-
Notifications
You must be signed in to change notification settings - Fork 7
/
mitre-attck-initial-access-attack-paths.json
326 lines (326 loc) · 14.5 KB
/
mitre-attck-initial-access-attack-paths.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
[
{
"name": "initial-access-content-injection-encrypt-sensitive-information-aws",
"description": "M1041 - Encrypt Sensitive Information - Where possible, ensure that online traffic is appropriately encrypted using SSL/TLS enforcement in AWS.",
"queries": [
{
"name": "query0",
"query": "FIND * WITH _integrationType = 'aws' THAT USES Configuration WITH parameter.ssl != 1 OR parameter.rds.force_ssl != 1",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-content-injection-encrypt-sensitive-information-azure",
"description": "M1041 - Encrypt Sensitive Information - Where possible, ensure that online traffic is appropriately encrypted using SSL/TLS enforcement in Azure.",
"queries": [
{
"name": "query0",
"query": "FIND * WITH _integrationType = 'azure' AND sslEnforced != true OR sslEnforcement != 'Enabled'",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-content-injection-encrypt-sensitive-information-google-cloud",
"description": "M1041 - Encrypt Sensitive Information - Where possible, ensure that online traffic is appropriately encrypted using SSL/TLS enforcement in GCP.",
"queries": [
{
"name": "query0",
"query": "FIND * WITH _integrationType = 'google_cloud' AND sslEnforced != true OR sslEnforcement != 'Enabled'",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-exploit-public-facing-application-exploit-protection-storage",
"description": "M1050 - Exploit Protection - Ensure that public facing instances are not allowed access to non-public S3 buckets.",
"queries": [
{
"name": "query0",
"query": "FIND Internet THAT ALLOWS aws_security_group THAT PROTECTS aws_instance WITH active = true THAT USES aws_iam_role THAT ASSIGNED AccessPolicy THAT ALLOWS (aws_s3|aws_s3_bucket) WITH classification != 'public' ",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-exploit-public-facing-application-exploit-protection",
"description": "M1050 - Exploit Protection - Ensure that public facing instances aren not allowed access to non-public applications.",
"queries": [
{
"name": "query0",
"query": "FIND Internet THAT ALLOWS aws_security_group THAT PROTECTS aws_instance WITH active = true THAT USES aws_iam_role THAT ASSIGNED AccessPolicy THAT ALLOWS (Application|ApplicationEndpoint) WITH classification != 'public'",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-exploit-public-facing-application-network-segmentation",
"description": "M1030 - Network Segmentation - Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.",
"queries": [
{
"name": "query0",
"query": "FIND Network WITH wireless = true THAT (HAS|CONTAINS|CONNECTS|PROTECTS) (Gateway|Firewall) WITH category = 'network' THAT !(CONNECTS|ALLOWS|PERMITS|DENIES|REJECTS) AS rule *",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-exploit-public-facing-application-update-software",
"description": "M1051 - Update Software - Update software regularly by employing patch management for externally exposed applications.",
"queries": [
{
"name": "query0",
"query": "FIND aws_patch_group THAT HAS aws_instance",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-exploit-public-facing-application-vulnerability-scanning-host",
"description": "M1016 - Vulnerability Scanning - Regularly scan externally facing HOSTS for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.",
"queries": [
{
"name": "query0",
"query": "FIND HOST WITH public = true THAT PROTECTS HostAgent WITH function ~= ('av' OR 'anti-malware') AND active = true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-exploit-public-facing-application-vulnerability-scanning-endpoint",
"description": "M1016 - Vulnerability Scanning - Regularly scan externally facing ENDPOINTS for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.",
"queries": [
{
"name": "query0",
"query": "FIND user_endpoint WITH publicIp != undefined THAT PROTECTS HostAgent WITH function=('av' OR 'anti-malware') AND active=true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-external-remote-services-limit-access-to-resources",
"description": "M1035 - Limit Access to Resources Over Network - Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.",
"queries": [
{
"name": "query0",
"query": "FIND (Host | Device | Network) WITH displayName ~= /vpn/i",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-external-remote-services-use-mfa-aws",
"description": "M1035 - Limit Access to Resources Over Network - Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations in AWS.",
"queries": [
{
"name": "query0",
"query": "FIND aws_iam_user WITH mfaEnabled!=true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-external-remote-services-use-mfa-azure",
"description": "M1035 - Limit Access to Resources Over Network - Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations in Azure.",
"queries": [
{
"name": "query0",
"query": "FIND azure_user WITH mfaEnabled!=true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-external-remote-services-use-mfa-google-cloud",
