Merge pull request #326 from frack113/Update-Mitre

Update mitre_attack to 16.1
SigmaHQ · Feb 25, 2025 · df4b67d · df4b67d
2 parents 286344f + 4744ad1
commit df4b67d
Showing 1 changed file with 84 additions and 2 deletions.
diff --git a/sigma/data/mitre_attack.py b/sigma/data/mitre_attack.py
@@ -1,6 +1,6 @@
 from typing import Dict, List
 
-mitre_attack_version: str = "15.1"
+mitre_attack_version: str = "16.1"
 mitre_attack_tactics: Dict[str, str] = {
     "TA0001": "initial-access",
     "TA0002": "execution",
@@ -21,7 +21,7 @@
     "T1001": "Data Obfuscation",
     "T1001.001": "Junk Data",
     "T1001.002": "Steganography",
-    "T1001.003": "Protocol Impersonation",
+    "T1001.003": "Protocol or Service Impersonation",
     "T1003": "OS Credential Dumping",
     "T1003.001": "LSASS Memory",
     "T1003.002": "Security Account Manager",
@@ -70,6 +70,7 @@
     "T1027.011": "Fileless Storage",
     "T1027.012": "LNK Icon Smuggling",
     "T1027.013": "Encrypted/Encoded File",
+    "T1027.014": "Polymorphic Code",
     "T1029": "Scheduled Transfer",
     "T1030": "Data Transfer Size Limits",
     "T1033": "System Owner/User Discovery",
@@ -83,6 +84,7 @@
     "T1036.007": "Double File Extension",
     "T1036.008": "Masquerade File Type",
     "T1036.009": "Break Process Trees",
+    "T1036.010": "Masquerade Account Name",
     "T1037": "Boot or Logon Initialization Scripts",
     "T1037.001": "Logon Script (Windows)",
     "T1037.002": "Login Hook",
@@ -137,6 +139,7 @@
     "T1059.008": "Network Device CLI",
     "T1059.009": "Cloud API",
     "T1059.010": "AutoHotKey & AutoIT",
+    "T1059.011": "Lua",
     "T1068": "Exploitation for Privilege Escalation",
     "T1069": "Permission Groups Discovery",
     "T1069.001": "Local Groups",
@@ -152,11 +155,13 @@
     "T1070.007": "Clear Network Connection History and Configurations",
     "T1070.008": "Clear Mailbox Data",
     "T1070.009": "Clear Persistence",
+    "T1070.010": "Relocate Malware",
     "T1071": "Application Layer Protocol",
     "T1071.001": "Web Protocols",
     "T1071.002": "File Transfer Protocols",
     "T1071.003": "Mail Protocols",
     "T1071.004": "DNS",
+    "T1071.005": "Publish/Subscribe Protocols",
     "T1072": "Software Deployment Tools",
     "T1074": "Data Staged",
     "T1074.001": "Local Data Staging",
@@ -189,6 +194,7 @@
     "T1098.004": "SSH Authorized Keys",
     "T1098.005": "Device Registration",
     "T1098.006": "Additional Container Cluster Roles",
+    "T1098.007": "Additional Local or Domain Groups",
     "T1102": "Web Service",
     "T1102.001": "Dead Drop Resolver",
     "T1102.002": "Bidirectional Communication",
@@ -216,6 +222,7 @@
     "T1125": "Video Capture",
     "T1127": "Trusted Developer Utilities Proxy Execution",
     "T1127.001": "MSBuild",
+    "T1127.002": "ClickOnce",
     "T1129": "Shared Modules",
     "T1132": "Data Encoding",
     "T1132.001": "Standard Encoding",
@@ -270,6 +277,8 @@
     "T1213.001": "Confluence",
     "T1213.002": "Sharepoint",
     "T1213.003": "Code Repositories",
+    "T1213.004": "Customer Relationship Management Software",
+    "T1213.005": "Messaging Applications",
     "T1216": "System Script Proxy Execution",
     "T1216.001": "PubPrn",
     "T1216.002": "SyncAppvPublishingServer",
@@ -297,11 +306,13 @@
     "T1222.002": "Linux and Mac File and Directory Permissions Modification",
     "T1480": "Execution Guardrails",
     "T1480.001": "Environmental Keying",
+    "T1480.002": "Mutual Exclusion",
     "T1482": "Domain Trust Discovery",
     "T1484": "Domain or Tenant Policy Modification",
     "T1484.001": "Group Policy Modification",
     "T1484.002": "Trust Modification",
     "T1485": "Data Destruction",
+    "T1485.001": "Lifecycle-Triggered Deletion",
     "T1486": "Data Encrypted for Impact",
     "T1489": "Service Stop",
     "T1490": "Inhibit System Recovery",
