Add MITRE ATT&CK tags to various rules that were missing them

rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml

@@ -10,6 +10,8 @@ modified: 2023/05/08
 tags:
     - cve.2021.26858
     - detection.emerging_threats
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml

@@ -10,6 +10,8 @@ modified: 2023/01/02
 tags:
     - cve.2021.40539
     - detection.emerging_threats
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml

@@ -10,6 +10,10 @@ modified: 2022/12/25
 tags:
     - cve.2021.42287
     - detection.emerging_threats
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.t1036
+    - attack.t1098
 logsource:
     product: windows
     service: security

rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml

@@ -9,6 +9,13 @@ date: 2022/02/25
 modified: 2023/02/08
 tags:
     - detection.emerging_threats
+    - attack.execution
+    - attack.defense_evasion
+    - attack..impact
+    - attack.t1485
+    - attack.t1498
+    - attack.t1059.001
+    - attack.t1140
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml

@@ -13,6 +13,8 @@ author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/28
 tags:
     - cve.2023.27997
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml

@@ -11,6 +11,8 @@ modified: 2023/07/28
 tags:
     - cve.2023.34362
     - detection.emerging_threats
+    - attack.persistence
+    - attack.t1505.003
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml

@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2023/01/21
 tags:
     - detection.emerging_threats
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: process_creation
     product: windows

rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml

@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021/10/16
 modified: 2022/12/25
+tags:
+    - attack.execution
+    - attack.t1059.004
 logsource:
     product: linux
     category: network_connection

rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml

@@ -6,6 +6,9 @@ references:
     - https://www.poolwatch.io/coin/monero
 author: Florian Roth (Nextron Systems)
 date: 2021/10/26
+tags:
+    - attack.impact
+    - attack.t1496
 logsource:
     product: linux
     category: network_connection

rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml

@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 modified: 2022/12/25
+tags:
+    - attack.impact
+    - attack.t1496
 logsource:
     product: linux
     category: process_creation

rules/linux/process_creation/proc_creation_lnx_nohup.yml

@@ -8,6 +8,9 @@ references:
     - https://www.computerhope.com/unix/unohup.htm
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022/06/06
+tags:
+    - attack.execution
+    - attack.t1059.004
 logsource:
     product: linux
     category: process_creation

rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml

@@ -9,6 +9,9 @@ references:
     - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023/06/02
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
     product: linux
     category: process_creation

rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml

@@ -6,6 +6,11 @@ references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/03/14
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1059.004
+    - attack.t1036
 logsource:
     product: linux
     category: process_creation

rules/web/product/apache/web_apache_threading_error.yml

@@ -7,6 +7,11 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2019/01/22
 modified: 2021/11/27
+tags:
+    - attack.initial_access
+    - attack.lateral_movement
+    - attack.t1190
+    - attack.t1210
 logsource:
     service: apache
     definition: 'Requirements: Must be able to collect the error.log file'

rules/web/webserver_generic/web_java_payload_in_access_logs.yml

@@ -14,6 +14,8 @@ modified: 2023/01/19
 tags:
     - cve.2022.26134
     - cve.2021.26084
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules/web/webserver_generic/web_jndi_exploit.yml

@@ -1,13 +1,16 @@
 title: JNDIExploit Pattern
 id: 412d55bc-7737-4d25-9542-5b396867ce55
 status: test
-description: Detects exploitation attempt using the JDNIExploiit Kit
+description: Detects exploitation attempt using the JNDI-Exploit-Kit
 references:
     - https://github.com/pimps/JNDI-Exploit-Kit
     - https://githubmemory.com/repo/FunctFan/JNDIExploit
 author: Florian Roth (Nextron Systems)
 date: 2021/12/12
 modified: 2022/12/25
+tags:
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules/web/webserver_generic/web_sql_injection_in_access_logs.yml

@@ -10,6 +10,9 @@ references:
 author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/02/22
 modified: 2022/07/25
+tags:
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules/web/webserver_generic/web_ssti_in_access_logs.yml

@@ -7,6 +7,9 @@ references:
     - https://github.com/payloadbox/ssti-payloads
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/14
+tags:
+    - attack.defense_evasion
+    - attack.t1221
 logsource:
     category: webserver
 detection:

rules/web/webserver_generic/web_xss_in_access_logs.yml

@@ -8,6 +8,9 @@ references:
 author: Saw Win Naung, Nasreddine Bencherchali
 date: 2021/08/15
 modified: 2022/06/14
+tags:
+    - attack.initial_access
+    - attack.t1189
 logsource:
     category: webserver
 detection:

rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml

@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml

@@ -11,6 +11,9 @@ references:
 author: frack113
 date: 2023/02/26
 modified: 2023/05/30
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml

@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml

@@ -7,6 +7,9 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/17
 modified: 2023/04/21
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml

@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/06/12
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml

@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/01/17
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml

@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml

@@ -7,6 +7,9 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
 logsource:
     product: windows
     service: firewall-as

rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml

@@ -13,6 +13,9 @@ references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023/04/26
+tags:
+    - attack.persistence
+    - attack.t1098
 logsource:
     product: windows
     service: security

rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml

@@ -13,6 +13,9 @@ references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023/04/26
+tags:
+    - attack.persistence
+    - attack.t1098
 logsource:
     product: windows
     service: security

rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml

@@ -13,6 +13,9 @@ references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023/04/26
+tags:
+    - attack.persistence
+    - attack.t1098
 logsource:
     product: windows
     service: security

rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml

@@ -6,6 +6,10 @@ references:
     - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
 author: Max Altgelt (Nextron Systems)
 date: 2022/04/06
+tags:
+    - attack.defense_evasion
+    - attack.lateral_movement
+    - attack.t1550
 logsource:
     product: windows
     service: security

rules/windows/builtin/security/win_security_add_remove_computer.yml

@@ -8,6 +8,9 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
 author: frack113
 date: 2022/10/14
+tags:
+    - attack.defense_evasion
+    - attack.t1207
 logsource:
     service: security
     product: windows

rules/windows/builtin/security/win_security_admin_logon.yml

@@ -9,6 +9,13 @@ references:
 author: frack113
 date: 2022/10/14
 modified: 2022/10/22
+tags:
+    - attack.defense_evasion
+    - attack.lateral_movement
+    - attack.credential_access
+    - attack.t1558
+    - attack.t1649
+    - attack.t1550
 logsource:
     service: security
     product: windows

rules/windows/builtin/security/win_security_device_installation_blocked.yml

@@ -7,6 +7,9 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423
 author: frack113
 date: 2022/10/14
+tags:
+    - attack.initial_access
+    - attack.t1200
 logsource:
     service: security
     product: windows

rules/windows/builtin/security/win_security_replay_attack_detected.yml

@@ -7,6 +7,9 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
 author: frack113
 date: 2022/10/14
+tags:
+    - attack.credential_access
+    - attack.t1558
 logsource:
     service: security
     product: windows

rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml

@@ -6,6 +6,9 @@ references:
     - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
 date: 2022/05/09
+tags:
+    - attack.defense_evasion
+    - attack.t1027
 logsource:
     product: windows
     service: security

rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml

@@ -6,6 +6,12 @@ references:
     - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
 date: 2022/05/09
+tags:
+    - attack.command_and_control
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.t1105
+    - attack.t1036
 logsource:
     product: windows
     service: security