Skip to content

Commit

Permalink
docs: MITRE ATT&CK(R) trademark references removed or adjusted
Browse files Browse the repository at this point in the history
  • Loading branch information
Neo23x0 committed Sep 30, 2020
1 parent c17ca6d commit d3ee1ab
Show file tree
Hide file tree
Showing 7 changed files with 15 additions and 15 deletions.
10 changes: 5 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,11 @@ This repository contains:

[![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

## SANS Webcast on MITRE ATT&CK and Sigma
## SANS Webcast on MITRE ATT&CK® and Sigma

The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)

[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
[MITRE ATT&CK® and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK® and Sigma Alerting")

# Use Cases

Expand Down Expand Up @@ -269,7 +269,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/

## Sigma2attack

Generates a [MITRE ATT&CK Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
Generates a [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.

Requirements:
- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
Expand All @@ -284,7 +284,7 @@ Usage samples:
./tools/sigma2attack --rules-directory ~/hunting/rules
```

Result once imported in the MITRE ATT&CK Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
Result once imported in the MITRE ATT&CK® Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):

![Sigma2attack result](./images/sigma2attack.png)

Expand All @@ -299,7 +299,7 @@ These tools are not part of the main toolchain and maintained separately by thei

# Next Steps

* Integration of MITRE ATT&CK framework identifier to the rule set
* Integration of MITRE ATT&CK® framework identifier to the rule set
* Integration into Threat Intel Exchanges
* Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

Expand Down
2 changes: 1 addition & 1 deletion rules/linux/auditd/lnx_auditd_create_account.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: experimental
description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
author: Marie Euler
date: 2020/05/18
references:
Expand Down
4 changes: 2 additions & 2 deletions rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
title: MITRE BZAR Indicators for ATT&CK Execution
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
author: '@neu5ron, SOC Prime'
date: 2020/03/19
references:
Expand Down
4 changes: 2 additions & 2 deletions rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
title: MITRE BZAR Indicators for ATT&CK Persistence
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
author: '@neu5ron, SOC Prime'
date: 2020/03/19
references:
Expand Down
6 changes: 3 additions & 3 deletions tests/test_rules.py
Original file line number Diff line number Diff line change
Expand Up @@ -349,9 +349,9 @@ def test_invalid_logsource_attributes(self):
print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
def get_mitre_data():
"""
Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data
Generate tags from live MITRE ATT&CK® TAXI service to get up-to-date data
"""
# Get MITRE ATT&CK information
# Get ATT&CK information
lift = attack_client()
# Techniques
MITRE_TECHNIQUES = []
Expand Down Expand Up @@ -394,7 +394,7 @@ def get_mitre_data():

if __name__ == "__main__":
init(autoreset=True)
# Get Current Data from MITRE on ATT&CK
# Get Current Data from MITRE ATT&CK®
MITRE_ALL = get_mitre_data()
# Run the tests
unittest.main()
2 changes: 1 addition & 1 deletion tools/LONG_DESCRIPTION.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@ This package contains the following tools for [Sigma](https://github.com/Neo23x0
* sigmac: the Sigma converter
* merge_sigma: Merge a Sigma collection into a minimal set of Sigma rules
* sigma2misp: Import Sigma rules into MISP
* sigma2attack: Create a MITRE ATT&CK coverage map
* sigma2attack: Create a MITRE ATT&CK® coverage map
* sigma_similarity: Measure similarity of Sigma rules
* sigma_uuid: Check Sigma identifiers
2 changes: 1 addition & 1 deletion tools/sigma/backends/elasticsearch.py
Original file line number Diff line number Diff line change
Expand Up @@ -1228,7 +1228,7 @@ def create_threat_description(self, tactics_list, techniques_list):
"reference": tactic.get("url", ""),
"name": tactic.get("tactic", "")
},
"framework": "MITRE ATT&CK"
"framework": "MITRE ATT&CK®"
}
temp_techniques = list()
for tech in techniques_list:
Expand Down

0 comments on commit d3ee1ab

Please sign in to comment.