attack-datasources
New relationships by Open Threat Research (OTR)
1- Data Source / Component: Driver / driver metadata
- driver loaded: Sysmon event 6 gives us security context of a driver being loaded. It does not give us any context of other data element such as a user or process.
2- Data Source / Component: File / file creation
- user created file: DeviceFileEvents (Windows Defender ATP) gives us security context of the user that created the file.
3- Data Source / Component: Firewall / firewall metadata
- firewall started: Event 5024 (Security Auditing) represents this activity and it does not give us any context of other data element such as a user or process.
- firewall stopped: Event 5025 (Security Auditing) represents this activity and it does not give us any context of other data element such as a user or process.
- firewall rule added: Event 4946 (Security Auditing) represents this activity and it does not give us any context of other data element such as a user or process.
- firewall rule modified: Event 4947 (Security Auditing) represents this activity and it does not give us any context of other data element such as a user or process.
- firewall rule deleted: Event 4948 (Security Auditing) represents this activity and it does not give us any context of other data element such as a user or process.
- process added firewall rule: Event 2004 (Windows Firewall) represents this activity and it does give us information of the process related to it.
4- Data Source / Component: Instance / instance creation
- user created instance from ip: RunInstances (CloudTrail Logs) represents this activity and it does give us information of the user and ip related to it.
5- Data Source / Component: Logon Session / logon session metadata
- logon session modified: Event 4672 (Security Auditing) represents this activity and it does not give us any context of other data element such as a user or process.
6- Data Source / Component: Process / process access
- user accessed process: Event 4663 (Security Auditing) represents this activity and it does give us information of the user related to it.
7- Data Source / Component: User Account / user account authentication
- application authenticated user: ConsoleLogin (CloudTrail Logs) represents this activity and it does give us information of the application related to it.
@Cyb3rPandaH & OTR thanks for sharing! Going forward we'll definitely start documenting more of these specific event examples for each component, so this info is super helpful!
I have some feedback and didn't want to make changes without running it by you first:
- Driver - I think this aligns better with the `driver load` component since it's an event, what do you think?
- Firewall - Would `firewall stopped` be a better fit under `firewall disable`? And similarly, `firewall started` seems like a component (since these two are events, vice just checking the status). Same idea for the last three regarding firewall rule changes, seems like that would be a better fit under `firewall rule modification`?
- Logon Session - I see what you're going for, but I think that relationship could be more clear. Maybe instead, a relationship on `logon session creation` for `user` created login session as `group`?
- Process - I see what you're going for, but I think that specific EID may align better with components like `file access`, `windows registry key access`, `active directory object access`, etc. based on the Object Type (`process` here just seems like metadata linking `user` and `process`).
- User Account - I see what you're going for, but isn't this just the inverse of the above relationship between `user` and `application`? Looking at example console sign-in events I think the other relationship may already cover it.
You are welcome @jcwilliamsATmitre, we are currently mapping security events within the OSSEM-DM repository. Thank you for your feedback, here are some comments:
- Driver: We considered this relationship within the metadata component (Type: Information) because the data provided by the event log does not give us context to describe interaction among entities. However, it makes sense to consider the relationship under `driver load` because we can correlate it with other relationships under the same component.
- Firewall: Same idea as Driver, it makes sense to consider `firewall stopped` under `firewall disable`, `firewall started` under a new component `firewall enable`, and `firewall rule added`, `deleted` (removed) and `modified` under `firewall rule modification`.
- Logon Session: What about creating a new component? `Logon Session Modification`. Even though this event is normal when accounts with high privileges (such as admin or system) are logging in, this component might help us to add more context when reviewing privilege escalation techniques.
- Process: The object type field for EID 4663 also considers the type Process. Here is an example:
- User Account: Agree. I am removing it from the PR.
I will update the PR based on your feedback and my comments.
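The mapping the two comments above converge on (driver load, firewall enable/disable, firewall rule modification, the proposed logon session modification, and EID 4663 split by its Object Type field) can be expressed as a small lookup that enriches raw events with their data source, component and relationship, and flags the events that carry no user or process context of their own. The following is an added illustration written for this thread, not code from OSSEM-DM or the attack-datasources project. The provider/channel names used as keys, the field names on the sample events, and the sample events themselves are constructed for the example.

```python
"""Tag raw events with the ATT&CK data source / component / relationship they evidence.

Added example for this thread; the mapping table encodes the relationships as
discussed after the review feedback. Provider strings and sample events are
constructed, not taken from OSSEM-DM or a real host.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    source: str                 # ATT&CK data source, e.g. "Firewall"
    component: str              # data component, e.g. "firewall rule modification"
    relationship: str           # relationship, e.g. "process added firewall rule"
    entities: Tuple[str, ...]   # data elements the event itself carries context for


SEC = "Microsoft-Windows-Security-Auditing"   # assumed provider name for Security log events
SYSMON = "Microsoft-Windows-Sysmon"
FW_OP = "Microsoft-Windows-Windows Firewall With Advanced Security"  # assumed, firewall operational log

# Keyed by (provider or log source, event id or event name).
MAPPINGS: Dict[Tuple[str, object], Mapping] = {
    (SYSMON, 6): Mapping("Driver", "driver load", "driver loaded", ()),
    (SEC, 5024): Mapping("Firewall", "firewall enable", "firewall started", ()),
    (SEC, 5025): Mapping("Firewall", "firewall disable", "firewall stopped", ()),
    (SEC, 4946): Mapping("Firewall", "firewall rule modification", "firewall rule added", ()),
    (SEC, 4947): Mapping("Firewall", "firewall rule modification", "firewall rule modified", ()),
    (SEC, 4948): Mapping("Firewall", "firewall rule modification", "firewall rule deleted", ()),
    (FW_OP, 2004): Mapping("Firewall", "firewall rule modification", "process added firewall rule", ("process",)),
    # component proposed in the thread, not an existing ATT&CK component
    (SEC, 4672): Mapping("Logon Session", "logon session modification", "logon session modified", ()),
    ("CloudTrail", "RunInstances"): Mapping("Instance", "instance creation", "user created instance from ip", ("user", "ip")),
    ("DeviceFileEvents", "FileCreated"): Mapping("File", "file creation", "user created file", ("user",)),
}

# EID 4663 ("an attempt was made to access an object") covers several object kinds;
# the component follows the ObjectType field. 4663 carries SubjectUserName and
# ProcessName, so user and process context come with the event.
OBJECT_TYPE_4663: Dict[str, Mapping] = {
    "File": Mapping("File", "file access", "user accessed file", ("user", "process")),
    "Key": Mapping("Windows Registry", "windows registry key access", "user accessed windows registry key", ("user", "process")),
    "Process": Mapping("Process", "process access", "user accessed process", ("user", "process")),
}


def classify(event: dict) -> Optional[Mapping]:
    """Return the Mapping an event evidences, or None if it maps to no component."""
    key = (event.get("Provider"), event.get("EventID"))
    if key == (SEC, 4663):
        return OBJECT_TYPE_4663.get(event.get("ObjectType"))
    return MAPPINGS.get(key)


def needs_correlation(mapping: Mapping) -> bool:
    """True when the event gives no user or process context on its own, so an
    analyst has to join it with another relationship in the same component."""
    return not ({"user", "process"} & set(mapping.entities))


def summarize(events: Iterable[dict]) -> Counter:
    """Count events per (source, component); events with no mapping count as 'unmapped'."""
    counts: Counter = Counter()
    for ev in events:
        m = classify(ev)
        counts[(m.source, m.component) if m else ("unmapped", "unmapped")] += 1
    return counts


# Constructed sample events (hand-written dictionaries, not captured log records).
SAMPLE_EVENTS = [
    {"Provider": SYSMON, "EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\example.sys"},
    {"Provider": SEC, "EventID": 4947, "RuleName": "Allow inbound 4444"},
    {"Provider": FW_OP, "EventID": 2004, "ModifyingApplication": "C:\\Windows\\System32\\netsh.exe"},
    {"Provider": SEC, "EventID": 4663, "ObjectType": "Process", "SubjectUserName": "alice", "ProcessName": "C:\\Tools\\dumper.exe"},
    {"Provider": SEC, "EventID": 4663, "ObjectType": "Key", "SubjectUserName": "alice", "ProcessName": "C:\\Windows\\regedit.exe"},
    {"Provider": SEC, "EventID": 4624},   # logon event, intentionally absent from the table
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        m = classify(ev)
        if m is None:
            print(f"{ev['EventID']} -> no data component mapping")
            continue
        flag = " (correlate for user/process context)" if needs_correlation(m) else ""
        print(f"{ev['EventID']} -> {m.source} / {m.component} / {m.relationship}{flag}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

The `needs_correlation` check is the practical consequence of the "metadata vs. interaction" distinction in the thread: Sysmon 6, the 4946-4948 rule events and 5024/5025 tell you that something happened to the driver or firewall but not which user or process did it, so a detection built on them has to join to a second relationship in the same component (for example 2004 for firewall rules) to name an actor.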
PR files updated 👍
Thanks @Cyb3rPandaH!! We just released the integrated data sources (https://attack.mitre.org/datasources/) 🥳 but I will review this for any additional updates we should consider 👍
Admin note: closing all remaining issues and pull requests prior to archiving the repository