elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Update ATT&CK threat map to reflect changes #705

Closed brokensound77 closed 3 years ago

brokensound77 commented 3 years ago

Related to #215

Since ATT&CK data was refreshed (#330) and subtechnique support added (#337, #614), all rules using stale ATT&CK data can be refreshed (update IDs and names, many of which became subtechniques).

Up until now, a warning has been produced in unit tests for use of revoked rules. All of these will be updated and the warning will assert and fail when using a revoked technique.

https://github.com/elastic/detection-rules/blob/b8d2f6fc9629994b9f76e22a946f71232fef41ab/tests/test_all_rules.py#L189

Expand to see warning

```text
tests/test_all_rules.py::TestThreatMappings::test_technique_deprecations detection-rules-fork/tests/test_all_rules.py:223: UserWarning: The following rules are using deprecated ATT&CK techniques (https://attack.mitre.org/resources/updates/): { "T1015": [ "7405ddf1-6c8e-41ce-818f-48bea6bcaed8 - Potential Modification of Accessibility Binaries", "7405ddf1-6c8e-41ce-818f-48bea6bcaed8 - Potential Modification of Accessibility Binaries" ], "T1035": [ "55d551c6-333b-4665-ab7e-5d14a59715ce - PsExec Network Connection", "55d551c6-333b-4665-ab7e-5d14a59715ce - PsExec Network Connection", "aa9a274d-6b53-424d-ac5e-cb8ca4251650 - Remotely Started Services via RPC", "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc - Service Command Lateral Movement", "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2 - Suspicious Process Execution via Renamed PsExec Executable" ], "T1044": [ "2bf78aa2-9c56-48de-b139-f169bf99cf86 - Adobe Hijack Persistence" ], "T1050": [ "265db8f5-fc73-4d0d-b434-6483b56372e2 - Persistence via Update Orchestrator Service Hijack", "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc - Service Command Lateral Movement", "36a8e048-d888-4f61-a8b9-0f9e2e40f317 - Suspicious ImagePath Service Creation", "0022d47d-39c7-4f69-a232-4fe9dc7a3acd - System Shells via Services", "403ef0d3-8259-40c9-a5b6-d48354712e49 - Unusual Persistence via Services Registry" ], "T1060": [ "e7125cea-9fe1-42a5-9a05-b0792cf86f5a - Execution of Persistent Suspicious Program", "25224a80-5a4a-4b8a-991e-6ab390465c4f - Lateral Movement via Startup Folder", "a9b05c3b-b304-4bf9-970d-acdfaef2944c - Persistence via Hidden Run Key Detected", "f7c4dc5a-a58d-491d-9f14-9b66507121c0 - Persistent Scripts in the Startup Directory", "440e2db4-bc7f-4c96-a068-65b78da59bde - Shortcut File Written or Modified for Persistence", "2fba96c0-ade5-4bce-b92f-a5df2509da3f - Startup Folder Persistence via Unsigned Process", "97fc44d3-8dae-4019-ae83-298c3015600f - Startup or Run Key Registry Modification" ], "T1077": [ "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14 
