MITRE ATT&CK

Saved Search
Alert + Saved Search

Netsurion support for MITRE ATT&CK framework.

June 2020

Following MITRE ATT&CK saved search changes for reducing the false postives:

  • MITRE T1016: System Network Configuration Discovery
  • MITRE T1035: Service Execution
  • MITRE T1043: Commonly Used Port
  • MITRE T1047: Windows Management Instrumentation
  • MITRE T1059: Command Line Interface
  • MITRE T1020: Automated Exfiltration
  • MITRE T1107: File Deletion
  • MITRE T1096: NTFS File Attributes
  • MITRE T1033: System Owner \ User Discovery
  • MITRE T1082: System Information Discovery
  • MITRE T1003: Credential Dumping

Following are the new MITRE ATT&CK saved searches:

  • MITRE T1076: Remote Desktop Protocol
  • MITRE T1037: Logon Scripts
  • MITRE T1044: File System Permissions Weakness
  • MITRE T1053: Scheduled Task
  • MITRE T1190: Exploit Public-Facing Application
  • MITRE T1064: Scripting
  • MITRE T1021: Remote Services
  • MITRE T1093: Process Hollowing
  • MITRE T1055: Process Injection
  • MITRE T1219: Remote Access Tools
  • MITRE T1193: Spearphishing Attachment
  • MITRE T1210: Exploitation of Remote Services

Instruction for applying the update

  1. Download Update
  2. Place the Update ET93U20-030.exe in EventTracker manager
  3. Execute the exe

April 2020

We have updated the following existing saved searches for reducing the false positive:

  • MITRE T1002: Data Compressed
  • MITRE T1016: System Network Configuration Discovery
  • MITRE T1028: Windows Remote Management
  • MITRE T1035: Service Execution
  • MITRE T1043: Commonly Used Port
  • MITRE T1047: Windows Management Instrumentation
  • MITRE T1059: Command Line Interface
  • MITRE T1065: Uncommonly used port
  • MITRE T1073: DLL Side-Loading
  • MITRE T1077: Windows Admin Shares
  • MITRE T1082: System Information Discovery
  • MITRE T1489: Service Stop
  • MITRE T1020: Automated Exfiltration

Instruction for applying the update

  1. Download Update
  2. Place the Update ET93U20-018.exe in EventTracker manager
  3. Execute the exe

March 2020

Following are the updates for MITRE ATT&CK Framework in the month of march

Azure AWS
  • MITRE-Azure ATP T1087: Account discovery
  • MITRE-Azure ATP T1048: Exfiltration Over Alternative Protocol
  • MITRE-Azure ATP T1210: Exploitation of Remote Services
  • MITRE-Azure ATP T1110: Brute Force
  • MITRE-Azure ATP T1105: Remote File Copy
  • MITRE-Azure ATP T1098: Account Manipulation
  • MITRE-Azure ATP T1003: Credential Dumping
  • MITRE-Azure ATP T1018: Remote system discovery
  • MITRE-Azure ATP T1203: Exploitation for Client Execution
  • MITRE-Azure ATP T1208: Kerberoasting
  • MITRE-Azure ATP T1207: DCShadow
  • MITRE-Azure ATP T1097: Pass the ticket
  • MITRE-Azure ATP T1075: Pass the Hash
  • MITRE-Azure ATP T1076: Remote Desktop Protocol
  • MITRE-Azure ATP T1135: Network Share Discovery
  • MITRE-AWS T1190: Exploit Public-Facing Application
  • MITRE-AWS T1098: Account Manipulation
  • MITRE-AWS T1078: Valid Accounts
  • MITRE-AWS T1538: Cloud Service Dashboard
  • MITRE-AWS T1537: Transfer Data to Cloud Account
  • MITRE-AWS T1136: Create Account
  • MITRE-AWS T1526: Cloud Service Discovery
  • MITRE-AWS T1525: Implant Container Image
  • MITRE-AWS T1535: Unused/Unsupported Cloud Regions
  • MITRE-AWS T1081: Credentials in Files
  • MITRE-AWS T1089: Disabling Security Tools
  • MITRE-AWS T1020: Automated Exfiltration

We have updated the following existing saved searches for reducing the false positive:

  • MITRE T1018: Remote System Discovery
  • MITRE T1023: Shortcut Modification
  • MITRE T1070: Indicator Removal on Host
  • MITRE T1096: NTFS File Attributes
  • MITRE T1101: Security Support Provider
  • MITRE T1117: regsvr32
  • MITRE T1118: Installutil
  • MITRE T1130: Install Root Certificate
  • MITRE T1131: Authentication Package
  • MITRE T1177: LSASS Driver
  • MITRE T1180: Screensaver
  • MITRE T1207: DCShadow
  • MITRE T1209: Time Providers
  • MITRE T1216: Signed Script Proxy Execution
  • MITRE T1218: Signed Binary Proxy Execution
  • MITRE T1490: Inhibit System Recovery
  • MITRE T1497: Virtualization/Sandbox Evasion

