diff --git a/generic/system/ksp-5g-network-service-scanning.yaml b/generic/system/ksp-5g-network-service-scanning.yaml
index 8c016629..cacf98ef 100644
--- a/generic/system/ksp-5g-network-service-scanning.yaml
+++ b/generic/system/ksp-5g-network-service-scanning.yaml
@@ -8,7 +8,7 @@ metadata:
 name: ksp-5g-network-service-scanning
 namespace: default # Change your namespace
 spec:
- tags: ["MITRE", "FGT1046","5G"]
+ tags: ["MITRE", "FGT1046","FIGHT"]
 message: "Network service has been scanned!"
 selector:
 matchLabels:
diff --git a/generic/system/ksp-mitre-5g-remote-services.yaml b/generic/system/ksp-mitre-5g-remote-services.yaml
index c9c2bcad..ea680d46 100644
--- a/generic/system/ksp-mitre-5g-remote-services.yaml
+++ b/generic/system/ksp-mitre-5g-remote-services.yaml
@@ -8,7 +8,7 @@ metadata:
 name: ksp-mitre-5g-remote-services
 namespace: default # Change your namespace
 spec:
- tags: ["MITRE", "5G", "FGT1021"]
+ tags: ["MITRE", "FIGHT", "FGT1021"]
 message: "Warning! access sensitive files detected"
 selector:
 matchLabels:
diff --git a/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml b/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
index 7d9fd45b..510f686f 100644
--- a/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
+++ b/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
@@ -8,7 +8,7 @@ metadata:
 name: ksp-mitre-5g-tactic-impair-defense
 namespace: default #change with your namespace
 spec:
- tags: ["MITRE", "FGT1562","5G"]
+ tags: ["MITRE", "FGT1562","FIGHT"]
 message: "Selinux Files Accessed by Unknown Process"
 selector:
 matchLabels:
diff --git a/generic/system/ksp-unsecured_credentials_access.yaml b/generic/system/ksp-unsecured_credentials_access.yaml
index 503c12bc..972fb8b3 100644
--- a/generic/system/ksp-unsecured_credentials_access.yaml
+++ b/generic/system/ksp-unsecured_credentials_access.yaml
@@ -8,7 +8,7 @@ metadata:
 name: ksp-mitre-tactic-credential-access-unsecured-credentials-private-keys
 namespace: default # Change your namespace
 spec:
- tags: ["MITRE", "MITRE_T1552_unsecured_credentials", "FGT1555", "5G"]
+ tags: ["MITRE", "MITRE_T1552_unsecured_credentials", "FGT1555", "FIGHT"]
 message: "Credentials modification denied"
 selector:
 matchLabels:
diff --git a/generic/system/metadata.yaml b/generic/system/metadata.yaml
index 441c9186..2eca4cad 100644
--- a/generic/system/metadata.yaml
+++ b/generic/system/metadata.yaml
@@ -23,6 +23,7 @@ policyRules:
 - name: MITRE-TTP
 url:
 - https://attack.mitre.org/techniques/T1553/
+ - https://fight.mitre.org/techniques/FGT1555
 tldr: Restrict access to trusted certificated bundles in the OS image
 detailed: Operating systems maintain a list of trusted certificates (often called trust bundles) in file system.
 These bundles decides which authorities are trusted.
@@ -36,22 +37,6 @@ policyRules:
 has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
 yaml: ksp-unsecured_credentials_access.yaml
-- name: credentials-from-password-stores
- precondition:
- - /etc/ssl/.*
- - OPTSCAN
- description:
- refs:
- - name: MITRE-5G
- url:
- - https://fight.mitre.org/techniques/FGT1555
- tldr: Adversaries may search for common password storage locations to obtain user credentials.
- detailed: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
- yaml: ksp-unsecured_credentials_access.yaml
 - name: system-owner-discovery
 precondition:
 - /usr/bin/who
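Review bot: The FiGHT URL added under the `MITRE-TTP` ref in metadata.yaml sits beside T1553 (Subvert Trust Controls), but FGT1555 is FiGHT's mirror of T1555 (Credentials from Password Stores), which is the technique the rule deleted in the following hunk described; the surviving rule now carries three different technique mappings: a T1553 tldr and link, an FGT1555 FiGHT link, and, per the policy file's own tags in this same diff, `MITRE_T1552_unsecured_credentials`. A reader of the catalog cannot tell which ATT&CK or FiGHT technique this detection is meant to cover, and the deleted entry's tldr (the only place the password-store rationale was stated) is lost. I would give the FiGHT link its own ref so the framework is explicit, `- name: MITRE-FiGHT` / `url:` / `- https://fight.mitre.org/techniques/FGT1555`, and then reconcile the technique IDs between metadata.yaml and the policy's `tags`, or carry the deleted rule's tldr into this rule's `detailed` text if both techniques are intentionally covered. The enclosing `MITRE-TTP` rule entry starts above line 23, outside the hunk, so its `precondition` block is not visible here.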
diff --git a/tags.yaml b/tags.yaml
index 699c3513..803bf8ae 100644
--- a/tags.yaml
+++ b/tags.yaml
@@ -647,7 +647,7 @@ tags:
 - MITRE_TA0003_Persistence
 - AWS_FSBP_cloudtrail.1
 - FGT1555
- - 5G
+ - FIGHT
 - FGT1562
 - FGT1609
 - FGT1046