├── NSM_Rules.json ├── README.md ├── T1003 └── README.md ├── T1028 └── README.md ├── T1035 └── README.md ├── T1046 └── README.md ├── T1047 └── README.md ├── T1085 └── README.md ├── T1086 └── README.md ├── T1100 └── README.md ├── T1105 └── README.md └── T1175 └── README.md /NSM_Rules.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "NSM Rules", 3 | "version": "2.1", 4 | "domain": "mitre-enterprise", 5 | "description": "", 6 | "filters": { 7 | "stages": [ 8 | "act" 9 | ], 10 | "platforms": [ 11 | "windows", 12 | "linux", 13 | "mac" 14 | ] 15 | }, 16 | "sorting": 0, 17 | "viewMode": 0, 18 | "hideDisabled": false, 19 | "techniques": [ 20 | { 21 | "techniqueID": "T1028", 22 | "tactic": "execution", 23 | "color": "#31a354", 24 | "comment": "", 25 | "enabled": true, 26 | "metadata": [] 27 | }, 28 | { 29 | "techniqueID": "T1028", 30 | "tactic": "lateral-movement", 31 | "color": "#31a354", 32 | "comment": "", 33 | "enabled": true, 34 | "metadata": [] 35 | }, 36 | { 37 | "techniqueID": "T1047", 38 | "tactic": "execution", 39 | "color": "#31a354", 40 | "comment": "", 41 | "enabled": true, 42 | "metadata": [] 43 | }, 44 | { 45 | "techniqueID": "T1085", 46 | "tactic": "defense-evasion", 47 | "color": "#fdae6b", 48 | "comment": "", 49 | "enabled": true, 50 | "metadata": [] 51 | }, 52 | { 53 | "techniqueID": "T1085", 54 | "tactic": "execution", 55 | "color": "#fdae6b", 56 | "comment": "", 57 | "enabled": true, 58 | "metadata": [] 59 | }, 60 | { 61 | "techniqueID": "T1100", 62 | "tactic": "persistence", 63 | "color": "#31a354", 64 | "comment": "", 65 | "enabled": true, 66 | "metadata": [] 67 | }, 68 | { 69 | "techniqueID": "T1100", 70 | "tactic": "privilege-escalation", 71 | "color": "#31a354", 72 | "comment": "", 73 | "enabled": true, 74 | "metadata": [] 75 | }, 76 | { 77 | "techniqueID": "T1046", 78 | "tactic": "discovery", 79 | "color": "#31a354", 80 | "comment": "", 81 | "enabled": true, 82 | "metadata": [] 83 | }, 84 | { 85 | "techniqueID": "T1003", 86 | "tactic": "credential-access", 87 | "color": "#31a354", 88 | "comment": "", 89 | "enabled": true, 90 | "metadata": [] 91 | }, 92 | { 93 | "techniqueID": "T1175", 94 | "tactic": "lateral-movement", 95 | "color": "#31a354", 96 | "comment": "", 97 | "enabled": true, 98 | "metadata": [] 99 | }, 100 | { 101 | "techniqueID": "T1086", 102 | "tactic": "execution", 103 | "color": "#31a354", 104 | "comment": "", 105 | "enabled": true, 106 | "metadata": [] 107 | }, 108 | { 109 | "techniqueID": "T1105", 110 | "tactic": "command-and-control", 111 | "color": "#31a354", 112 | "comment": "", 113 | "enabled": true, 114 | "metadata": [] 115 | }, 116 | { 117 | "techniqueID": "T1105", 118 | "tactic": "lateral-movement", 119 | "color": "#31a354", 120 | "comment": "", 121 | "enabled": true, 122 | "metadata": [] 123 | }, 124 | { 125 | "techniqueID": "T1035", 126 | "tactic": "execution", 127 | "color": "#31a354", 128 | "comment": "", 129 | "enabled": true, 130 | "metadata": [] 131 | } 132 | ], 133 | "gradient": { 134 | "colors": [ 135 | "#ff6666", 136 | "#ffe766", 137 | "#8ec843" 138 | ], 139 | "minValue": 0, 140 | "maxValue": 100 141 | }, 142 | "legendItems": [ 143 | { 144 | "color": "#31a354", 145 | "label": "Covered" 146 | }, 147 | { 148 | "color": "#fdae6b", 149 | "label": "Limitations due to source" 150 | }, 151 | { 152 | "color": "#ffe766", 153 | "label": "Partly covered" 154 | } 155 | ], 156 | "metadata": [], 157 | "showTacticRowBackground": false, 158 | "tacticRowBackground": "#8ec843", 159 | "selectTechniquesAcrossTactics": true 160 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Mapping NSM rules to MITRE ATT&CK Techniques 2 | 3 | ## About 4 | 5 | The idea behind this project is to categorize and develop, where feasible, Suricata *(and general NSM)* rules by mapping them against the [MITRE ATT&CK framework](https://attack.mitre.org). 