Skip to content

mitre-attack-mapping.md

Latest commit

 

History

History
362 lines (281 loc) · 6.98 KB

mitre-attack-mapping.md

File metadata and controls

362 lines (281 loc) · 6.98 KB

MITRE ATT&CK Mapping for Sigma Rules

Table of Contents

Execution

T1059.001 - PowerShell

Description: Adversaries abuse PowerShell for execution

Log Sources: process_creation (Windows)

Detection Pattern:

detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-enc'
            - '-EncodedCommand'
            - 'FromBase64String'
            - 'Invoke-Expression'
            - 'IEX'

Tags:

tags:
    - attack.execution
    - attack.t1059.001

T1059.003 - Windows Command Shell

Description: Abuse of cmd.exe for execution

Detection Pattern:

detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - '/c'
            - '/k'
            - '&'
            - '|'

Persistence

T1053.005 - Scheduled Task

Description: Adversaries create scheduled tasks for persistence

Log Sources: process_creation, registry_event

Detection Pattern:

detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - '/create'
            - '/sc minute'

T1547.001 - Registry Run Keys

Description: Persistence via registry run keys

Log Sources: registry_event

Detection Pattern:

logsource:
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'

Privilege Escalation

T1055 - Process Injection

Description: Adversaries inject code into processes

Detection Pattern:

detection:
    selection:
        EventID: 8  # CreateRemoteThread
        TargetImage|endswith:
            - '\lsass.exe'
            - '\explorer.exe'

T1548.002 - Bypass User Account Control

Description: UAC bypass techniques

Detection Pattern:

detection:
    selection:
        CommandLine|contains:
            - 'eventvwr.exe'
            - 'fodhelper.exe'
        IntegrityLevel: 'High'

Defense Evasion

T1027 - Obfuscated Files or Information

Description: Files or information made difficult to discover or analyze

Detection Pattern:

detection:
    selection:
        CommandLine|contains:
            - '-enc'
            - 'base64'
            - 'FromBase64'
            - 'convert]::FromBase64String'

T1070.001 - Clear Windows Event Logs

Description: Clearing Windows event logs

Detection Pattern:

detection:
    selection:
        EventID: 1102  # Security log cleared

Credential Access

T1003.001 - LSASS Memory

Description: Credential dumping from LSASS memory

Detection Pattern:

detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess:
            - '0x1010'
            - '0x1410'
            - '0x147a'

T1558.003 - Kerberoasting

Description: Service principal name abuse for credential theft

Detection Pattern:

detection:
    selection:
        EventID: 4769
        ServiceName|endswith: '$'
        TicketEncryptionType: '0x17'

Discovery

T1087 - Account Discovery

Description: Adversaries enumerate account information

Detection Pattern:

detection:
    selection:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains:
            - 'user'
            - 'group'
            - 'localgroup administrators'

T1082 - System Information Discovery

Description: System and hardware information gathering

Detection Pattern:

detection:
    selection:
        Image|endswith:
            - '\systeminfo.exe'
            - '\wmic.exe'
        CommandLine|contains:
            - 'os get'
            - 'computersystem'

Lateral Movement

T1021.001 - Remote Desktop Protocol

Description: Remote access via RDP

Log Sources: network_connection, authentication

Detection Pattern:

detection:
    selection:
        EventID: 4624
        LogonType: 10  # RemoteInteractive

T1021.002 - SMB/Windows Admin Shares

Description: Lateral movement via SMB

Detection Pattern:

detection:
    selection:
        EventID: 5140
        ShareName|endswith:
            - 'ADMIN$'
            - 'C$'
            - 'IPC$'

Collection

T1560 - Archive Collected Data

Description: Data archiving before exfiltration

Detection Pattern:

detection:
    selection:
        Image|endswith:
            - '\rar.exe'
            - '\7z.exe'
        CommandLine|contains:
            - ' a '  # Add to archive
            - '-p'   # Password

Command and Control

T1071.001 - Web Protocols

Description: C2 over HTTP/HTTPS

Log Sources: network_connection, proxy

Detection Pattern:

detection:
    selection:
        DestinationPort:
            - 80
            - 443
        Initiated: 'true'
    filter:
        DestinationIp|startswith:
            - '10.'
            - '172.16.'
            - '192.168.'
    condition: selection and not filter

Exfiltration

T1041 - Exfiltration Over C2 Channel

Description: Data exfiltration via existing C2

Detection Pattern:

detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 4444
            - 8080
            - 8443

Impact

T1486 - Data Encrypted for Impact

Description: Ransomware encryption activity

Detection Pattern:

detection:
    selection:
        Image|endswith: '.exe'
        TargetFilename|endswith:
            - '.encrypted'
            - '.locked'
            - '.crypto'
    condition: selection

Tag Format

When tagging rules with MITRE ATT&CK, use this format:

tags:
    - attack.{tactic}           # Lowercase tactic name
    - attack.{technique_id}     # Technique ID (T####) or sub-technique (T####.###)

Example:

tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027

Multiple Techniques

Rules can map to multiple tactics and techniques:

tags:
    - attack.execution          # Primary tactic
    - attack.t1059.001         # PowerShell
    - attack.defense_evasion   # Secondary tactic
    - attack.t1027             # Obfuscation
    - attack.t1140             # Deobfuscate/Decode Files

Resources