MITRE ATT&CK
Netsurion support for the MITRE ATT&CK framework.
June 2020
The following MITRE ATT&CK saved searches were changed to reduce false positives:
- MITRE T1016: System Network Configuration Discovery
- MITRE T1035: Service Execution
- MITRE T1043: Commonly Used Port
- MITRE T1047: Windows Management Instrumentation
- MITRE T1059: Command Line Interface
- MITRE T1020: Automated Exfiltration
- MITRE T1107: File Deletion
- MITRE T1096: NTFS File Attributes
- MITRE T1033: System Owner/User Discovery
- MITRE T1082: System Information Discovery
- MITRE T1003: Credential Dumping
Following are the new MITRE ATT&CK saved searches:
- MITRE T1076: Remote Desktop Protocol
- MITRE T1037: Logon Scripts
- MITRE T1044: File System Permissions Weakness
- MITRE T1053: Scheduled Task
- MITRE T1190: Exploit Public-Facing Application
- MITRE T1064: Scripting
- MITRE T1021: Remote Services
- MITRE T1093: Process Hollowing
- MITRE T1055: Process Injection
- MITRE T1219: Remote Access Tools
- MITRE T1193: Spearphishing Attachment
- MITRE T1210: Exploitation of Remote Services
Instructions for applying the update
- Download the update
- Place the update ET93U20-030.exe on the EventTracker manager
- Run the executable
April 2020
We have updated the following existing saved searches to reduce false positives:
- MITRE T1002: Data Compressed
- MITRE T1016: System Network Configuration Discovery
- MITRE T1028: Windows Remote Management
- MITRE T1035: Service Execution
- MITRE T1043: Commonly Used Port
- MITRE T1047: Windows Management Instrumentation
- MITRE T1059: Command Line Interface
- MITRE T1065: Uncommonly Used Port
- MITRE T1073: DLL Side-Loading
- MITRE T1077: Windows Admin Shares
- MITRE T1082: System Information Discovery
- MITRE T1489: Service Stop
- MITRE T1020: Automated Exfiltration
Instructions for applying the update
- Download the update
- Place the update ET93U20-018.exe on the EventTracker manager
- Run the executable
March 2020
Following are the updates for the MITRE ATT&CK framework in the month of March:
Azure
- MITRE-Azure ATP T1087: Account Discovery
- MITRE-Azure ATP T1048: Exfiltration Over Alternative Protocol
- MITRE-Azure ATP T1210: Exploitation of Remote Services
- MITRE-Azure ATP T1110: Brute Force
- MITRE-Azure ATP T1105: Remote File Copy
- MITRE-Azure ATP T1098: Account Manipulation
- MITRE-Azure ATP T1003: Credential Dumping
- MITRE-Azure ATP T1018: Remote System Discovery
- MITRE-Azure ATP T1203: Exploitation for Client Execution
- MITRE-Azure ATP T1208: Kerberoasting
- MITRE-Azure ATP T1207: DCShadow
- MITRE-Azure ATP T1097: Pass the Ticket
- MITRE-Azure ATP T1075: Pass the Hash
- MITRE-Azure ATP T1076: Remote Desktop Protocol
- MITRE-Azure ATP T1135: Network Share Discovery
AWS
- MITRE-AWS T1190: Exploit Public-Facing Application
- MITRE-AWS T1098: Account Manipulation
- MITRE-AWS T1078: Valid Accounts
- MITRE-AWS T1538: Cloud Service Dashboard
- MITRE-AWS T1537: Transfer Data to Cloud Account
- MITRE-AWS T1136: Create Account
- MITRE-AWS T1526: Cloud Service Discovery
- MITRE-AWS T1525: Implant Container Image
- MITRE-AWS T1535: Unused/Unsupported Cloud Regions
- MITRE-AWS T1081: Credentials in Files
- MITRE-AWS T1089: Disabling Security Tools
- MITRE-AWS T1020: Automated Exfiltration
We have updated the following existing saved searches to reduce false positives:
- MITRE T1018: Remote System Discovery
- MITRE T1023: Shortcut Modification
- MITRE T1070: Indicator Removal on Host
- MITRE T1096: NTFS File Attributes
- MITRE T1101: Security Support Provider
- MITRE T1117: Regsvr32
- MITRE T1118: InstallUtil
- MITRE T1130: Install Root Certificate
- MITRE T1131: Authentication Package
- MITRE T1177: LSASS Driver
- MITRE T1180: Screensaver
- MITRE T1207: DCShadow
- MITRE T1209: Time Providers
- MITRE T1216: Signed Script Proxy Execution
- MITRE T1218: Signed Binary Proxy Execution
- MITRE T1490: Inhibit System Recovery
- MITRE T1497: Virtualization/Sandbox Evasion
Instructions for applying the update
- Download the update
- Place the update ET93U20-009.exe on the EventTracker manager
- Run the executable
February 2020
EventTracker 9.3 Release
Windows
Office 365
- MITRE-O365 T1087: Account Discovery
- MITRE-O365 T1098: Account Manipulation
- MITRE-O365 T1110: Brute Force
- MITRE-O365 T1136: Create Account
- MITRE-O365 T1114: Email Collection
- MITRE-O365 T1534: Internal Spearphishing
- MITRE-O365 T1137: Office Application Startup
- MITRE-O365 T1069: Permission Group Discovery
- MITRE-O365 T1192: Spearphishing Link