MITRE ATT&CK

June 2020

Following MITRE ATT&CK saved search changes for reducing the false postives:

MITRE T1016: System Network Configuration Discovery MITRE T1035: Service Execution MITRE T1043: Commonly Used Port MITRE T1047: Windows Management Instrumentation MITRE T1059: Command Line Interface MITRE T1020: Automated Exfiltration MITRE T1107: File Deletion MITRE T1096: NTFS File Attributes MITRE T1033: System Owner \ User Discovery MITRE T1082: System Information Discovery MITRE T1003: Credential Dumping

Following are the new MITRE ATT&CK saved searches:

MITRE T1076: Remote Desktop Protocol MITRE T1037: Logon Scripts MITRE T1044: File System Permissions Weakness MITRE T1053: Scheduled Task MITRE T1190: Exploit Public-Facing Application MITRE T1064: Scripting MITRE T1021: Remote Services MITRE T1093: Process Hollowing MITRE T1055: Process Injection MITRE T1219: Remote Access Tools MITRE T1193: Spearphishing Attachment MITRE T1210: Exploitation of Remote Services

Instruction for applying the update

1. Download Update
2. Place the Update ET93U20-030.exe in EventTracker manager
3. Execute the exe

April 2020

We have updated the following existing saved searches for reducing the false positive:

MITRE T1002: Data Compressed MITRE T1016: System Network Configuration Discovery MITRE T1028: Windows Remote Management MITRE T1035: Service Execution MITRE T1043: Commonly Used Port MITRE T1047: Windows Management Instrumentation MITRE T1059: Command Line Interface MITRE T1065: Uncommonly used port MITRE T1073: DLL Side-Loading MITRE T1077: Windows Admin Shares MITRE T1082: System Information Discovery MITRE T1489: Service Stop MITRE T1020: Automated Exfiltration

Instruction for applying the update

1. Download Update
2. Place the Update ET93U20-018.exe in EventTracker manager
3. Execute the exe

March 2020

Following are the updates for MITRE ATT&CK Framework in the month of march

Azure

AWS

MITRE-Azure ATP T1087: Account discovery MITRE-Azure ATP T1048: Exfiltration Over Alternative Protocol MITRE-Azure ATP T1210: Exploitation of Remote Services MITRE-Azure ATP T1110: Brute Force MITRE-Azure ATP T1105: Remote File Copy MITRE-Azure ATP T1098: Account Manipulation MITRE-Azure ATP T1003: Credential Dumping MITRE-Azure ATP T1018: Remote system discovery MITRE-Azure ATP T1203: Exploitation for Client Execution MITRE-Azure ATP T1208: Kerberoasting MITRE-Azure ATP T1207: DCShadow MITRE-Azure ATP T1097: Pass the ticket MITRE-Azure ATP T1075: Pass the Hash MITRE-Azure ATP T1076: Remote Desktop Protocol MITRE-Azure ATP T1135: Network Share Discovery

MITRE-AWS T1190: Exploit Public-Facing Application MITRE-AWS T1098: Account Manipulation MITRE-AWS T1078: Valid Accounts MITRE-AWS T1538: Cloud Service Dashboard MITRE-AWS T1537: Transfer Data to Cloud Account MITRE-AWS T1136: Create Account MITRE-AWS T1526: Cloud Service Discovery MITRE-AWS T1525: Implant Container Image MITRE-AWS T1535: Unused/Unsupported Cloud Regions MITRE-AWS T1081: Credentials in Files MITRE-AWS T1089: Disabling Security Tools MITRE-AWS T1020: Automated Exfiltration

We have updated the following existing saved searches for reducing the false positive:

MITRE T1018: Remote System Discovery MITRE T1023: Shortcut Modification MITRE T1070: Indicator Removal on Host MITRE T1096: NTFS File Attributes MITRE T1101: Security Support Provider MITRE T1117: regsvr32 MITRE T1118: Installutil MITRE T1130: Install Root Certificate MITRE T1131: Authentication Package

MITRE T1177: LSASS Driver MITRE T1180: Screensaver MITRE T1207: DCShadow MITRE T1209: Time Providers MITRE T1216: Signed Script Proxy Execution MITRE T1218: Signed Binary Proxy Execution MITRE T1490: Inhibit System Recovery MITRE T1497: Virtualization/Sandbox Evasion

