New tag added for windows
One line description of pull request
I added new tag for windows (tagging plugin).
Description:
Just new tag for windows (tagging plugin).
Related issue (if applicable): fixes #
Notes:
All contributions to Plaso undergo code review. This makes sure that the code has appropriate test coverage and conforms to the Plaso style guide.
One of the maintainers will examine your code, and may request changes. Check off the items below in order, and then a maintainer will review your code.
Checklist:
- [ ] Automated checks (Travis, Codecov, Codefactor) pass
- [ ] No new dependencies are required or l2tdevtools has been updated
- [ ] Reviewer assigned
@lprat thx for the PR, I'll have a look as soon as the AppVeyor tests are running again log2timeline/l2tdevtools#794
log2timeline/l2tdevtools#794 has been resolved and tests are passing.
@lprat can you write/reference to some accompanying documentation regarding these new tagging rules. E.g. "user_suspect_file" why a ".lnk" file is suspect. This might not be clear to all plaso users and this information might get lost easily over time.
Sorry for my late reply. Can I add information (to explain) in Analysis-plugin-tagging.md? I am trying to do it next week!
Sorry for my late reply. Can I add information (to explain) in Analysis-plugin-tagging.md?
Yes please do, at least let's capture the intent/idea behind the tagging rules
I am trying to do it next week!
Great, thx, no hurries
I hope this will suit you, otherwise do not hesitate to ask me.
@lprat thx, from a brief assessment the json file adds more questions than answers. I'm mainly looking for a simple explanation of the tagging rule, similar to a docstring. E.g. for the user_suspect_file rule
Name: user_suspect_file
Description: tagging rule to flag potential suspicious files based on their extension as defined by MITRE ATTACK
...
URL: http://something
@lprat have a look at https://github.com/log2timeline/plaso/pull/2874/files#diff-24e74273f21e8afeef14136aee3a4e0b just a small description for every new tagging rule will be sufficient for now. I'll have a look to backfill the existing tagging rules.
@lprat thx for adding some descriptions, let me know when you are ready.
I've started adding tests and doing some clean up of the tag_windows.txt file https://github.com/log2timeline/plaso/pull/2883
I had a look at https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Flprat%2Fplaso%2Fmaster%2Fdata%2Fplaso_tagging_windows_coverage_mitre.json
It yields the following warning:
WARNING: Uploaded layer version (2.1) does not match Navigator's layer version (2.2). The layer configuration may not be fully restored.
I opt we move this file to config/mitre-attack equiv in combination with the README. It is becoming a bit more clear what you are implementing now. You want to map the Windows event tagging labels to the Mitre Attack ontology?
Sorry for the delays between each response! I fixed the warning on version 2.2 (Mitre Attack). Yes, I would like to map tagging labels to the Mitre Attack ontology. Good idea to make tests, because when I added descriptions, I found errors in some rules... Thanks
So https://github.com/log2timeline/plaso/pull/2883 was pushed, please rebase with HEAD. If you need help with that let me know.
Hi, just to make sure you understand what you want. I get the new tag file tag_windows.txt pushed in #2883 and add my last modifications?
There is a warning for this PR now "This branch has conflicts that must be resolved" since changes to Plaso codebase were made in #2883 that affect this PR, these conflicts need to be resolved. One way of resolving them is to rebase or follow the github instructions if you're not too familiar with git.
If you allow edit by maintainers, I can make these changes as well if you're not comfortable with git.
Ok, thank you for your explanations. I never did 'rebase' with git. Could you do it, please? The "Allow edits by maintainers" option is enabled. Sorry, I will try to inquire about 'git rebase' for the next time. If you can't, I'll be watching this next week.
I've updated the PR, have a look if everything is still fine. It was a bit of a merging challenge.
Moved the MITRE ATT&CK configuration file and README into config directory since they are not data files directly used by plaso tools
Also please read "How should I reference the name ATT&CK?" on https://attack.mitre.org/resources/faq/
Thank you for your work! I'm sorry I couldn't do it. I have the bad habit of writing mitre attack instead of MITRE ATT&CK. Do you think that it's a problem in this context?
Do you think that it's a problem in this context?
Per https://attack.mitre.org/resources/faq/, yes, we likely need to add a registered trademark symbol (®) as well. Unless there is another way of referring to this framework in a non-trademark conflicting way? Does it have a common nickname?
Looking at other references mentioning this framework the registered trademark symbol might not be required.
Hi, Sorry for my late response, again! I also saw reference "MITRE ATT&CK(TM)". Do you want me to add at the beginning of the file tag_windows.txt: "#some tags may refer to the MITRE ATT&CK(TM)" ?
I think you deleted two files (plaso_tagging_windows_coverage_mitre.json, tag_windows.README) instead of moving them. But finally, for "tag_windows.README" it doesn't matter because "tag_windows.txt" already contains the same information in the "#" comments. For the json, I don't know.
I see I did not git add them after a file system move, should be fixed now.
Per their documentation each file seems to have one reference to MITRE ATT&CK. Now whether (R), not (TM), which is a different thing, needs to be added, I'm not sure; according to https://www.trademarknow.com/blog/tm-versus-r-whats-the-difference-and-why-does-it-matter:
It must only be used in the case of registered trademarks and by the owner or licensee.
But unclear if we should consider ourselves to be a "licensee". Per https://attack.mitre.org/resources/faq/,
Your first references in writing must include "MITRE" preceding "ATT&CK®" - but subsequently should just reference "ATT&CK" (no registered trademark symbol required).
So let's include (R) for the first mention. That also means most of the sources out there seem to be non-compliant.
It is also quite ironic that it looks like Mitre is violating its own terms with "@MITREattack" twitter account
Do not modify the trademark, such as through hyphenation or abbreviation. For example, "ATT&CK'd!", "Plan-of-ATT&CK", "ATTK".
I've mailed Mitre asking for clarification and if they can drop the administrative overhead.
OK more inconsistency from Mitre https://github.com/mitre-attack/attack-navigator/issues/165
@lprat I've started to do some clean up. Let's add the URL to the different techniques instead of mentioning the name of the framework, so instead of T1195 add https://attack.mitre.org/techniques/T1195/
Mitre asking for clarification and if they can drop the administrative overhead.
Reply from Mitre that they are unwilling to drop the administrative burden on others so they can "enforce" their intellectual property and trademark status.
This makes me wonder if it is easier to remove the attack-navigator config and just have the URLs in tag_windows.txt and make no reference to the name of this framework, to avoid having to deal with the administrative burden of ensuring the name is used correctly.
@lprat let's try to get this PR ready for merge. I've removed the config due to the previous conversation about the trademark.
What is open is:
- cleaning up the descriptions of the tagging rules
- adding unit tests
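The two open items above (rule descriptions and unit tests) can be checked mechanically. The following linter is an added example, not Plaso's own code or test suite: it assumes the tag file layout used by plaso's tag_*.txt files (a rule label on its own line, its event filter expressions indented beneath it, and "#" comment lines directly above the label carrying the description) and applies the review points from this thread: every rule has a description comment, and techniques are referenced by their https://attack.mitre.org/techniques/ URL rather than by a bare technique id or the framework's name. The sample tag file, including the filter expressions and every rule label except user_suspect_file, is constructed for the example and is not taken from the PR.

```python
"""Lint a Plaso-style tagging rule file for the review points raised in this PR.

Added example, not Plaso code. Assumed file layout (based on plaso's tag_*.txt
files): unindented rule label, indented event filter expressions below it,
'#' comment lines above the label carrying the rule's description.
"""
import re

# Constructed sample: two rules that would pass review and two that would not.
SAMPLE_TAG_FILE = """\
# Tagging rules for Windows events (constructed sample)

# user_suspect_file: flag link files that may be used for persistence.
# https://attack.mitre.org/techniques/T1204/
user_suspect_file
  data_type is 'windows:lnk:link' AND filename contains '.lnk'

# application_execution: process creation events.
# https://attack.mitre.org/techniques/T1204/
application_execution
  data_type is 'windows:evtx:record' AND event_identifier is 4688

scheduled_task_created
  data_type is 'windows:evtx:record' AND event_identifier is 4698

# service_installed: service installation events (see MITRE ATT&CK T1543).
service_installed
  data_type is 'windows:evtx:record' AND event_identifier is 7045
"""

TECHNIQUE_URL_RE = re.compile(
    r"https://attack\.mitre\.org/techniques/T\d{4}(?:/\d{3})?/")
BARE_TECHNIQUE_RE = re.compile(r"\bT\d{4}\b")
LABEL_RE = re.compile(r"^[A-Za-z0-9_]+$")


def parse_tag_file(text):
    """Return a list of (label, comment_lines, filter_lines) tuples."""
    rules = []
    comments = []   # comment lines seen since the last blank line or label
    current = None  # rule currently collecting filter expressions
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            current = None   # a blank line ends the rule ...
            comments = []    # ... and orphans any comments above it
        elif line.startswith("#"):
            comments.append(line[1:].strip())
        elif line[0].isspace():
            if current is None:
                raise ValueError(f"filter without a rule label: {line.strip()}")
            current[2].append(line.strip())
        else:
            if not LABEL_RE.match(line):
                raise ValueError(f"invalid rule label: {line}")
            current = (line, comments, [])
            rules.append(current)
            comments = []
    return rules


def lint_rules(rules):
    """Map each rule label to its review findings (an empty list means clean)."""
    findings = {}
    seen = set()
    for label, comments, filters in rules:
        issues = []
        if label in seen:
            issues.append("duplicate rule label")
        seen.add(label)
        if not filters:
            issues.append("no event filter expression")
        if not comments:
            issues.append("no description comment")
        text = " ".join(comments)
        urls = TECHNIQUE_URL_RE.findall(text)
        if not urls:
            issues.append("no technique URL")
        # A bare id such as T1543 should be replaced by its technique URL.
        for tid in BARE_TECHNIQUE_RE.findall(text):
            if not any(tid in url for url in urls):
                issues.append(f"technique {tid} named without its URL "
                              f"https://attack.mitre.org/techniques/{tid}/")
        if re.search(r"MITRE|ATT&CK", text):
            issues.append("names the framework; link the technique URL instead")
        findings[label] = issues
    return findings


if __name__ == "__main__":
    for label, issues in lint_rules(parse_tag_file(SAMPLE_TAG_FILE)).items():
        print(f"{label}: {'ok' if not issues else '; '.join(issues)}")
```

Run against the sample, the first two rules come back clean, scheduled_task_created is flagged for having no description and no URL, and service_installed is flagged for naming the framework and a bare technique id instead of linking the technique. The same function, pointed at the real tag_windows.txt, is the kind of check that would fit in a unit test.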
Descriptions of tagging rules were cleaned in "d769fe6c4c4e6be21dbfef0caaad0a9a8cd6ed4a"
Descriptions of tagging rules were cleaned in "d769fe6c4c4e6be21dbfef0caaad0a9a8cd6ed4a"
Yeah there is more to be done. For the sake of getting these changes merged and not making it a very long process of back and forths, I'll break this up in separate PRs for the tagging rules that are clear to me. We can discuss the remainder after that. How does this sound?
Ok, perfect.