Mappings to MITRE ATT&CK Data Sources/Components
Closed this issue · 4 comments
Not sure how you want to integrate, but sharing some notes on potential mappings:
Process Activity = https://attack.mitre.org/datasources/DS0009/
Process Creation = https://attack.mitre.org/datasources/DS0009/#Process%20Creation
Process Termination = https://attack.mitre.org/datasources/DS0009/#Process%20Termination
Process Access = https://attack.mitre.org/datasources/DS0009/#Process%20Access
Image/Library Loaded = https://attack.mitre.org/datasources/DS0011/#Module%20Load
Remote Thread Creation = partially https://attack.mitre.org/datasources/DS0009/#OS%20API%20Execution & https://attack.mitre.org/datasources/DS0009/#Process%20Access (? 🤷 )
Process Tampering Activity = https://attack.mitre.org/datasources/DS0009/#Process%20Modification
File Manipulation = https://attack.mitre.org/datasources/DS0022/
File Creation = https://attack.mitre.org/datasources/DS0022/#File%20Creation
File Opened = https://attack.mitre.org/datasources/DS0022/#File%20Access
File Deletion = https://attack.mitre.org/datasources/DS0022/#File%20Deletion
File Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification
File Renaming = https://attack.mitre.org/datasources/DS0022/#File%20Modification
User Account Activity = https://attack.mitre.org/datasources/DS0002/
Local Account Creation = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Creation
Local Account Modification = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Modification
Local Account Deletion = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Deletion
Account Login = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Authentication + https://attack.mitre.org/datasources/DS0028/#Logon%20Session%20Creation
Account Logoff = [null]
Network Activity = https://attack.mitre.org/datasources/DS0029/
TCP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
UDP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
URL = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
DNS Query = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
File Downloaded = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content + https://attack.mitre.org/datasources/DS0022/#File%20Creation (? 🤷)
Hash Algorithms = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
MD5 = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
SHA = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
IMPHASH = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
Registry Activity = https://attack.mitre.org/datasources/DS0024/
Key/Value Creation = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Creation
Key/Value Modification = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Modification
Key/Value Deletion = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Deletion
Schedule Task Activity = https://attack.mitre.org/datasources/DS0003/
Scheduled Task Creation = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Creation
Scheduled Task Modification = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification
Scheduled Task Deletion = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification (? 🤷)
Service Activity = https://attack.mitre.org/datasources/DS0019/
Service Creation = https://attack.mitre.org/datasources/DS0019/#Service%20Creation
Service Modification = https://attack.mitre.org/datasources/DS0019/#Service%20Modification
Service Deletion = https://attack.mitre.org/datasources/DS0019/#Service%20Modification (? 🤷)
Driver/Module Activity = https://attack.mitre.org/datasources/DS0027/
Driver Loaded = https://attack.mitre.org/datasources/DS0027/#Driver%20Load
Driver Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification (? 🤷)
Driver Unloaded = [null]
Device Operations = https://attack.mitre.org/datasources/DS0016/
Virtual Disk Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
USB Device Unmount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
USB Device Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
Other Relevant Events
Group Policy Modification = https://attack.mitre.org/datasources/DS0026/#Active%20Directory%20Object%20Modification (? 🤷)
Named Pipe Activity = https://attack.mitre.org/datasources/DS0023/
Pipe Creation = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)
Pipe Connection = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)
EDR SysOps = https://attack.mitre.org/datasources/DS0013/
Agent Start = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Stop = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Install = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Uninstall = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Tampering = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Keep-Alive = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Errors = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
WMI Activity = https://attack.mitre.org/datasources/DS0005/
WmiEventConsumerToFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
WmiEventConsumer = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
WmiEventFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
BIT JOBS Activity = [null]
PowerShell Activity = https://attack.mitre.org/datasources/DS0012/ + https://attack.mitre.org/datasources/DS0017/
Script-Block Activity = https://attack.mitre.org/datasources/DS0012/#Script%20Execution
there are obviously always going to be differences in the level of abstraction, but also maybe some ideas to borrow in each direction 👍
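Added example, not code from the issue or from the project: a small Python parser for the `Telemetry = URL (? 🤷)` notation used in the list above. It pulls the ATT&CK data source ID and component name out of each line, classifies the entry as mapped, tentative (marked `?`/🤷 or `partially`) or unmapped (`[null]`), and tallies coverage per data source so gaps and guesses stand out. The sample text is a constructed subset of the list.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed subset of the mapping list, in the same notation as the issue.
SAMPLE = """\
Process Activity = https://attack.mitre.org/datasources/DS0009/
Process Creation = https://attack.mitre.org/datasources/DS0009/#Process%20Creation
Remote Thread Creation = partially https://attack.mitre.org/datasources/DS0009/#OS%20API%20Execution & https://attack.mitre.org/datasources/DS0009/#Process%20Access (? 🤷 )
Account Login = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Authentication + https://attack.mitre.org/datasources/DS0028/#Logon%20Session%20Creation
Account Logoff = [null]
Scheduled Task Deletion = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification (? 🤷)
"""

# Data source ID (DSnnnn) plus optional "#Component%20Name" fragment.
URL_RE = re.compile(r"https://attack\.mitre\.org/datasources/(DS\d{4})/(?:#(\S+))?")


def parse_mapping(text):
    """Return one dict per 'Telemetry = ...' line: name, refs, status."""
    rows = []
    for line in text.splitlines():
        if "=" not in line:          # section headers such as "Other Relevant Events"
            continue
        telemetry, rhs = (part.strip() for part in line.split("=", 1))
        # findall yields '' for a missing fragment; normalise to None and decode %20.
        refs = [(ds, unquote(comp) if comp else None) for ds, comp in URL_RE.findall(rhs)]
        if rhs == "[null]" or not refs:
            status = "unmapped"
        elif "🤷" in rhs or "?" in rhs or rhs.startswith("partially"):
            status = "tentative"
        else:
            status = "mapped"
        rows.append({"telemetry": telemetry, "refs": refs, "status": status})
    return rows


def coverage_by_data_source(rows):
    """Count telemetry categories per data source, split into mapped vs tentative."""
    cov = defaultdict(lambda: {"mapped": 0, "tentative": 0})
    for row in rows:
        if row["status"] == "unmapped":
            continue
        for ds in {ds for ds, _ in row["refs"]}:   # count each data source once per row
            cov[ds][row["status"]] += 1
    return dict(cov)


def unmapped_telemetry(rows):
    """Names of telemetry categories with no ATT&CK data component yet."""
    return [row["telemetry"] for row in rows if row["status"] == "unmapped"]
```

Run `coverage_by_data_source(parse_mapping(SAMPLE))` to see how many categories each data source absorbs and how many of those are still guesses.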
Awesome work Jamie, thank you. We'll review and decide how to implement those and display in the main table.
That came in faster than I thought! I am thinking about a visualization... oh wait! Heatmaps?! :P
Thanks @jwillyamz!
Thank you for taking the time to map all the sub-categories, @jwillyamz! Appreciate it 🙏 This is now implemented on the Google Sheet table: https://docs.google.com/spreadsheets/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/edit#gid=1993314609