In this release version 3.1, we added 77 rules to cover more MITRE ATT&CK techniques/sub-techniques.
In this release version 3.0, we have re-mapped the existing Default Content to support the new MITRE ATT&CK sub-techniques.
As a result of this re-mapping exercise, the Default Content now supports the techniques and sub-techniques listed below.
For a more user-friendly way of browsing this list, we recommend visiting https://mitre.microfocus.com/.
We also provide a downloadable JSON-formatted file of all Default and Non-Default Content on the above-mentioned webpage.
Threat Intelligence Platform
This package is designed to detect security threats based on intelligence data feeds from the open source Malware Information Sharing Platform (MISP). It also follows the MITRE ATT&CK framework.
This package requires installation of the Model Import Connector (MIC) for MISP. For more information on MIC, please refer to the documentation at https://community.microfocus.com/t5/ESM-and-ESM-Express/Model-Import-Connector-for-MISP-Malware-Information-Sharing/ta-p/2752381
The following use cases are covered in this package:
The following MITRE ATT&CK techniques/sub-techniques are covered:
TA0001 Initial Access
-T1078-Valid Accounts
--T1078.001-Default Accounts
-T1091-Replication Through Removable Media
-T1133-External Remote Services
-T1189-Drive-by Compromise
-T1190-Exploit Public-Facing Application
-T1200-Hardware Additions
-T1566-Phishing
--T1566.001-Spearphishing Attachment
--T1566.002-Spearphishing Link
TA0002 Execution
-T1047-Windows Management Instrumentation
-T1053-Scheduled Task/Job
--T1053.005-Scheduled Task
-T1059-Command and Scripting Interpreter
--T1059.001-PowerShell
--T1059.003-Windows Command Shell
-T1072-Software Deployment Tools
-T1129-Shared Modules
-T1203-Exploitation for Client Execution
-T1204-User Execution
--T1204.001-Malicious Link
-T1559-Inter-Process Communication
--T1559.001-Component Object Model
--T1559.002-Dynamic Data Exchange
-T1569-System Services
--T1569.002-Service Execution
TA0003 Persistence
-T1053-Scheduled Task/Job
--T1053.005-Scheduled Task
-T1078-Valid Accounts
--T1078.001-Default Accounts
-T1098-Account Manipulation
-T1133-External Remote Services
-T1136-Create Account
-T1543-Create or Modify System Process
--T1543.003-Windows Service
-T1546-Event Triggered Execution
--T1546.011-Application Shimming
--T1546.012-Image File Execution Options Injection
-T1547-Boot or Logon Autostart Execution
--T1547.001-Registry Run Keys and Startup Folder
--T1547.006-Kernel Modules and Extensions
-T1574-Hijack Execution Flow
--T1574.001-DLL Search Order Hijacking
--T1574.009-Path Interception by Unquoted Path
TA0004 Privilege Escalation
-T1053-Scheduled Task/Job
--T1053.005-Scheduled Task
-T1055-Process Injection
--T1055.012-Process Hollowing
-T1068-Exploitation for Privilege Escalation
-T1078-Valid Accounts
--T1078.001-Default Accounts
-T1134-Access Token Manipulation
--T1134.002-Create Process with Token
-T1543-Create or Modify System Process
--T1543.003-Windows Service
-T1546-Event Triggered Execution
--T1546.011-Application Shimming
--T1546.012-Image File Execution Options Injection
-T1547-Boot or Logon Autostart Execution
--T1547.001-Registry Run Keys and Startup Folder
--T1547.006-Kernel Modules and Extensions
-T1548-Abuse Elevation Control Mechanism
--T1548.002-Bypass User Access Control
--T1548.003-Sudo and Sudo Caching
-T1574-Hijack Execution Flow
--T1574.001-DLL Search Order Hijacking
--T1574.009-Path Interception by Unquoted Path
TA0005 Defense Evasion
-T1027-Obfuscated Files or Information
--T1027.002-Software Packing
-T1036-Masquerading
--T1036.002-Right-to-Left Override
--T1036.003-Rename System Utilities
--T1036.005-Match Legitimate Name or Location
--T1036.006-Space after Filename
-T1055-Process Injection
--T1055.012-Process Hollowing
-T1070-Indicator Removal on Host
--T1070.004-File Deletion
-T1078-Valid Accounts
--T1078.001-Default Accounts
-T1090-Proxy
--T1090.001-Internal Proxy
--T1090.003-Multi-hop Proxy
-T1112-Modify Registry
-T1127-Trusted Developer Utilities Proxy Execution
--T1127.001-MSBuild
-T1134-Access Token Manipulation
