SigmaHQ / sigma

Main Sigma Rule Repository

Fix ATT&CK Tags #611

Closed ikiril01 closed 4 years ago

ikiril01 commented 4 years ago

There are some issues with how ATT&CK tags are used in Sigma rules. Some are just semantic questions - e.g., if multiple tactics and techniques are included, how do these relate? Are all techniques valid for each tactic, or only a subset? One way to fix this with the existing structure is to simply combine tactics/techniques into a single string to make this apparent. E.g., attack.execution/attack.t1087.

Also, there are some apparent accuracy issues with how certain rules are tagged. For example: https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_rdp_reverse_tunnel.yml

This rule includes the tactics of Defense Evasion & Command and Control, as well as the technique (T1076) of Remote Desktop Protocol. However, Remote Desktop Protocol is valid only under the Lateral Movement tactic, which is not included.

thomaspatzke commented 4 years ago

> There are some issues with how ATT&CK tags are used in Sigma rules. Some are just semantic questions - e.g., if multiple tactics and techniques are included, how do these relate?

Generally, all tactics assigned to techniques used in tags should also be contained as tags.

> Are all techniques valid for each tactic, or only a subset?

If multiple techniques are mapped to different sets of tactics, all tactics are (or should be) contained in the rule tags. This means that unrelated tactic/technique pairs are contained in the list.

From my perspective this is ok, because the intention of the tags is not the reflection of relationships from MITRE ATT&CK, but enabling to filter for specific tactics/techniques. Furthermore there might be detections for techniques that don't map 1:1 to ATT&CK techniques, but may be assigned to ATT&CK tactics.

> One way to fix this with the existing structure is to simply combine tactics/techniques into a single string to make this apparent. E.g., attack.execution/attack.t1087.

This would add complexity to Sigma tools and the rules:

On the other side I see only a small win and no real use case. I mostly use tags to filter for specific techniques I want to hunt for.

> Also, there are some apparent accuracy issues with how certain rules are tagged. For example: https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_rdp_reverse_tunnel.yml

> This rule includes the tactics of Defense Evasion & Command and Control, as well as the technique (T1076) of Remote Desktop Protocol. However, Remote Desktop Protocol is valid only under the Lateral Movement tactic, which is not included.

Added this to the rule and furthermore also added T1090 tagging to it, because of the local proxying of the connection.

I think there is also further room for improvement in tagging of rules.
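A small tag-consistency check for the convention thomaspatzke states above (every tactic of a tagged technique must itself appear as a tag), added here as an example and not code from the Sigma project or from either commenter. The technique-to-tactic map is a two-entry sample and the rule fragment is constructed from the tags the issue describes.

```python
import re

# Technique -> tactics map, a constructed sample (a real checker would load the
# ATT&CK STIX data). T1076 is the issue's RDP case; T1090 is the tag the maintainer added.
TECHNIQUE_TACTICS = {
    "t1076": {"lateral_movement"},
    "t1090": {"command_and_control"},
}

TAG_LINE = re.compile(r"^\s*-\s*(attack\.[a-z0-9_.]+)\s*$")

def parse_tags(rule_text):
    """Collect attack.* entries from a block-style `tags:` list in a Sigma rule."""
    tags, in_tags = [], False
    for line in rule_text.splitlines():
        if line.strip() == "tags:":
            in_tags = True
            continue
        if in_tags:
            m = TAG_LINE.match(line)
            if m:
                tags.append(m.group(1))
            elif line.strip():  # next top-level key ends the list
                in_tags = False
    return tags

def check_tags(tags):
    """Return (tactics missing for tagged techniques, techniques not in the map), sorted."""
    techniques = {t.split(".", 1)[1] for t in tags if re.match(r"attack\.t\d+(\.\d+)?$", t)}
    tactics = {t.split(".", 1)[1] for t in tags} - techniques
    missing, unknown = set(), set()
    for tech in techniques:
        parent = tech.split(".")[0]  # sub-technique t1090.001 -> t1090
        if parent not in TECHNIQUE_TACTICS:
            unknown.add(tech)
        else:
            missing |= TECHNIQUE_TACTICS[parent] - tactics
    return sorted(missing), sorted(unknown)

# Constructed fragment carrying the tags the issue reports for the RDP tunnel rule.
RULE_BEFORE = """\
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1076
logsource:
"""
# The same fragment after the maintainer's fix: lateral_movement and t1090 added.
RULE_AFTER = RULE_BEFORE.replace("    - attack.t1076\n",
    "    - attack.lateral_movement\n    - attack.t1076\n    - attack.t1090\n")
```

Running `check_tags(parse_tags(RULE_BEFORE))` reports `lateral_movement` as missing, and the fixed fragment reports nothing.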