6 | 7 | ### How does it work? 8 | 9 | Each technique has its own folder. Inside the folder, one of two things can happen: 10 | 11 | * We will link to existing rules from known rulesets if a rule already exists 12 | * We will share the rule in the format used by Suricata 13 | 14 | **The following rulesets are currently considered by this project:** 15 | 16 | * [Emerging Threats Open](https://rules.emergingthreats.net/open/suricata-4.0/) 17 | * Emerging Threats Pro 18 | 19 | ## Have something to share? 20 | 21 | Feel free to reach out to me via Twitter ([@0xtf](https://twitter.com/0xtf)) if you have some rules you'd like to share or comments/questions/tips. 22 | 23 | ## MITRE ATT&CK Navigator 24 | 25 | Browse supported techniques using [this URL](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2F0xtf%2Fnsm-attack%2Fmaster%2FNSM_Rules.json). 26 | 27 | ## Sponsorship 28 | 29 | 30 | 31 | If you're interested in working in this project, [3CORESec](https://3coresec.com) has a sponsorship program that allows you to get paid for your contributions to open source projects. 32 | 33 | [Get in touch](https://3coresec.com/contact.html) for more information! 34 | -------------------------------------------------------------------------------- /T1003/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | -------------------------------------------------------------------------------------------------- | --------- | 5 | | ET Open | 2027435 | ET ATTACK\_RESPONSE Windows 64bit procdump Dump File Exfiltration | NO | 6 | | ET Open | 2027436 | ET ATTACK\_RESPONSE Windows 32bit procdump Dump File Exfiltration | NO | 7 | | ET Open | 2029330 | ET MALWARE Mimikatz x86 Executable Transfer Over SMB | NO | 8 | | ET Open | 2029331 | ET MALWARE Mimikatz x64 Executable Transfer Over SMB | NO | 9 | | ET Open | 2029332 | ET MALWARE Mimikatz x86 Mimidrv.sys File Transfer Over SMB | NO | 10 | | ET Open | 2029333 | ET MALWARE Mimikatz x64 Mimidrv.sys File Transfer Over SMB | NO | 11 | | ET Open | 2029334 | ET MALWARE Mimikatz x86 Executable Download Over HTTP | NO | 12 | | ET Open | 2029335 | ET MALWARE Mimikatz x64 Executable Download Over HTTP | NO | 13 | | ET Open | 2029336 | ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP | NO | 14 | | ET Open | 2029337 | ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP | NO | 15 | | ET Open | 2010783 | ET EXPLOIT GsecDump executed | NO | 16 | 17 | # Notes 18 | 19 | * Credential Dumping - [T1003](https://attack.mitre.org/techniques/T1003/) 20 | 21 | # Packet capture example: 22 | 23 | ``` 24 | ``` 25 | -------------------------------------------------------------------------------- /T1028/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | --------------------------------------------------------------------------------- | --------- | 5 | | ET Open | 2026849 | ET POLICY WinRM wsman Access - Possible Lateral Movement | Yes | 6 | | ET Open | 2026850 | ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement | Yes | 7 | 8 | # Notes 9 | 10 | * Windows Remote Management - [T1028](https://attack.mitre.org/techniques/T1028/) 11 | 12 | # Packet capture 13 | 14 | -------------------------------------------------------------------------------- /T1035/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | ----------------------------------------------------------------------------- | --------- | 5 | | ET Open | 2026879 | ET POLICY Possible winexe over SMB - Possible Lateral Movement | YES | 6 | | ET Open | 2010781 | ET POLICY PsExec service created | YES | 7 | 8 | # Notes 9 | 10 | * Service Execution - [T1035](https://attack.mitre.org/techniques/T1035/) 11 | 12 | Coverage of this technique is limited to the software/user agent/identifiers mapped above and when done over the network. 13 | 14 | # Packet capture example: 15 | 16 | **2026879** 17 | 18 | ``` 19 | 1.0...0...2...6.....W.O.R.K.G.R.O.U.P.A.d.m.i.n.i.s.t.r.a.t.o.r.K.A.L.I...._1B..tM.BcrV.........&.$..:.......U.n.i.x...S.a.m.b.a. .4...9...4.-.D.e.b.i.a.n..... 20 | ``` 21 | **2010781** 22 | 23 | ``` 24 | P.s.E.x.e.c. .S.e.r.v.i.c.e.....(.....F.i.l.e.V.e.r.s.i.o.n.....2...2...H.....I.n.t.e.r.n.a.l.N.a.m.e...P.s.E.x.e.c. .S.e.r.v.i.c.e. .H.o.s.t...v.)...L.e.g.a.l.C.o.p.y.r.i.g.h.t...C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.1.-.2.0.1.6. .M.a.r.k. .R.u.s.s.i.n.o.v.i.c.h.....B. 25 | ``` 26 | -------------------------------------------------------------------------------- /T1046/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | --------------------------------------------------------------------------------- | --------- | 5 | | ET Open | * | ET SCAN * | Yes | 6 | | ET Open | * | GPL SCAN * | Yes | 7 | 8 | # Notes 9 | 10 | * Network Service Scanning - [T1046](https://attack.mitre.org/techniques/T1046/) 11 | 12 | ET Open has several signatures, updated regularly, for the detection of this technique. All signatures are labeled as **ET SCAN A** or **GPL SCAN A**, where A equals the name of a particular service or scanning tool. 13 | 14 | Examples: 15 | 16 | - 2101638 - GPL SCAN SSH Version map attempt 17 | - 2100321 - GPL SCAN Finger Account Enumeration Attempt 18 | - 2024364 - ET SCAN Possible Nmap User-Agent Observed 19 | - 2023687 - ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri 20 | -------------------------------------------------------------------------------- /T1047/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | --------------------------------------------------------------------------------- | --------- | 5 | | ET Open | 2025726 | ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement | No | 6 | 7 | # Notes 8 | 9 | * Windows Management Instrumentation - [T1047](https://attack.mitre.org/techniques/T1047/) 10 | 11 | Coverage of this technique is limited to the software/user agent/identifiers mapped above and when done over the network. 12 | 13 | # Packet capture example: 14 | 15 | **2025726** 16 | 17 | ``` 18 | ``` 19 | -------------------------------------------------------------------------------- /T1085/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | --------------------------------------------------------------------------------- | --------- | 5 | | ET Open | 2025725 | ET POLICY RunDll Request Over SMB - Likely Lateral Movement | Yes | 6 | 7 | # Notes 8 | 9 | * Rundll32 - [T1085](https://attack.mitre.org/techniques/T1085/) 10 | 11 | Coverage of this technique is limited to the software/user agent/identifiers mapped above and when done over the network. 