[Rule Tuning] Missing MITRE ATT&CK Mappings

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/05"
 
 [rule]
 author = ["Elastic"]
@@ -23,3 +23,21 @@ query = '''
 event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1059"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+
+[rule.threat.tactic]
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0002"
+
+

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -28,7 +28,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/exfiltration_rds_snapshot_export.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/09/30"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta
 risk_score = 21
 rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2021/06/29"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
 author = ["Austin Songer"]
 description = """
 Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to
-exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an
+exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an
 unauthorized or unexpected AWS account.
 """
 false_positives = [
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -41,12 +41,19 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 event.outcome:success
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+id = "T1578"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.004"
+name = "Revert Cloud Instance"
+reference = "https://attack.mitre.org/techniques/T1578/004/"
 
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
 
+[rule.threat.tactic]
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0005"

rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/17"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -45,7 +45,15 @@ event.outcome:success
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+id = "T1489"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
+
+

rules/integrations/aws/persistence_rds_instance_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/09/30"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/persistence_redshift_instance_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/04/12"
 maturity = "production"
-updated_date = "2022/04/12"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -32,7 +32,7 @@ risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
 timestamp_override = "event.ingested"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
 type = "query"
 
 query = '''

rules/integrations/aws/persistence_route_table_created.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2022/04/20"
+updated_date = "2022/07/05"
 integration = "aws"
 
 [rule]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/persistence_route_table_modified_or_deleted.toml

@@ -36,7 +36,7 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/azure/impact_azure_automation_runbook_deleted.toml → rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml

@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/07/13"
 integration = "azure"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
-disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.
+disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
 """
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
@@ -27,11 +27,20 @@ references = [
 risk_score = 21
 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and
+    azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and 
+    event.outcome:(Success or success)
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0005/"
+name = "Defense Evasion"
+id = "TA0005"

rules/integrations/azure/impact_virtual_network_device_modified.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/12"
 maturity = "production"
-updated_date = "2021/12/30"
+updated_date = "2022/07/05"
 integration = "azure"
 
 [rule]
@@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 21
 rule_id = "573f6e7a-7acf-4bcd-ad42-c4969124d3c0"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security", "Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/01/06"
 integration = "azure"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/07/20"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,7 @@ id = "T1098"
 
     [[rule.threat.technique.subtechnique]]
     reference = "https://attack.mitre.org/techniques/T1098/003/"
-    name = "Add Office 365 Global Administrator Role"
+    name = "Additional Cloud Roles"
     id = "T1098.003"
 
 [rule.threat.tactic]

rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml

@@ -27,11 +27,25 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml → rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml

@@ -29,11 +29,30 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml → rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml

@@ -29,11 +29,30 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+