@@ -310,6 +321,10 @@
     "T1491.002": "External Defacement",
     "T1495": "Firmware Corruption",
     "T1496": "Resource Hijacking",
+    "T1496.001": "Compute Hijacking",
+    "T1496.002": "Bandwidth Hijacking",
+    "T1496.003": "SMS Pumping",
+    "T1496.004": "Cloud Service Hijacking",
     "T1497": "Virtualization/Sandbox Evasion",
     "T1497.001": "System Checks",
     "T1497.002": "User Activity Based Checks",
@@ -370,6 +385,7 @@
     "T1546.014": "Emond",
     "T1546.015": "Component Object Model Hijacking",
     "T1546.016": "Installer Packages",
+    "T1546.017": "Udev Rules",
     "T1547": "Boot or Logon Autostart Execution",
     "T1547.001": "Registry Run Keys / Startup Folder",
     "T1547.002": "Authentication Package",
@@ -435,11 +451,13 @@
     "T1557.001": "LLMNR/NBT-NS Poisoning and SMB Relay",
     "T1557.002": "ARP Cache Poisoning",
     "T1557.003": "DHCP Spoofing",
+    "T1557.004": "Evil Twin",
     "T1558": "Steal or Forge Kerberos Tickets",
     "T1558.001": "Golden Ticket",
     "T1558.002": "Silver Ticket",
     "T1558.003": "Kerberoasting",
     "T1558.004": "AS-REP Roasting",
+    "T1558.005": "Ccache Files",
     "T1559": "Inter-Process Communication",
     "T1559.001": "Component Object Model",
     "T1559.002": "Dynamic Data Exchange",
@@ -655,6 +673,7 @@
     "T1657": "Financial Theft",
     "T1659": "Content Injection",
     "T1665": "Hide Infrastructure",
+    "T1666": "Modify Cloud Resource Hierarchy",
 }
 mitre_attack_techniques_tactics_mapping: Dict[str, List[str]] = {
     "T1001": ["command-and-control"],
@@ -709,6 +728,7 @@
     "T1027.011": ["defense-evasion"],
     "T1027.012": ["defense-evasion"],
     "T1027.013": ["defense-evasion"],
+    "T1027.014": ["defense-evasion"],
     "T1029": ["exfiltration"],
     "T1030": ["exfiltration"],
     "T1033": ["discovery"],
@@ -722,6 +742,7 @@
     "T1036.007": ["defense-evasion"],
     "T1036.008": ["defense-evasion"],
     "T1036.009": ["defense-evasion"],
+    "T1036.010": ["defense-evasion"],
     "T1037": ["persistence", "privilege-escalation"],
     "T1037.001": ["persistence", "privilege-escalation"],
     "T1037.002": ["persistence", "privilege-escalation"],
@@ -776,6 +797,7 @@
     "T1059.008": ["execution"],
     "T1059.009": ["execution"],
     "T1059.010": ["execution"],
+    "T1059.011": ["execution"],
     "T1068": ["privilege-escalation"],
     "T1069": ["discovery"],
     "T1069.001": ["discovery"],
@@ -791,11 +813,13 @@
     "T1070.007": ["defense-evasion"],
     "T1070.008": ["defense-evasion"],
     "T1070.009": ["defense-evasion"],
+    "T1070.010": ["defense-evasion"],
     "T1071": ["command-and-control"],
     "T1071.001": ["command-and-control"],
     "T1071.002": ["command-and-control"],
     "T1071.003": ["command-and-control"],
     "T1071.004": ["command-and-control"],
+    "T1071.005": ["command-and-control"],
     "T1072": ["execution", "lateral-movement"],
     "T1074": ["collection"],
     "T1074.001": ["collection"],
@@ -828,6 +852,7 @@
     "T1098.004": ["persistence", "privilege-escalation"],
     "T1098.005": ["persistence", "privilege-escalation"],
     "T1098.006": ["persistence", "privilege-escalation"],
+    "T1098.007": ["persistence", "privilege-escalation"],
     "T1102": ["command-and-control"],
     "T1102.001": ["command-and-control"],
     "T1102.002": ["command-and-control"],
@@ -855,6 +880,7 @@
     "T1125": ["collection"],
     "T1127": ["defense-evasion"],
     "T1127.001": ["defense-evasion"],
+    "T1127.002": ["defense-evasion"],
     "T1129": ["execution"],
     "T1132": ["command-and-control"],
     "T1132.001": ["command-and-control"],
@@ -909,6 +935,8 @@
     "T1213.001": ["collection"],
     "T1213.002": ["collection"],
     "T1213.003": ["collection"],
+    "T1213.004": ["collection"],
+    "T1213.005": ["collection"],
     "T1216": ["defense-evasion"],
