Threat Intelligence Platform
This package is designed to detect security threat based on intelligence data feed from open source Malware Information Sharing Platform (MISP). It also follows MITRE ATT&CK framework.
This package requires installation of MIC for MISP. For more information on MIC, please refer to the documentation at https://community.microfocus.com/t5/ESM-and-ESM-Express/Model-Import-Connector-for-MISP-Malware-Information-Sharing/ta-p/2752381
Following use cases are covered in this package:
- Botnet Activity
- Dangerous Browsing
- Internal Asset Found in Reputation List
- Phishing
- Ransomware
- Suspicious Activity
- Suspicious DNS Query
- Suspicious Email
- Suspicious File Hash
Following MITRE ATT&CK Techniques are covered:
TA0001 Initial Access
- T1192-Spearphishing Link
- T1193-Spearphishing Attachment
TA0008 Lateral Movement
TA0010 Exfiltration
- T1041-Exfiltration Over Command and Control Channel
- T1048-Exfiltration Over Alternative Protocol
TA0011 Command and Control
- T1026-Multiband Communication
- T1043-Commonly Used Port
- T1065-Uncommonly Used Port
- T1092-Communication Through Removable Media
- T1105-Remote File Copy
- T1219-Remote Access Tools
TA0040 Impact
- T1486-Data Encrypted for Impact
Following MITRE ATT&CK Techniques were added to Threat Intelligence Platform release 2.0:
T1041, T1043, T1065, T1092, T1193
In the release version 2.1, following MITRE ID was added:
T1105
In the release version 2.3, following MITRE ID was added:
T1026
Security Threat Monitoring:
This package monitors security threats based on security log events from firewall, IDS/IPS, OS, Application, Scanner, Anti-Virus etc.
Following use cases are included in this package:
- Application Monitoring
- Entity Monitoring
- Host Monitoring
- Malware Monitoring
- Network Monitoring
- Perimeter Monitoring
- Vulnerability Monitoring
Following MITRE ATT&CK Techniques are covered as well:
TA0001 Initial Access
- T1078-Valid Accounts
- T1091-Replication Through Removable Media
- T1189-Drive-by Compromise
- T1190-Exploit Public-Facing Application
- T1193-Spearphishing Attachment
- T1200-Hardware Additions
TA0002 Execution
- T1028-Windows Remote Management
- T1035-Service Execution
- T1047-Windows Management Instrumentation
- T1053-Scheduled Task
- T1059-Command-Line Interface
- T1061-Graphical User Interface
- T1064-Scripting
- T1072-Third-party Software
- T1085-Rundll32
- T1086-PowerShell
- T1117-Regsvr32
- T1118-InstallUtil
- T1121-Regsvcs Regasm
- T1127-Trusted Developer Utilities
- T1129-Execution through Module Load
- T1151-Space after Filename
- T1168-Local Job Scheduling
- T1170-Mshta
- T1173-Dynamic Data Exchange
- T1175-Component Object Model and Distributed COM
- T1191-CMSTP
- T1196-Control Panel Items
- T1203-Exploitation for Client Execution
- T1204-User Execution
- T1216-Signed Script Proxy Execution
- T1218-Signed Binary Proxy Execution
- T1220-XSL Script Processing
- T1223-Compiled HTML File
TA0003 Persistence
- T1031-Modify Existing Service
- T1034-Path Interception
- T1038-DLL Search Order Hijacking
- T1050-New Service
- T1053-Scheduled Task
- T1060-Registry Run Keys and Startup Folder
- T1078-Valid Accounts
- T1098-Account Manipulation
- T1136-Create Account
- T1168-Local Job Scheduling
- T1179-Hooking
- T1183-Image File Execution Options Injection
- T1215-Kernel Modules and Extensions
TA0004 Privilege Escalation
- T1034-Path Interception
- T1038-DLL Search Order Hijacking
- T1050-New Service
- T1053-Scheduled Task
- T1055-Process Injection
- T1068-Exploitation for Privilege Escalation
- T1078-Valid Accounts
- T1088-Bypass User Account Control
- T1179-Hooking
- T1183-Image File Execution Options Injection
TA0005 Defense Evasion
- T1036-Masquerading
- T1038-DLL Search Order Hijacking
- T1045-Software Packing
- T1055-Process Injection
- T1064-Scripting
- T1078-Valid Accounts
- T1085-Rundll32
- T1088-Bypass User Account Control
- T1089-Disabling Security Tools
