[Security Solution][Detections] Updates MITRE Tactics, Techniques, an…

…d Subtechniques for 7.13 (elastic#97011) ## Summary This PR updates the MITRE Tactics, Techniques, and Subtechniques used within Security Solution Detection Rules. See elastic#89876 for details on automating this task. 🙂
kibanamachine · Apr 13, 2021 · 228ead6 · 228ead6
1 parent 3f063ea
commit 228ead6
Show file tree

Hide file tree

Showing 3 changed files with 129 additions and 38 deletions.
diff --git a/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts b/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts
@@ -718,12 +718,6 @@ export const technique = [
     reference: 'https://attack.mitre.org/techniques/T1061',
     tactics: ['execution'],
   },
-  {
-    name: 'Group Policy Modification',
-    id: 'T1484',
-    reference: 'https://attack.mitre.org/techniques/T1484',
-    tactics: ['defense-evasion', 'privilege-escalation'],
-  },
   {
     name: 'Hardware Additions',
     id: 'T1200',
@@ -1354,6 +1348,18 @@ export const technique = [
     reference: 'https://attack.mitre.org/techniques/T1220',
     tactics: ['defense-evasion'],
   },
+  {
+    name: 'Domain Policy Modification',
+    id: 'T1484',
+    reference: 'https://attack.mitre.org/techniques/T1484',
+    tactics: ['defense-evasion', 'privilege-escalation'],
+  },
+  {
+    name: 'Forge Web Credentials',
+    id: 'T1606',
+    reference: 'https://attack.mitre.org/techniques/T1606',
+    tactics: ['credential-access'],
+  },
 ];
 
 export const techniquesOptions: MitreTechniquesOptions[] = [
@@ -2259,17 +2265,6 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
     tactics: 'execution',
     value: 'graphicalUserInterface',
   },
-  {
-    label: i18n.translate(
-      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.groupPolicyModificationDescription',
-      { defaultMessage: 'Group Policy Modification (T1484)' }
-    ),
-    id: 'T1484',
-    name: 'Group Policy Modification',
-    reference: 'https://attack.mitre.org/techniques/T1484',
-    tactics: 'defense-evasion,privilege-escalation',
-    value: 'groupPolicyModification',
-  },
   {
     label: i18n.translate(
       'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hardwareAdditionsDescription',
@@ -3425,6 +3420,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
     tactics: 'defense-evasion',
     value: 'xslScriptProcessing',
   },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainPolicyModificationDescription',
+      { defaultMessage: 'Domain Policy Modification (T1484)' }
+    ),
+    id: 'T1484',
+    name: 'Domain Policy Modification',
+    reference: 'https://attack.mitre.org/techniques/T1484',
+    tactics: 'defense-evasion,privilege-escalation',
+    value: 'domainPolicyModification',
+  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.forgeWebCredentialsDescription',
+      { defaultMessage: 'Forge Web Credentials (T1606)' }
+    ),
+    id: 'T1606',
+    name: 'Forge Web Credentials',
+    reference: 'https://attack.mitre.org/techniques/T1606',
+    tactics: 'credential-access',
+    value: 'forgeWebCredentials',
+  },
 ];
 
 export const subtechniques = [
@@ -3477,13 +3494,6 @@ export const subtechniques = [
     tactics: ['persistence'],
     techniqueId: 'T1137',
   },
-  {
-    name: 'Additional Cloud Credentials',
-    id: 'T1098.001',
-    reference: 'https://attack.mitre.org/techniques/T1098/001',
-    tactics: ['persistence'],
-    techniqueId: 'T1098',
-  },
   {
     name: 'AppCert DLLs',
     id: 'T1546.009',
@@ -5864,6 +5874,41 @@ export const subtechniques = [
     tactics: ['persistence', 'privilege-escalation'],
     techniqueId: 'T1547',
   },
+  {
+    name: 'Additional Cloud Credentials',
+    id: 'T1098.001',
+    reference: 'https://attack.mitre.org/techniques/T1098/001',
+    tactics: ['persistence'],
+    techniqueId: 'T1098',
+  },
+  {
+    name: 'Group Policy Modification',
+    id: 'T1484.001',
+    reference: 'https://attack.mitre.org/techniques/T1484/001',
+    tactics: ['defense-evasion', 'privilege-escalation'],
+    techniqueId: 'T1484',
+  },
+  {
+    name: 'Domain Trust Modification',
+    id: 'T1484.002',
+    reference: 'https://attack.mitre.org/techniques/T1484/002',
+    tactics: ['defense-evasion', 'privilege-escalation'],
+    techniqueId: 'T1484',
+  },
+  {
+    name: 'Web Cookies',
+    id: 'T1606.001',
+    reference: 'https://attack.mitre.org/techniques/T1606/001',
+    tactics: ['credential-access'],
+    techniqueId: 'T1606',
+  },
+  {
+    name: 'SAML Tokens',
+    id: 'T1606.002',
+    reference: 'https://attack.mitre.org/techniques/T1606/002',
+    tactics: ['credential-access'],
+    techniqueId: 'T1606',
+  },
 ];
 
