tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Mappings to MITRE ATT&CK Data Sources/Components #16

Closed jwillyamz closed 5 months ago

jwillyamz commented 1 year ago

Not sure how you want to integrate, but sharing some notes on potential mappings:

Process Activity = https://attack.mitre.org/datasources/DS0009/
  Process Creation = https://attack.mitre.org/datasources/DS0009/#Process%20Creation
  Process Termination = https://attack.mitre.org/datasources/DS0009/#Process%20Termination
  Process Access = https://attack.mitre.org/datasources/DS0009/#Process%20Access
  Image/Library Loaded = https://attack.mitre.org/datasources/DS0011/#Module%20Load
  Remote Thread Creation = partially https://attack.mitre.org/datasources/DS0009/#OS%20API%20Execution & https://attack.mitre.org/datasources/DS0009/#Process%20Access (? 🤷)
  Process Tampering Activity = https://attack.mitre.org/datasources/DS0009/#Process%20Modification

File Manipulation = https://attack.mitre.org/datasources/DS0022/
  File Creation = https://attack.mitre.org/datasources/DS0022/#File%20Creation
  File Opened = https://attack.mitre.org/datasources/DS0022/#File%20Access
  File Deletion = https://attack.mitre.org/datasources/DS0022/#File%20Deletion
  File Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification
  File Renaming = https://attack.mitre.org/datasources/DS0022/#File%20Modification

User Account Activity = https://attack.mitre.org/datasources/DS0002/
  Local Account Creation = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Creation
  Local Account Modification = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Modification
  Local Account Deletion = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Deletion
  Account Login = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Authentication + https://attack.mitre.org/datasources/DS0028/#Logon%20Session%20Creation
  Account Logoff = [null]

Network Activity = https://attack.mitre.org/datasources/DS0029/
  TCP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
  UDP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
  URL = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
  DNS Query = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
  File Downloaded = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content + https://attack.mitre.org/datasources/DS0022/#File%20Creation (? 🤷)

Hash Algorithms = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
  MD5 = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
  SHA = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
  IMPHASH = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)

Registry Activity = https://attack.mitre.org/datasources/DS0024/
  Key/Value Creation = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Creation
  Key/Value Modification = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Modification
  Key/Value Deletion = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Deletion

Schedule Task Activity = https://attack.mitre.org/datasources/DS0003/
  Scheduled Task Creation = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Creation
  Scheduled Task Modification = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification
  Scheduled Task Deletion = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification (? 🤷)

Service Activity = https://attack.mitre.org/datasources/DS0019/
  Service Creation = https://attack.mitre.org/datasources/DS0019/#Service%20Creation
  Service Modification = https://attack.mitre.org/datasources/DS0019/#Service%20Modification
  Service Deletion = https://attack.mitre.org/datasources/DS0019/#Service%20Modification (? 🤷)

Driver/Module Activity = https://attack.mitre.org/datasources/DS0027/
  Driver Loaded = https://attack.mitre.org/datasources/DS0027/#Driver%20Load
  Driver Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification (? 🤷)
  Driver Unloaded = [null]

Device Operations = https://attack.mitre.org/datasources/DS0016/
  Virtual Disk Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
  USB Device Unmount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
  USB Device Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation

Other Relevant Events
  Group Policy Modification = https://attack.mitre.org/datasources/DS0026/#Active%20Directory%20Object%20Modification (? 🤷)

Named Pipe Activity = https://attack.mitre.org/datasources/DS0023/
  Pipe Creation = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)
  Pipe Connection = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)

EDR SysOps = https://attack.mitre.org/datasources/DS0013/
  Agent Start = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
  Agent Stop = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
  Agent Install = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
  Agent Uninstall = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
  Agent Tampering = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
  Agent Keep-Alive = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
  Agent Errors = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)

WMI Activity = https://attack.mitre.org/datasources/DS0005/
  WmiEventConsumerToFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
  WmiEventConsumer = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
  WmiEventFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation

BIT JOBS Activity = [null]
  BIT JOBS Activity = [null]

PowerShell Activity = https://attack.mitre.org/datasources/DS0012/ + https://attack.mitre.org/datasources/DS0017/
  Script-Block Activity = https://attack.mitre.org/datasources/DS0012/#Script%20Execution
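As an added example (not code from the EDR-Telemetry project or from the comment author), the script below parses mapping lines in the exact "Name = URL" form used in the comment above, extracts the ATT&CK data source ID and data component from each URL, and rolls a per-telemetry coverage status up to ATT&CK data components so that coverage can be reported (or heat-mapped) in ATT&CK terms. It keeps the comment's own signals: a line marked "(? 🤷)" or prefixed "partially" is treated as uncertain and caps the rolled-up result at Partially, and a "[null]" line is reported as unmapped telemetry. The mapping excerpt is copied from the comment; the EDR coverage dictionary, the status labels Yes/Partially/No, and the "best status wins" roll-up rule are assumptions for illustration, not the project's table or scoring.

```python
"""Parse 'telemetry = ATT&CK data-component URL' lines and roll EDR telemetry coverage up to
ATT&CK data components. Added example; not the EDR-Telemetry project's own code."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Excerpt of the mapping lines exactly as posted in the comment above.
MAPPING_TEXT = """
Process Creation = https://attack.mitre.org/datasources/DS0009/#Process%20Creation
Process Termination = https://attack.mitre.org/datasources/DS0009/#Process%20Termination
Image/Library Loaded = https://attack.mitre.org/datasources/DS0011/#Module%20Load
Remote Thread Creation = partially https://attack.mitre.org/datasources/DS0009/#OS%20API%20Execution & https://attack.mitre.org/datasources/DS0009/#Process%20Access (? 🤷 )
File Renaming = https://attack.mitre.org/datasources/DS0022/#File%20Modification
File Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification
Account Logoff = [null]
"""

# Constructed coverage for a hypothetical EDR; status labels are an assumption, not the project's symbols.
EXAMPLE_EDR = {
    "Process Creation": "Yes",
    "Process Termination": "No",
    "Image/Library Loaded": "Yes",
    "Remote Thread Creation": "Yes",
    "File Renaming": "Yes",
    "File Modification": "No",
    "Account Logoff": "Yes",
}

RANK = {"No": 0, "Partially": 1, "Yes": 2}

# Data source ID is the DSxxxx path segment; the data component is the URL fragment (percent-encoded).
DS_URL = re.compile(r"https://attack\.mitre\.org/datasources/(DS\d{4})/?(?:#(\S+))?")


def parse_mapping(text: str) -> dict[str, dict]:
    """Return {telemetry name: {"components": [(ds_id, component|None), ...], "uncertain": bool}}."""
    mapping: dict[str, dict] = {}
    for line in text.strip().splitlines():
        name, _, rhs = line.partition(" = ")
        name, rhs = name.strip(), rhs.strip()
        components = [(ds_id, unquote(frag) if frag else None) for ds_id, frag in DS_URL.findall(rhs)]
        # "(? 🤷)" and a leading "partially" are the comment's own markers of a tentative mapping.
        uncertain = "?" in rhs or rhs.startswith("partially")
        mapping[name] = {"components": components, "uncertain": uncertain}
    return mapping


def attack_coverage(mapping: dict[str, dict], edr: dict[str, str]) -> tuple[dict[str, str], set[str]]:
    """Roll telemetry statuses up to ATT&CK data components.

    Several telemetry rows can feed one component (File Renaming and File Modification both map to
    DS0022 File Modification); the best status among them wins. An uncertain mapping never yields
    better than Partially. Telemetry with no ATT&CK component is returned separately as unmapped.
    """
    coverage: dict[str, str] = {}
    for entry in mapping.values():
        for ds_id, comp in entry["components"]:
            coverage[f"{ds_id}:{comp}" if comp else ds_id] = "No"
    unmapped: set[str] = set()
    for name, status in edr.items():
        entry = mapping.get(name)
        if entry is None:
            continue
        if not entry["components"]:
            unmapped.add(name)
            continue
        if entry["uncertain"] and RANK[status] > RANK["Partially"]:
            status = "Partially"
        for ds_id, comp in entry["components"]:
            key = f"{ds_id}:{comp}" if comp else ds_id
            if RANK[status] > RANK[coverage[key]]:
                coverage[key] = status
    return coverage, unmapped


if __name__ == "__main__":
    cov, unmapped = attack_coverage(parse_mapping(MAPPING_TEXT), EXAMPLE_EDR)
    for key in sorted(cov):
        print(f"{key:40} {cov[key]}")
    print("unmapped telemetry:", ", ".join(sorted(unmapped)))
```

Two things the roll-up makes visible that the flat list does not: a "Yes" on File Renaming alone already lights up DS0022 File Modification even though the File Modification row itself is "No", and the tentative Remote Thread Creation mapping can never claim full coverage of OS API Execution or Process Access, which is the conservative reading of the "(? 🤷)" marks.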

jwillyamz commented 1 year ago

there's obviously always going to be differences in the level of abstraction, but also maybe some ideas to borrow each direction 👍

tsale commented 1 year ago

Awesome work Jamie, thank you. We'll review and decide how to implement those and display in the main table.

inodee commented 1 year ago

That came in faster than I thought! I am thinking about a visualization... oh wait! Heatmaps?! :P

Thanks @jwillyamz!

tsale commented 5 months ago

Thank you for taking the time to map all the sub-categories, @jwillyamz! Appreciate it 🙏 This is now implemented on the Google Sheet table: https://docs.google.com/spreadsheets/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/edit#gid=1993314609