execution",
|
|
"score": 28,
|
|
"color": "",
|
|
"comment": "apt_apt29_thinktanks.yml\napt_babyshark.yml\napt_empiremonkey.yml\npowershell_downgrade_attack.yml\npowershell_exe_calling_ps.yml\npowershell_malicious_commandlets.yml\npowershell_malicious_keywords.yml\npowershell_prompt_credentials.yml\npowershell_psattack.yml\npowershell_shellcode_b64.yml\npowershell_suspicious_download.yml\npowershell_suspicious_invocation_generic.yml\npowershell_suspicious_invocation_specific.yml\npowershell_suspicious_keywords.yml\npowershell_xor_commandline.yml\nwin_powershell_amsi_bypass.yml\nwin_powershell_dll_execution.yml\nwin_powershell_download.yml\nwin_powershell_renamed_ps.yml\nwin_powershell_suspicious_parameter_variation.yml\nwin_susp_powershell_enc_cmd.yml\nwin_susp_powershell_hidden_b64_cmd.yml\nwin_susp_powershell_parent_combo.yml\nwin_susp_ps_appdata.yml\nsysmon_powershell_exploit_scripts.yml\nsysmon_powershell_network_connection.yml\nsysmon_powersploit_schtasks.yml\nsysmon_susp_powershell_rundll32.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1145",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1057",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1186",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1093",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1055",
|
|
"tactic": "defense-evasion",
|
|
"score": 8,
|
|
"color": "",
|
|
"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1055",
|
|
"tactic": "privilege-escalation",
|
|
"score": 8,
|
|
"color": "",
|
|
"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1012",
|
|
"tactic": "discovery",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "apt_babyshark.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1163",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1164",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1108",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1108",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1060",
|
|
"tactic": "persistence",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "sysmon_susp_reg_persist_explorer_run.yml\nsysmon_susp_run_key_img_folder.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1121",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_possible_applocker_bypass.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1121",
|
|
"tactic": "execution",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_possible_applocker_bypass.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1117",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_regsvr32_anomalies.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1117",
|
|
"tactic": "execution",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_regsvr32_anomalies.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1219",
|
|
"tactic": "command-and-control",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "av_exploiting.yml\nwin_susp_tscon_localsystem.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1076",
|
|
"tactic": "lateral-movement",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "win_rdp_localhost_login.yml\nwin_rdp_reverse_tunnel.yml\nwin_susp_tscon_rdp_redirect.yml\nsysmon_rdp_reverse_tunnel.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1105",
|
|
"tactic": "command-and-control",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1105",
|
|
"tactic": "lateral-movement",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1021",
|
|
"tactic": "lateral-movement",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_netsh_port_fwd_3389.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1018",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1091",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1091",
|
|
"tactic": "initial-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1014",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1085",
|
|
"tactic": "defense-evasion",
|
|
"score": 11,
|
|
"color": "",
|
|
"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1085",
|
|
"tactic": "execution",
|
|
"score": 11,
|
|
"color": "",
|
|
"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1178",
|
|
"tactic": "privilege-escalation",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_add_sid_history.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1198",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1198",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1184",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1053",
|
|
"tactic": "execution",
|
|
"score": 8,
|
|
"color": "",
|
|
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1053",
|
|
"tactic": "persistence",
|
|
"score": 8,
|
|
"color": "",
|
|
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1053",
|
|
"tactic": "privilege-escalation",
|
|
"score": 8,
|
|
"color": "",
|
|
"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1029",
|
|
"tactic": "exfiltration",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1113",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1180",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1064",
|
|
"tactic": "defense-evasion",
|
|
"score": 10,
|
|
"color": "",
|
|
"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1064",
|
|
"tactic": "execution",
|
|
"score": 10,
|
|
"color": "",
|
|
"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1063",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1101",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1167",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1035",
|
|
"tactic": "execution",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "win_hack_smbexec.yml\nwin_tool_psexec.yml\nwin_psexesvc_start.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1058",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1058",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1166",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1166",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1051",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1023",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1218",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_mavinject_proc_inj.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1218",