 export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
@@ -5951,18 +5996,6 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
     techniqueId: 'T1137',
     value: 'addIns',
   },
-  {
-    label: i18n.translate(
-      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description',
-      { defaultMessage: 'Additional Cloud Credentials (T1098.001)' }
-    ),
-    id: 'T1098.001',
-    name: 'Additional Cloud Credentials',
-    reference: 'https://attack.mitre.org/techniques/T1098/001',
-    tactics: 'persistence',
-    techniqueId: 'T1098',
-    value: 'additionalCloudCredentials',
-  },
   {
     label: i18n.translate(
       'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appCertDlLsT1546Description',
@@ -10043,6 +10076,66 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
     techniqueId: 'T1547',
     value: 'winlogonHelperDll',
   },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description',
+      { defaultMessage: 'Additional Cloud Credentials (T1098.001)' }
+    ),
+    id: 'T1098.001',
+    name: 'Additional Cloud Credentials',
+    reference: 'https://attack.mitre.org/techniques/T1098/001',
+    tactics: 'persistence',
+    techniqueId: 'T1098',
+    value: 'additionalCloudCredentials',
+  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.groupPolicyModificationT1484Description',
+      { defaultMessage: 'Group Policy Modification (T1484.001)' }
+    ),
+    id: 'T1484.001',
+    name: 'Group Policy Modification',
+    reference: 'https://attack.mitre.org/techniques/T1484/001',
+    tactics: 'defense-evasion,privilege-escalation',
+    techniqueId: 'T1484',
+    value: 'groupPolicyModification',
+  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.domainTrustModificationT1484Description',
+      { defaultMessage: 'Domain Trust Modification (T1484.002)' }
+    ),
+    id: 'T1484.002',
+    name: 'Domain Trust Modification',
+    reference: 'https://attack.mitre.org/techniques/T1484/002',
+    tactics: 'defense-evasion,privilege-escalation',
+    techniqueId: 'T1484',
+    value: 'domainTrustModification',
+  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.webCookiesT1606Description',
+      { defaultMessage: 'Web Cookies (T1606.001)' }
+    ),
+    id: 'T1606.001',
+    name: 'Web Cookies',
+    reference: 'https://attack.mitre.org/techniques/T1606/001',
+    tactics: 'credential-access',
+    techniqueId: 'T1606',
+    value: 'webCookies',
+  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.samlTokensT1606Description',
+      { defaultMessage: 'SAML Tokens (T1606.002)' }
+    ),
+    id: 'T1606.002',
+    name: 'SAML Tokens',
+    reference: 'https://attack.mitre.org/techniques/T1606/002',
+    tactics: 'credential-access',
+    techniqueId: 'T1606',
+    value: 'samlTokens',
+  },
 ];
 
 /**

diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
@@ -19053,7 +19053,6 @@
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimNetworkInformationDescription": "被害者ネットワーク情報の収集 (T1590) ",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimOrgInformationDescription": "被害者組織情報の収集 (T1591) ",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.graphicalUserInterfaceDescription": "グラフィカルユーザーインターフェイス (T1061) ",
-    "xpack.securitySolution.detectionEngine.mitreAttackTechniques.groupPolicyModificationDescription": "グループポリシー修正 (T1484) ",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.hardwareAdditionsDescription": "ハードウェア追加 (T1200) ",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.hideArtifactsDescription": "アーチファクトの非表示 (T1564) ",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.hijackExecutionFlowDescription": "ハイジャック実行フロー (T1574) ",

diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
@@ -19322,7 +19322,6 @@
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimNetworkInformationDescription": "Gather Victim Network Information (T1590)",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimOrgInformationDescription": "Gather Victim Org Information (T1591)",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.graphicalUserInterfaceDescription": "Graphical User Interface (T1061)",
-    "xpack.securitySolution.detectionEngine.mitreAttackTechniques.groupPolicyModificationDescription": "Group Policy Modification (T1484)",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.hardwareAdditionsDescription": "Hardware Additions (T1200)",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.hideArtifactsDescription": "Hide Artifacts (T1564)",
     "xpack.securitySolution.detectionEngine.mitreAttackTechniques.hijackExecutionFlowDescription": "Hijack Execution Flow (T1574)",