7.0 KiB
MITRE ATT&CK Mapping for Sigma Rules
Table of Contents
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
Execution
T1059.001 - PowerShell
Description: Adversaries abuse PowerShell for execution
Log Sources: process_creation (Windows)
Detection Pattern:
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-enc'
- '-EncodedCommand'
- 'FromBase64String'
- 'Invoke-Expression'
- 'IEX'
Tags:
tags:
- attack.execution
- attack.t1059.001
T1059.003 - Windows Command Shell
Description: Abuse of cmd.exe for execution
Detection Pattern:
detection:
selection:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- '/c'
- '/k'
- '&'
- '|'
Persistence
T1053.005 - Scheduled Task
Description: Adversaries create scheduled tasks for persistence
Log Sources: process_creation, registry_event
Detection Pattern:
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- '/create'
- '/sc minute'
T1547.001 - Registry Run Keys
Description: Persistence via registry run keys
Log Sources: registry_event
Detection Pattern:
logsource:
category: registry_event
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Privilege Escalation
T1055 - Process Injection
Description: Adversaries inject code into processes
Detection Pattern:
detection:
selection:
EventID: 8 # CreateRemoteThread
TargetImage|endswith:
- '\lsass.exe'
- '\explorer.exe'
T1548.002 - Bypass User Account Control
Description: UAC bypass techniques
Detection Pattern:
detection:
selection:
CommandLine|contains:
- 'eventvwr.exe'
- 'fodhelper.exe'
IntegrityLevel: 'High'
Defense Evasion
T1027 - Obfuscated Files or Information
Description: Files or information made difficult to discover or analyze
Detection Pattern:
detection:
selection:
CommandLine|contains:
- '-enc'
- 'base64'
- 'FromBase64'
- 'convert]::FromBase64String'
T1070.001 - Clear Windows Event Logs
Description: Clearing Windows event logs
Detection Pattern:
detection:
selection:
EventID: 1102 # Security log cleared
Credential Access
T1003.001 - LSASS Memory
Description: Credential dumping from LSASS memory
Detection Pattern:
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess:
- '0x1010'
- '0x1410'
- '0x147a'
T1558.003 - Kerberoasting
Description: Service principal name abuse for credential theft
Detection Pattern:
detection:
selection:
EventID: 4769
ServiceName|endswith: '$'
TicketEncryptionType: '0x17'
Discovery
T1087 - Account Discovery
Description: Adversaries enumerate account information
Detection Pattern:
detection:
selection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains:
- 'user'
- 'group'
- 'localgroup administrators'
T1082 - System Information Discovery
Description: System and hardware information gathering
Detection Pattern:
detection:
selection:
Image|endswith:
- '\systeminfo.exe'
- '\wmic.exe'
CommandLine|contains:
- 'os get'
- 'computersystem'
Lateral Movement
T1021.001 - Remote Desktop Protocol
Description: Remote access via RDP
Log Sources: network_connection, authentication
Detection Pattern:
detection:
selection:
EventID: 4624
LogonType: 10 # RemoteInteractive
T1021.002 - SMB/Windows Admin Shares
Description: Lateral movement via SMB
Detection Pattern:
detection:
selection:
EventID: 5140
ShareName|endswith:
- 'ADMIN$'
- 'C$'
- 'IPC$'
Collection
T1560 - Archive Collected Data
Description: Data archiving before exfiltration
Detection Pattern:
detection:
selection:
Image|endswith:
- '\rar.exe'
- '\7z.exe'
CommandLine|contains:
- ' a ' # Add to archive
- '-p' # Password
Command and Control
T1071.001 - Web Protocols
Description: C2 over HTTP/HTTPS
Log Sources: network_connection, proxy
Detection Pattern:
detection:
selection:
DestinationPort:
- 80
- 443
Initiated: 'true'
filter:
DestinationIp|startswith:
- '10.'
- '172.16.'
- '192.168.'
condition: selection and not filter
Exfiltration
T1041 - Exfiltration Over C2 Channel
Description: Data exfiltration via existing C2
Detection Pattern:
detection:
selection:
Initiated: 'true'
DestinationPort:
- 4444
- 8080
- 8443
Impact
T1486 - Data Encrypted for Impact
Description: Ransomware encryption activity
Detection Pattern:
detection:
selection:
Image|endswith: '.exe'
TargetFilename|endswith:
- '.encrypted'
- '.locked'
- '.crypto'
condition: selection
Tag Format
When tagging rules with MITRE ATT&CK, use this format:
tags:
- attack.{tactic} # Lowercase tactic name
- attack.{technique_id} # Technique ID (T####) or sub-technique (T####.###)
Example:
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
Multiple Techniques
Rules can map to multiple tactics and techniques:
tags:
- attack.execution # Primary tactic
- attack.t1059.001 # PowerShell
- attack.defense_evasion # Secondary tactic
- attack.t1027 # Obfuscation
- attack.t1140 # Deobfuscate/Decode Files