Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/incident-response/detection-sigma/references/mitre-attack-mapping.md
+++ b/skills/incident-response/detection-sigma/references/mitre-attack-mapping.md
@@ -0,0 +1,362 @@
+# MITRE ATT&CK Mapping for Sigma Rules
+
+## Table of Contents
+- [Execution](#execution)
+- [Persistence](#persistence)
+- [Privilege Escalation](#privilege-escalation)
+- [Defense Evasion](#defense-evasion)
+- [Credential Access](#credential-access)
+- [Discovery](#discovery)
+- [Lateral Movement](#lateral-movement)
+- [Collection](#collection)
+- [Command and Control](#command-and-control)
+- [Exfiltration](#exfiltration)
+- [Impact](#impact)
+
+## Execution
+
+### T1059.001 - PowerShell
+
+**Description**: Adversaries abuse PowerShell for execution
+
+**Log Sources**: process_creation (Windows)
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Image|endswith: '\powershell.exe'
+        CommandLine|contains:
+            - '-enc'
+            - '-EncodedCommand'
+            - 'FromBase64String'
+            - 'Invoke-Expression'
+            - 'IEX'
+```
+
+**Tags**:
+```yaml
+tags:
+    - attack.execution
+    - attack.t1059.001
+```
+
+### T1059.003 - Windows Command Shell
+
+**Description**: Abuse of cmd.exe for execution
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains:
+            - '/c'
+            - '/k'
+            - '&'
+            - '|'
+```
+
+## Persistence
+
+### T1053.005 - Scheduled Task
+
+**Description**: Adversaries create scheduled tasks for persistence
+
+**Log Sources**: process_creation, registry_event
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains:
+            - '/create'
+            - '/sc minute'
+```
+
+### T1547.001 - Registry Run Keys
+
+**Description**: Persistence via registry run keys
+
+**Log Sources**: registry_event
+
+**Detection Pattern**:
+```yaml
+logsource:
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains:
+            - '\Software\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+```
+
+## Privilege Escalation
+
+### T1055 - Process Injection
+
+**Description**: Adversaries inject code into processes
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        EventID: 8  # CreateRemoteThread
+        TargetImage|endswith:
+            - '\lsass.exe'
+            - '\explorer.exe'
+```
+
+### T1548.002 - Bypass User Account Control
+
+**Description**: UAC bypass techniques
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        CommandLine|contains:
+            - 'eventvwr.exe'
+            - 'fodhelper.exe'
+        IntegrityLevel: 'High'
+```
+
+## Defense Evasion
+
+### T1027 - Obfuscated Files or Information
+
+**Description**: Files or information made difficult to discover or analyze
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        CommandLine|contains:
+            - '-enc'
+            - 'base64'
+            - 'FromBase64'
+            - 'convert]::FromBase64String'
+```
+
+### T1070.001 - Clear Windows Event Logs
+
+**Description**: Clearing Windows event logs
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        EventID: 1102  # Security log cleared
+```
+
+## Credential Access
+
+### T1003.001 - LSASS Memory
+
+**Description**: Credential dumping from LSASS memory
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        TargetImage|endswith: '\lsass.exe'
+        GrantedAccess:
+            - '0x1010'
+            - '0x1410'
+            - '0x147a'
+```
+
+### T1558.003 - Kerberoasting
+
+**Description**: Service principal name abuse for credential theft
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        EventID: 4769
+        ServiceName|endswith: '$'
+        TicketEncryptionType: '0x17'
+```
+
+## Discovery
+
+### T1087 - Account Discovery
+
+**Description**: Adversaries enumerate account information
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Image|endswith:
+            - '\net.exe'
+            - '\net1.exe'
+        CommandLine|contains:
+            - 'user'
+            - 'group'
+            - 'localgroup administrators'
+```
+
+### T1082 - System Information Discovery
+
+**Description**: System and hardware information gathering
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Image|endswith:
+            - '\systeminfo.exe'
+            - '\wmic.exe'
+        CommandLine|contains:
+            - 'os get'
+            - 'computersystem'
+```
+
+## Lateral Movement
+
+### T1021.001 - Remote Desktop Protocol
+
+**Description**: Remote access via RDP
+
+**Log Sources**: network_connection, authentication
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 10  # RemoteInteractive
+```
+
+### T1021.002 - SMB/Windows Admin Shares
+
+**Description**: Lateral movement via SMB
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        EventID: 5140
+        ShareName|endswith:
+            - 'ADMIN$'
+            - 'C$'
+            - 'IPC$'
+```
+
+## Collection
+
+### T1560 - Archive Collected Data
+
+**Description**: Data archiving before exfiltration
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Image|endswith:
+            - '\rar.exe'
+            - '\7z.exe'
+        CommandLine|contains:
+            - ' a '  # Add to archive
+            - '-p'   # Password
+```
+
+## Command and Control
+
+### T1071.001 - Web Protocols
+
+**Description**: C2 over HTTP/HTTPS
+
+**Log Sources**: network_connection, proxy
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        DestinationPort:
+            - 80
+            - 443
+        Initiated: 'true'
+    filter:
+        DestinationIp|startswith:
+            - '10.'
+            - '172.16.'
+            - '192.168.'
+    condition: selection and not filter
+```
+
+## Exfiltration
+
+### T1041 - Exfiltration Over C2 Channel
+
+**Description**: Data exfiltration via existing C2
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Initiated: 'true'
+        DestinationPort:
+            - 4444
+            - 8080
+            - 8443
+```
+
+## Impact
+
+### T1486 - Data Encrypted for Impact
+
+**Description**: Ransomware encryption activity
+
+**Detection Pattern**:
+```yaml
+detection:
+    selection:
+        Image|endswith: '.exe'
+        TargetFilename|endswith:
+            - '.encrypted'
+            - '.locked'
+            - '.crypto'
+    condition: selection
+```
+
+## Tag Format
+
+When tagging rules with MITRE ATT&CK, use this format:
+
+```yaml
+tags:
+    - attack.{tactic}           # Lowercase tactic name
+    - attack.{technique_id}     # Technique ID (T####) or sub-technique (T####.###)
+```
+
+**Example**:
+```yaml
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.defense_evasion
+    - attack.t1027
+```
+
+## Multiple Techniques
+
+Rules can map to multiple tactics and techniques:
+
+```yaml
+tags:
+    - attack.execution          # Primary tactic
+    - attack.t1059.001         # PowerShell
+    - attack.defense_evasion   # Secondary tactic
+    - attack.t1027             # Obfuscation
+    - attack.t1140             # Deobfuscate/Decode Files
+```
+
+## Resources
+
+- [MITRE ATT&CK Framework](https://attack.mitre.org/)
+- [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
+- [Sigma ATT&CK Correlation](https://github.com/SigmaHQ/sigma/wiki/Tags)