12 | 13 | # Packet capture example 14 | 15 | **2025725** 16 | 17 | ``` 18 | ..^..!.PV.N...E...8{@............#."....m@.Z..P...\...(.\.d.{.1.,.2.}.\...\.d.{.1.,.2.}.\...\.d.{.1.,.4.}.\...\.d.{.1.,.4.}.\.\.*.).?.....\...D.i.s.p.l.a.y.L.i.n.k. .C.o.r.e. .S.o.f.t.w.a.r.e.\.....@@AAAAAAAAAAAAAAAAAAAAAOI9kB9bTDzsuPUImOKJyecMhHPCH7DRHyOz7G4lgcYW45ZU100QKxr0Wsh1Hmtatg==@@....@@AAAAAAAAAAAAAAAAAAAAAERBTlifQmf1fz1vxjiciD8vRlxlEgpXPezQY83v72BU6SGNQ7VDUVvS7Rrgsg8RTA==@@....dl::tk::installer::updateProductsUninstallString....R.u.n.D.l.l.3.2...e.x.e. .".....@@AAAAAAAAAAAAAAAAAAAAAIOcja9jf6b/gJx97HR2oqM=@@....H.K.L.M.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.U.n.i.n.s.t.a.l.l.......O.@@AAAAAAAAAAAAAAAAAAAAAHAsyHoA8y5s8AaQ+7Q9drNdgXbs/96rcTUVfoJcA/1z@@....@@AAAAAAAAAAAAAAAAAAAAAERBTlifQmf1fz1vxjiciD8vRlxlEgpXPezQY83v72BU6SGNQ7VDUVvS7Rrgsg8RTA==@@....I.n.s.t.a.l.l.e.r.A.p.i...d.l.l.".,.d.l.R.e.m.o.v.e.P.r.o.d.u.c.t. .....I.n.s.t.a.l.l.e.r.A.p.i...d.l.l.".,.d.l.R.e.m.o.v.e.P.r.o.d.u.c.t. .....R.u.n.D.l.l.3.2...e.x.e. .".....@@AAAAAAAAAAAAAAAAAAAAAERBTlifQmf1fz1vxjiciD8vRlxlEgpXPezQY83v72BU6SGNQ7VDUVvS7Rrgsg8RTA==@@....@@AAAAAAAAAAAAAAAAAAAAAE+1gMTpfleKlBCJyzpIKZ5j3fxUO/pJYL5293oBLMQzq9Qdjx+wye3TD1UHGpIb1jbZDZBotgn4KlmC17n+Lpg=@@....D.e.f.a.u.l.t.P.r.o.d.u.c.t.........@@AAAAAAAAAAAAAAAAAAAAAERBTlifQmf1fz1vxjiciD8vRlxlEgpXPezQY83v72BU6SGNQ7VDUVvS7Rrgsg8RTA==@@....L.o.c.a.l.\.D.i.s.p.l.a.y.L.i.n.k.S.e.t.u.p.P.r.e.v.I.n.s.t.a.n.c.e.D.e.t.e.c.t.o.r.....C.u.s.t.o.m.A.c.t.i.o.n.D.a.t.a.........V.e.r.s.i.o.n.S.t.r.i.n.g...V.e.r.s.i.o.n.S.t.r.i.n. 19 | ``` 20 | -------------------------------------------------------------------------------- /T1086/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | --------------------------------------------------------------------------------------------- | --------- | 5 | | ET Pro | 2027168 | ET POLICY Powershell Activity Over SMB - Likely Lateral Movement | Yes | 6 | | ET Pro | 2027169 | ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement | Yes | 7 | | ET Pro | 2027170 | ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement | Yes | 8 | | ET Pro | 2027171 | ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement| Yes | 9 | | ET Pro | 2027172 | ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement | Yes | 10 | | ET Pro | 2027173 | ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement | Yes | 11 | | ET Pro | 2025704 | ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File | Yes | 12 | | ET Pro | 2025705 | ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File | Yes | 13 | 14 | # Notes 15 | 16 | * PowerShell - [T1086](https://attack.mitre.org/techniques/T1086/) 17 | 18 | # Packet capture 19 | 20 | **2027168** 21 | 22 | ``` 23 | ``` 24 | -------------------------------------------------------------------------------- /T1100/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | --------------------------------------------------------------------------------- | --------- | 5 | | ET Open | * | ET WEB_SERVER ATTACKER WebShell | Yes | 6 | 7 | # Notes 8 | 9 | * Web Shell - [T1100](https://attack.mitre.org/techniques/T1100/) 10 | 11 | ET Open has several signatures, updated regularly, for the detection of this technique. All signatures are labeled as **ET WEB_SERVER ATTACKER WebShell A**, where A equals the name of a particular shell or attack. 