ATT&CK Techniques to Security Events


Importing Python Libraries

# Library to manipulate tabular data
import pandas as pd

# Library to parse the YAML mapping file, and the HTTP client to download it
import yaml
import requests

# Library for the visualizations used below (bar charts, network graph)
from openhunt import visualizations as vis

Importing (Sub)Techniques to Security Events Mapping Yaml File

Using the attackcti Python library, we collected every technique and sub-technique in the ATT&CK Enterprise matrix. We then mapped security events (Windows Security auditing, Sysmon, PowerShell and Microsoft Defender for Endpoint tables) to each technique's data source, data component and relationship. The resulting YAML file lives in the OSSEM-DM repository; we load it here and flatten it into a DataFrame, one row per (technique, relationship, event) pair:

yamlUrl = 'https://raw.githubusercontent.com/OTRF/OSSEM-DM/main/use-cases/mitre_attack/techniques_to_events_mapping.yaml'
yamlContent = requests.get(yamlUrl)
# Fail loudly if the download did not succeed instead of parsing an error page
yamlContent.raise_for_status()
# safe_load: never use yaml.load on content fetched from the network
yamlMapping = yaml.safe_load(yamlContent.text)
# Flatten nested fields (e.g. filter_in) into dotted column names
mapping = pd.json_normalize(yamlMapping)
mapping.head()
| | technique_id | x_mitre_is_subtechnique | technique | tactic | platform | data_source | data_component | name | source | relationship | target | event_id | event_name | event_platform | audit_category | audit_sub_category | log_channel | log_provider | filter_in | filter_in.ObjectType |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | T1553.006 | True | Code Signing Policy Modification | [defense-evasion] | [Windows, macOS] | windows registry | windows registry key modification | Process modified Windows registry key | process | modified | windows registry key | 13 | RegistryEvent (Value Set). | Windows | RegistryEvent | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 1 | T1553.006 | True | Code Signing Policy Modification | [defense-evasion] | [Windows, macOS] | windows registry | windows registry key modification | Process modified Windows registry key | process | modified | windows registry key | 14 | RegistryEvent (Key and Value Rename). | Windows | RegistryEvent | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 2 | T1553.006 | True | Code Signing Policy Modification | [defense-evasion] | [Windows, macOS] | windows registry | windows registry key modification | Process modified Windows registry key | process | modified | windows registry key | 4670 | Permissions on an object were changed. | Windows | Object Access | Registry | Security | Microsoft-Windows-Security-Auditing | NaN | NaN |
| 3 | T1553.006 | True | Code Signing Policy Modification | [defense-evasion] | [Windows, macOS] | windows registry | windows registry key modification | Process modified Windows registry key | process | modified | windows registry key | DeviceRegistryEvents | DeviceRegistryEvents | Windows | None | NaN | None | Windows Defender Advanced Threat Protection | NaN | NaN |
| 4 | T1553.006 | True | Code Signing Policy Modification | [defense-evasion] | [Windows, macOS] | windows registry | windows registry key modification | Process modified Windows registry key value | process | modified | windows registry key value | 13 | RegistryEvent (Value Set). | Windows | RegistryEvent | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |

Which are the most relevant data sources for Sub-Techniques within the Enterprise Matrix?

# Keep sub-techniques only, and one row per (technique, data source, data component):
# a component mapped to several events must still count once per sub-technique
enterprise_sub = mapping[mapping['x_mitre_is_subtechnique'] == True][['technique_id','data_source','data_component']].drop_duplicates()
# Name the columns explicitly ('index' = data source, 'data_source' = count) so the
# result is the same on pandas 1.x and 2.x, where value_counts() names them differently
top15_data_source = (enterprise_sub['data_source'].value_counts().nlargest(15)
                     .rename_axis('index').reset_index(name='data_source'))
title = 'Most Relevant Data Sources (Top 15)\nEnterprise Sub-Techniques'
vis.barh_chart(top15_data_source,'data_source','index',title, xlabel = 'Count of Sub-Techniques')
[Figure: horizontal bar chart produced by the cell above (attack_techniques_to_events_8_0.png)]

Which are the most relevant data components for Sub-Techniques within the Enterprise Matrix?

# Same deduplication as above, now counted per data component
enterprise_sub = mapping[mapping['x_mitre_is_subtechnique'] == True][['technique_id','data_source','data_component']].drop_duplicates()
top15_data_component = (enterprise_sub['data_component'].value_counts().nlargest(15)
                        .rename_axis('index').reset_index(name='data_component'))
title = 'Most Relevant Data Components (Top 15)\nEnterprise Sub-Techniques'
vis.barh_chart(top15_data_component,'data_component','index',title, xlabel = 'Count of Sub-Techniques')
[Figure: horizontal bar chart produced by the cell above (attack_techniques_to_events_10_0.png)]

Use Case: OS Credential Dumping: LSASS Memory (T1003.001)

Which security events can give us visibility into this sub-technique, and through which data components?

  • Network Graph

# Filter on the sub-technique under discussion (T1003.001), not the parent T1003
vis.attack_network_graph(mapping[(mapping['technique_id']=='T1003.001')])
[Figure: network graph of T1003.001 data sources, components, relationships and events (attack_techniques_to_events_16_0.png)]
  • Table

mapping[mapping['technique_id']=='T1003.001']
| | technique_id | x_mitre_is_subtechnique | technique | tactic | platform | data_source | data_component | name | source | relationship | target | event_id | event_name | event_platform | audit_category | audit_sub_category | log_channel | log_provider | filter_in | filter_in.ObjectType |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3486 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process creation | User created Process | user | created | process | 4688 | A new process has been created. | Windows | Detailed Tracking | Process Creation | Security | Microsoft-Windows-Security-Auditing | NaN | NaN |
| 3487 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process creation | User created Process | user | created | process | 1 | Process Creation. | Windows | ProcessCreate | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 3488 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process creation | User created Process | user | created | process | DeviceProcessEvents | DeviceProcessEvents | Windows | None | NaN | None | Windows Defender Advanced Threat Protection | NaN | NaN |
| 3489 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process creation | Process created Process | process | created | process | 4688 | A new process has been created. | Windows | Detailed Tracking | Process Creation | Security | Microsoft-Windows-Security-Auditing | NaN | NaN |
| 3490 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process creation | Process created Process | process | created | process | 1 | Process Creation. | Windows | ProcessCreate | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 3491 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process creation | Process created Process | process | created | process | DeviceProcessEvents | DeviceProcessEvents | Windows | None | NaN | None | Windows Defender Advanced Threat Protection | NaN | NaN |
| 3492 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process creation | Process created Thread | process | created | thread | 8 | CreateRemoteThread. | Windows | CreateRemoteThread | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 3493 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process access | Process requested access to Process | process | requested access to | process | 4656 | A handle to an object was requested. | Windows | Object Access | Kernel Object | Security | Microsoft-Windows-Security-Auditing | [{'ObjectType': 'Process'}] | NaN |
| 3494 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process access | Process accessed Process | process | accessed | process | 10 | ProcessAccess. | Windows | ProcessAccess | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 3495 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | process access | Process accessed Process | process | accessed | process | 4663 | An attempt was made to access an object. | Windows | Object Access | Kernel Object | Security | Microsoft-Windows-Security-Auditing | [{'ObjectType': 'Process'}] | NaN |
| 3496 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | User executed Command | user | executed | command | 4688 | A new process has been created. | Windows | Detailed Tracking | Process Creation | Security | Microsoft-Windows-Security-Auditing | NaN | NaN |
| 3497 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | User executed Command | user | executed | command | 1 | Process Creation. | Windows | ProcessCreate | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 3498 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | User executed Command | user | executed | command | 4103 | Module logging. | Windows | Executing Pipeline | NaN | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | NaN | NaN |
| 3499 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | User executed Command | user | executed | command | DeviceProcessEvents | DeviceProcessEvents | Windows | None | NaN | None | Windows Defender Advanced Threat Protection | NaN | NaN |
| 3500 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | Process executed Command | process | executed | command | 4688 | A new process has been created. | Windows | Detailed Tracking | Process Creation | Security | Microsoft-Windows-Security-Auditing | NaN | NaN |
| 3501 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | Process executed Command | process | executed | command | 1 | Process Creation. | Windows | ProcessCreate | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
| 3502 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | Process executed Command | process | executed | command | 4103 | Module logging. | Windows | Executing Pipeline | NaN | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | NaN | NaN |
| 3503 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | command | command execution | Process executed Command | process | executed | command | DeviceProcessEvents | DeviceProcessEvents | Windows | None | NaN | None | Windows Defender Advanced Threat Protection | NaN | NaN |
| 3504 | T1003.001 | True | LSASS Memory | [credential-access] | [Windows] | process | os api execution | Process executed Api call | process | executed | api call | 8 | CreateRemoteThread. | Windows | CreateRemoteThread | NaN | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | NaN | NaN |
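The two analyses above (counting data sources and components once per sub-technique, and listing the events that feed a given technique's data components) are easy to misread when the mapping has several events per component. The following is an added example, not code from the original notebook or from OSSEM-DM: it re-implements both steps with the standard library only, over a small constructed subset of the mapping records printed on this page (plus one constructed parent-technique record, T1003, to exercise the sub-technique filter), and adds the check a detection engineer usually wants next: given which (log provider, event id) pairs an environment actually ingests, which data components of T1003.001 are covered and which alternatives would close the gaps. The function names, the `rec` helper and the `ingested` set are assumptions made for the example.

```python
"""Offline re-implementation of the mapping analysis on this page, over a
constructed subset of the OSSEM-DM techniques_to_events_mapping.yaml records.
Standard library only, so it runs without pandas, PyYAML or network access."""
from collections import Counter, defaultdict


def rec(technique_id, is_sub, data_source, data_component, event_id, provider):
    """Build one mapping record with the subset of YAML fields used below (assumed helper)."""
    return {"technique_id": technique_id, "x_mitre_is_subtechnique": is_sub,
            "data_source": data_source, "data_component": data_component,
            "event_id": str(event_id), "log_provider": provider}


SYSMON = "Microsoft-Windows-Sysmon"
SECURITY = "Microsoft-Windows-Security-Auditing"
POWERSHELL = "Microsoft-Windows-PowerShell"
MDE = "Windows Defender Advanced Threat Protection"

# Constructed sample mirroring rows printed on this page, plus one parent
# technique record (T1003) to show the sub-technique filter. Not the full YAML.
MAPPING = [
    rec("T1553.006", True, "windows registry", "windows registry key modification", 13, SYSMON),
    rec("T1553.006", True, "windows registry", "windows registry key modification", 14, SYSMON),
    rec("T1553.006", True, "windows registry", "windows registry key modification", 4670, SECURITY),
    rec("T1553.006", True, "windows registry", "windows registry key modification", "DeviceRegistryEvents", MDE),
    rec("T1003.001", True, "process", "process creation", 4688, SECURITY),
    rec("T1003.001", True, "process", "process creation", 1, SYSMON),
    rec("T1003.001", True, "process", "process creation", "DeviceProcessEvents", MDE),
    rec("T1003.001", True, "process", "process creation", 8, SYSMON),
    rec("T1003.001", True, "process", "process access", 4656, SECURITY),
    rec("T1003.001", True, "process", "process access", 10, SYSMON),
    rec("T1003.001", True, "process", "process access", 4663, SECURITY),
    rec("T1003.001", True, "command", "command execution", 4688, SECURITY),
    rec("T1003.001", True, "command", "command execution", 1, SYSMON),
    rec("T1003.001", True, "command", "command execution", 4103, POWERSHELL),
    rec("T1003.001", True, "command", "command execution", "DeviceProcessEvents", MDE),
    rec("T1003.001", True, "process", "os api execution", 8, SYSMON),
    rec("T1003", False, "process", "process access", 10, SYSMON),
]


def top_values(mapping, field, n=15, subtechniques_only=True):
    """Count distinct (technique, data_source, data_component) triples per value
    of `field`. Deduplicating first is what the notebook's drop_duplicates() does:
    a component mapped to four events still counts once per technique, so the
    chart measures techniques covered, not event rows."""
    seen = set()
    counts = Counter()
    for r in mapping:
        if subtechniques_only and not r["x_mitre_is_subtechnique"]:
            continue
        key = (r["technique_id"], r["data_source"], r["data_component"])
        if key in seen:
            continue
        seen.add(key)
        counts[r[field]] += 1
    return counts.most_common(n)


def events_for_technique(mapping, technique_id):
    """Map each data component of a technique to the (provider, event_id) pairs
    that can populate it: the table view on this page, condensed."""
    out = defaultdict(set)
    for r in mapping:
        if r["technique_id"] == technique_id:
            out[r["data_component"]].add((r["log_provider"], r["event_id"]))
    return dict(out)


def coverage_gaps(mapping, technique_id, collected):
    """Given the (provider, event_id) pairs an environment actually ingests,
    report per data component whether at least one mapped event is collected
    and which alternative events would close the gap."""
    report = {}
    for component, events in events_for_technique(mapping, technique_id).items():
        have = sorted(events & collected)
        report[component] = {
            "covered": bool(have),
            "collected": have,
            "candidates": sorted(events - collected),
        }
    return report


if __name__ == "__main__":
    print(top_values(MAPPING, "data_source", n=3))
    # Constructed environment: only Security event 4688 is being collected
    ingested = {(SECURITY, "4688")}
    for comp, info in coverage_gaps(MAPPING, "T1003.001", ingested).items():
        state = "covered" if info["covered"] else "MISSING"
        print(f"{comp:20s} {state:8s} alternatives: {info['candidates']}")
```

With only Security 4688 collected, "process creation" and "command execution" are covered but "process access" and "os api execution" are not, which is exactly the gap that matters for LSASS dumping: a process creation alone rarely distinguishes a dumper from a legitimate tool, while Sysmon 10 / Security 4656 and 4663 on the LSASS process do. Swap `MAPPING` for the records loaded from the real YAML (`yamlMapping` above is already a list of dicts with these keys) and `ingested` for your own collection inventory to run the same check across all techniques.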

What other security event logs would you recommend for this data source/component? Contribute to the community through OSSEM :D

You can contribute and map more security events in the OSSEM-DM repository (OTRF/OSSEM-DM on GitHub), where the mapping file loaded above is maintained.