Merge pull request #219 from Yamato-Security/update-mitre-attack

feat: update to MITRE ATT&CK v16.1
Yamato-Security · Dec 5, 2024 · 37800d8 · 37800d8
2 parents 0b0d990 + f540e54
commit 37800d8
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 1 deletion.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -5,6 +5,7 @@
 **改善:**
 
 - RDPログオンとログオフの情報が`timeline-logon`タイムラインに追加された。 #209 (@fukusuket)
+- MITRE ATT&CKをバージョン16.1に更新した。 (#219) (@fukusuket) 
 
 ## 2.7.1 [2024/10/31] Halloween Release
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **Enhancements:**
 
 - RDP logon and logoff information has been added to the `timeline-logon` timeline. #209 (@fukusuket)
+- MITRE ATT&CK updated to version 16.1. (#219) (@fukusuket) 
 
 ## 2.7.1 [2024/10/31] Halloween Release
 

diff --git a/mitre-attack.json b/mitre-attack.json
@@ -15,7 +15,7 @@
         "Technique": "Data Obfuscation"
     },
     "T1001.003": {
-        "Sub-Technique": "Protocol Impersonation",
+        "Sub-Technique": "Protocol or Service Impersonation",
         "Tactic": "Command and Control",
         "Technique": "Data Obfuscation"
     },
@@ -259,6 +259,11 @@
         "Tactic": "Defense Evasion",
         "Technique": "Obfuscated Files or Information"
     },
+    "T1027.014": {
+        "Sub-Technique": "Polymorphic Code",
+        "Tactic": "Defense Evasion",
+        "Technique": "Obfuscated Files or Information"
+    },
     "T1029": {
         "Sub-Technique": "-",
         "Tactic": "Exfiltration",
@@ -324,6 +329,11 @@
         "Tactic": "Defense Evasion",
         "Technique": "Masquerading"
     },
+    "T1036.010": {
+        "Sub-Technique": "Masquerade Account Name",
+        "Tactic": "Defense Evasion",
+        "Technique": "Masquerading"
+    },
     "T1037": {
         "Sub-Technique": "-",
         "Tactic": "Privilege Escalation",
@@ -594,6 +604,11 @@
         "Tactic": "Execution",
         "Technique": "Command and Scripting Interpreter"
     },
+    "T1059.011": {
+        "Sub-Technique": "Lua",
+        "Tactic": "Execution",
+        "Technique": "Command and Scripting Interpreter"
+    },
     "T1068": {
         "Sub-Technique": "-",
         "Tactic": "Discovery",
@@ -669,6 +684,11 @@
         "Tactic": "Defense Evasion",
         "Technique": "Indicator Removal"
     },
+    "T1070.010": {
+        "Sub-Technique": "Relocate Malware",
+        "Tactic": "Defense Evasion",
+        "Technique": "Indicator Removal"
+    },
     "T1071": {
         "Sub-Technique": "-",
         "Tactic": "Command and Control",
@@ -694,6 +714,11 @@
         "Tactic": "Command and Control",
         "Technique": "Application Layer Protocol"
     },
+    "T1071.005": {
+        "Sub-Technique": "Publish/Subscribe Protocols",
+        "Tactic": "Command and Control",
+        "Technique": "Application Layer Protocol"
+    },
     "T1072": {
         "Sub-Technique": "-",
         "Tactic": "Lateral Movement",
@@ -854,6 +879,11 @@
         "Tactic": "Privilege Escalation",
         "Technique": "Account Manipulation"
     },
+    "T1098.007": {
+        "Sub-Technique": "Additional Local or Domain Groups",
+        "Tactic": "Privilege Escalation",
+        "Technique": "Account Manipulation"
+    },
     "T1102": {
         "Sub-Technique": "-",
         "Tactic": "Command and Control",
@@ -989,6 +1019,11 @@
         "Tactic": "Defense Evasion",
         "Technique": "Trusted Developer Utilities Proxy Execution"
     },
+    "T1127.002": {
+        "Sub-Technique": "ClickOnce",
+        "Tactic": "Defense Evasion",
+        "Technique": "Trusted Developer Utilities Proxy Execution"
