Merge pull request #263 from frack113/mitre

Update Mitre to v15.1
SigmaHQ · Aug 21, 2024 · c6a12b5 · c6a12b5
2 parents 272c814 + f9af895
commit c6a12b5
Showing 1 changed file with 64 additions and 4 deletions.
diff --git a/sigma/data/mitre_attack.py b/sigma/data/mitre_attack.py
@@ -1,6 +1,6 @@
 from typing import Dict, List
 
-mitre_attack_version: str = "14.1"
+mitre_attack_version: str = "15.1"
 mitre_attack_tactics: Dict[str, str] = {
     "TA0001": "initial-access",
     "TA0002": "execution",
@@ -69,6 +69,7 @@
     "T1027.010": "Command Obfuscation",
     "T1027.011": "Fileless Storage",
     "T1027.012": "LNK Icon Smuggling",
+    "T1027.013": "Encrypted/Encoded File",
     "T1029": "Scheduled Transfer",
     "T1030": "Data Transfer Size Limits",
     "T1033": "System Owner/User Discovery",
@@ -135,6 +136,7 @@
     "T1059.007": "JavaScript",
     "T1059.008": "Network Device CLI",
     "T1059.009": "Cloud API",
+    "T1059.010": "AutoHotKey & AutoIT",
     "T1068": "Exploitation for Privilege Escalation",
     "T1069": "Permission Groups Discovery",
     "T1069.001": "Local Groups",
@@ -270,6 +272,7 @@
     "T1213.003": "Code Repositories",
     "T1216": "System Script Proxy Execution",
     "T1216.001": "PubPrn",
+    "T1216.002": "SyncAppvPublishingServer",
     "T1217": "Browser Information Discovery",
     "T1218": "System Binary Proxy Execution",
     "T1218.001": "Compiled HTML File",
@@ -285,6 +288,7 @@
     "T1218.012": "Verclsid",
     "T1218.013": "Mavinject",
     "T1218.014": "MMC",
+    "T1218.015": "Electron Applications",
     "T1219": "Remote Access Software",
     "T1220": "XSL Script Processing",
     "T1221": "Template Injection",
@@ -294,9 +298,9 @@
     "T1480": "Execution Guardrails",
     "T1480.001": "Environmental Keying",
     "T1482": "Domain Trust Discovery",
-    "T1484": "Domain Policy Modification",
+    "T1484": "Domain or Tenant Policy Modification",
     "T1484.001": "Group Policy Modification",
-    "T1484.002": "Domain Trust Modification",
+    "T1484.002": "Trust Modification",
     "T1485": "Data Destruction",
     "T1486": "Data Encrypted for Impact",
     "T1489": "Service Stop",
@@ -348,6 +352,7 @@
     "T1543.002": "Systemd Service",
     "T1543.003": "Windows Service",
     "T1543.004": "Launch Daemon",
+    "T1543.005": "Container Service",
     "T1546": "Event Triggered Execution",
     "T1546.001": "Change Default File Association",
     "T1546.002": "Screensaver",
@@ -386,6 +391,7 @@
     "T1548.003": "Sudo and Sudo Caching",
     "T1548.004": "Elevated Execution with Prompt",
     "T1548.005": "Temporary Elevated Cloud Access",
+    "T1548.006": "TCC Manipulation",
     "T1550": "Use Alternate Authentication Material",
     "T1550.001": "Application Access Token",
     "T1550.002": "Pass the Hash",
@@ -407,7 +413,7 @@
     "T1553.004": "Install Root Certificate",
     "T1553.005": "Mark-of-the-Web Bypass",
     "T1553.006": "Code Signing Policy Modification",
-    "T1554": "Compromise Client Software Binary",
+    "T1554": "Compromise Host Software Binary",
     "T1555": "Credentials from Password Stores",
     "T1555.001": "Keychain",
     "T1555.002": "Securityd Memory",
@@ -424,6 +430,7 @@
     "T1556.006": "Multi-Factor Authentication",
     "T1556.007": "Hybrid Identity",
     "T1556.008": "Network Provider DLL",
+    "T1556.009": "Conditional Access Policies",
     "T1557": "Adversary-in-the-Middle",