Instruction for applying the update

1. Download Update
2. Place the Update ET93U20-009.exe in EventTracker manager
3. Execute the exe

February 2020

EventTracker 9.3 Release

Windows

MITRE T1002: Data Compressed MITRE T1003: Credential Dumping MITRE T1010: Application Window Discovery MITRE T1012: Query Registry MITRE T1013: Port Monitors MITRE T1014: Rootkit MITRE T1015: Accessibility Features MITRE T1018: Remote System Discovery MITRE T1020: Automated Exfiltration MITRE T1022: Data Encrypted MITRE T1023: Shortcut Modification MITRE T1027: Obfuscated Files or Information MITRE T1028: Windows Remote Management MITRE T1031: Modify Existing Service MITRE T1034: Path Interception MITRE T1035: Service Execution MITRE T1036: Masquerading MITRE T1040: Network Sniffing MITRE T1043: Commonly Used Port MITRE T1047: Windows Management Instrumentation MITRE T1048: Exfiltration Over Alternative Protocol MITRE T1050: New Service MITRE T1056: Input Capture MITRE T1057: Process Discovery MITRE T1059: Command Line Interface MITRE T1062: Hypervisor MITRE T1063: Security Software Discovery MITRE T1065: Process connecting to known CnC server MITRE T1065: Uncommonly used port MITRE T1066: Indicator Removal from Tools MITRE T1069: Permission Groups Discovery MITRE T1070: Indicator Removal on Host MITRE T1071: Standard Application Layer Protocol MITRE T1073: DLL Side-Loading MITRE T1075: Pass the Hash MITRE T1077: Windows Admin Shares MITRE T1081: Credentials in Files MITRE T1081: File dump by New Process MITRE T1083: File and Directory Discovery MITRE T1085: Rundll32 MITRE T1087: Account Discovery MITRE T1088: Bypass User Account Control MITRE T1089: Disabling Security Tools MITRE T1090: Connection Proxy MITRE T1096: NTFS File Attributes MITRE T1100: Web shell MITRE T1101: Security Support Provider MITRE T1107: File Deletion MITRE T1110: Brute Force MITRE T1112: Modify Registry MITRE T1113: Screen Capture

MITRE T1115: Clipboard Data MITRE T1117: regsvr32 MITRE T1118: Installutil MITRE T1119: Automated Collection MITRE T1121: regsvcs/regasm MITRE T1123: Audio Capture MITRE T1126: Network Share Connection Removal MITRE T1127: Trusted Developer Utilities MITRE T1128: Netsh Helper DLL MITRE T1130: Install Root Certificate MITRE T1131: Authentication Package MITRE T1135: Network Share Discovery MITRE T1136: Create account MITRE T1137: Office Application Startup MITRE T1138: Application Shimming MITRE T1140: Deobfuscate/Decode Files or Information MITRE T1141: Input Prompt MITRE T1158: Hidden Files and Directories MITRE T1170: mshta MITRE T1173: Dynamic Data Exchange MITRE T1175: Distributed Component Object Model MITRE T1177: LSASS Driver MITRE T1178: SID-History Injection MITRE T1179: Hooking MITRE T1180: Screensaver MITRE T1181: Extra Window Memory Injection MITRE T1191: CMSTP MITRE T1196: Control panel items MITRE T1197: BITS Jobs MITRE T1198: SIP and Trust Provider Hijacking MITRE T1201: Password Policy Discovery MITRE T1202: Indirect Command Execution MITRE T1207: DCShadow MITRE T1209: Time Providers MITRE T1214: Credentials in Registry MITRE T1216: Signed Script Proxy Execution MITRE T1218: Signed Binary Proxy Execution MITRE T1220: XSL Script Processing MITRE T1222: File Permissions Modification MITRE T1223: Compiled HTML File MITRE T1482: Domain Trust Discovery MITRE T1484: Group Policy Modification MITRE T1485: Data Destruction MITRE T1489: Service Stop MITRE T1490: Inhibit System Recovery MITRE T1497: Virtualization/Sandbox Evasion MITRE T1060: Registry Run Keys \ Startup Folder MITRE T1082: System Information Discovery MITRE T1033: System Owner \ User Discovery MITRE T1016: System Network Configuration Discovery MITRE T1132: Data Encoding

Office 365

• MITRE-O365 T1087: Account Discovery
• MITRE-O365 T1098: Account Manipulation
• MITRE-O365 T1110: Brute Force
• MITRE-O365 T1136: Create Account
• MITRE-O365 T1114: Email Collection
• MITRE-O365 T1534: Internal Spearphishing
• MITRE-O365 T1137: Office Application Startup
• MITRE-O365 T1069: Permission Group Discovery
• MITRE-O365 T1192: Spearphishing Link