sysmon-modular
[Feature] Enrich rule names with Tactics and Sub-techniques ⚗️
The goal of this feature is to add the tactic name, tactic ID, sub-technique name and sub-technique ID to every rule.
Benefits:
- Allow Sysmon rules to be checked against the latest MITRE ATT&CK release for valid and invalid tactics, techniques and sub-techniques
- Allow full MITRE ATT&CK mapping of Sysmon events in a SIEM (for alerting and dashboarding)
- Allow scripting to automatically export an ATT&CK Navigator layer file
So the rule:
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>
Would become:
<OriginalFileName name="tactic_id=TA0007,tactic_name=Discovery,technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>
The example of a sub-technique would then be:
<OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName>
Which would become:
<OriginalFileName name="tactic_id=TA0007,tactic_name=Discovery,technique_id=T1518,technique_name=Software Discovery,subtechnique_id=T1518.001,subtechnique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName>
This format works well with all of the current rules. This pairs well with: https://github.com/olafhartong/sysmon-modular/issues/79
Any questions or issues with this feature? 🤔
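To show what the three benefits look like in practice, here is an added example (not part of this issue and not sysmon-modular's own tooling) that parses the proposed `key=value` rule names out of a Sysmon config, checks them for structural consistency (ID formats, a `subtechnique_id` that actually belongs to its `technique_id`, rules still in the old tactic-less format), and builds a minimal ATT&CK Navigator layer from the valid ones. The sample config, the `check_config` / `navigator_layer` function names, the tactic slug derivation and the Navigator version numbers are all assumptions of this example; the check only validates format and internal consistency, and confirming that an ID exists in the current ATT&CK release would still need the ATT&CK STIX data.

```python
"""Parse, validate and export sysmon-modular rule names in the proposed
tactic/technique/sub-technique key=value format (added example, not
project code; all sample data below is constructed)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon config: two rules in the proposed format and one rule
# still in the old format (no tactic fields), so the checker has something to flag.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="tactic_id=TA0007,tactic_name=Discovery,technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>
        <OriginalFileName name="tactic_id=TA0007,tactic_name=Discovery,technique_id=T1518,technique_name=Software Discovery,subtechnique_id=T1518.001,subtechnique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName>
        <OriginalFileName name="technique_id=T1059,technique_name=Command and Scripting Interpreter" condition="is">cmd.exe</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

TACTIC_ID = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}$")
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")


def parse_rule_name(name):
    """Split 'k=v,k=v' into a dict; values may contain '/' and spaces but not ',' or '='."""
    fields = {}
    for part in name.split(","):
        if "=" not in part:
            raise ValueError(f"malformed field {part!r} in {name!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def validate_fields(fields):
    """Return a list of structural problems (empty means the name is well-formed).
    Format and internal consistency only; existence in ATT&CK needs the STIX data."""
    problems = []
    for key in ("tactic_id", "tactic_name", "technique_id", "technique_name"):
        if key not in fields:
            problems.append(f"missing {key}")
    if "tactic_id" in fields and not TACTIC_ID.match(fields["tactic_id"]):
        problems.append(f"bad tactic_id {fields['tactic_id']!r}")
    tid = fields.get("technique_id")
    if tid is not None and not TECHNIQUE_ID.match(tid):
        problems.append(f"bad technique_id {tid!r}")
    sub = fields.get("subtechnique_id")
    if sub is not None:
        if not SUBTECHNIQUE_ID.match(sub):
            problems.append(f"bad subtechnique_id {sub!r}")
        elif tid is not None and not sub.startswith(tid + "."):
            problems.append(f"subtechnique {sub} does not belong to {tid}")
        if "subtechnique_name" not in fields:
            problems.append("missing subtechnique_name")
    return problems


def extract_rules(config_xml):
    """Yield (event_type, rule_name) for every named rule element in a Sysmon config."""
    root = ET.fromstring(config_xml)
    parent = {child: p for p in root.iter() for child in p}
    for elem in root.iter():
        # RuleGroup carries its own name attribute and is not a rule.
        if elem.tag == "RuleGroup" or not elem.get("name"):
            continue
        yield parent[elem].tag, elem.get("name")


def check_config(config_xml):
    """Return {rule_name: [problems]} for every rule that fails validation."""
    report = {}
    for _, name in extract_rules(config_xml):
        problems = validate_fields(parse_rule_name(name))
        if problems:
            report[name] = problems
    return report


def navigator_layer(config_xml, layer_name="sysmon-modular coverage"):
    """Build a minimal ATT&CK Navigator layer from the well-formed rules.
    Assumptions: the Navigator 'tactic' slug is tactic_name lowercased with
    spaces replaced by hyphens; the version numbers are placeholders."""
    techniques = {}
    for event, name in extract_rules(config_xml):
        fields = parse_rule_name(name)
        if validate_fields(fields):
            continue  # old-format or inconsistent rules are not exported
        tech_id = fields.get("subtechnique_id", fields["technique_id"])
        slug = fields["tactic_name"].lower().replace(" ", "-")
        entry = techniques.setdefault(
            (tech_id, slug),
            {"techniqueID": tech_id, "tactic": slug, "score": 0, "events": set()})
        entry["score"] += 1  # score = number of rules covering the technique
        entry["events"].add(event)
    return {
        "name": layer_name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "techniques": [
            {"techniqueID": t["techniqueID"], "tactic": t["tactic"],
             "score": t["score"], "comment": ", ".join(sorted(t["events"]))}
            for t in techniques.values()],
    }


if __name__ == "__main__":
    print(json.dumps(check_config(SAMPLE_CONFIG), indent=2))
    print(json.dumps(navigator_layer(SAMPLE_CONFIG), indent=2))
```

Run against a real merged config, `check_config` lists every rule that has not yet been migrated to the new format or whose sub-technique does not match its technique, and `navigator_layer` writes the JSON you would load into the Navigator to see coverage per tactic, with the score counting how many rules hit each technique.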