- T1090-Connection Proxy
- T1093-Process Hollowing
- T1107-File Deletion
- T1112-Modify Registry
- T1117-Regsvr32
- T1118-InstallUtil
- T1121-Regsvcs Regasm
- T1127-Trusted Developer Utilities
- T1140-DeobfuscateDecode Files or Information
- T1151-Space after Filename
- T1170-Mshta
- T1183-Image File Execution Options Injection
- T1191-CMSTP
- T1196-Control Panel Items
- T1216-Signed Script Proxy Execution
- T1218-Signed Binary Proxy Execution
- T1220-XSL Script Processing
- T1223-Compiled HTML File
TA0006 Credential Access
- T1003-Credential Dumping
- T1040-Network Sniffing
- T1098-Account Manipulation
- T1110-Brute Force
- T1179-Hooking
- T1503-Credentials from Web Browsers
TA0007 Discovery
- T1012-Query Registry
- T1016-System Network Configuration Discovery
- T1018-Remote System Discovery
- T1040-Network Sniffing
- T1046-Network Service Scanning
- T1057-Process Discovery
- T1063-Security Software Discovery
- T1083-File and Directory Discovery
- T1087-Account Discovery
- T1201-Password Policy Discovery
- T1518-Software Discovery
TA0008 Lateral Movement
- T1028-Windows Remote Management
- T1072-Third-party Software
- T1075-Pass the Hash
- T1076-Remote Desktop Protocol
- T1077-Windows Admin Shares
- T1091-Replication Through Removable Media
- T1105-Remote File Copy
- T1210-Exploitation of Remote Services
TA0009 Collection
- T1039-Data from Network Shared Drive
- T1056-Input Capture
- T1113-Screen Capture
- T1114-Email Collection
- T1115-Clipboard Data
TA0010 Exfiltration
- T1002-Data Compressed
- T1048-Exfiltration Over Alternative Protocol
- T1052-Exfiltration Over Physical Medium
TA0011 Command and Control
- T1090-Connection Proxy
- T1105-Remote File Copy
- T1132-Data Encoding
- T1188-Multi-hop Proxy
- T1483-Domain Generation Algorithms
TA0040 Impact
- T1486-Data Encrypted for Impact
- T1489-Service Stop
- T1490-Inhibit System Recovery
- T1498-Network Denial of Service
Following MITRE ATT&CK Techniques were added to Security Threat Monitoring release 2.0:
T1002, T1003, T1028, T1031, T1035, T1038, T1039, T1047, T1050, T1052, T1053, T1055, T1059, T1061, T1064, T1072, T1078, T1085, T1086, T1087, T1089, T1090, T1091, T1107, T1113, T1114, T1115, T1117, T1118, T1121, T1127, T1129, T1140, T1151, T1168, T1170, T1173, T1175, T1179, T1183, T1191, T1196, T1200, T1203, T1204, T1215, T1216, T1218, T1220, T1223
In the release version 2.1, following MITRE IDs were added or rules were added to existing MITRE IDs:
T1016, T1018, T1036, T1040, T1046, T1057, T1068, T1098, T1132, T1498
In the release version 2.2, following MITRE IDs were added or rules were added to existing MITRE IDs:
T1003, T1012, T1036, T1045, T1063, T1083, T1086, T1089, T1105, T1112, T1132, T1201, T1503, T1518
In the release version 2.3, following MITRE IDs were added or rules were added to existing MITRE IDs:
T1034, T1056, T1060, T1068, T1076, T1077, T1078, T1085, T1088, T1089, T1090, T1093, T1105, T1113, T1188, T1193, T1490
Note: To upgrade from version 1.0 to 2.3,
It is recommended to uninstall the old version package below:
Security Monitoring - Base - Active Lists (version 1.0, do not uninstall if it is v2.3 already)
Keep in mind, following 3 packages will be uninstalled automatically as well:
Security Monitoring - Base
Security Threat Monitoring
Threat Intelligence Platform
Then install the version 2.3 package through console
To upgrade from version 2.0 or 2.1 or 2.2 to 2.3
You can install new version packages through console directly without uninstall old version package
Sample replay events
This zip file contains four files: two replay events, one arb package, and readme.
In order to trigger/test rules in the default content, you need to:
1) Enable rules which you want to test
2) Install package in this zip file for testing rules in the Threat Intelligence Platform package
289 items
42 item
15 item
45 item
1 item
20 item
14 item
96 item
32 item
10 item
1 item
29 item
16 item
1 item
