diff --git a/sigma/data/mitre_attack.py b/sigma/data/mitre_attack.py index d727d50f..375e918d 100644 --- a/sigma/data/mitre_attack.py +++ b/sigma/data/mitre_attack.py 
@@ -590,3 +590,640 @@ 'T1621': 'Multi-Factor Authentication Request Generation', 'T1622': 'Debugger Evasion', 'T1647': 'Plist File Modification'} +mitre_attack_intrusion_sets: Dict[str, str] = { 'G0001': 'Axiom', + 'G0002': 'Moafee', + 'G0003': 'Cleaver', + 'G0004': 'Ke3chang', + 'G0005': 'APT12', + 'G0006': 'APT1', + 'G0007': 'APT28', + 'G0008': 'Carbanak', + 'G0009': 'Deep Panda', + 'G0010': 'Turla', + 'G0011': 'PittyTiger', + 'G0012': 'Darkhotel', + 'G0013': 'APT30', + 'G0014': 'Night Dragon', + 'G0016': 'APT29', + 'G0017': 'DragonOK', + 'G0018': 'admin@338', + 'G0019': 'Naikon', + 'G0020': 'Equation', + 'G0021': 'Molerats', + 'G0022': 'APT3', + 'G0023': 'APT16', + 'G0024': 'Putter Panda', + 'G0025': 'APT17', + 'G0026': 'APT18', + 'G0027': 'Threat Group-3390', + 'G0028': 'Threat Group-1314', + 'G0029': 'Scarlet Mimic', + 'G0030': 'Lotus Blossom', + 'G0031': 'Dust Storm', + 'G0032': 'Lazarus Group', + 'G0033': 'Poseidon Group', + 'G0034': 'Sandworm Team', + 'G0035': 'Dragonfly', + 'G0036': 'GCMAN', + 'G0037': 'FIN6', + 'G0038': 'Stealth Falcon', + 'G0039': 'Suckfly', + 'G0040': 'Patchwork', + 'G0041': 'Strider', + 'G0043': 'Group5', + 'G0044': 'Winnti Group', + 'G0045': 'menuPass', + 'G0046': 'FIN7', + 'G0047': 'Gamaredon Group', + 'G0048': 'RTM', + 'G0049': 'OilRig', + 'G0050': 'APT32', + 'G0051': 'FIN10', + 'G0052': 'CopyKittens', + 'G0053': 'FIN5', + 'G0054': 'Sowbug', + 'G0055': 'NEODYMIUM', + 'G0056': 'PROMETHIUM', + 'G0059': 'Magic Hound', + 'G0060': 'BRONZE BUTLER', + 'G0061': 'FIN8', + 'G0062': 'TA459', + 'G0063': 'BlackOasis', + 'G0064': 'APT33', + 'G0065': 'Leviathan', + 'G0066': 'Elderwood', + 'G0067': 'APT37', + 'G0068': 'PLATINUM', + 'G0069': 'MuddyWater', + 'G0070': 'Dark Caracal', + 'G0071': 'Orangeworm', + 'G0072': 'Honeybee', + 'G0073': 'APT19', + 'G0075': 'Rancor', + 'G0076': 'Thrip', + 'G0077': 'Leafminer', + 'G0078': 'Gorgon Group', + 'G0079': 'DarkHydrus', + 'G0080': 'Cobalt Group', + 'G0081': 'Tropic Trooper', + 'G0082': 'APT38', + 'G0083': 
'SilverTerrier', + 'G0084': 'Gallmaker', + 'G0085': 'FIN4', + 'G0087': 'APT39', + 'G0088': 'TEMP.Veles', + 'G0089': 'The White Company', + 'G0090': 'WIRTE', + 'G0091': 'Silence', + 'G0092': 'TA505', + 'G0093': 'GALLIUM', + 'G0094': 'Kimsuky', + 'G0095': 'Machete', + 'G0096': 'APT41', + 'G0097': 'Bouncing Golf', + 'G0098': 'BlackTech', + 'G0099': 'APT-C-36', + 'G0100': 'Inception', + 'G0101': 'Frankenstein', + 'G0102': 'Wizard Spider', + 'G0103': 'Mofang', + 'G0104': 'Sharpshooter', + 'G0105': 'DarkVishnya', + 'G0106': 'Rocke', + 'G0107': 'Whitefly', + 'G0108': 'Blue Mockingbird', + 'G0112': 