--T1134.002-Create Process with Token
-T1140-Deobfuscate/Decode Files or Information
-T1202-Indirect Command Execution
-T1216-Signed Script Proxy Execution
--T1216.001-PubPrn
-T1218-Signed Binary Proxy Execution
--T1218.001-Compiled HTML File
--T1218.002-Control Panel
--T1218.003-CMSTP
--T1218.004-InstallUtil
--T1218.005-Mshta
--T1218.007-Msiexec
--T1218.009-Regsvcs/Regasm
--T1218.010-Regsvr32
--T1218.011-Rundll32
-T1220-XSL Script Processing
-T1497-Virtualization/Sandbox Evasion
--T1497.002-User Activity Based Checks
-T1548-Abuse Elevation Control Mechanism
--T1548.002-Bypass User Access Control
--T1548.003-Sudo and Sudo Caching
-T1550-Use Alternate Authentication Material
--T1550.002-Pass the Hash
-T1562-Impair Defenses
--T1562.001-Disable or Modify Tools
--T1562.002-Disable Windows Event Logging
--T1562.004-Disable or Modify System Firewall
-T1574-Hijack Execution Flow
--T1574.001-DLL Search Order Hijacking
--T1574.009-Path Interception by Unquoted Path
TA0006 Credential Access
-T1003-OS Credential Dumping
--T1003.001-LSASS Memory
--T1003.002-Security Account Manager
--T1003.003-NTDS
-T1040-Network Sniffing
-T1056-Input Capture
--T1056.001-Keylogging
--T1056.004-Credential API Hooking
-T1110-Brute Force
--T1110.001-Password Guessing
--T1110.003-Password Spraying
-T1555-Credentials from Password Stores
--T1555.003-Credentials from Web Browsers
TA0007 Discovery
-T1010-Application Window Discovery
-T1012-Query Registry
-T1016-System Network Configuration Discovery
-T1018-Remote System Discovery
-T1033-System Owner/User Discovery
-T1040-Network Sniffing
-T1046-Network Service Scanning
-T1057-Process Discovery
-T1069-Permission Groups Discovery
-T1082-System Information Discovery
-T1083-File and Directory Discovery
-T1087-Account Discovery
--T1087.001-Local Account
-T1135-Network Share Discovery
-T1201-Password Policy Discovery
-T1217-Browser Bookmark Discovery
-T1497-Virtualization/Sandbox Evasion
--T1497.002-User Activity Based Checks
-T1518-Software Discovery
--T1518.001-Security Software Discovery
TA0008 Lateral Movement
-T1021-Remote Services
--T1021.001-Remote Desktop Protocol
--T1021.002-SMB/Windows Admin Shares
--T1021.003-Distributed Component Object Model
--T1021.006-Windows Remote Management
-T1072-Software Deployment Tools
-T1091-Replication Through Removable Media
-T1210-Exploitation of Remote Services
-T1550-Use Alternate Authentication Material
--T1550.002-Pass the Hash
TA0009 Collection
-T1005-Data from Local System
-T1039-Data from Network Shared Drive
-T1056-Input Capture
--T1056.001-Keylogging
--T1056.004-Credential API Hooking
-T1074-Data Staged
-T1113-Screen Capture
-T1114-Email Collection
-T1115-Clipboard Data
-T1560-Archive Collected Data
--T1560.001-Archive via Utility
TA0010 Exfiltration
-T1041-Exfiltration Over Command and Control Channel
-T1048-Exfiltration Over Alternative Protocol
--T1048.003-Exfiltration Over Unencrypted or Obfuscated Non-C2
-T1052-Exfiltration Over Physical Medium
--T1052.001-Exfiltration over USB
TA0011 Command and Control
-T1071-Application Layer Protocol
--T1071.004-DNS
-T1090-Proxy
--T1090.001-Internal Proxy
--T1090.003-Multi-hop Proxy
-T1105-Ingress Tool Transfer
-T1132-Data Encoding
--T1132.001-Standard Encoding
-T1219-Remote Access Software
-T1568-Dynamic Resolution
--T1568.002-Domain Generation Algorithms
-T1571-Non-Standard Port
-T1573-Encrypted Channel
--T1573.002-Asymmetric Cryptography
TA0040 Impact
-T1486-Data Encrypted for Impact
-T1489-Service Stop
-T1490-Inhibit System Recovery
-T1498-Network Denial of Service
--T1498.001-Direct Network Flood
In the release version 3.1, the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1003.001, T1003.003, T1005, T1010, T1018, T1021.001, T1021.002, T1021.003, T1027.002, T1033, T1036, T1041, T1047, T1055, T1055.012, T1056.004, T1057, T1059.001, T1069, T1070.004, T1071, T1071.004, T1074, T1082, T1083, T1087, T1090, T1105, T1110, T1112, T1134.002, T1135, T1202, T1204, T1217, T1219, T1497.002, T1543, T1543.003, T1546.011, T1548.002, T1548.003, T1550.002, T1555.003, T1560, T1562.004, T1569.002, T1571, T1573.002