12 | 13 | **Examples:** 14 | 15 | * 2020096 - ET WEB_SERVER ATTACKER WebShell - 1337w0rm - Landing Page 16 | * 2020555 - ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded 17 | -------------------------------------------------------------------------------- /T1105/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | -------------------------------------------------------------------------------------------------- | --------- | 5 | | ET Open | 2027267 | ET ATTACK\_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory | Yes | 6 | 7 | # Notes 8 | 9 | * Remote File Copy - [T1105](https://attack.mitre.org/techniques/T1105/) 10 | 11 | Coverage of this technique is limited to the software/user agent/identifiers mapped above and when done over the network. 12 | 13 | # Packet capture example: 14 | 15 | **2027267** 16 | 17 | ``` 18 | ..)!~a..^.."..E.....@...^.............I30.....P....s.......SMB@...............................-..................Hm<...R.l9.......................................@...x.:.........W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.s.q.l.s.r.v.3.2...d.l.l. 19 | ``` 20 | -------------------------------------------------------------------------------- /T1175/README.md: -------------------------------------------------------------------------------- 1 | # Mappings 2 | 3 | | Rules | SID | Signature | Verified | 4 | | --------- | --------- | ------------------------------------------------------------------------------ | --------- | 5 | | ET Pro | 2027190 | ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement | Yes | 6 | | ET Pro | 2027189 | ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement | Yes | 7 | | ET Open | 2021616 | ET TROJAN PSEmpire Checkin via POST | Yes | 8 | 9 | # Notes 10 | 11 | * Distributed Component Object Model - [T1175](https://attack.mitre.org/techniques/T1175/) 12 | 13 | # Packet capture 14 | 15 | **2027190** 16 | 17 | ``` 18 | ..^.."...S....E...j.@.@......y........l\.n{NU.....H.........fo....x...........`...........H...........0...........N...!...&...{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}......vk..J...................S.h.e.l.l. .E.x.e.c.u.t.e. .H.a.r.d.w.a.r.e. .E.v.e.n.t. .H.a.n.d.l.e.r.............X...........vk..N...x...........AppID.......{.F.F.B.8.6.5.5.F.-.8.1.B.9.-.4.f.c.e.-.B.8.9.C.-.9.A.6.B.A.7.6.D.1.3.E.7.}.............nk .E..Oe.......h.......................X...................................LocalServer32.......vk......H...............%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e. .%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.S.H.C.r.e.a.t.e.L.o.c.a.l.S.e.r.v.e.r.R.u.n.D.l.l. .{.F.F.B.8.6.5.5.F.-.8.1.B.9.-.4.f.c.e.-.B.8.9.C.-.9.A.6.B.A.7.6.D.1.3.E.7.}.......0.......lh..............u..TH....s.Q....nk .E..Oe.......h.......................@.......................F...........ProgID......vk..F...................S.h.e.l.l...H.W.E.v.e.n.t.H.a.n.d.l.e.r.S.h.e.l.l.E.x.e.c.u.t.e...1.....................nk .E..Oe.......h...............................................B...........VersionIndependentProgID....vk..B..............T....S.h.e.l.l...H.W.E.v.e.n.t.H.a.n.d.l.e.r.S.h.e.l.l.E.x.e.c.u.t.e.................nk .E..Oe.......x...........X.......................,...........:...!...&...{FFC9F9AE-E87A-3252-8E25-B22423A40065}......vk..:...................S.y.s.t.e.m...T.h.r.e.a.d.S.t.a.t.i.c.A.t.t.r.i.b.u.t.e.................nk .E..Oe....................................... 19 | ``` 20 | --------------------------------------------------------------------------------