     "T1216.001": ["defense-evasion"],
     "T1216.002": ["defense-evasion"],
@@ -936,11 +964,13 @@
     "T1222.002": ["defense-evasion"],
     "T1480": ["defense-evasion"],
     "T1480.001": ["defense-evasion"],
+    "T1480.002": ["defense-evasion"],
     "T1482": ["discovery"],
     "T1484": ["defense-evasion", "privilege-escalation"],
     "T1484.001": ["defense-evasion", "privilege-escalation"],
     "T1484.002": ["defense-evasion", "privilege-escalation"],
     "T1485": ["impact"],
+    "T1485.001": ["impact"],
     "T1486": ["impact"],
     "T1489": ["impact"],
     "T1490": ["impact"],
@@ -949,6 +979,10 @@
     "T1491.002": ["impact"],
     "T1495": ["impact"],
     "T1496": ["impact"],
+    "T1496.001": ["impact"],
+    "T1496.002": ["impact"],
+    "T1496.003": ["impact"],
+    "T1496.004": ["impact"],
     "T1497": ["defense-evasion", "discovery"],
     "T1497.001": ["defense-evasion", "discovery"],
     "T1497.002": ["defense-evasion", "discovery"],
@@ -1009,6 +1043,7 @@
     "T1546.014": ["privilege-escalation", "persistence"],
     "T1546.015": ["privilege-escalation", "persistence"],
     "T1546.016": ["privilege-escalation", "persistence"],
+    "T1546.017": ["persistence", "privilege-escalation"],
     "T1547": ["persistence", "privilege-escalation"],
     "T1547.001": ["persistence", "privilege-escalation"],
     "T1547.002": ["persistence", "privilege-escalation"],
@@ -1074,11 +1109,13 @@
     "T1557.001": ["credential-access", "collection"],
     "T1557.002": ["credential-access", "collection"],
     "T1557.003": ["credential-access", "collection"],
+    "T1557.004": ["credential-access", "collection"],
     "T1558": ["credential-access"],
     "T1558.001": ["credential-access"],
     "T1558.002": ["credential-access"],
     "T1558.003": ["credential-access"],
     "T1558.004": ["credential-access"],
+    "T1558.005": ["credential-access"],
     "T1559": ["execution"],
     "T1559.001": ["execution"],
     "T1559.002": ["execution"],
@@ -1294,6 +1331,7 @@
     "T1657": ["impact"],
     "T1659": ["initial-access", "command-and-control"],
     "T1665": ["command-and-control"],
+    "T1666": ["defense-evasion"],
 }
 mitre_attack_intrusion_sets: Dict[str, str] = {
     "G0001": "Axiom",
@@ -1445,6 +1483,17 @@
     "G1024": "Akira",
     "G1026": "Malteiro",
     "G1028": "APT-C-23",
+    "G1030": "Agrius",
+    "G1031": "Saint Bear",
+    "G1032": "INC Ransom",
+    "G1033": "Star Blizzard",
+    "G1034": "Daggerfly",
+    "G1035": "Winter Vivern",
+    "G1036": "Moonstone Sleet",
+    "G1037": "TA577",
+    "G1038": "TA578",
+    "G1039": "RedCurl",
+    "G1040": "Play",
 }
 mitre_attack_software: Dict[str, str] = {
     "S0001": "Trojan.Mebromi",
@@ -2031,6 +2080,7 @@
     "S0697": "HermeticWiper",
     "S0698": "HermeticWizard",
     "S0699": "Mythic",
+    "S1010": "VPNFilter",
     "S1011": "Tarrask",
     "S1012": "PowerLess",
     "S1013": "ZxxZ",
@@ -2125,4 +2175,36 @@
     "S1124": "SocGholish",
     "S1125": "AcidRain",
     "S1129": "Akira",
+    "S1130": "Raspberry Robin",
+    "S1131": "NPPSPY",
+    "S1132": "IPsec Helper",
+    "S1133": "Apostle",
+    "S1134": "DEADWOOD",
+    "S1135": "MultiLayer Wiper",
+    "S1136": "BFG Agonizer",
+    "S1137": "Moneybird",
+    "S1138": "Gootloader",
+    "S1139": "INC Ransomware",
+    "S1140": "Spica",
+    "S1141": "LunarWeb",
+    "S1142": "LunarMail",
+    "S1143": "LunarLoader",
+    "S1144": "FRP",
+    "S1145": "Pikabot",
+    "S1146": "MgBot",
+    "S1147": "Nightdoor",
+    "S1148": "Raccoon Stealer",
+    "S1149": "CHIMNEYSWEEP",
+    "S1150": "ROADSWEEP",
+    "S1151": "ZeroCleare",
+    "S1152": "IMAPLoader",
+    "S1153": "Cuckoo Stealer",
+    "S1154": "VersaMem",
+    "S1155": "Covenant",
+    "S1156": "Manjusaka",
+    "S1158": "DUSTPAN",
+    "S1159": "DUSTTRAP",
+    "S1160": "Latrodectus",
+    "S1161": "BPFDoor",
+    "S1162": "Playcrypt",
 }