SigmaHQ / sigma

Main Sigma Rule Repository

Mitre Sub-Technique Mapping #974

Closed scottdermott closed 4 years ago

scottdermott commented 4 years ago

Hi, before I create a pull request, what do you think of this schema / format for Mitre Sub-Techniques?

Example below:

    {
        "technique_id": "T1059.007",
        "technique": "Command and Scripting Interpreter: JavaScript/JScript",
        "url": "https://attack.mitre.org/techniques/T1059/007",
        "parent_technique_id" : "T1059",
        "tactic": [
            "Execution"
        ]
    }
Neo23x0 commented 4 years ago

You mean as a component of all the public Sigma rules? I'd say that it would be too much.

A simple reference to the technique doesn't overload a Sigma rule. With a technique id one can programmatically lookup all the rest of the information related to that technique.

scottdermott commented 4 years ago

Hi @Neo23x0, as a definition within tools/config/mitre/techniques.json

For example: the Sigma tags for "MMC20 Lateral Movement". There is no explicit mention of the parent (obviously the string can be split by ".") and currently no definition of the Mitre sub-technique within techniques.json:

 - attack.execution
 - attack.t1175
 - attack.t1021.003
 - attack.t1559.001

Mapping the sub-technique(s) by appending to the current flat JSON would be my preference but could also be nested within the technique. e.g.

    {
        "technique_id": "T1021",
        "technique": "Remote Services",
        "url": "https://attack.mitre.org/techniques/T1021",
        "tactic": [
            "Lateral Movement"
        ],
        "sub_techniques" :  [{
            "technique_id": "T1021.003",
            "technique" : "Distributed Component Object Model"
        },
        ....]
    }
Neo23x0 commented 4 years ago

@thomaspatzke : for what purpose do we use that file?

 tools/config/mitre/techniques.json

e.g. the tests use live data provided by MITRE. I don't know for what purpose that json file is used.

thomaspatzke commented 4 years ago

As far as I know it's for the es rules Backend.

scottdermott commented 4 years ago

Yes @thomaspatzke ,

    def find_technique(self, key_id=None):
        # Linear scan of the flat techniques.json list; an entry matches on technique_id only,
        # so a sub-technique id such as "T1021.003" resolves if it has its own top-level entry
        for technique in self.techniques:
            if key_id and key_id == technique.get("technique_id", ""):
                return technique

So if the sub-technique was declared at the same level as the parent within techniques.json no code change would be required to map a Mitre sub-technique using this method.
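The following is an added example, not code from the sigma repository or from either commenter. It works through the two points made above: resolving Sigma `attack.*` tags (the "MMC20 Lateral Movement" tag list earlier in the thread) to ATT&CK technique ids, deriving the parent id by splitting on ".", and looking the id up in a flat list where sub-techniques sit at the same level as their parents, using the same linear scan as the `find_technique` method quoted above. The JSON document, the function names (`tag_to_technique_id`, `parent_technique_id`, `enrich_tags`) and the three sample entries are constructed for this example; the real techniques.json is generated from MITRE ATT&CK data.

```python
import json
import re

# Constructed sample of the flat techniques.json layout discussed in this thread:
# the sub-technique T1021.003 is its own top-level entry, not nested under T1021.
TECHNIQUES_JSON = """
[
    {
        "technique_id": "T1021",
        "technique": "Remote Services",
        "url": "https://attack.mitre.org/techniques/T1021",
        "tactic": ["Lateral Movement"]
    },
    {
        "technique_id": "T1021.003",
        "technique": "Remote Services: Distributed Component Object Model",
        "url": "https://attack.mitre.org/techniques/T1021/003"
    },
    {
        "technique_id": "T1059.007",
        "technique": "Command and Scripting Interpreter: JavaScript/JScript",
        "url": "https://attack.mitre.org/techniques/T1059/007"
    }
]
"""

# Sigma technique tags look like attack.t1021 or attack.t1021.003; tactic tags
# such as attack.execution do not match and are skipped.
TAG_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")


def load_techniques(text=TECHNIQUES_JSON):
    """Parse the (sample) techniques.json document into a flat list of dicts."""
    return json.loads(text)


def find_technique(techniques, key_id):
    """Same linear lookup as the backend method quoted in the thread, as a plain function."""
    for technique in techniques:
        if key_id and key_id == technique.get("technique_id", ""):
            return technique
    return None


def tag_to_technique_id(tag):
    """Map 'attack.t1021.003' to 'T1021.003'; returns None for tactic tags."""
    match = TAG_RE.match(tag.strip())
    return match.group(1).upper() if match else None


def parent_technique_id(technique_id):
    """'T1021.003' -> 'T1021'; a parent technique id is returned unchanged."""
    return technique_id.split(".")[0]


def enrich_tags(tags, techniques):
    """Resolve each technique tag to its id, parent id and name (None when not in the list)."""
    rows = []
    for tag in tags:
        technique_id = tag_to_technique_id(tag)
        if technique_id is None:
            continue  # tactic tag, nothing to look up
        entry = find_technique(techniques, technique_id)
        rows.append({
            "tag": tag.strip(),
            "technique_id": technique_id,
            "parent_technique_id": parent_technique_id(technique_id),
            "technique": entry["technique"] if entry else None,
        })
    return rows


if __name__ == "__main__":
    # The tag list from the "MMC20 Lateral Movement" example, trailing space included.
    sample_tags = ["attack.execution", "attack.t1175", "attack.t1021.003 ", "attack.t1559.001"]
    for row in enrich_tags(sample_tags, load_techniques()):
        print(row)
```

Only T1021.003 resolves to a name here because the sample list is deliberately small; with the full techniques.json the other two technique ids would resolve the same way, and no change to the lookup is needed because sub-technique entries are matched by their full `technique_id` string.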

thomaspatzke commented 4 years ago

I think an explicit parent-to-subtechnique mapping isn't needed here for different reasons:

scottdermott commented 4 years ago

Understood @thomaspatzke, so would you agree there is value in appending the sub-techniques (without the parent reference) to the techniques.json file? E.g.:

    {
        "technique_id": "T1059.007",
        "technique": "Command and Scripting Interpreter: JavaScript/JScript",
        "url": "https://attack.mitre.org/techniques/T1059/007"
    }
thomaspatzke commented 4 years ago

Yes, definitely! This enables the backend to generate rules with names of rules tagged with subtechniques.

scottdermott commented 4 years ago

Thanks, glad we are on the same page @thomaspatzke

Will create a pull request with the Sub-Techniques added tomorrow 👌

thomaspatzke commented 4 years ago

Great, thanks for your contribution!