From 179961a9cd342207ecb485227b39fb7c3d4a0b86 Mon Sep 17 00:00:00 2001
From: mrblacyk
Date: Sun, 10 Feb 2019 00:18:00 +0100
Subject: [PATCH] More fixes
---
 .../Data_Needed/DN_0005_7045_windows_service_insatalled.md | 2 +-
 ...6_2_windows_sysmon_process_changed_a_file_creation_time.md | 2 +-
 .../DN_0008_4_windows_sysmon_sysmon_service_state_changed.md | 2 +-
 .../DN_0009_5_windows_sysmon_process_terminated.md | 2 +-
 .../Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md | 2 +-
 .../DN_0012_8_windows_sysmon_CreateRemoteThread.md | 2 +-
 .../Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md | 2 +-
 .../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md | 2 +-
 .../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md | 2 +-
 .../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md | 2 +-
 .../DN_0019_15_windows_sysmon_FileCreateStreamHash.md | 2 +-
 .../Data_Needed/DN_0031_7036_service_started_stopped.md | 2 +-
 .../Data_Needed/DN_0034_104_log_file_was_cleared.md | 2 +-
 .../Data_Needed/DN_0035_106_task_scheduler_task_registered.md | 2 +-
 .../Data_Needed/DN_0036_150_dns_server_could_not_load_dll.md | 2 +-
 .../Data_Needed/DN_0080_5859_wmi_activity.md | 2 +-
 .../Data_Needed/DN_0081_5861_wmi_activity.md | 2 +-
 .../win_wmi_persistence_script_event_consumer.md | 2 +-
 scripts_v2/dataneeded.py | 3 +++
 scripts_v2/templates/markdown_dataneeded_template.md.j2 | 4 ++--
 20 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md b/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md
index 49c4cbe..2eb6a06 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md
@@ -1,7 +1,7 @@
 | Title | DN_0005_7045_windows_service_insatalled |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | A service was installed in the system |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md b/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md
index 33cb00b..af1c9a9 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md
@@ -1,7 +1,7 @@
 | Title | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Explicit modification of file creation timestamp by a process |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md
index a4f0fdb..d60baca 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md
@@ -1,7 +1,7 @@
 | Title | DN_0008_4_windows_sysmon_sysmon_service_state_changed |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Sysmon service changed status |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md b/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md
index fa899f7..e15a0a4 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md
@@ -1,7 +1,7 @@
 | Title | DN_0009_5_windows_sysmon_process_terminated |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Process has been terminated |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md b/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md
index 5c6755f..a49d615 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md
@@ -1,7 +1,7 @@
 | Title | DN_0010_6_windows_sysmon_driver_loaded |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md b/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md
index 07d37b2..60cfad5 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md
@@ -1,7 +1,7 @@
 | Title | DN_0012_8_windows_sysmon_CreateRemoteThread |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | The CreateRemoteThread event detects when a process creates a thread in another process |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md b/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md
index 1535553..0c1d373 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md
@@ -1,7 +1,7 @@
 | Title | DN_0013_9_windows_sysmon_RawAccessRead |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md
index a5a2a04..433acdd 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md
@@ -1,7 +1,7 @@
 | Title | DN_0016_12_windows_sysmon_RegistryEvent |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md
index f138d64..fca0d08 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md
@@ -1,7 +1,7 @@
 | Title | DN_0016_13_windows_sysmon_RegistryEvent |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md
index 28c0af3..19ad61a 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md
@@ -1,7 +1,7 @@
 | Title | DN_0018_14_windows_sysmon_RegistryEvent |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md b/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md
index 9b79e6a..bdb41d0 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md
@@ -1,7 +1,7 @@
 | Title | DN_0019_15_windows_sysmon_FileCreateStreamHash |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md b/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md
index 8384634..09a3585 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md
@@ -1,7 +1,7 @@
 | Title | DN_0031_7036_service_started_stopped |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Service entered the running/stopped state |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0034_104_log_file_was_cleared.md b/Atomic_Threat_Coverage/Data_Needed/DN_0034_104_log_file_was_cleared.md
index ffdf75a..13ba428 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0034_104_log_file_was_cleared.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0034_104_log_file_was_cleared.md
@@ -1,7 +1,7 @@
 | Title | DN_0034_104_log_file_was_cleared |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Windows log file was cleared |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0035_106_task_scheduler_task_registered.md b/Atomic_Threat_Coverage/Data_Needed/DN_0035_106_task_scheduler_task_registered.md
index a8d7e9d..ed1a9bb 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0035_106_task_scheduler_task_registered.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0035_106_task_scheduler_task_registered.md
@@ -1,7 +1,7 @@
 | Title | DN_0035_106_task_scheduler_task_registered |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | General Windows Task Registration |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0036_150_dns_server_could_not_load_dll.md b/Atomic_Threat_Coverage/Data_Needed/DN_0036_150_dns_server_could_not_load_dll.md
index 30eb8eb..64dee8d 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0036_150_dns_server_could_not_load_dll.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0036_150_dns_server_could_not_load_dll.md
@@ -1,7 +1,7 @@
 | Title | DN_0036_150_dns_server_could_not_load_dll |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | Windows DNS server could not load or initialize the plug-in DLL |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0080_5859_wmi_activity.md b/Atomic_Threat_Coverage/Data_Needed/DN_0080_5859_wmi_activity.md
index ad466f7..8e8f01b 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0080_5859_wmi_activity.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0080_5859_wmi_activity.md
@@ -1,7 +1,7 @@
 | Title | DN_0080_5859_wmi_activity |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0081_5861_wmi_activity.md b/Atomic_Threat_Coverage/Data_Needed/DN_0081_5861_wmi_activity.md
index ca0f63d..8597ccd 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0081_5861_wmi_activity.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0081_5861_wmi_activity.md
@@ -1,7 +1,7 @@
 | Title | DN_0081_5861_wmi_activity |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | Windows |
 | Type | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
index 164c0c1..ad126b8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
@@ -3,7 +3,7 @@
 | Description | Detects WMI script event consumers |
 | ATT&CK Tactic | |
 | ATT&CK Technique | |
-| Data Needed | |
+| Data Needed | |
 | Trigger | |
 | Severity Level | high |
 | False Positives | |
diff --git a/scripts_v2/dataneeded.py b/scripts_v2/dataneeded.py
index e457aaa..963c2f1 100755
--- a/scripts_v2/dataneeded.py
+++ b/scripts_v2/dataneeded.py
@@ -102,6 +102,9 @@ class DataNeeded:
 logging_policies = self.dn_fields.get("loggingpolicy")
+ if not logging_policies:
+ logging_policies = ["None", ]
+
 logging_policies_with_id = []
 for lp in logging_policies:
diff --git a/scripts_v2/templates/markdown_dataneeded_template.md.j2 b/scripts_v2/templates/markdown_dataneeded_template.md.j2
index 805ded6..ec6cb39 100755
--- a/scripts_v2/templates/markdown_dataneeded_template.md.j2
+++ b/scripts_v2/templates/markdown_dataneeded_template.md.j2
@@ -1,10 +1,10 @@
 | Title | {{ title }} |
 |:---------------|:-----------------------------------------------------------------------------------------------------------------|
 | Description | {{ description }} |
-| Logging Policy | |
+| Logging Policy | |
 | References | |
 | Platform | {{ platform }} |
-| Type | {{ type }} |
+| Type | {{ type }} |
 | Channel | {{ channel }} |
 | Provider | {{ provider }} |
 | Fields | |
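Review bot: The fallback `logging_policies = ["None", ]` feeds a display string into the same `for lp in logging_policies:` loop that handles real policy names, so whatever that loop does with `lp` (it continues past the end of the hunk) will run against the literal "None" and, if it resolves policies by id or name, may either fail or silently match a policy that happens to carry that name. Keeping the data empty and letting the template print the placeholder avoids that ambiguity: `logging_policies = logging_policies or []` here, with the "None" text rendered by the template; if the sentinel is kept on purpose, a comment such as `# "None" is a display placeholder for entries with no loggingpolicy field, not a real LP id` should say so. From a detection-coverage angle, a Data Needed entry with no logging policy means the data source has no documented audit configuration, which is a gap worth surfacing with a warning rather than only a table cell reading None. The stray trailing comma can also go: `logging_policies = ["None"]`.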