- Mounting Hidden or WebDav Remote Shares", "ab75c24b-2502-43a0-bf7c-e60e662c811e - Remote Execution via File Shares", "fa01341d-6662-426b-9d0c-6d81e33c8a9d - Remote File Copy to a Hidden Share" ], "T1081": [ "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec - Azure Key Vault Modified" ], "T1085": [ "f036953a-4615-4707-a1ca-dc53bf69dcd5 - Unusual Child Processes of RunDLL32", "52aaab7b-b51c-441a-89ce-4387b3aea886 - Unusual Network Connection via RunDLL32" ], "T1086": [ "37b211e8-4e2f-440f-86d8-06cc8f158cfa - AWS Execution via System Manager", "9ccf3ce0-0057-440a-91f5-870c6ad39093 - Command Shell Activity Started via RunDLL32", "0f616aee-8161-4120-857e-742366f5eeb3 - PowerShell spawning Cmd", "33f306e8-417c-411b-965c-c2812d6d3f4d - Remote File Download via PowerShell", "852c1f19-68e8-43a6-9dce-340771fe1be3 - Suspicious PowerShell Engine ImageLoad" ], "T1088": [ "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62 - Bypass UAC via Event Viewer", "9b54e002-034a-47ac-9307-ad12c03fa900 - Bypass UAC via Sdclt", "fc7c0fa4-8f03-4b3e-8336-c5feab0be022 - UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "5a14d01d-7ac8-4545-914c-b687c2cf66b3 - UAC Bypass Attempt via Privileged IFileOperation COM Interface", "290aca65-e94d-403b-ba0f-62f320e63f51 - UAC Bypass Attempt via Windows Directory Masquerading", "b90cdde7-7e0d-4359-8bf0-2c112ce2008a - UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "1dcc51f6-ba26-49e7-9ef4-2655abb2361e - UAC Bypass via DiskCleanup Scheduled Task Hijack", "68d56fdc-7ffa-4419-8e95-81641bd6f845 - UAC Bypass via ICMLuaUtil Elevated COM Interface", "1178ae09-5aff-460a-9f2f-455cd0ac4d8e - UAC Bypass via Windows Firewall Snap-In Hijack" ], "T1089": [ "7024e2a0-315d-4334-bb1a-441c593e16ab - AWS CloudTrail Log Deleted", "1aa8fa52-44a7-4dae-b058-f3333b91c8d7 - AWS CloudTrail Log Suspended", "f772ec8a-e182-483c-91d2-72058f76a44c - AWS CloudWatch Alarm Deletion", "68a7a5a5-a2fc-4a76-ba9f-26849de881b4 - AWS CloudWatch Log Group Deletion", 
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17 - AWS CloudWatch Log Stream Deletion", "7024e2a0-315d-4334-bb1a-552d604f27bc - AWS Config Service Tampering", "fbd44836-0d69-4004-a0b4-03c20370c435 - AWS Configuration Recorder Stopped", "9395fd2c-9947-4472-86ef-4aceb2f7e872 - AWS EC2 Flow Log Deletion", "8623535c-1e17-44e1-aa97-7a0699c3037d - AWS EC2 Network Access Control List Deletion", "523116c0-d89d-4d7c-82c2-39e6845a78ef - AWS GuardDuty Detector Deletion", "91d04cd4-47a9-4334-ab14-084abe274d49 - AWS WAF Access Control List Deletion", "5beaebc1-cc13-4bfc-9949-776f9e0dc318 - AWS WAF Rule or Rule Group Deletion", "125417b8-d3df-479f-8418-12d7e034fee3 - Attempt to Disable IPTables or Firewall", "2f8a1226-5720-437d-9c20-e0029deb6194 - Attempt to Disable Syslog Service", "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7 - Attempt to Remove File Quarantine Attribute", "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de - Azure Diagnostic Settings Deletion", "e0f36de1-0342-453d-95a9-a068b257b053 - Azure Event Hub Deletion", "e02bd3ea-72c6-4181-ac2b-0f83d17ad969 - Azure Firewall Policy Deletion", "323cb487-279d-4218-bcbd-a568efe930c6 - Azure Network Watcher Deletion", "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f - Azure Resource Group Deletion", "4b438734-3793-4fda-bd42-ceeada0be8f9 - Disable Windows Firewall Rules via Netsh", "cd66a5af-e34b-4bb0-8931-57d0a043f2ef - Kernel Module Removal", "3535c8bb-3bd5-40f4-ae32-b7cd589d5372 - Port Forwarding Rule Addition", "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e - Potential Disabling of SELinux", "074464f9-f30d-4029-8c03-0ed237fffec7 - Remote Desktop Enabled in Windows Firewall", "9aa0e1f6-52ce-42e1-abb3-09657cee2698 - Scheduled Tasks AT Command Enabled" ], "T1093": [ "35df0dd8-092d-4a83-88c1-5151a804f31b - Unusual Parent-Child Relationship", "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7 - Unusual Service Host Child Process - Childless Service" ], "T1099": [ "b0046934-486e-462f-9487-0d4cf9e429c6 - Timestomping using Touch Command" ], "T1100": [ "231876e7-4d1f-4d63-a47c-47dd1acdc1cb - 
