Merge pull request SigmaHQ#3903 from frack113/mitre_url

Clean attack.mitre.org techniques ref

rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml

@@ -3,8 +3,6 @@ id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
 status: experimental
 description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
 references:
-    - https://attack.mitre.org/techniques/T1053/
-    - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
     - https://github.com/zeronetworks/rpcfirewall

rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml

@@ -3,7 +3,6 @@ id: f177f2bc-5f3e-4453-b599-57eefce9a59c
 status: experimental
 description: Detects remote RPC calls to read information about scheduled tasks via AtScv
 references:
-    - https://attack.mitre.org/tactics/TA0007/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/zeronetworks/rpcfirewall
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
@@ -12,6 +11,8 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
+tags:
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml

@@ -3,7 +3,6 @@ id: 56fda488-113e-4ce9-8076-afc2457922c3
 status: experimental
 description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
 references:
-    - https://attack.mitre.org/techniques/T1033/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
     - https://github.com/zeronetworks/rpcfirewall
@@ -13,6 +12,7 @@ date: 2022/01/01
 modified: 2022/01/01
 tags:
     - attack.t1033
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml

@@ -3,7 +3,6 @@ id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
 status: experimental
 description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
 references:
-    - https://attack.mitre.org/tactics/TA0008/
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md
     - https://github.com/zeronetworks/rpcfirewall

rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml

@@ -3,12 +3,13 @@ id: 2053961f-44c7-4a64-b62d-f6e72800af0d
 status: experimental
 description: Detects remote RPC calls to get event log information via EVEN or EVEN6
 references:
-    - https://attack.mitre.org/tactics/TA0007/
     - https://github.com/zeronetworks/rpcfirewall
     - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
+tags:
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml

@@ -3,8 +3,6 @@ id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
 status: experimental
 description: Detects remote RPC calls to create or execute a scheduled task
 references:
-    - https://attack.mitre.org/techniques/T1053/
-    - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
     - https://github.com/zeronetworks/rpcfirewall

rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml

@@ -3,14 +3,15 @@ id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
 status: experimental
 description: Detects remote RPC calls to read information about scheduled tasks
 references:
-    - https://attack.mitre.org/tactics/TA0007/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
     - https://github.com/zeronetworks/rpcfirewall
     - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
+tags:
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml

@@ -3,7 +3,6 @@ id: bc3a4b0c-e167-48e1-aa88-b3020950e560
 status: experimental
 description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
 references:
-    - https://attack.mitre.org/tactics/TA0008/
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8

rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml

@@ -3,9 +3,6 @@ id: 68050b10-e477-4377-a99b-3721b422d6ef
 status: experimental
 description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
 references:
-    - https://attack.mitre.org/tactics/TA0008/
-    - https://attack.mitre.org/techniques/T1021/003/
-    - https://attack.mitre.org/techniques/T1047/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
     - https://github.com/zeronetworks/rpcfirewall
     - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/

rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml

@@ -3,8 +3,6 @@ id: 35c55673-84ca-4e99-8d09-e334f3c29539
 status: experimental
 description: Detects remote RPC calls to modify the registry and possible execute code
 references:
-    - https://attack.mitre.org/techniques/T1112/
-    - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
     - https://github.com/zeronetworks/rpcfirewall
@@ -14,6 +12,7 @@ date: 2022/01/01
 modified: 2022/01/01
 tags:
     - attack.lateral_movement
+    - attack.t1112
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml

@@ -3,14 +3,15 @@ id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
 status: experimental
 description: Detects remote RPC calls to collect information
 references:
-    - https://attack.mitre.org/tactics/TA0007/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
     - https://github.com/zeronetworks/rpcfirewall
     - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
+tags:
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml

