diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 4056115..1909da5 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -5,6 +5,7 @@
 **改善:**
 - RDPログオンとログオフの情報が`timeline-logon`タイムラインに追加された。 #209 (@fukusuket)
+- MITRE ATT&CKをバージョン16.1に更新した。 (#219) (@fukusuket)
 ## 2.7.1 [2024/10/31] Halloween Release
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5bca209..df9846d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **Enhancements:**
 - RDP logon and logoff information has been added to the `timeline-logon` timeline. #209 (@fukusuket)
+- MITRE ATT&CK updated to version 16.1. (#219) (@fukusuket)
 ## 2.7.1 [2024/10/31] Halloween Release
diff --git a/mitre-attack.json b/mitre-attack.json
index d3dd209..b2ad7dd 100644
--- a/mitre-attack.json
+++ b/mitre-attack.json
@@ -15,7 +15,7 @@
 "Technique": "Data Obfuscation"
 },
 "T1001.003": {
- "Sub-Technique": "Protocol Impersonation",
+ "Sub-Technique": "Protocol or Service Impersonation",
 "Tactic": "Command and Control",
 "Technique": "Data Obfuscation"
 },
@@ -259,6 +259,11 @@
 "Tactic": "Defense Evasion",
 "Technique": "Obfuscated Files or Information"
 },
+ "T1027.014": {
+ "Sub-Technique": "Polymorphic Code",
+ "Tactic": "Defense Evasion",
+ "Technique": "Obfuscated Files or Information"
+ },
 "T1029": {
 "Sub-Technique": "-",
 "Tactic": "Exfiltration",
@@ -324,6 +329,11 @@
 "Tactic": "Defense Evasion",
 "Technique": "Masquerading"
 },
+ "T1036.010": {
+ "Sub-Technique": "Masquerade Account Name",
+ "Tactic": "Defense Evasion",
+ "Technique": "Masquerading"
+ },
 "T1037": {
 "Sub-Technique": "-",
 "Tactic": "Privilege Escalation",
@@ -594,6 +604,11 @@
 "Tactic": "Execution",
 "Technique": "Command and Scripting Interpreter"
 },
+ "T1059.011": {
+ "Sub-Technique": "Lua",
+ "Tactic": "Execution",
+ "Technique": "Command and Scripting Interpreter"
+ },
 "T1068": {
 "Sub-Technique": "-",
 "Tactic": "Discovery",
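Review bot: Nothing inside mitre-attack.json records which ATT&CK release it was generated from; the "16.1" appears only in the two changelog entries, so a consumer or a later diff cannot tell a v16.1 mapping apart from an older one. If the file's readers tolerate a key that is not a technique ID, a single top-level metadata entry, for example `"_meta": { "attack_version": "16.1" }` (constructed example), would make the file self-describing; if they iterate every key as a technique, keep it out and record the version where the file format is documented instead. The hunk context also shows `"T1068": { "Sub-Technique": "-", "Tactic": "Discovery"` carried over unchanged — if I read the ATT&CK matrix correctly, Exploitation for Privilege Escalation is listed only under Privilege Escalation, which suggests the regeneration does not re-validate pre-existing tactic values and a one-off cross-check of the whole file against the v16.1 STIX data would be worthwhile.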
@@ -669,6 +684,11 @@
 "Tactic": "Defense Evasion",
 "Technique": "Indicator Removal"
 },
+ "T1070.010": {
+ "Sub-Technique": "Relocate Malware",
+ "Tactic": "Defense Evasion",
+ "Technique": "Indicator Removal"
+ },
 "T1071": {
 "Sub-Technique": "-",
 "Tactic": "Command and Control",
@@ -694,6 +714,11 @@
 "Tactic": "Command and Control",
 "Technique": "Application Layer Protocol"
 },
+ "T1071.005": {
+ "Sub-Technique": "Publish/Subscribe Protocols",
+ "Tactic": "Command and Control",
+ "Technique": "Application Layer Protocol"
+ },
 "T1072": {
 "Sub-Technique": "-",
 "Tactic": "Lateral Movement",
@@ -854,6 +879,11 @@
 "Tactic": "Privilege Escalation",
 "Technique": "Account Manipulation"
 },
+ "T1098.007": {
+ "Sub-Technique": "Additional Local or Domain Groups",
+ "Tactic": "Privilege Escalation",
+ "Technique": "Account Manipulation"
+ },
 "T1102": {
 "Sub-Technique": "-",
 "Tactic": "Command and Control",
@@ -989,6 +1019,11 @@
 "Tactic": "Defense Evasion",
 "Technique": "Trusted Developer Utilities Proxy Execution"
 },
+ "T1127.002": {
+ "Sub-Technique": "ClickOnce",
+ "Tactic": "Defense Evasion",
+ "Technique": "Trusted Developer Utilities Proxy Execution"
+ },
 "T1129": {
 "Sub-Technique": "-",
 "Tactic": "Defense Evasion",
@@ -1259,6 +1294,16 @@
 "Tactic": "Collection",
 "Technique": "Data from Information Repositories"
 },
+ "T1213.004": {
+ "Sub-Technique": "Customer Relationship Management Software",
+ "Tactic": "Collection",
+ "Technique": "Data from Information Repositories"
+ },
+ "T1213.005": {
+ "Sub-Technique": "Messaging Applications",
+ "Tactic": "Collection",
+ "Technique": "Data from Information Repositories"
+ },
 "T1216": {
 "Sub-Technique": "-",
 "Tactic": "Defense Evasion",
@@ -1394,6 +1439,11 @@
 "Tactic": "Defense Evasion",
 "Technique": "Execution Guardrails"
 },
+ "T1480.002": {
+ "Sub-Technique": "Mutual Exclusion",
+ "Tactic": "Defense Evasion",
+ "Technique": "Execution Guardrails"
+ },
 "T1482": {
 "Sub-Technique": "-",
 "Tactic": "Discovery",
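Review bot: The new `"T1098.007"` entry records the single tactic `"Privilege Escalation"`, although ATT&CK lists Account Manipulation under both Persistence and Privilege Escalation; the same applies to `"T1546.017"` (Persistence / Privilege Escalation) and `"T1557.004"` (Credential Access / Collection) in the following hunks. This matches the one-`Tactic`-per-entry shape of the parent entries in the surrounding context, so it is consistent, but anything that groups or filters detections by tactic will never surface these techniques under their other tactic. If the file's readers tolerate extra keys, a backward-compatible array alongside the existing field, for example `"Tactics": ["Persistence", "Privilege Escalation"]`, would carry the full mapping; otherwise the rule used to pick the one reported tactic should be stated where the file format is documented so the omission is deliberate rather than silent.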
@@ -1419,6 +1469,11 @@
 "Tactic": "Impact",
 "Technique": "Data Destruction"
 },
+ "T1485.001": {
+ "Sub-Technique": "Lifecycle-Triggered Deletion",
+ "Tactic": "Impact",
+ "Technique": "Data Destruction"
+ },
 "T1486": {
 "Sub-Technique": "-",
 "Tactic": "Impact",
@@ -1459,6 +1514,26 @@
 "Tactic": "Impact",
 "Technique": "Resource Hijacking"
 },
+ "T1496.001": {
+ "Sub-Technique": "Compute Hijacking",
+ "Tactic": "Impact",
+ "Technique": "Resource Hijacking"
+ },
+ "T1496.002": {
+ "Sub-Technique": "Bandwidth Hijacking",
+ "Tactic": "Impact",
+ "Technique": "Resource Hijacking"
+ },
+ "T1496.003": {
+ "Sub-Technique": "SMS Pumping",
+ "Tactic": "Impact",
+ "Technique": "Resource Hijacking"
+ },
+ "T1496.004": {
+ "Sub-Technique": "Cloud Service Hijacking",
+ "Tactic": "Impact",
+ "Technique": "Resource Hijacking"
+ },
 "T1497": {
 "Sub-Technique": "-",
 "Tactic": "Discovery",
@@ -1759,6 +1834,11 @@
 "Tactic": "Privilege Escalation",
 "Technique": "Event Triggered Execution"
 },
+ "T1546.017": {
+ "Sub-Technique": "Udev Rules",
+ "Tactic": "Privilege Escalation",
+ "Technique": "Event Triggered Execution"
+ },
 "T1547": {
 "Sub-Technique": "-",
 "Tactic": "Privilege Escalation",
@@ -2084,6 +2164,11 @@
 "Tactic": "Collection",
 "Technique": "Adversary-in-the-Middle"
 },
+ "T1557.004": {
+ "Sub-Technique": "Evil Twin",
+ "Tactic": "Collection",
+ "Technique": "Adversary-in-the-Middle"
+ },
 "T1558": {
 "Sub-Technique": "-",
 "Tactic": "Credential Access",
@@ -2109,6 +2194,11 @@
 "Tactic": "Credential Access",
 "Technique": "Steal or Forge Kerberos Tickets"
 },
+ "T1558.005": {
+ "Sub-Technique": "Ccache Files",
+ "Tactic": "Credential Access",
+ "Technique": "Steal or Forge Kerberos Tickets"
+ },
 "T1559": {
 "Sub-Technique": "-",
 "Tactic": "Execution",
@@ -3184,6 +3274,11 @@
 "Tactic": "Command and Control",
 "Technique": "Hide Infrastructure"
 },
+ "T1666": {
+ "Sub-Technique": "-",
+ "Tactic": "Defense Evasion",
+ "Technique": "Modify Cloud Resource Hierarchy"
+ },
 "TA0001": {
 "Sub-Technique": "-",
 "Tactic": "Initial Access",