Potential Shell via Web Server" ], "T1101": [ "e86da94d-e54b-4fb5-b96c-cecff87e8787 - Installation of Security Support Provider" ], "T1103": [ "d0e159cf-73e9-40d1-a9ed-077e3158a855 - Registry Persistence via AppInit DLL" ], "T1107": [ "f675872f-6d85-40a3-b502-c0d2ef101e92 - Delete Volume USN Journal with Fsutil", "581add16-df76-42bb-af8e-c979bfb39a59 - Deleting Backup Catalogs with Wbadmin", "a1329140-8de3-4445-9f87-908fb6d824f4 - File Deletion via Shred", "69c251fb-a5d6-4035-b5ec-40438bd829ff - Modification of Boot Configuration", "5aee924b-6ceb-4633-980e-1bde8cdb40c5 - Potential Secure File Deletion via SDelete Utility", "dc9c1f74-dac3-48e3-b47f-eb79db358f57 - Volume Shadow Copy Deletion via WMIC" ], "T1116": [ "56557cde-d923-4b88-adee-c61b3f3b5dc3 - Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" ], "T1117": [ "fb02b8d3-71ee-4af1-bacd-215d23f17efa - Network Connection via Registration Utility" ], "T1118": [ "a13167f1-eec2-4015-9631-1fee60406dcf - InstallUtil Process Making Network Connections" ], "T1121": [ "47f09343-8d1f-4bb5-8bb0-00c9d18f5010 - Execution via Regsvcs/Regasm", "47f09343-8d1f-4bb5-8bb0-00c9d18f5010 - Execution via Regsvcs/Regasm", "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6 - Registration Tool Making Network Connections" ], "T1122": [ "16a52c14-7883-47af-8745-9357803f0d4c - Component Object Model Hijacking" ], "T1138": [ "c5ce48a6-7f57-4ee8-9313-3d0024caee10 - Installation of Custom Shim Databases", "fd4a992d-6130-4802-9ff8-829b89ae801f - Potential Application Shimming via Sdbinst", "fd4a992d-6130-4802-9ff8-829b89ae801f - Potential Application Shimming via Sdbinst" ], "T1142": [ "96e90768-c3b7-4df6-b5d9-6237f8bc36a8 - Compression of Keychain Credentials Directories" ], "T1145": [ "b83a7e96-2eb3-4edf-8346-427b6858d3bd - Creation or Modification of Domain Backup DPAPI private key" ], "T1146": [ "7bcbb3ac-e533-41ad-a612-d6c3bf666aba - Deletion of Bash Command Line History" ], "T1158": [ "4630d948-40d4-4cef-ac69-4002e29bc3db - Adding 
Hidden File Attribute via Attrib", "4630d948-40d4-4cef-ac69-4002e29bc3db - Adding Hidden File Attribute via Attrib", "b9666521-4742-49ce-9ddc-b8e84c35acae - Creation of Hidden Files and Directories", "b9666521-4742-49ce-9ddc-b8e84c35acae - Creation of Hidden Files and Directories" ], "T1159": [ "082e3f8c-6f80-485c-91eb-5b112cb79b28 - Launch Agent Creation or Modification and Immediate Loading" ], "T1166": [ "3a86e085-094c-412d-97ff-2439731e59cb - Setgid Bit Set via chmod", "3a86e085-094c-412d-97ff-2439731e59cb - Setgid Bit Set via chmod", "8a1b0278-0f9a-487d-96bd-d4833298e87a - Setuid Bit Set via chmod", "8a1b0278-0f9a-487d-96bd-d4833298e87a - Setuid Bit Set via chmod" ], "T1169": [ "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4 - Sudoers File Modification" ], "T1170": [ "c2d90150-0133-451c-a783-533e736c12d7 - Mshta Making Network Connections", "a4ec1382-4557-452b-89ba-e413b22ed4b8 - Network Connection via Mshta" ], "T1182": [ "513f0ffd-b317-4b9c-9494-92ce861f22c7 - Registry Persistence via AppCert DLL" ], "T1183": [ "6839c821-011d-43bd-bd5b-acff00257226 - Image File Execution Options Injection" ], "T1192": [ "6b1fd8e8-cefe-444c-bc4d-feaa2c497347 - Downloaded Shortcut Files", "cd82e3d6-1346-4afd-8f22-38388bbf34cb - Downloaded URL Files", "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5 - Execution of File Written or Modified by Microsoft Office", "1defdd62-cd8d-426e-a246-81a37751bb2b - Execution of File Written or Modified by PDF Reader", "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38 - Possible Consent Grant Attack via Azure-Registered Application", "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b - Suspicious Explorer Child Process" ], "T1193": [ "6b1fd8e8-cefe-444c-bc4d-feaa2c497347 - Downloaded Shortcut Files", "cd82e3d6-1346-4afd-8f22-38388bbf34cb - Downloaded URL Files", "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5 - Execution of File Written or Modified by Microsoft Office", "1defdd62-cd8d-426e-a246-81a37751bb2b - Execution of File Written or Modified by PDF Reader", "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b 
- Suspicious Explorer Child Process", "a624863f-a70d-417f-a7d2-7a404638d47f - Suspicious MS Office Child Process", "32f4675e-6c49-4ace-80f9-97c9259dca2e - Suspicious MS Outlook Child Process", "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - Windows Script Executing PowerShell", "b64b183e-1a76-422d-9179-7b389513e74d - Windows Script Interpreter Executing Process via WMI" ], "T1215": [ "37b0816d-af40-40b4-885f-bb162b3c88a9 - Anomalous Kernel Module Activity", "cd66a5af-e34b-4bb0-8931-57d0a043f2ef - Kernel Module Removal", "81cc58f5-8062-49a2-ba84-5cc4b4d31c40 - Persistence via Kernel Module Modification" ], "T1223": [ "b29ee2be-bf99-446c-ab1a-2dc0183394b8 - Network Connection via Compiled HTML File", "b29ee2be-bf99-446c-ab1a-2dc0183394b8 - Network Connection via Compiled HTML File", "e3343ab9-4245-4715-b344-e11c56b0a47f - Process Activity via Compiled HTML File", "e3343ab9-4245-4715-b344-e11c56b0a47f - Process Activity via Compiled HTML File" ], "T1483": [ "cf53f532-9cc9-445a-9ae7-fced307ec53c - Cobalt Strike Command and Control Beacon", "2e580225-2a58-48ef-938b-572933be06fe - Halfbaked Command and Control Beacon", "4a4e23cf-78a2-449c-bac3-701924c269d3 - Possible FIN7 DGA Command and Control Behavior" ], "T1492": [ "3e002465-876f-4f04-b016-84ef48ce7e5d - AWS CloudTrail Log Updated", "bb9b13b2-1700-48a8-a750-b43b0a72ab69 - AWS EC2 Encryption Disabled", "9c260313-c811-4ec8-ab89-8f6530e0246c - Hosts File Modified" ], "T1500": [ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6 - Microsoft Build Engine Started an Unusual Process" ] } warnings.warn(warning_str) ```
rw-access commented 3 years ago

Is this a duplicate of https://github.com/elastic/detection-rules/issues/215?

brokensound77 commented 3 years ago

I don't think it is a duplicate, but they are definitely related (maybe more of a subset). This is more focused on removing techniques that have been revoked.

Add issue as related in description

(and thanks for reminding me about the crosswalk file!)

brokensound77 commented 3 years ago

closed by #706