@@ -3,7 +3,6 @@ id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
 status: experimental
 description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
 references:
-    - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
     - https://github.com/zeronetworks/rpcfirewall

rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml

@@ -3,8 +3,6 @@ id: 10018e73-06ec-46ec-8107-9172f1e04ff2
 status: experimental
 description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
 references:
-    - https://attack.mitre.org/tactics/TA0008/
-    - https://attack.mitre.org/techniques/T1569/002/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
     - https://github.com/zeronetworks/rpcfirewall

rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml

@@ -3,8 +3,6 @@ id: aff229ab-f8cd-447b-b215-084d11e79eb0
 status: experimental
 description: Detects remote RPC calls to create or execute a scheduled task via SASec
 references:
-    - https://attack.mitre.org/techniques/T1053/
-    - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
     - https://github.com/zeronetworks/rpcfirewall

rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml

@@ -3,14 +3,15 @@ id: 0a3ff354-93fc-4273-8a03-1078782de5b7
 status: experimental
 description: Detects remote RPC calls to read information about scheduled tasks via SASec
 references:
-    - https://attack.mitre.org/tactics/TA0007/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
     - https://github.com/zeronetworks/rpcfirewall
     - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/11/17
+tags:
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml

@@ -3,7 +3,6 @@ id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
 status: experimental
 description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
 references:
-    - https://attack.mitre.org/techniques/T1087/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
     - https://github.com/zeronetworks/rpcfirewall
@@ -13,6 +12,7 @@ date: 2022/01/01
 modified: 2022/01/01
 tags:
     - attack.t1087
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml

@@ -3,7 +3,6 @@ id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
 status: experimental
 description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
 references:
-    - https://attack.mitre.org/techniques/T1033/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
     - https://github.com/zeronetworks/rpcfirewall

rules/cloud/aws/aws_ecs_task_definition_backdoor.yml

@@ -8,7 +8,6 @@ description: |
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
     - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
-    - https://attack.mitre.org/techniques/T1525
 author: Darin Smith
 date: 2022/06/07
 tags:

rules/cloud/aws/aws_snapshot_backup_exfiltration.yml

@@ -4,7 +4,6 @@ status: test
 description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
 references:
     - https://www.justice.gov/file/1080281/download
-    - https://attack.mitre.org/techniques/T1537/
 author: Darin Smith
 date: 2021/05/17
 modified: 2021/08/19

rules/cloud/azure/azure_ad_user_added_to_admin_role.yml

@@ -3,7 +3,6 @@ id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
 status: test
 description: User Added to an Administrator's Azure AD Role
 references:
-    - https://attack.mitre.org/techniques/T1098/003/
     - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
 author: Raphaël CALVET, @MetallicHack
 date: 2021/10/04

rules/cloud/azure/azure_federation_modified.yml

@@ -3,7 +3,6 @@ id: 352a54e1-74ba-4929-9d47-8193d67aba1e
 status: experimental
 description: Identifies when an user or application modified the federation settings on the domain.
 references:
-    - https://attack.mitre.org/techniques/T1078
     - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
 author: Austin Songer
 date: 2021/09/06

rules/cloud/azure/azure_mfa_disabled.yml

@@ -3,7 +3,6 @@ id: 7ea78478-a4f9-42a6-9dcd-f861816122bf
 status: experimental
 description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
 references:
-    - https://attack.mitre.org/techniques/T1556/
     - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 author: '@ionsor'
 date: 2022/02/08

rules/linux/auditd/lnx_auditd_audio_capture.yml

@@ -5,7 +5,6 @@ description: Detects attempts to record audio with arecord utility
 references:
     - https://linux.die.net/man/1/arecord
     - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
-    - https://attack.mitre.org/techniques/T1123/
 author: 'Pawel Mazur'
 date: 2021/09/04
 modified: 2022/10/09

rules/linux/auditd/lnx_auditd_clipboard_collection.yml

@@ -6,7 +6,6 @@ description: |
   Xclip has to be installed.
   Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
 references:
-    - https://attack.mitre.org/techniques/T1115/
     - https://linux.die.net/man/1/xclip
     - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
 author: 'Pawel Mazur'

rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml

@@ -6,7 +6,6 @@ description: |
   Xclip has to be installed.
   Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
 references:
-    - https://attack.mitre.org/techniques/T1115/
     - https://linux.die.net/man/1/xclip
 author: 'Pawel Mazur'
 date: 2021/10/01

