Update mitre_attack to 16.1 #326

Merged
merged 1 commit into from
Feb 25, 2025
Merged
86 changes: 84 additions & 2 deletions sigma/data/mitre_attack.py
@@ -1,6 +1,6 @@
from typing import Dict, List

mitre_attack_version: str = "15.1"
mitre_attack_version: str = "16.1"
mitre_attack_tactics: Dict[str, str] = {
"TA0001": "initial-access",
"TA0002": "execution",
Expand All @@ -21,7 +21,7 @@
"T1001": "Data Obfuscation",
"T1001.001": "Junk Data",
"T1001.002": "Steganography",
"T1001.003": "Protocol Impersonation",
"T1001.003": "Protocol or Service Impersonation",
"T1003": "OS Credential Dumping",
"T1003.001": "LSASS Memory",
"T1003.002": "Security Account Manager",
Expand Down Expand Up @@ -70,6 +70,7 @@
"T1027.011": "Fileless Storage",
"T1027.012": "LNK Icon Smuggling",
"T1027.013": "Encrypted/Encoded File",
"T1027.014": "Polymorphic Code",
"T1029": "Scheduled Transfer",
"T1030": "Data Transfer Size Limits",
"T1033": "System Owner/User Discovery",
Expand All @@ -83,6 +84,7 @@
"T1036.007": "Double File Extension",
"T1036.008": "Masquerade File Type",
"T1036.009": "Break Process Trees",
"T1036.010": "Masquerade Account Name",
"T1037": "Boot or Logon Initialization Scripts",
"T1037.001": "Logon Script (Windows)",
"T1037.002": "Login Hook",
Expand Down Expand Up @@ -137,6 +139,7 @@
"T1059.008": "Network Device CLI",
"T1059.009": "Cloud API",
"T1059.010": "AutoHotKey & AutoIT",
"T1059.011": "Lua",
"T1068": "Exploitation for Privilege Escalation",
"T1069": "Permission Groups Discovery",
"T1069.001": "Local Groups",
Expand All @@ -152,11 +155,13 @@
"T1070.007": "Clear Network Connection History and Configurations",
"T1070.008": "Clear Mailbox Data",
"T1070.009": "Clear Persistence",
"T1070.010": "Relocate Malware",
"T1071": "Application Layer Protocol",
"T1071.001": "Web Protocols",
"T1071.002": "File Transfer Protocols",
"T1071.003": "Mail Protocols",
"T1071.004": "DNS",
"T1071.005": "Publish/Subscribe Protocols",
"T1072": "Software Deployment Tools",
"T1074": "Data Staged",
"T1074.001": "Local Data Staging",
Expand Down Expand Up @@ -189,6 +194,7 @@
"T1098.004": "SSH Authorized Keys",
"T1098.005": "Device Registration",
"T1098.006": "Additional Container Cluster Roles",
"T1098.007": "Additional Local or Domain Groups",
"T1102": "Web Service",
"T1102.001": "Dead Drop Resolver",
"T1102.002": "Bidirectional Communication",
Expand Down Expand Up @@ -216,6 +222,7 @@
"T1125": "Video Capture",
"T1127": "Trusted Developer Utilities Proxy Execution",
"T1127.001": "MSBuild",
"T1127.002": "ClickOnce",
"T1129": "Shared Modules",
"T1132": "Data Encoding",
"T1132.001": "Standard Encoding",
Expand Down Expand Up @@ -270,6 +277,8 @@
"T1213.001": "Confluence",
"T1213.002": "Sharepoint",
"T1213.003": "Code Repositories",
"T1213.004": "Customer Relationship Management Software",
"T1213.005": "Messaging Applications",
"T1216": "System Script Proxy Execution",
"T1216.001": "PubPrn",
"T1216.002": "SyncAppvPublishingServer",
Expand Down Expand Up @@ -297,11 +306,13 @@
"T1222.002": "Linux and Mac File and Directory Permissions Modification",
"T1480": "Execution Guardrails",
"T1480.001": "Environmental Keying",
"T1480.002": "Mutual Exclusion",
"T1482": "Domain Trust Discovery",
"T1484": "Domain or Tenant Policy Modification",
"T1484.001": "Group Policy Modification",
"T1484.002": "Trust Modification",
"T1485": "Data Destruction",
"T1485.001": "Lifecycle-Triggered Deletion",
"T1486": "Data Encrypted for Impact",
"T1489": "Service Stop",
"T1490": "Inhibit System Recovery",
Expand All @@ -310,6 +321,10 @@
"T1491.002": "External Defacement",
"T1495": "Firmware Corruption",
"T1496": "Resource Hijacking",
"T1496.001": "Compute Hijacking",
"T1496.002": "Bandwidth Hijacking",
"T1496.003": "SMS Pumping",
"T1496.004": "Cloud Service Hijacking",
"T1497": "Virtualization/Sandbox Evasion",
"T1497.001": "System Checks",
"T1497.002": "User Activity Based Checks",
Expand Down Expand Up @@ -370,6 +385,7 @@
"T1546.014": "Emond",
"T1546.015": "Component Object Model Hijacking",
"T1546.016": "Installer Packages",
"T1546.017": "Udev Rules",
"T1547": "Boot or Logon Autostart Execution",
"T1547.001": "Registry Run Keys / Startup Folder",
"T1547.002": "Authentication Package",
Expand Down Expand Up @@ -435,11 +451,13 @@
"T1557.001": "LLMNR/NBT-NS Poisoning and SMB Relay",
"T1557.002": "ARP Cache Poisoning",
"T1557.003": "DHCP Spoofing",
"T1557.004": "Evil Twin",
"T1558": "Steal or Forge Kerberos Tickets",
"T1558.001": "Golden Ticket",
"T1558.002": "Silver Ticket",
"T1558.003": "Kerberoasting",
"T1558.004": "AS-REP Roasting",
"T1558.005": "Ccache Files",
"T1559": "Inter-Process Communication",
"T1559.001": "Component Object Model",
"T1559.002": "Dynamic Data Exchange",
Expand Down Expand Up @@ -655,6 +673,7 @@
"T1657": "Financial Theft",
"T1659": "Content Injection",
"T1665": "Hide Infrastructure",
"T1666": "Modify Cloud Resource Hierarchy",
}
mitre_attack_techniques_tactics_mapping: Dict[str, List[str]] = {
"T1001": ["command-and-control"],
Expand Down Expand Up @@ -709,6 +728,7 @@
"T1027.011": ["defense-evasion"],
"T1027.012": ["defense-evasion"],
"T1027.013": ["defense-evasion"],
"T1027.014": ["defense-evasion"],
"T1029": ["exfiltration"],
"T1030": ["exfiltration"],
"T1033": ["discovery"],
Expand All @@ -722,6 +742,7 @@
"T1036.007": ["defense-evasion"],
"T1036.008": ["defense-evasion"],
"T1036.009": ["defense-evasion"],
"T1036.010": ["defense-evasion"],
"T1037": ["persistence", "privilege-escalation"],
"T1037.001": ["persistence", "privilege-escalation"],
"T1037.002": ["persistence", "privilege-escalation"],
Expand Down Expand Up @@ -776,6 +797,7 @@
"T1059.008": ["execution"],
"T1059.009": ["execution"],
"T1059.010": ["execution"],
"T1059.011": ["execution"],
"T1068": ["privilege-escalation"],
"T1069": ["discovery"],
"T1069.001": ["discovery"],
Expand All @@ -791,11 +813,13 @@
"T1070.007": ["defense-evasion"],
"T1070.008": ["defense-evasion"],
"T1070.009": ["defense-evasion"],
"T1070.010": ["defense-evasion"],
"T1071": ["command-and-control"],
"T1071.001": ["command-and-control"],
"T1071.002": ["command-and-control"],
"T1071.003": ["command-and-control"],
"T1071.004": ["command-and-control"],
"T1071.005": ["command-and-control"],
"T1072": ["execution", "lateral-movement"],
"T1074": ["collection"],
"T1074.001": ["collection"],
Expand Down Expand Up @@ -828,6 +852,7 @@
"T1098.004": ["persistence", "privilege-escalation"],
"T1098.005": ["persistence", "privilege-escalation"],
"T1098.006": ["persistence", "privilege-escalation"],
"T1098.007": ["persistence", "privilege-escalation"],
"T1102": ["command-and-control"],
"T1102.001": ["command-and-control"],
"T1102.002": ["command-and-control"],
Expand Down Expand Up @@ -855,6 +880,7 @@
"T1125": ["collection"],
"T1127": ["defense-evasion"],
"T1127.001": ["defense-evasion"],
"T1127.002": ["defense-evasion"],
"T1129": ["execution"],
"T1132": ["command-and-control"],
"T1132.001": ["command-and-control"],
Expand Down Expand Up @@ -909,6 +935,8 @@
"T1213.001": ["collection"],
"T1213.002": ["collection"],
"T1213.003": ["collection"],
"T1213.004": ["collection"],
"T1213.005": ["collection"],
"T1216": ["defense-evasion"],
"T1216.001": ["defense-evasion"],
"T1216.002": ["defense-evasion"],
Expand Down Expand Up @@ -936,11 +964,13 @@
"T1222.002": ["defense-evasion"],
"T1480": ["defense-evasion"],
"T1480.001": ["defense-evasion"],
"T1480.002": ["defense-evasion"],
"T1482": ["discovery"],
"T1484": ["defense-evasion", "privilege-escalation"],
"T1484.001": ["defense-evasion", "privilege-escalation"],
"T1484.002": ["defense-evasion", "privilege-escalation"],
"T1485": ["impact"],
"T1485.001": ["impact"],
"T1486": ["impact"],
"T1489": ["impact"],
"T1490": ["impact"],
Expand All @@ -949,6 +979,10 @@
"T1491.002": ["impact"],
"T1495": ["impact"],
"T1496": ["impact"],
"T1496.001": ["impact"],
"T1496.002": ["impact"],
"T1496.003": ["impact"],
"T1496.004": ["impact"],
"T1497": ["defense-evasion", "discovery"],
"T1497.001": ["defense-evasion", "discovery"],
"T1497.002": ["defense-evasion", "discovery"],
Expand Down Expand Up @@ -1009,6 +1043,7 @@
"T1546.014": ["privilege-escalation", "persistence"],
"T1546.015": ["privilege-escalation", "persistence"],
"T1546.016": ["privilege-escalation", "persistence"],
"T1546.017": ["persistence", "privilege-escalation"],
"T1547": ["persistence", "privilege-escalation"],
"T1547.001": ["persistence", "privilege-escalation"],
"T1547.002": ["persistence", "privilege-escalation"],
Expand Down Expand Up @@ -1074,11 +1109,13 @@
"T1557.001": ["credential-access", "collection"],
"T1557.002": ["credential-access", "collection"],
"T1557.003": ["credential-access", "collection"],
"T1557.004": ["credential-access", "collection"],
"T1558": ["credential-access"],
"T1558.001": ["credential-access"],
"T1558.002": ["credential-access"],
"T1558.003": ["credential-access"],
"T1558.004": ["credential-access"],
"T1558.005": ["credential-access"],
"T1559": ["execution"],
"T1559.001": ["execution"],
"T1559.002": ["execution"],
Expand Down Expand Up @@ -1294,6 +1331,7 @@
"T1657": ["impact"],
"T1659": ["initial-access", "command-and-control"],
"T1665": ["command-and-control"],
"T1666": ["defense-evasion"],
}
mitre_attack_intrusion_sets: Dict[str, str] = {
"G0001": "Axiom",
Expand Down Expand Up @@ -1445,6 +1483,17 @@
"G1024": "Akira",
"G1026": "Malteiro",
"G1028": "APT-C-23",
"G1030": "Agrius",
"G1031": "Saint Bear",
"G1032": "INC Ransom",
"G1033": "Star Blizzard",
"G1034": "Daggerfly",
"G1035": "Winter Vivern",
"G1036": "Moonstone Sleet",
"G1037": "TA577",
"G1038": "TA578",
"G1039": "RedCurl",
"G1040": "Play",
}
mitre_attack_software: Dict[str, str] = {
"S0001": "Trojan.Mebromi",
Expand Down Expand Up @@ -2031,6 +2080,7 @@
"S0697": "HermeticWiper",
"S0698": "HermeticWizard",
"S0699": "Mythic",
"S1010": "VPNFilter",
"S1011": "Tarrask",
"S1012": "PowerLess",
"S1013": "ZxxZ",
Expand Down Expand Up @@ -2125,4 +2175,36 @@
"S1124": "SocGholish",
"S1125": "AcidRain",
"S1129": "Akira",
"S1130": "Raspberry Robin",
"S1131": "NPPSPY",
"S1132": "IPsec Helper",
"S1133": "Apostle",
"S1134": "DEADWOOD",
"S1135": "MultiLayer Wiper",
"S1136": "BFG Agonizer",
"S1137": "Moneybird",
"S1138": "Gootloader",
"S1139": "INC Ransomware",
"S1140": "Spica",
"S1141": "LunarWeb",
"S1142": "LunarMail",
"S1143": "LunarLoader",
"S1144": "FRP",
"S1145": "Pikabot",
"S1146": "MgBot",
"S1147": "Nightdoor",
"S1148": "Raccoon Stealer",
"S1149": "CHIMNEYSWEEP",
"S1150": "ROADSWEEP",
"S1151": "ZeroCleare",
"S1152": "IMAPLoader",
"S1153": "Cuckoo Stealer",
"S1154": "VersaMem",
"S1155": "Covenant",
"S1156": "Manjusaka",
"S1158": "DUSTPAN",
"S1159": "DUSTTRAP",
"S1160": "Latrodectus",
"S1161": "BPFDoor",
"S1162": "Playcrypt",
}
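Review bot: The new entry `"T1546.017": ["persistence", "privilege-escalation"]` in mitre_attack_techniques_tactics_mapping lists its tactics in the opposite order from the neighbouring T1546.014–T1546.016 entries, which all use `["privilege-escalation", "persistence"]`; the file already mixes both orders elsewhere (T1037.* and T1098.* use persistence first), so any consumer that compares these lists for equality or relies on the first element as a "primary" tactic will see T1546.017 behave differently from its siblings. Either align it with its siblings, `"T1546.017": ["privilege-escalation", "persistence"],`, or, if these values are emitted by a generator from the upstream STIX data, document that the list order is not meaningful and consumers must treat it as a set. Since the hunk at line 1 shows the module opens directly with `from typing import Dict, List`, a short module docstring recording the ATT&CK release the tables reflect and whether the file is regenerated or hand-edited would help reviewers of the next bump, e.g. `"""MITRE ATT&CK lookup tables; mitre_attack_version records the release they were built from."""`. The dictionaries in this section are only partially shown between the collapsed hunks, so other entries may have the same ordering inconsistency.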