gh-agentsecops-secopsagentkit/skills/incident-response/detection-sigma/references/mitre-attack-mapping.md

# MITRE ATT&CK Mapping for Sigma Rules

## Table of Contents
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Command and Control](#command-and-control)
- [Exfiltration](#exfiltration)
- [Impact](#impact)

## Execution

### T1059.001 - PowerShell

**Description**: Adversaries abuse PowerShell for execution

**Log Sources**: process_creation (Windows)

**Detection Pattern**:
```yaml
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-enc'
            - '-EncodedCommand'
            - 'FromBase64String'
            - 'Invoke-Expression'
            - 'IEX'
```

**Tags**:
```yaml
tags:
    - attack.execution
    - attack.t1059.001
```

### T1059.003 - Windows Command Shell

**Description**: Abuse of cmd.exe for execution

**Detection Pattern**:
```yaml
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - '/c'
            - '/k'
            - '&'
            - '|'
```

## Persistence

### T1053.005 - Scheduled Task

**Description**: Adversaries create scheduled tasks for persistence

**Log Sources**: process_creation, registry_event

**Detection Pattern**:
```yaml
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - '/create'
            - '/sc minute'
```

### T1547.001 - Registry Run Keys

**Description**: Persistence via registry run keys

**Log Sources**: registry_event

**Detection Pattern**:
```yaml
logsource:
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
```

## Privilege Escalation

### T1055 - Process Injection

**Description**: Adversaries inject code into processes

**Detection Pattern**:
```yaml
detection:
    selection:
        EventID: 8  # CreateRemoteThread
        TargetImage|endswith:
            - '\lsass.exe'
            - '\explorer.exe'
```

### T1548.002 - Bypass User Account Control

**Description**: UAC bypass techniques

**Detection Pattern**:
```yaml
detection:
    selection:
        CommandLine|contains:
            - 'eventvwr.exe'
            - 'fodhelper.exe'
        IntegrityLevel: 'High'
```

## Defense Evasion

### T1027 - Obfuscated Files or Information

**Description**: Files or information made difficult to discover or analyze

**Detection Pattern**:
```yaml
detection:
    selection:
        CommandLine|contains:
            - '-enc'
            - 'base64'
            - 'FromBase64'
            - 'convert]::FromBase64String'
```

### T1070.001 - Clear Windows Event Logs

**Description**: Clearing Windows event logs

**Detection Pattern**:
```yaml
detection:
    selection:
        EventID: 1102  # Security log cleared
```

## Credential Access

### T1003.001 - LSASS Memory

**Description**: Credential dumping from LSASS memory

**Detection Pattern**:
```yaml
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess:
            - '0x1010'
            - '0x1410'
            - '0x147a'
```

### T1558.003 - Kerberoasting

**Description**: Service principal name abuse for credential theft

**Detection Pattern**:
```yaml
detection:
    selection:
        EventID: 4769
        ServiceName|endswith: '$'
        TicketEncryptionType: '0x17'
```

## Discovery

### T1087 - Account Discovery

**Description**: Adversaries enumerate account information

**Detection Pattern**:
```yaml
detection:
    selection:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains:
            - 'user'
            - 'group'
            - 'localgroup administrators'
```

### T1082 - System Information Discovery

**Description**: System and hardware information gathering

**Detection Pattern**:
```yaml
detection:
    selection:
        Image|endswith:
            - '\systeminfo.exe'
            - '\wmic.exe'
        CommandLine|contains:
            - 'os get'
            - 'computersystem'
```

## Lateral Movement

### T1021.001 - Remote Desktop Protocol

**Description**: Remote access via RDP

**Log Sources**: network_connection, authentication

**Detection Pattern**:
```yaml
detection:
    selection:
        EventID: 4624
        LogonType: 10  # RemoteInteractive
```

### T1021.002 - SMB/Windows Admin Shares

**Description**: Lateral movement via SMB

**Detection Pattern**:
```yaml
detection:
    selection:
        EventID: 5140
        ShareName|endswith:
            - 'ADMIN$'
            - 'C$'
            - 'IPC$'
```

## Collection

### T1560 - Archive Collected Data

**Description**: Data archiving before exfiltration

**Detection Pattern**:
```yaml
detection:
    selection:
        Image|endswith:
            - '\rar.exe'
            - '\7z.exe'
        CommandLine|contains:
            - ' a '  # Add to archive
            - '-p'   # Password
```

## Command and Control

### T1071.001 - Web Protocols

**Description**: C2 over HTTP/HTTPS

**Log Sources**: network_connection, proxy

**Detection Pattern**:
```yaml
detection:
    selection:
        DestinationPort:
            - 80
            - 443
        Initiated: 'true'
    filter:
        DestinationIp|startswith:
            - '10.'
            - '172.16.'
            - '192.168.'
    condition: selection and not filter
```

## Exfiltration

### T1041 - Exfiltration Over C2 Channel

**Description**: Data exfiltration via existing C2

**Detection Pattern**:
```yaml
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 4444
            - 8080
            - 8443
```

## Impact

### T1486 - Data Encrypted for Impact

**Description**: Ransomware encryption activity

**Detection Pattern**:
```yaml
detection:
    selection:
        Image|endswith: '.exe'
        TargetFilename|endswith:
            - '.encrypted'
            - '.locked'
            - '.crypto'
    condition: selection
```

## Tag Format

When tagging rules with MITRE ATT&CK, use this format:

```yaml
tags:
    - attack.{tactic}           # Lowercase tactic name
    - attack.{technique_id}     # Technique ID (T####) or sub-technique (T####.###)
```

**Example**:
```yaml
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
```

## Multiple Techniques

Rules can map to multiple tactics and techniques:

```yaml
tags:
    - attack.execution          # Primary tactic
    - attack.t1059.001         # PowerShell
    - attack.defense_evasion   # Secondary tactic
    - attack.t1027             # Obfuscation
    - attack.t1140             # Deobfuscate/Decode Files
```

## Resources

- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
- [Sigma ATT&CK Correlation](https://github.com/SigmaHQ/sigma/wiki/Tags)