     "T1557.001": "LLMNR/NBT-NS Poisoning and SMB Relay",
     "T1557.002": "ARP Cache Poisoning",
@@ -471,6 +478,7 @@
     "T1564.009": "Resource Forking",
     "T1564.010": "Process Argument Spoofing",
     "T1564.011": "Ignore Process Interrupts",
+    "T1564.012": "File/Path Exclusions",
     "T1565": "Data Manipulation",
     "T1565.001": "Stored Data Manipulation",
     "T1565.002": "Transmitted Data Manipulation",
@@ -511,6 +519,7 @@
     "T1574.011": "Services Registry Permissions Weakness",
     "T1574.012": "COR_PROFILER",
     "T1574.013": "KernelCallbackTable",
+    "T1574.014": "AppDomainManager",
     "T1578": "Modify Cloud Compute Infrastructure",
     "T1578.001": "Create Snapshot",
     "T1578.002": "Create Cloud Instance",
@@ -535,6 +544,7 @@
     "T1584.005": "Botnet",
     "T1584.006": "Web Services",
     "T1584.007": "Serverless",
+    "T1584.008": "Network Devices",
     "T1585": "Establish Accounts",
     "T1585.001": "Social Media Accounts",
     "T1585.002": "Email Accounts",
@@ -555,6 +565,7 @@
     "T1588.004": "Digital Certificates",
     "T1588.005": "Exploits",
     "T1588.006": "Vulnerabilities",
+    "T1588.007": "Artificial Intelligence",
     "T1589": "Gather Victim Identity Information",
     "T1589.001": "Credentials",
     "T1589.002": "Email Addresses",
@@ -643,6 +654,7 @@
     "T1656": "Impersonation",
     "T1657": "Financial Theft",
     "T1659": "Content Injection",
+    "T1665": "Hide Infrastructure",
 }
 mitre_attack_techniques_tactics_mapping: Dict[str, List[str]] = {
     "T1001": ["command-and-control"],
@@ -696,6 +708,7 @@
     "T1027.010": ["defense-evasion"],
     "T1027.011": ["defense-evasion"],
     "T1027.012": ["defense-evasion"],
+    "T1027.013": ["defense-evasion"],
     "T1029": ["exfiltration"],
     "T1030": ["exfiltration"],
     "T1033": ["discovery"],
@@ -762,6 +775,7 @@
     "T1059.007": ["execution"],
     "T1059.008": ["execution"],
     "T1059.009": ["execution"],
+    "T1059.010": ["execution"],
     "T1068": ["privilege-escalation"],
     "T1069": ["discovery"],
     "T1069.001": ["discovery"],
@@ -897,6 +911,7 @@
     "T1213.003": ["collection"],
     "T1216": ["defense-evasion"],
     "T1216.001": ["defense-evasion"],
+    "T1216.002": ["defense-evasion"],
     "T1217": ["discovery"],
     "T1218": ["defense-evasion"],
     "T1218.001": ["defense-evasion"],
@@ -912,6 +927,7 @@
     "T1218.012": ["defense-evasion"],
     "T1218.013": ["defense-evasion"],
     "T1218.014": ["defense-evasion"],
+    "T1218.015": ["defense-evasion"],
     "T1219": ["command-and-control"],
     "T1220": ["defense-evasion"],
     "T1221": ["defense-evasion"],
@@ -975,6 +991,7 @@
     "T1543.002": ["persistence", "privilege-escalation"],
     "T1543.003": ["persistence", "privilege-escalation"],
     "T1543.004": ["persistence", "privilege-escalation"],
+    "T1543.005": ["persistence", "privilege-escalation"],
     "T1546": ["privilege-escalation", "persistence"],
     "T1546.001": ["privilege-escalation", "persistence"],
     "T1546.002": ["privilege-escalation", "persistence"],
@@ -1013,6 +1030,7 @@
     "T1548.003": ["privilege-escalation", "defense-evasion"],
     "T1548.004": ["privilege-escalation", "defense-evasion"],
     "T1548.005": ["privilege-escalation", "defense-evasion"],
+    "T1548.006": ["defense-evasion", "privilege-escalation"],
     "T1550": ["defense-evasion", "lateral-movement"],