Instruction for applying the update

  1. Download Update
  2. Place the Update ET93U20-009.exe in EventTracker manager
  3. Execute the exe

February 2020

EventTracker 9.3 Release

Windows

  • MITRE T1002: Data Compressed
  • MITRE T1003: Credential Dumping
  • MITRE T1010: Application Window Discovery
  • MITRE T1012: Query Registry
  • MITRE T1013: Port Monitors
  • MITRE T1014: Rootkit
  • MITRE T1015: Accessibility Features
  • MITRE T1018: Remote System Discovery
  • MITRE T1020: Automated Exfiltration
  • MITRE T1022: Data Encrypted
  • MITRE T1023: Shortcut Modification
  • MITRE T1027: Obfuscated Files or Information
  • MITRE T1028: Windows Remote Management
  • MITRE T1031: Modify Existing Service
  • MITRE T1034: Path Interception
  • MITRE T1035: Service Execution
  • MITRE T1036: Masquerading
  • MITRE T1040: Network Sniffing
  • MITRE T1043: Commonly Used Port
  • MITRE T1047: Windows Management Instrumentation
  • MITRE T1048: Exfiltration Over Alternative Protocol
  • MITRE T1050: New Service
  • MITRE T1056: Input Capture
  • MITRE T1057: Process Discovery
  • MITRE T1059: Command Line Interface
  • MITRE T1062: Hypervisor
  • MITRE T1063: Security Software Discovery
  • MITRE T1065: Process connecting to known CnC server
  • MITRE T1065: Uncommonly used port
  • MITRE T1066: Indicator Removal from Tools
  • MITRE T1069: Permission Groups Discovery
  • MITRE T1070: Indicator Removal on Host
  • MITRE T1071: Standard Application Layer Protocol
  • MITRE T1073: DLL Side-Loading
  • MITRE T1075: Pass the Hash
  • MITRE T1077: Windows Admin Shares
  • MITRE T1081: Credentials in Files
  • MITRE T1081: File dump by New Process
  • MITRE T1083: File and Directory Discovery
  • MITRE T1085: Rundll32
  • MITRE T1087: Account Discovery
  • MITRE T1088: Bypass User Account Control
  • MITRE T1089: Disabling Security Tools
  • MITRE T1090: Connection Proxy
  • MITRE T1096: NTFS File Attributes
  • MITRE T1100: Web shell
  • MITRE T1101: Security Support Provider
  • MITRE T1107: File Deletion
  • MITRE T1110: Brute Force
  • MITRE T1112: Modify Registry
  • MITRE T1113: Screen Capture
  • MITRE T1115: Clipboard Data
  • MITRE T1117: regsvr32
  • MITRE T1118: Installutil
  • MITRE T1119: Automated Collection
  • MITRE T1121: regsvcs/regasm
  • MITRE T1123: Audio Capture
  • MITRE T1126: Network Share Connection Removal
  • MITRE T1127: Trusted Developer Utilities
  • MITRE T1128: Netsh Helper DLL
  • MITRE T1130: Install Root Certificate
  • MITRE T1131: Authentication Package
  • MITRE T1135: Network Share Discovery
  • MITRE T1136: Create account
  • MITRE T1137: Office Application Startup
  • MITRE T1138: Application Shimming
  • MITRE T1140: Deobfuscate/Decode Files or Information
  • MITRE T1141: Input Prompt
  • MITRE T1158: Hidden Files and Directories
  • MITRE T1170: mshta
  • MITRE T1173: Dynamic Data Exchange
  • MITRE T1175: Distributed Component Object Model
  • MITRE T1177: LSASS Driver
  • MITRE T1178: SID-History Injection
  • MITRE T1179: Hooking
  • MITRE T1180: Screensaver
  • MITRE T1181: Extra Window Memory Injection
  • MITRE T1191: CMSTP
  • MITRE T1196: Control panel items
  • MITRE T1197: BITS Jobs
  • MITRE T1198: SIP and Trust Provider Hijacking
  • MITRE T1201: Password Policy Discovery
  • MITRE T1202: Indirect Command Execution
  • MITRE T1207: DCShadow
  • MITRE T1209: Time Providers
  • MITRE T1214: Credentials in Registry
  • MITRE T1216: Signed Script Proxy Execution
  • MITRE T1218: Signed Binary Proxy Execution
  • MITRE T1220: XSL Script Processing
  • MITRE T1222: File Permissions Modification
  • MITRE T1223: Compiled HTML File
  • MITRE T1482: Domain Trust Discovery
  • MITRE T1484: Group Policy Modification
  • MITRE T1485: Data Destruction
  • MITRE T1489: Service Stop
  • MITRE T1490: Inhibit System Recovery
  • MITRE T1497: Virtualization/Sandbox Evasion
  • MITRE T1060: Registry Run Keys \ Startup Folder
  • MITRE T1082: System Information Discovery
  • MITRE T1033: System Owner \ User Discovery
  • MITRE T1016: System Network Configuration Discovery
  • MITRE T1132: Data Encoding

Office 365

  • MITRE-O365 T1087: Account Discovery
  • MITRE-O365 T1098: Account Manipulation
  • MITRE-O365 T1110: Brute Force
  • MITRE-O365 T1136: Create Account
  • MITRE-O365 T1114: Email Collection
  • MITRE-O365 T1534: Internal Spearphishing
  • MITRE-O365 T1137: Office Application Startup
  • MITRE-O365 T1069: Permission Group Discovery
  • MITRE-O365 T1192: Spearphishing Link

This site uses cookies to store information on your computer. Some are essential to make our site work; others help us improve the user experience. By using the site, you consent to the placement of these cookies. Read our Privacy Statement to learn more.

I Accept