In the release version 2.4, the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1027, T1036, T1047, T1050, T1053, T1086, T1088, T1173
In the release version 2.3, the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1034, T1056, T1060, T1068, T1076, T1077, T1078, T1085, T1088, T1089, T1090, T1093, T1105, T1113, T1188, T1193, T1490
In the release version 2.2, the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1003, T1012, T1036, T1045, T1063, T1083, T1086, T1089, T1105, T1112, T1132, T1201, T1503, T1518
In the release version 2.1, the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1016, T1018, T1036, T1040, T1046, T1057, T1068, T1098, T1132, T1498
In the release version 2.0, the following MITRE IDs were added:
T1002, T1003, T1028, T1031, T1035, T1038, T1039, T1047, T1048, T1050, T1052, T1053, T1055, T1059, T1061, T1064, T1072, T1078
T1085, T1086, T1087, T1089, T1090, T1091, T1107, T1113, T1114, T1115, T1117, T1118, T1121, T1127, T1129, T1140, T1151, T1168
T1170, T1173, T1175, T1179, T1183, T1191, T1196, T1200, T1203, T1204, T1215, T1216, T1218, T1220, T1223
-------------------------------------------------------------------------------
System Requirements
========================
Micro Focus ArcSight ESM 6.9.1c or above.
-------------------------------------------------------------------------------
To install this package:
===========================
The zip file contains three files: the package arb file, the signature of the arb file, and a Readme.
Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:
https://entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do
You are required to log in using a Micro Focus/Software Passport account (the site gives you the option to create one).
Perform the following steps in the ArcSight Console.
1. Go to the ArcSight Console.
2. Click Packages.
3. Click Import.
4. Select the package arb file from the zip file.
5. Follow the prompts to import and install this package.
To upgrade this package from version 1.x or 2.x
============================
Uninstall the following old version package:
Security Monitoring - Base - Active Lists
Note: the following 3 packages will be uninstalled automatically as well:
Security Monitoring - Base
Security Threat Monitoring
Threat Intelligence Platform
Then install the latest version package through the Console.
To upgrade this package from version 3.0
============================
You can install the new version package through the Console directly, without uninstalling the old version package.
To uninstall:
=============================
Right click package from ArcSight Console, then select "Uninstall Package".
Sample replay events
This zip file contains four files: two replay events, one arb package, and a readme.
In order to trigger/test rules in the default content, you need to:
1) Enable the rules you want to test
2) Install the package in this zip file to test the rules in the Threat Intelligence Platform package
Bug fixing.
In the release version 3.1, 77 rules were added; the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1003.001, T1003.003, T1005, T1010, T1018, T1021.001, T1021.002, T1021.003, T1027.002, T1033, T1036, T1041, T1047, T1055, T1055.012, T1056.004, T1057, T1059.001, T1069, T1070.004, T1071, T1071.004, T1074, T1082, T1083, T1087, T1090, T1105, T1110, T1112, T1134.002, T1135, T1202, T1204, T1217, T1219, T1497.002, T1543, T1543.003, T1546.011, T1548.002, T1548.003, T1550.002, T1555.003, T1560, T1562.004, T1569.002, T1571, T1573.002
We are excited to announce that ArcSight now supports MITRE ATT&CK with sub-techniques.
In this release version 3.0, we have re-mapped the existing Default Content to support the new MITRE ATT&CK sub-techniques.
As a result of this re-mapping exercise, the Default Content now supports the techniques and sub-techniques listed at https://mitre.microfocus.com/.
We also provide a downloadable JSON formatted file of all Default and Non-Default Content on the above-mentioned webpage.
Bug fixing.
Bug fixing, and the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1027, T1036, T1047, T1050, T1053, T1086, T1088, T1173
These replay events are used to test rules in the default content.