# Looking beyond the details: understand attack 'storylines' with MITRE tags

## Introduction

Today's compute environments are typically well monitored by multiple different network- and host-based sensors, producing a large number of events and alerts even after careful tuning.
In the case of a complex attack chain, where an attacker is able to break into an internal system and move to other systems, gain privileges and get access to data, different alerts will be created during the attacker's activities.
While the detailed monitoring is great for catching and mitigating very specific attack steps, it can be hard to get the bigger picture of the attack operation and understand the overall goals (and results) of the attack.

In the following, we explore one possible way to abstract from the details to a higher-level understanding of an attack chain and expose the 'storyline' of the attack with the help of MITRE tags, complementary to the lower-level details of alerts.
The [MITRE ATT&CK®](https://attack.mitre.org/) framework defines a "globally-accessible knowledge base of adversary tactics and techniques based on real-world observations", i.e., it describes the different kinds of possible attack steps in a systematic way, independent of any particular tool. For each of the documented techniques/sub-techniques, MITRE ATT&CK includes textual context, examples, mitigations, detections and references.
It is structured into a set of 14 high-level tactics, like reconnaissance, initial access, privilege escalation etc., each of which is comprised of many techniques and sub-techniques in a hierarchical fashion.

One concrete example for illustration is [Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/) with the MITRE tag T1059.001. It describes the potential abuse of PowerShell by adversaries for the execution of malicious tasks. The tag T1059.001 indicates that this is sub-technique 1 of the technique [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/), which in turn is part of the high-level tactic [Execution](https://attack.mitre.org/tactics/TA0002/).

Particularly important is that this effort is independent of any specific tool and thereby can be used to understand attack steps across multiple tools. Support for tagging tool-specific alerts with MITRE tags is in many cases under way or already available.

Intuition suggests that a more complex attack chain will have some typical sequence of phases at a higher level, proceeding perhaps in a progression like discovery → initial access → privilege escalation → data exfiltration → persistence (although in general this will not be a strict sequence of phases, as an attacker might skip or repeat phases, e.g., after further lateral movement).

To test and illustrate this approach we have created a small test environment. In this setup, we use a known, scripted attack scenario while observing the environment with multiple sensors and collecting the alerts generated by the sensors. Instead of looking at the details of these alerts, we go in the opposite direction here, abstracting from the low-level, detailed alerts to look only at the timeline of the MITRE tags associated with the alerts.
## Experimental setup

[Figure: test environment]

The small environment that we use for testing is shown in the above figure: the blue parts are the 'productive' components, comprised of a web application `juice-shop`, a MySQL server and an MS Windows server. The web application we use is the intentionally vulnerable web shop created by the [OWASP](https://owasp.org/) team called [Juice Shop](https://owasp.org/www-project-juice-shop) for testing and learning. We use it on a Linux VM and on the Windows VM as an easy way for us to create an attack scenario targeting some of the known vulnerabilities of the Juice Shop.
In addition, there are a small number of VMs that act as simulated users of the web shop in order to create 'normal' background traffic.

The monitoring components are shown in green: we monitor the Linux VMs with SysFlow, the network is monitored by Snort, and for the Windows server we have a setup that feeds Sysmon events through Winlogbeat into an instance of [HELK](https://github.com/Cyb3rWard0g/HELK). In this article, we only look at alerts (rather than the base telemetry events produced by SysFlow/Sysmon) that are generated by a TTP ruleset on the SysFlow side and the set of [Sigma](https://github.com/SigmaHQ/sigma) rules on the Sysmon side. The alerts based on the Sysmon events are in this setting created by [ElastAlert](https://github.com/Yelp/elastalert), which is part of the HELK package and is configured to use the set of Sigma rules.
With regard to the current availability of MITRE tags:
- the TTP ruleset used by SysFlow already contains MITRE tags, and the team is continually extending the existing list
- Sigma rules are also already enriched with MITRE tags that we can use in ElastAlert
- Snort rules currently have no MITRE tags attached; in this case we manually added MITRE tag information to selected rules.

Our setup also contains a transformation of the alerts into the [Elastic Common Schema (ECS)](https://www.elastic.co/what-is/ecs/) format for normalisation as part of the pipeline before they are collected in two instances of ElasticSearch.

For SysFlow, this capability to convert events and alerts to the ECS format and store them in ElasticSearch was added in version 0.3.0; you can find details about it in the [blog](https://sysflow.io/2021/08/20/elk-integration.html) together with a detailed [demonstration](https://github.com/sysflow-telemetry/sf-deployments/tree/dev/integrations/elk).

The figure below shows the attack scenario that we created as a scripted way to run a complex attack in a reproducible manner: it contains steps from reconnaissance, like nmap scans, uses some of the known intentional vulnerabilities of the OWASP Juice Shop to break into the web shop, attacks the database server from this foothold and exfiltrates data from it. As a next step, the attacker moves laterally to the Windows server, where the attack succeeds in installing an additional user and a persistent backdoor with OpenSSH.
[Figure: scripted attack scenario]

## Create MITRE tactics timeline from ECS alert data

### Define mapping MITRE tag → MITRE tactic

The alerts received from our sensors contain MITRE tags like T1059.001, but from this tag alone we do not know the MITRE tactic it belongs to, as there is no strict hierarchy: a MITRE technique can belong to multiple tactics.
Luckily there is an API for the MITRE ATT&CK data that we can use to resolve the tag to the tactic(s) it belongs to.

To achieve this we first download the information about all techniques via the API and then build a mapping `tag2tactics` from each tag to the tactics it belongs to.
```python
# --- imports as required
import json, os, collections, datetime
import pandas as pd
from taxii2client.v20 import Server, Collection
from stix2 import TAXIICollectionSource, Filter
import plotly.graph_objects as go
import plotly as pl
import plotly.io as pio
pio.renderers.default = 'iframe'
```

```python
# ----- download the ATT&CK data via its API
def download_MITRE_data():
    # see https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via

    # Instantiate server and get API Root
    server = Server("https://cti-taxii.mitre.org/taxii/")
    api_root = server.api_roots[0]

    # Print name and ID of all ATT&CK technology-domains available as collections
    for collection in api_root.collections:
        print(collection.title + ": " + collection.id)

    # Establish TAXII2 Collection instance for Enterprise ATT&CK collection
    collection = Collection("https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/")

    # Supply the collection to TAXIICollection
    tc_source = TAXIICollectionSource(collection)

    # Fetch information about the techniques
    techniques = tc_source.query([Filter("type", "=", "attack-pattern")])
    return techniques

# ----- create a Python dict 'tag2tactics' containing the mapping
def get_mitre_tag(technique):
    # the ATT&CK id (e.g. T1059.001) is the external_id of the reference whose source_name is 'mitre-attack'
    external_refs = technique.get('external_references', [])
    mitre_tags = list(map(lambda x: x.get('external_id'),
                          filter(lambda x: x.get('source_name') == 'mitre-attack', external_refs)
                          ))
    if len(mitre_tags) == 1: return mitre_tags[0]
    print(f'WARN: more than one or no mitre_tags found: mitre_tags = {mitre_tags}')
    return None

def get_tactics(technique):
    # the tactics of a technique are encoded as the phases of the 'mitre-attack' kill chain
    kill_chain_phases = technique.get('kill_chain_phases', [])
    tactics = list(map(lambda x: x.get('phase_name'),
                       filter(lambda x: x.get('kill_chain_name') == 'mitre-attack', kill_chain_phases)
                       ))
    return tactics

def define_tag_tactic_mapping(techniques):
    tag2tactics = {}
    for technique in techniques:
        mitre_tag = get_mitre_tag(technique)
        if mitre_tag is None:
            continue   # no usable ATT&CK id: skip rather than storing the tactics under the key None
        tactics = get_tactics(technique)
        tag2tactics[mitre_tag] = tactics
    return tag2tactics

# ----- create dictionary with mapping MITRE tag → MITRE tactics
techniques = download_MITRE_data()
tag2tactics = define_tag_tactic_mapping(techniques)
print(f'Found {len(tag2tactics)} different MITRE tags and created mapping to corresponding tactics in the dictionary tag2tactics.')
```

Output:

```text
Enterprise ATT&CK: 95ecc380-afe9-11e4-9b6c-751b66dd541e
PRE-ATT&CK: 062767bd-02d2-4b72-84ba-56caef0f8658
Mobile ATT&CK: 2f669986-b40b-4423-b720-4396ca6a462b
ICS ATT&CK: 02c3ef24-9cd4-48f3-a99f-b74ce24f1d34
[taxii2client.v20] [WARNING ] [2022-02-03 17:12:18,042] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-02-03 17:12:18,095] TAXII Server Response with different amount of objects! Setting per_request=707
Found 707 different MITRE tags and created mapping to corresponding tactics in the dictionary tag2tactics.
```

Please note that a MITRE tag can be associated with multiple tactics, so this is a one-to-many relationship.

### Load alert data

As recreating our test environment is beyond the scope of this article, we provide the alert data that we collected during the run of the attack here as JSON files, which we load in this step into a combined list `alert_data`.
```python
# --- loading the alert data collected in our test environment while running the scripted attack
data_dir = './data/mitre-tag-timeline/'
data_files = ['elastic_snort.json', 'elastic_elastalert.json', 'elastic_sysflow.json']

alert_data = []
for data_file in data_files:
    # --- load the JSON file with the alerts
    with open(data_dir + data_file, 'r') as inp:
        _data = json.load(inp)
    # --- add selected parts (tags, ECS event.* fields) of each alert to alert_data
    alert_data.extend(list(map(lambda x: {'tags': x['tags'],
                                          'event.start': x['event'].get('start', None),
                                          'event.created': x['event'].get('created', None),
                                          'event.reason': x['event']['reason'],
                                          'event.severity': x['event']['severity'],
                                          'event.category': x['event']['category'],
                                          'event.action': x['event']['action'],
                                          'source_file': data_file}, _data)))
```

### Combine alert data with MITRE tactics using the mapping

With the observed alerts in `alert_data`, we use our previously generated `tag2tactics` dictionary to add the tactic(s) corresponding to the MITRE tags to the alerts.
As each alert can have multiple tags, and each MITRE tag in turn can belong to multiple tactics, we have to duplicate the alert info accordingly to account for multiple related tactics.
The enriched data is then converted to a pandas DataFrame `alert_data_tactics` while unifying the timestamps, which come from different columns.
```python
# --- use tags to add tactics: as there can be multiple tags per alert as well as multiple tactics for a tag,
#     create copies of the alert as required
alert_data_tactics = []
for alert in alert_data:
    tags = alert['tags']
    all_tactics = set()
    for tag in tags:
        # tags arrive as 'mitre:T1018' or lower-case 'mitre:t1049' (ElastAlert); normalise to the ATT&CK id used as key
        tactics = tag2tactics[tag.replace('mitre:', '').upper()]
        for tactic in tactics:
            all_tactics.add(tactic)
    for tactic in all_tactics:
        alert['tactic'] = tactic
        alert_data_tactics.append(alert.copy())
# --- convert data to pandas DataFrame
alert_data_tactics = pd.DataFrame(alert_data_tactics)
# --- depending on source file, the timestamps are in different columns ('event.start' vs 'event.created')
#     create a fixed 'timestamp' column instead; the [:23] slice keeps millisecond precision and drops any suffix
alert_data_tactics['timestamp'] = alert_data_tactics.apply(
    lambda row: datetime.datetime.fromisoformat(row['event.start'][:23]) if row['event.start']
    else datetime.datetime.fromisoformat(row['event.created'][:23]), axis=1)
del alert_data_tactics['event.start']
del alert_data_tactics['event.created']
alert_data_tactics = alert_data_tactics.sort_values('timestamp').reset_index(drop=True)
```

At this point, the list of alerts with MITRE tactics contains 37 entries:

|    | tags | event.reason | event.severity | event.category | event.action | source_file | tactic | timestamp |
|---|---|---|---|---|---|---|---|---|
| 0 | [mitre:T1018] | Possible Nmap ping sweep | 0 | network | Detection of a Network Scan | elastic_snort.json | discovery | 2021-11-29 10:32:30.544 |
| 1 | [mitre:T1018] | Possible Nmap ping sweep | 0 | network | Detection of a Network Scan | elastic_snort.json | discovery | 2021-11-29 10:32:30.544 |
| 2 | [mitre:T1018] | Possible Nmap ping sweep | 0 | network | Detection of a Network Scan | elastic_snort.json | discovery | 2021-11-29 10:32:30.832 |
| 3 | [mitre:T1018] | Possible Nmap ping sweep | 0 | network | Detection of a Network Scan | elastic_snort.json | discovery | 2021-11-29 10:32:30.832 |
| 4 | [mitre:T1046] | TCP Port Scanning - probing closed port | 0 | network | Detection of a Network Scan | elastic_snort.json | discovery | 2021-11-29 10:32:31.405 |
| 5 | [mitre:T1046] | TCP Port Scanning | 0 | network | Detection of a Network Scan | elastic_snort.json | discovery | 2021-11-29 10:32:31.408 |
| 6 | [mitre:T1190] | SQL Injection attempt | 2 | network | Web Application Attack | elastic_snort.json | initial-access | 2021-11-29 10:32:34.172 |
| 7 | [mitre:T1068] | Possible SSTI attack | 2 | network | Web Application Attack | elastic_snort.json | privilege-escalation | 2021-11-29 10:32:40.593 |
| 8 | [mitre:T1059.004] | Node process starts shell | 2 | process | process-start | elastic_sysflow.json | execution | 2021-11-29 10:32:40.803 |
| 9 | [mitre:T1059.004] | Reverse Unix shell started | 2 | process | process-start | elastic_sysflow.json | execution | 2021-11-29 10:32:40.805 |
| 10 | [mitre:T1059.004] | Node process starts shell | 2 | process | process-start | elastic_sysflow.json | execution | 2021-11-29 10:32:40.808 |
| 11 | [mitre:T1033] | System Owner/User Discovery | 1 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:32:40.982 |
| 12 | [mitre:T1082] | System Information Discovery | 0 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:32:45.073 |
| 13 | [mitre:T1057] | Process Discovery | 1 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:32:51.837 |
| 14 | [mitre:T1083] | File and Directory Discovery | 1 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:32:56.332 |
| 15 | [mitre:T1049] | System Network Connections Discovery | 1 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:33:02.389 |
| 16 | [mitre:T1087.001] | Account Discovery - Local Account | 2 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:33:08.324 |
| 17 | [mitre:T1018] | Remote System Discovery | 1 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:33:20.998 |
| 18 | [mitre:T1083] | File and Directory Discovery | 1 | process | process-start | elastic_sysflow.json | discovery | 2021-11-29 10:33:27.290 |
| 19 | [mitre:T1222.002] | Linux and Mac File and Directory Permissions M... | 1 | process | process-start | elastic_sysflow.json | defense-evasion | 2021-11-29 10:33:47.689 |
| 20 | [mitre:T1110.001] | MySQL: failed login attempt | 1 | network | Attempted User Privilege Gain | elastic_snort.json | credential-access | 2021-11-29 10:34:01.626 |
| 21 | [mitre:T1110.001] | MySQL: failed login attempt | 1 | network | Attempted User Privilege Gain | elastic_snort.json | credential-access | 2021-11-29 10:34:01.631 |
| 22 | [mitre:T1110.001] | MySQL: failed login attempt | 1 | network | Attempted User Privilege Gain | elastic_snort.json | credential-access | 2021-11-29 10:34:01.637 |
| 23 | [mitre:T1030] | Large network data transfer with database endp... | 2 | network | network-connection-traffic | elastic_sysflow.json | exfiltration | 2021-11-29 10:34:01.638 |
| 24 | [mitre:T1222.002] | Linux and Mac File and Directory Permissions M... | 1 | process | process-start | elastic_sysflow.json | defense-evasion | 2021-11-29 10:34:18.209 |
| 25 | [mitre:T1046] | TCP Port Scanning | 0 | network | Detection of a Network Scan | elastic_snort.json | discovery | 2021-11-29 10:34:26.719 |
| 26 | [mitre:T1190] | SQL Injection attempt | 2 | network | Web Application Attack | elastic_snort.json | initial-access | 2021-11-29 10:34:33.245 |
| 27 | [mitre:T1190] | SQL Injection attempt | 2 | network | Web Application Attack | elastic_snort.json | initial-access | 2021-11-29 10:34:33.932 |
| 28 | [mitre:T1190] | SQL Injection attempt | 2 | network | Web Application Attack | elastic_snort.json | initial-access | 2021-11-29 10:34:34.416 |
| 29 | [mitre:T1068] | Possible SSTI attack | 2 | network | Web Application Attack | elastic_snort.json | privilege-escalation | 2021-11-29 10:34:34.746 |
| 30 | [mitre:t1049, mitre:t1018, mitre:t1135, mitre:... | Sysmon Net.exe Execution | 0 | process | Process Create (rule: ProcessCreate) | elastic_elastalert.json | discovery | 2021-11-29 10:34:35.068 |
| 31 | [mitre:t1136, mitre:t1136.001] | Sysmon Net.exe User Account Creation | 1 | process | Process Create (rule: ProcessCreate) | elastic_elastalert.json | persistence | 2021-11-29 10:34:35.068 |
| 32 | [mitre:t1049, mitre:t1018, mitre:t1135, mitre:... | Sysmon Net.exe Execution | 0 | process | Process Create (rule: ProcessCreate) | elastic_elastalert.json | lateral-movement | 2021-11-29 10:34:35.068 |
| 33 | [mitre:t1049, mitre:t1018, mitre:t1135, mitre:... | Sysmon Net.exe Execution | 0 | process | Process Create (rule: ProcessCreate) | elastic_elastalert.json | discovery | 2021-11-29 10:34:35.068 |
| 34 | [mitre:t1049, mitre:t1018, mitre:t1135, mitre:... | Sysmon Net.exe Execution | 0 | process | Process Create (rule: ProcessCreate) | elastic_elastalert.json | lateral-movement | 2021-11-29 10:34:35.068 |
| 35 | [mitre:t1136, mitre:t1136.001] | Sysmon Net.exe User Account Creation | 1 | process | Process Create (rule: ProcessCreate) | elastic_elastalert.json | persistence | 2021-11-29 10:34:35.068 |
| 36 | [mitre:t1086, mitre:t1059.001] | Sysmon Non Interactive PowerShell | 1 | process | Process Create (rule: ProcessCreate) | elastic_elastalert.json | execution | 2021-11-29 10:34:35.069 |
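
The following block is an added example and not code from the notebook or from the SysFlow project. It replays the whole procedure of this section offline, on constructed data and with the standard library only: a handful of STIX-style attack-pattern objects reduced to the `external_references` and `kill_chain_phases` fields the notebook's helpers read (with T1078 as a technique that belongs to four tactics, and T1086 carrying the STIX `revoked` flag, since T1086 was revoked in favour of T1059.001 but its tag still appears in rules, as in row 36 above), and six ECS-style alerts modelled on rows of the table, one of which carries the placeholder tag `mitre:TXXXX` to stand for a tag that is missing from the mapping. It goes a little beyond the notebook's cells: tags without a mapping are collected instead of raising a `KeyError`, timestamps with a trailing `Z` are accepted, and the sorted per-tactic rows are collapsed into consecutive runs, which is one simple way to read the 'storyline' off the timeline. `SAMPLE_TECHNIQUES`, `SAMPLE_ALERTS`, `run_example`, `storyline`, `revoked_tags` and the tag `TXXXX` are assumptions of this example.

```python
# Added example (not the notebook's own code): the tag -> tactic enrichment done offline on
# constructed data, without pandas. STIX objects, alerts and timestamps are all constructed here.
import datetime


def attack_pattern(ext_id, tactics, revoked=False):
    """Minimal constructed STIX 2.0 attack-pattern with the two fields the mapping reads."""
    obj = {
        'type': 'attack-pattern',
        'external_references': [
            {'source_name': 'mitre-attack', 'external_id': ext_id},
            {'source_name': 'constructed-reference', 'url': 'https://example.invalid/ref'},
        ],
        'kill_chain_phases': [{'kill_chain_name': 'mitre-attack', 'phase_name': t} for t in tactics],
    }
    if revoked:
        obj['revoked'] = True   # revoked techniques remain in the ATT&CK collection
    return obj


# Constructed subset of ATT&CK; fetch the real objects via TAXII as the notebook does.
SAMPLE_TECHNIQUES = [
    attack_pattern('T1018', ['discovery']),
    attack_pattern('T1046', ['discovery']),
    attack_pattern('T1190', ['initial-access']),
    attack_pattern('T1078', ['defense-evasion', 'persistence', 'privilege-escalation', 'initial-access']),
    attack_pattern('T1136', ['persistence']),
    attack_pattern('T1136.001', ['persistence']),
    attack_pattern('T1059.001', ['execution']),
    attack_pattern('T1086', ['execution'], revoked=True),  # T1086 was revoked in favour of T1059.001
]

# Constructed ECS-style alerts shaped like the notebook's alert_data entries.
SAMPLE_ALERTS = [
    {'tags': ['mitre:T1018'], 'event.start': '2021-11-29T10:32:30.544Z', 'event.created': None,
     'event.reason': 'Possible Nmap ping sweep', 'source_file': 'elastic_snort.json'},
    {'tags': ['mitre:T1046'], 'event.start': '2021-11-29T10:32:31.408Z', 'event.created': None,
     'event.reason': 'TCP Port Scanning', 'source_file': 'elastic_snort.json'},
    {'tags': ['mitre:T1190'], 'event.start': '2021-11-29T10:32:34.172Z', 'event.created': None,
     'event.reason': 'SQL Injection attempt', 'source_file': 'elastic_snort.json'},
    {'tags': ['mitre:t1078'], 'event.start': None, 'event.created': '2021-11-29T10:34:35.068',
     'event.reason': 'constructed: logon with valid account', 'source_file': 'elastic_elastalert.json'},
    {'tags': ['mitre:t1136', 'mitre:t1136.001'], 'event.start': None, 'event.created': '2021-11-29T10:34:35.068',
     'event.reason': 'Sysmon Net.exe User Account Creation', 'source_file': 'elastic_elastalert.json'},
    {'tags': ['mitre:t1086', 'mitre:t1059.001', 'mitre:TXXXX'],   # TXXXX: placeholder for an unmapped tag
     'event.start': None, 'event.created': '2021-11-29T10:34:35.069',
     'event.reason': 'Sysmon Non Interactive PowerShell', 'source_file': 'elastic_elastalert.json'},
]


def build_tag2tactics(techniques):
    """ATT&CK id -> list of tactic names (one-to-many), like the notebook's define_tag_tactic_mapping."""
    tag2tactics = {}
    for tech in techniques:
        ids = [r.get('external_id') for r in tech.get('external_references', [])
               if r.get('source_name') == 'mitre-attack']
        if len(ids) != 1:
            continue   # no usable ATT&CK id: do not store the object under a None key
        tag2tactics[ids[0]] = [p['phase_name'] for p in tech.get('kill_chain_phases', [])
                               if p.get('kill_chain_name') == 'mitre-attack']
    return tag2tactics


def revoked_tags(techniques):
    """ATT&CK ids whose object is marked revoked; they still resolve, but rules using them may want updating."""
    return {r['external_id'] for t in techniques if t.get('revoked')
            for r in t['external_references'] if r.get('source_name') == 'mitre-attack'}


def normalise_tag(tag):
    """'mitre:t1049' -> 'T1049': the key form of the mapping (ElastAlert emits lower-case tags)."""
    return tag.replace('mitre:', '').upper()


def parse_timestamp(alert):
    """Snort/SysFlow alerts carry event.start, ElastAlert alerts event.created; a trailing 'Z' is accepted."""
    raw = alert.get('event.start') or alert.get('event.created')
    if raw is None:
        raise ValueError('alert carries neither event.start nor event.created')
    return datetime.datetime.fromisoformat(raw.rstrip('Z')[:26])   # at most microsecond precision


def enrich_with_tactics(alerts, tag2tactics):
    """One row per (alert, tactic), sorted by time; tags missing from the mapping are collected, not fatal."""
    rows, unknown = [], set()
    for alert in alerts:
        tactics = set()
        for tag in alert['tags']:
            key = normalise_tag(tag)
            if key not in tag2tactics:
                unknown.add(key)      # the notebook's loop would raise KeyError here
                continue
            tactics.update(tag2tactics[key])
        ts = parse_timestamp(alert)
        for tactic in sorted(tactics):
            rows.append({'timestamp': ts, 'tactic': tactic,
                         'reason': alert['event.reason'], 'source_file': alert['source_file']})
    rows.sort(key=lambda r: (r['timestamp'], r['tactic']))   # ties ordered by tactic so equal tactics stay adjacent
    return rows, unknown


def storyline(rows):
    """Collapse consecutive rows with the same tactic into runs: (tactic, count, first_ts, last_ts)."""
    runs = []
    for r in rows:
        if runs and runs[-1][0] == r['tactic']:
            tactic, n, first, _ = runs[-1]
            runs[-1] = (tactic, n + 1, first, r['timestamp'])
        else:
            runs.append((r['tactic'], 1, r['timestamp'], r['timestamp']))
    return runs


def run_example():
    tag2tactics = build_tag2tactics(SAMPLE_TECHNIQUES)
    rows, unknown = enrich_with_tactics(SAMPLE_ALERTS, tag2tactics)
    return {'tag2tactics': tag2tactics, 'rows': rows, 'unknown': unknown,
            'revoked': revoked_tags(SAMPLE_TECHNIQUES), 'storyline': storyline(rows)}


if __name__ == '__main__':
    result = run_example()
    for tactic, n, first, last in result['storyline']:
        print(f"{first.time()} .. {last.time()}  {tactic:<22} ({n} alert rows)")
    print('tags without mapping:', sorted(result['unknown']),
          ' revoked tags present in mapping:', sorted(result['revoked']))
```

Run as a script, the block prints the runs of the constructed timeline (discovery, initial-access, then the fan-out of the four-tactic T1078 alert, persistence, privilege-escalation, execution) and reports `TXXXX` as the one tag it could not resolve. The alphabetical tie-break matters for rows with identical timestamps, such as the ElastAlert rows at 10:34:35.068 in the table above: without it, rows of one tactic coming from simultaneous alerts can be separated and inflate the number of runs.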