mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Sub-technique 'Sudo and Sudo Caching (T1548.003)' has its mitigations listed 3 different times in version 11.0 #192

Closed grimlock81 closed 2 years ago

grimlock81 commented 2 years ago

While processing the latest v11.0 enterprise-attack.json file, I found that the 'Sudo and Sudo Caching' sub-technique (T1548.003) has its 3 mitigations listed 3 times each, each with a unique relationship id. The descriptions are all the same for the same mitigation. Version 10 has the same 3 mitigations, but each is only listed once.

No other technique or sub-technique has replicated mitigations, which leads me to conclude this is an error.

Here are the 3 mitigations repeated, with their unique ids:

Mitigation 1: Privileged Account Management [M1026]

Instance 1:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--448b7967-1a0b-4ea9-9d7f-b5c4a721673b",
    "type": "relationship",
    "created": "2022-03-14T16:28:20.033Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-03-14T16:28:20.033Z",
    "description": "By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the <code>timestamp_timeout</code> to 0 will require the user to input their password every time <code>sudo</code> is executed.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Instance 2:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--f5316001-db89-4c59-8a58-abf12f439c58",
    "type": "relationship",
    "created": "2020-01-30T14:34:45.427Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-03-14T16:28:20.030Z",
    "description": "By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the <code>timestamp_timeout</code> to 0 will require the user to input their password every time <code>sudo</code> is executed.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Instance 3:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--f1336c9a-0654-42fe-a0a9-c4ecbf0d5879",
    "type": "relationship",
    "created": "2022-01-06T18:35:20.157Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-01-06T18:35:20.157Z",
    "description": "By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the <code>timestamp_timeout</code> to 0 will require the user to input their password every time <code>sudo</code> is executed.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Mitigation 2: Operating System Configuration [M1028]

Instance 1:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--b69490a4-3768-405e-856d-da11d95183e7",
    "type": "relationship",
    "created": "2020-01-30T14:34:45.390Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-03-14T16:28:19.976Z",
    "description": "Ensuring that the <code>tty_tickets</code> setting is enabled will prevent this leakage across tty sessions.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Instance 2:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--bb64215b-1a72-494d-991c-2b36c9a634cd",
    "type": "relationship",
    "created": "2022-01-06T18:35:20.146Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-01-06T18:35:20.146Z",
    "description": "Ensuring that the <code>tty_tickets</code> setting is enabled will prevent this leakage across tty sessions.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Instance 3:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--ae91d26f-15ad-47c0-857d-223d2968bc57",
    "type": "relationship",
    "created": "2022-03-14T16:28:20.000Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-03-14T16:28:20.000Z",
    "description": "Ensuring that the <code>tty_tickets</code> setting is enabled will prevent this leakage across tty sessions.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Mitigation 3: Restrict File and Directory Permissions [M1022]

Instance 1:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--39c61f6f-152a-4dd8-9728-0e2b721fb504",
    "type": "relationship",
    "created": "2022-01-06T18:35:20.156Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-01-06T18:35:20.156Z",
    "description": "The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Instance 2:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--ea876b54-34d5-402f-bfa0-ffc5db6ead2e",
    "type": "relationship",
    "created": "2022-03-14T16:28:19.997Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-03-14T16:28:19.997Z",
    "description": "The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}

Instance 3:

{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--800f4061-3347-4816-a633-179ede275505",
    "type": "relationship",
    "created": "2020-01-30T14:34:45.415Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [],
    "modified": "2022-03-14T16:28:20.020Z",
    "description": "The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448",
    "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
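
A quick way to check a bundle for this class of error, as an added example that is not part of the issue report or of the mitre/cti repository: group `mitigates` relationships by (source_ref, relationship_type, target_ref) and report every group with more than one member. The embedded bundle is constructed from the three M1026 relationships quoted above plus one M1028 relationship as a control; the bundle id is a placeholder, and swapping the sample for `json.load(open("enterprise-attack.json"))` runs the same check against the real release file.

```python
"""Find duplicated `mitigates` relationships in an ATT&CK STIX 2.0 bundle.

Two relationship objects with different STIX ids but the same
(source_ref, relationship_type, target_ref) describe the same edge and
will show up as a repeated mitigation when the technique page is rendered.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample bundle. The three M1026 -> T1548.003 relationships are the
# ones quoted in the issue (ids and timestamps as listed there); the single
# M1028 relationship is a control that must NOT be reported. Bundle id is a
# placeholder, not a real MITRE identifier.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {"type": "relationship", "relationship_type": "mitigates",
         "id": "relationship--448b7967-1a0b-4ea9-9d7f-b5c4a721673b",
         "created": "2022-03-14T16:28:20.033Z",
         "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
         "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0"},
        {"type": "relationship", "relationship_type": "mitigates",
         "id": "relationship--f5316001-db89-4c59-8a58-abf12f439c58",
         "created": "2020-01-30T14:34:45.427Z",
         "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
         "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0"},
        {"type": "relationship", "relationship_type": "mitigates",
         "id": "relationship--f1336c9a-0654-42fe-a0a9-c4ecbf0d5879",
         "created": "2022-01-06T18:35:20.157Z",
         "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
         "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0"},
        {"type": "relationship", "relationship_type": "mitigates",
         "id": "relationship--b69490a4-3768-405e-856d-da11d95183e7",
         "created": "2020-01-30T14:34:45.390Z",
         "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
         "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0"},
    ],
}

Edge = Tuple[str, str, str]  # (source_ref, relationship_type, target_ref)


def index_relationships(objects: List[dict],
                        relationship_type: str = "mitigates") -> Dict[Edge, List[dict]]:
    """Group live relationship objects of one type by the edge they describe."""
    groups: Dict[Edge, List[dict]] = defaultdict(list)
    for obj in objects:
        if obj.get("type") != "relationship":
            continue
        if obj.get("relationship_type") != relationship_type:
            continue
        # Revoked/deprecated objects stay in the bundle; they are not duplicates.
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        edge: Edge = (obj["source_ref"], obj["relationship_type"], obj["target_ref"])
        groups[edge].append(obj)
    return groups


def find_duplicates(bundle: dict,
                    relationship_type: str = "mitigates") -> Dict[Edge, List[str]]:
    """Return {edge: [relationship ids, oldest first]} for edges present more than once."""
    duplicates: Dict[Edge, List[str]] = {}
    for edge, rels in index_relationships(bundle["objects"], relationship_type).items():
        if len(rels) > 1:
            # ISO 8601 UTC timestamps with identical layout sort correctly as strings.
            ordered = sorted(rels, key=lambda r: r["created"])
            duplicates[edge] = [r["id"] for r in ordered]
    return duplicates


def redundant_ids(bundle: dict, relationship_type: str = "mitigates") -> List[str]:
    """Ids that can be dropped: every copy of an edge except the oldest one."""
    drop: List[str] = []
    for ids in find_duplicates(bundle, relationship_type).values():
        drop.extend(ids[1:])
    return sorted(drop)


if __name__ == "__main__":
    for edge, ids in find_duplicates(SAMPLE_BUNDLE).items():
        print(f"{edge[0]} --{edge[1]}--> {edge[2]} appears {len(ids)} times:")
        for rel_id in ids:
            print(f"  {rel_id}")
    print("redundant:", json.dumps(redundant_ids(SAMPLE_BUNDLE), indent=2))
```

Keeping the copy with the earliest `created` value is a design choice for the report, not a statement about which objects MITRE removed; it is useful because the oldest id is the one most likely to be referenced by consumers that already ingested an earlier release.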

jondricek commented 2 years ago

Dang it, you're right! Definitely slipped through the cracks. For the record, I believe this was due in part to our recent migration from an older system to using Workbench for the first time officially, and those duplicate Relationships may have been introduced at that time. Regardless though, I'll mark this as needing to be addressed with the upcoming v11.1 release.

grimlock81 commented 2 years ago

Confirmed: 2 duplicates removed from all 3 listed mitigations in 11.1.