     "T1550.001": ["defense-evasion", "lateral-movement"],
     "T1550.002": ["defense-evasion", "lateral-movement"],
@@ -1051,6 +1069,7 @@
     "T1556.006": ["credential-access", "defense-evasion", "persistence"],
     "T1556.007": ["credential-access", "defense-evasion", "persistence"],
     "T1556.008": ["credential-access", "defense-evasion", "persistence"],
+    "T1556.009": ["credential-access", "defense-evasion", "persistence"],
     "T1557": ["credential-access", "collection"],
     "T1557.001": ["credential-access", "collection"],
     "T1557.002": ["credential-access", "collection"],
@@ -1098,6 +1117,7 @@
     "T1564.009": ["defense-evasion"],
     "T1564.010": ["defense-evasion"],
     "T1564.011": ["defense-evasion"],
+    "T1564.012": ["defense-evasion"],
     "T1565": ["impact"],
     "T1565.001": ["impact"],
     "T1565.002": ["impact"],
@@ -1138,6 +1158,7 @@
     "T1574.011": ["persistence", "privilege-escalation", "defense-evasion"],
     "T1574.012": ["persistence", "privilege-escalation", "defense-evasion"],
     "T1574.013": ["persistence", "privilege-escalation", "defense-evasion"],
+    "T1574.014": ["persistence", "privilege-escalation", "defense-evasion"],
     "T1578": ["defense-evasion"],
     "T1578.001": ["defense-evasion"],
     "T1578.002": ["defense-evasion"],
@@ -1162,6 +1183,7 @@
     "T1584.005": ["resource-development"],
     "T1584.006": ["resource-development"],
     "T1584.007": ["resource-development"],
+    "T1584.008": ["resource-development"],
     "T1585": ["resource-development"],
     "T1585.001": ["resource-development"],
     "T1585.002": ["resource-development"],
@@ -1182,6 +1204,7 @@
     "T1588.004": ["resource-development"],
     "T1588.005": ["resource-development"],
     "T1588.006": ["resource-development"],
+    "T1588.007": ["resource-development"],
     "T1589": ["reconnaissance"],
     "T1589.001": ["reconnaissance"],
     "T1589.002": ["reconnaissance"],
@@ -1270,6 +1293,7 @@
     "T1656": ["defense-evasion"],
     "T1657": ["impact"],
     "T1659": ["initial-access", "command-and-control"],
+    "T1665": ["command-and-control"],
 }
 mitre_attack_intrusion_sets: Dict[str, str] = {
     "G0001": "Axiom",
@@ -1414,6 +1438,13 @@
     "G1017": "Volt Typhoon",
     "G1018": "TA2541",
     "G1019": "MoustachedBouncer",
+    "G1020": "Mustard Tempest",
+    "G1021": "Cinnamon Tempest",
+    "G1022": "ToddyCat",
+    "G1023": "APT5",
+    "G1024": "Akira",
+    "G1026": "Malteiro",
+    "G1028": "APT-C-23",
 }
 mitre_attack_software: Dict[str, str] = {
     "S0001": "Trojan.Mebromi",
@@ -2065,4 +2096,33 @@
     "S1089": "SharpDisco",
     "S1090": "NightClub",
     "S1091": "Pacu",
+    "S1096": "Cheerscrypt",
+    "S1097": "HUI Loader",
+    "S1099": "Samurai",
+    "S1100": "Ninja",
+    "S1101": "LoFiSe",
+    "S1102": "Pcexter",
+    "S1104": "SLOWPULSE",
+    "S1105": "COATHANGER",
+    "S1106": "NGLite",
+    "S1107": "NKAbuse",
+    "S1108": "PULSECHECK",
+    "S1109": "PACEMAKER",
+    "S1110": "SLIGHTPULSE",
+    "S1111": "DarkGate",
+    "S1112": "STEADYPULSE",
+    "S1113": "RAPIDPULSE",
+    "S1114": "ZIPLINE",
+    "S1115": "WIREFIRE",
+    "S1116": "WARPWIRE",
+    "S1117": "GLASSTOKEN",
+    "S1118": "BUSHWALK",
+    "S1119": "LIGHTWIRE",
+    "S1120": "FRAMESTING",
+    "S1121": "LITTLELAMB.WOOLTEA",
+    "S1122": "Mispadu",
+    "S1123": "PITSTOP",
+    "S1124": "SocGholish",
+    "S1125": "AcidRain",
+    "S1129": "Akira",
 }