"description": "M1035 - Limit Access to Resources Over Network - Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations in Google cloud.",
"queries": [
{
"name": "query0",
"query": "FIND google_user WITH mfaEnabled!=true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-supply-chain-compromise-boot-integrity",
"description": "M1046 - Boot Integrity - Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
"queries": [
{
"name": "query0",
"query": "FIND google_compute_instance WITH secureBootEnabled != true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-supply-chain-compromise-limit-software-installation",
"description": "M1033 - Limit Software Installation - Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.",
"queries": [
{
"name": "query0",
"query": "FIND github_repo WITH mergeCommitAllowed = true AND visibility = 'PUBLIC'",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-supply-chain-compromise-vulnerability-scanning-sources",
"description": "M1016 - Vulnerability Scanning - Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.",
"queries": [
{
"name": "query0",
"query": "FIND CodeRepo THAT !SCANS << *",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-use-policies",
"description": "M1036 - Account Use Policies - Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.",
"queries": [
{
"name": "query0",
"query": "FIND Device THAT !ALLOWS AccessPolicy",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-mfa-configuration-general",
"description": "M1015 - Active Directory Configuration - Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.",
"queries": [
{
"name": "query0",
"query": "FIND Account WITH mfaEnabled != true AND active = true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-mfa-configuration-google-cloud",
"description": "M1015 - Active Directory Configuration - Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.",
"queries": [
{
"name": "query0",
"query": "FIND google_user WITH mfaEnabled != true OR isEnrolledIn2Sv != true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-password-policies-password-update",
"description": "M1027 - Password Policies - When possible, passwords should be updated periodically.",
"queries": [
{
"name": "query0",
"query": "FIND aws_iam_user WITH passwordLastChanged < date.now - 30 days",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-password-policies-reuse-general",
"description": "M1027 - Password Policies - Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.",
"queries": [
{
"name": "query0",
"query": "FIND PasswordPolicy WITH historyCount < 10 OR historyCount=undefined",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-password-policies-google-cloud",
"description": "M1027 - Password Policies - Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.[72] When possible, applications that use SSH keys should be updated periodically and properly secured in google cloud.",
"queries": [
{
"name": "query0",
"query": "FIND google_user WITH createdOn > date.now-7days AND changePasswordAtNextLogin = false",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-password-policies-aws",
"description": "M1027 - Password Policies - Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.[72] When possible, applications that use SSH keys should be updated periodically and properly secured in aws.",
"queries": [
{
"name": "query0",
"query": "FIND aws_iam_user WITH createdOn < date.now - 7 days and passwordLastChanged < date.now - 7days",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-password-policies-azure",
"description": "M1027 - Password Policies - Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.[72] When possible, applications that use SSH keys should be updated periodically and properly secured in azure.",
"queries": [
{
"name": "query0",
"query": "FIND azure_user WITH createdOn < date.now - 7 days AND passwordLastChanged < date.now - 7days",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-user-account-management-google-cloud",
"description": "M1018 - User Account Management - Regularly audit user accounts for activity and deactivate or remove any that are no longer needed in google cloud.",
"queries": [
{
"name": "query0",
"query": "FIND google_user WITH lastLogOn < date.now-90days AND active != true",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "initial-access-valid-accounts-user-account-management-aws",
"description": "M1018 - User Account Management - Regularly audit user accounts for activity and deactivate or remove any that are no longer needed in aws.",
"queries": [
{
"name": "query0",
"query": "FIND aws_iam_user WITH passwordEnabled = true AND passwordLastUsed < date.now-90days",
"version": "v1"
}
],
"alertLevel": "MEDIUM"
},
{
"name": "initial-access-valid-accounts-user-account-management-general",
"description": "M1018 - User Account Management - Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.",
"queries": [
{
"name": "query0",
"query": "FIND * WITH lastLogin < date.now - 90 days",
"version": "v1"
}
],
"alertLevel": "HIGH"
}
]