+    },
     "T1129": {
         "Sub-Technique": "-",
         "Tactic": "Defense Evasion",
@@ -1259,6 +1294,16 @@
         "Tactic": "Collection",
         "Technique": "Data from Information Repositories"
     },
+    "T1213.004": {
+        "Sub-Technique": "Customer Relationship Management Software",
+        "Tactic": "Collection",
+        "Technique": "Data from Information Repositories"
+    },
+    "T1213.005": {
+        "Sub-Technique": "Messaging Applications",
+        "Tactic": "Collection",
+        "Technique": "Data from Information Repositories"
+    },
     "T1216": {
         "Sub-Technique": "-",
         "Tactic": "Defense Evasion",
@@ -1394,6 +1439,11 @@
         "Tactic": "Defense Evasion",
         "Technique": "Execution Guardrails"
     },
+    "T1480.002": {
+        "Sub-Technique": "Mutual Exclusion",
+        "Tactic": "Defense Evasion",
+        "Technique": "Execution Guardrails"
+    },
     "T1482": {
         "Sub-Technique": "-",
         "Tactic": "Discovery",
@@ -1419,6 +1469,11 @@
         "Tactic": "Impact",
         "Technique": "Data Destruction"
     },
+    "T1485.001": {
+        "Sub-Technique": "Lifecycle-Triggered Deletion",
+        "Tactic": "Impact",
+        "Technique": "Data Destruction"
+    },
     "T1486": {
         "Sub-Technique": "-",
         "Tactic": "Impact",
@@ -1459,6 +1514,26 @@
         "Tactic": "Impact",
         "Technique": "Resource Hijacking"
     },
+    "T1496.001": {
+        "Sub-Technique": "Compute Hijacking",
+        "Tactic": "Impact",
+        "Technique": "Resource Hijacking"
+    },
+    "T1496.002": {
+        "Sub-Technique": "Bandwidth Hijacking",
+        "Tactic": "Impact",
+        "Technique": "Resource Hijacking"
+    },
+    "T1496.003": {
+        "Sub-Technique": "SMS Pumping",
+        "Tactic": "Impact",
+        "Technique": "Resource Hijacking"
+    },
+    "T1496.004": {
+        "Sub-Technique": "Cloud Service Hijacking",
+        "Tactic": "Impact",
+        "Technique": "Resource Hijacking"
+    },
     "T1497": {
         "Sub-Technique": "-",
         "Tactic": "Discovery",
@@ -1759,6 +1834,11 @@
         "Tactic": "Privilege Escalation",
         "Technique": "Event Triggered Execution"
     },
+    "T1546.017": {
+        "Sub-Technique": "Udev Rules",
+        "Tactic": "Privilege Escalation",
+        "Technique": "Event Triggered Execution"
+    },
     "T1547": {
         "Sub-Technique": "-",
         "Tactic": "Privilege Escalation",
@@ -2084,6 +2164,11 @@
         "Tactic": "Collection",
         "Technique": "Adversary-in-the-Middle"
     },
+    "T1557.004": {
+        "Sub-Technique": "Evil Twin",
+        "Tactic": "Collection",
+        "Technique": "Adversary-in-the-Middle"
+    },
     "T1558": {
         "Sub-Technique": "-",
         "Tactic": "Credential Access",
@@ -2109,6 +2194,11 @@
         "Tactic": "Credential Access",
         "Technique": "Steal or Forge Kerberos Tickets"
     },
+    "T1558.005": {
+        "Sub-Technique": "Ccache Files",
+        "Tactic": "Credential Access",
+        "Technique": "Steal or Forge Kerberos Tickets"
+    },
     "T1559": {
         "Sub-Technique": "-",
         "Tactic": "Execution",
@@ -3184,6 +3274,11 @@
         "Tactic": "Command and Control",
         "Technique": "Hide Infrastructure"
     },
+    "T1666": {
+        "Sub-Technique": "-",
+        "Tactic": "Defense Evasion",
+        "Technique": "Modify Cloud Resource Hierarchy"
+    },
     "TA0001": {
         "Sub-Technique": "-",
         "Tactic": "Initial Access",