rules/linux/auditd/lnx_auditd_data_exfil_wget.yml

@@ -5,7 +5,6 @@ description: |
     Detects attempts to post the file with the usage of wget utility.
     The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
 references:
-    - https://attack.mitre.org/tactics/TA0010/
     - https://linux.die.net/man/1/wget
     - https://gtfobins.github.io/gtfobins/wget/
 author: 'Pawel Mazur'

rules/linux/auditd/lnx_auditd_disable_system_firewall.yml

@@ -4,7 +4,6 @@ status: experimental
 description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
-    - https://attack.mitre.org/techniques/T1562/004/
     - https://firewalld.org/documentation/man-pages/firewall-cmd.html
 author: 'Pawel Mazur'
 date: 2022/01/22

rules/linux/auditd/lnx_auditd_hidden_files_directories.yml

@@ -4,7 +4,6 @@ status: test
 description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
-    - https://attack.mitre.org/techniques/T1564/001/
 author: 'Pawel Mazur'
 date: 2021/09/06
 modified: 2022/10/09

rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml

@@ -3,7 +3,6 @@ id: 45810b50-7edc-42ca-813b-bdac02fb946b
 status: test
 description: Detects appending of zip file to image
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
 date: 2021/09/09

rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml

@@ -4,7 +4,6 @@ status: test
 description: Detect attempt to enable auditing of TTY input
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
-    - https://attack.mitre.org/techniques/T1003/
     - https://linux.die.net/man/8/pam_tty_audit
     - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
     - https://access.redhat.com/articles/4409591#audit-record-types-2

rules/linux/auditd/lnx_auditd_load_module_insmod.yml

@@ -6,7 +6,6 @@ description: |
     Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
     Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
 references:
-    - https://attack.mitre.org/techniques/T1547/006/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
     - https://linux.die.net/man/8/insmod
     - https://man7.org/linux/man-pages/man8/kmod.8.html

rules/linux/auditd/lnx_auditd_password_policy_discovery.yml

@@ -4,7 +4,6 @@ status: stable
 description: Detects password policy discovery commands
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
-    - https://attack.mitre.org/techniques/T1201/
     - https://linux.die.net/man/1/chage
     - https://man7.org/linux/man-pages/man1/passwd.1.html
     - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu

rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml

@@ -3,7 +3,6 @@ id: 2625cc59-0634-40d0-821e-cb67382a3dd7
 status: test
 description: Detects a reload or a start of a service.
 references:
-    - https://attack.mitre.org/techniques/T1543/002/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23

rules/linux/auditd/lnx_auditd_screencapture_import.yml

@@ -7,7 +7,6 @@ description: |
   ImageMagick must be installed.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
-    - https://attack.mitre.org/techniques/T1113/
     - https://linux.die.net/man/1/import
     - https://imagemagick.org/
 author: 'Pawel Mazur'

rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml

@@ -4,7 +4,6 @@ status: test
 description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
-    - https://attack.mitre.org/techniques/T1113/
     - https://linux.die.net/man/1/xwd
 author: 'Pawel Mazur'
 date: 2021/09/13

rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml

@@ -3,7 +3,6 @@ id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
 status: test
 description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
 date: 2021/09/11

rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml

@@ -3,7 +3,6 @@ id: a5a827d9-1bbe-4952-9293-c59d897eb41b
 status: test
 description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
 date: 2021/09/11

rules/linux/auditd/lnx_auditd_system_info_discovery.yml

@@ -3,7 +3,6 @@ id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
 status: test
 description: Detects System Information Discovery commands
 references:
-    - https://attack.mitre.org/techniques/T1082/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
 author: 'Pawel Mazur'
 date: 2021/09/03

rules/linux/auditd/lnx_auditd_systemd_service_creation.yml

@@ -3,7 +3,6 @@ id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
 status: experimental
 description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
 references:
-    - https://attack.mitre.org/techniques/T1543/002/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: 'Pawel Mazur'
 date: 2022/02/03

rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml

@@ -3,7 +3,6 @@ id: edd595d7-7895-4fa7-acb3-85a18a8772ca
 status: test
 description: Detects extracting of zip file from image file
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
 date: 2021/09/09