|
|
"tactic": "execution",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_mavinject_proc_inj.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1216",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1216",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1045",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1153",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1151",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1151",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1193",
|
|
"tactic": "initial-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1192",
|
|
"tactic": "initial-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1194",
|
|
"tactic": "initial-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1071",
|
|
"tactic": "command-and-control",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "net_susp_dns_txt_exec_strings.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1032",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1095",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1165",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1165",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1169",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1206",
|
|
"tactic": "privilege-escalation",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1195",
|
|
"tactic": "initial-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1019",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1082",
|
|
"tactic": "discovery",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_commands_recon_activity.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1016",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1049",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1033",
|
|
"tactic": "discovery",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_whoami.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1007",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1124",
|
|
"tactic": "discovery",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1080",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1221",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1072",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1072",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1209",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1099",
|
|
"tactic": "defense-evasion",
|
|
"score": 1,
|
|
"color": "",
|
|
"comment": "win_susp_time_modification.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1154",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1154",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1127",
|
|
"tactic": "defense-evasion",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1127",
|
|
"tactic": "execution",
|
|
"score": 2,
|
|
"color": "",
|
|
"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1199",
|
|
"tactic": "initial-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1111",
|
|
"tactic": "credential-access",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1065",
|
|
"tactic": "command-and-control",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1204",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "defense-evasion",
|
|
"score": 6,
|
|
"color": "",
|
|
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "persistence",
|
|
"score": 6,
|
|
"color": "",
|
|
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "privilege-escalation",
|
|
"score": 6,
|
|
"color": "",
|
|
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1078",
|
|
"tactic": "initial-access",
|
|
"score": 6,
|
|
"color": "",
|
|
"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1125",
|
|
"tactic": "collection",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1102",
|
|
"tactic": "command-and-control",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1102",
|
|
"tactic": "defense-evasion",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1100",
|
|
"tactic": "persistence",
|
|
"score": 6,
|
|
"color": "",
|
|
"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1100",
|
|
"tactic": "privilege-escalation",
|
|
"score": 6,
|
|
"color": "",
|
|
"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1077",
|
|
"tactic": "lateral-movement",
|
|
"score": 5,
|
|
"color": "",
|
|
"comment": "apt_turla_commands.yml\nwin_admin_share_access.yml\nwin_hack_smbexec.yml\nwin_lm_namedpipe.yml\nwin_susp_psexec.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1047",
|
|
"tactic": "execution",
|
|
"score": 4,
|
|
"color": "",
|
|
"comment": "win_wmi_persistence.yml\nwin_bypass_squiblytwo.yml\nwin_susp_wmi_execution.yml\nwin_wmi_persistence_script_event_consumer.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1084",
|
|
"tactic": "persistence",
|
|
"score": 3,
|
|
"color": "",
|
|
"comment": "sysmon_wmi_event_subscription.yml\nsysmon_wmi_persistence_commandline_event_consumer.yml\nsysmon_wmi_persistence_script_event_consumer_write.yml",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1028",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1028",
|
|
"tactic": "lateral-movement",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1004",
|
|
"tactic": "persistence",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1220",
|
|
"tactic": "defense-evasion",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
},
|
|
{
|
|
"techniqueID": "T1220",
|
|
"tactic": "execution",
|
|
"score": 0,
|
|
"color": "",
|
|
"comment": "",
|
|
"enabled": true,
|
|
"metadata": []
|
|
}
|
|
],
|
|
"gradient": {
|
|
"colors": [
|
|
"#ffffff",
|
|
"#66b1ff"
|
|
],
|
|
"minValue": 0,
|
|
"maxValue": 2
|
|
},
|
|
"legendItems": [],
|
|
"metadata": [],
|
|
"showTacticRowBackground": false,
|
|
"tacticRowBackground": "#dddddd",
|
|
"selectTechniquesAcrossTactics": true
|
|
} |