Normalize data sources and remove deprecation of PRE technique
Jennifer Burns committed Oct 31, 2018
1 parent 7137d39 commit f2c65fa
Showing 65 changed files with 260 additions and 262 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Process Monitoring",
"Process monitoring",
"Process command-line parameters",
"Process use of network"
],
Expand All @@ -46,7 +46,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
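Review bot: The `Process Monitoring` → `Process monitoring` line is a case-only change to a string value that downstream tooling commonly matches exactly (filtering techniques by data source, telemetry-coverage mappings), yet `x_mitre_version` just above the array stays at `"1.0"` and only `modified` is bumped, so a consumer that keys on the version field will not see that the value set it indexes on has changed. If leaving the version untouched is deliberate under the project's versioning rule, that is worth stating in the commit description, and the old and new spellings should be called out in the release notes so integrators can update exact-match filters. The same pattern repeats in every file section of this commit, so this note covers them all.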
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Binary file metadata",
"Process Monitoring",
"Process monitoring",
"Process command-line parameters",
"File monitoring"
],
Expand All @@ -49,7 +49,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Process Monitoring",
"Process monitoring",
"Process command-line parameters"
],
"x_mitre_detection": "File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like \"Knock Knock\" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.\n\nMonitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.",
Expand Down Expand Up @@ -57,7 +57,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process Monitoring",
"Process monitoring",
"Authentication logs",
"File monitoring",
"Environment variable"
Expand All @@ -44,7 +44,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"API monitoring",
"DLL monitoring",
"File monitoring",
"Process Monitoring"
"Process monitoring"
],
"x_mitre_detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to <code>%SystemRoot%</code> and <code>%ProgramFiles%</code> directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
"x_mitre_permissions_required": [
Expand All @@ -47,7 +47,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-05-31T21:31:40.542Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,10 @@
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Disk Forensics",
"Disk forensics",
"API monitoring",
"Process Monitoring",
"Component Firmware"
"Process monitoring",
"Component firmware"
],
"x_mitre_defense_bypassed": [
"File monitoring",
Expand Down Expand Up @@ -65,7 +65,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-05-31T21:31:22.374Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Process Monitoring"
"Process monitoring"
],
"x_mitre_detection": "The <code>/etc/rc.common</code> file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.",
"x_mitre_platforms": [
Expand All @@ -47,7 +47,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process Monitoring"
"Process monitoring"
],
"x_mitre_platforms": [
"macOS"
Expand All @@ -50,7 +50,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
"Bartosz Jerzman"
],
"x_mitre_data_sources": [
"Process Monitoring",
"Process monitoring",
"Process command-line parameters",
"Windows Registry",
"File monitoring"
Expand All @@ -52,7 +52,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2018-01-16T16:13:52.465Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Process Monitoring"
"Process monitoring"
],
"x_mitre_detection": "The <code>/Library/StartupItems</code> folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist. Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.",
"x_mitre_effective_permissions": [
Expand All @@ -54,7 +54,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
"x_mitre_data_sources": [
"Windows Registry",
"Process command-line parameters",
"Process Monitoring"
"Process monitoring"
],
"x_mitre_detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
"x_mitre_permissions_required": [
Expand All @@ -50,7 +50,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2018-04-18T17:59:24.739Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process Monitoring",
"Process monitoring",
"Process command-line parameters",
"Network protocol analysis",
"Process use of network"
Expand All @@ -50,7 +50,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@
"Matthew Demaske, Adaptforward"
],
"x_mitre_data_sources": [
"Process Monitoring",
"Process monitoring",
"Process command-line parameters",
"Windows event logs"
],
Expand All @@ -61,7 +61,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2018-04-18T17:59:24.739Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
],
"x_mitre_data_sources": [
"File monitoring",
"Process Monitoring",
"Process monitoring",
"Process command-line parameters"
],
"x_mitre_defense_bypassed": [
Expand All @@ -63,7 +63,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@
"Network intrusion detection system",
"Network protocol analysis",
"Process use of network",
"Process Monitoring"
"Process monitoring"
],
"x_mitre_detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\n[Domain Fronting](https://attack.mitre.org/techniques/T1172) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.",
"x_mitre_network_requirements": true,
Expand All @@ -60,7 +60,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2018-04-18T17:59:24.739Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,7 @@
"Windows Registry",
"File monitoring",
"DLL monitoring",
"Process Monitoring",
"Process monitoring",
"Named Pipes"
],
"x_mitre_defense_bypassed": [
Expand Down Expand Up @@ -154,7 +154,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-05-31T21:30:47.843Z"
}
]
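Review bot: Within this `x_mitre_data_sources` array the commit lowercases `Process Monitoring` but leaves `Named Pipes` with its capital P, so the array still mixes the two casing styles this commit sets out to normalize. If `Named Pipes` is the canonical spelling in the project's data-source list this is fine and can be ignored; otherwise it should become `Named pipes` here and wherever else it appears, since a case-sensitive consumer will treat the two spellings as different sources. The enclosing object starts and ends outside the hunk.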
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process Monitoring",
"Process monitoring",
"File monitoring",
"Process command-line parameters"
],
Expand All @@ -40,7 +40,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Loaded DLLs",
"Process Monitoring",
"Process monitoring",
"Windows Registry"
],
"x_mitre_detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017) \n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
Expand All @@ -62,7 +62,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2018-01-16T16:13:52.465Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"API monitoring",
"Process Monitoring"
"Process monitoring"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
Expand All @@ -82,7 +82,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2018-01-16T16:13:52.465Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Process Monitoring",
"Process monitoring",
"Process command-line parameters"
],
"x_mitre_detection": "Knock Knock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk somewhere which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.",
Expand Down Expand Up @@ -58,7 +58,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@
"x_mitre_data_sources": [
"Authentication logs",
"Packet capture",
"Process Monitoring",
"Process monitoring",
"API monitoring"
],
"x_mitre_detection": "This is a difficult technique to detect because adversary traffic would be masked by normal user traffic. No new processes are created and no additional software touches disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for process injection against browser applications",
Expand All @@ -63,7 +63,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-31T13:45:13.024Z",
"created": "2018-01-16T16:13:52.465Z"
}
]