'Windshift', + 'G0114': 'Chimera', + 'G0115': 'GOLD SOUTHFIELD', + 'G0116': 'Operation Wocao', + 'G0117': 'Fox Kitten', + 'G0119': 'Indrik Spider', + 'G0120': 'Evilnum', + 'G0121': 'Sidewinder', + 'G0122': 'Silent Librarian', + 'G0123': 'Volatile Cedar', + 'G0124': 'Windigo', + 'G0125': 'HAFNIUM', + 'G0126': 'Higaisa', + 'G0127': 'TA551', + 'G0128': 'ZIRCONIUM', + 'G0129': 'Mustang Panda', + 'G0130': 'Ajax Security Team', + 'G0131': 'Tonto Team', + 'G0132': 'CostaRicto', + 'G0133': 'Nomadic Octopus', + 'G0134': 'Transparent Tribe', + 'G0135': 'BackdoorDiplomacy', + 'G0136': 'IndigoZebra', + 'G0137': 'Ferocious Kitten', + 'G0138': 'Andariel', + 'G0139': 'TeamTNT', + 'G0140': 'LazyScripter', + 'G0142': 'Confucius', + 'G0143': 'Aquatic Panda'} +mitre_attack_malwares: Dict[str, str] = { 'S0001': 'Trojan.Mebromi', + 'S0003': 'RIPTIDE', + 'S0004': 'TinyZBot', + 'S0007': 'Skeleton Key', + 'S0009': 'Hikit', + 'S0010': 'Lurid', + 'S0011': 'Taidoor', + 'S0012': 'PoisonIvy', + 'S0013': 'PlugX', + 'S0014': 'BS2005', + 'S0015': 'Ixeshe', + 'S0016': 'P2P ZeuS', + 'S0017': 'BISCUIT', + 'S0018': 'Sykipot', + 'S0019': 'Regin', + 'S0020': 'China Chopper', + 'S0021': 'Derusbi', + 'S0022': 'Uroburos', + 'S0023': 'CHOPSTICK', + 'S0024': 'Dyre', + 'S0025': 'CALENDAR', + 'S0026': 'GLOOXMAIL', + 'S0027': 'Zeroaccess', + 'S0028': 'SHIPSHAPE', + 'S0030': 'Carbanak', + 'S0031': 'BACKSPACE', + 'S0032': 
'gh0st RAT', + 'S0033': 'NetTraveler', + 'S0034': 'NETEAGLE', + 'S0035': 'SPACESHIP', + 'S0036': 'FLASHFLOOD', + 'S0037': 'HAMMERTOSS', + 'S0038': 'Duqu', + 'S0041': 'Wiper', + 'S0042': 'LOWBALL', + 'S0043': 'BUBBLEWRAP', + 'S0044': 'JHUHUGIT', + 'S0045': 'ADVSTORESHELL', + 'S0046': 'CozyCar', + 'S0047': 'Hacking Team UEFI Rootkit', + 'S0048': 'PinchDuke', + 'S0049': 'GeminiDuke', + 'S0050': 'CosmicDuke', + 'S0051': 'MiniDuke', + 'S0052': 'OnionDuke', + 'S0053': 'SeaDuke', + 'S0054': 'CloudDuke', + 'S0055': 'RARSTONE', + 'S0056': 'Net Crawler', + 'S0058': 'SslMM', + 'S0059': 'WinMM', + 'S0060': 'Sys10', + 'S0061': 'HDoor', + 'S0062': 'DustySky', + 'S0063': 'SHOTPUT', + 'S0064': 'ELMER', + 'S0065': '4H RAT', + 'S0066': '3PARA RAT', + 'S0067': 'pngdowner', + 'S0068': 'httpclient', + 'S0069': 'BLACKCOFFEE', + 'S0070': 'HTTPBrowser', + 'S0071': 'hcdLoader', + 'S0072': 'OwaAuth', + 'S0073': 'ASPXSpy', + 'S0074': 'Sakula', + 'S0076': 'FakeM', + 'S0077': 'CallMe', + 'S0078': 'Psylo', + 'S0079': 'MobileOrder', + 'S0080': 'Mivast', + 'S0081': 'Elise', + 'S0082': 'Emissary', + 'S0083': 'Misdat', + 'S0084': 'Mis-Type', + 'S0085': 'S-Type', + 'S0086': 'ZLib', + 'S0087': 'Hi-Zor', + 'S0088': 'Kasidet', + 'S0089': 'BlackEnergy', + 'S0090': 'Rover', + 'S0091': 'Epic', + 'S0092': 'Agent.btz', + 'S0093': 'Backdoor.Oldrea', + 'S0094': 'Trojan.Karagany', + 'S0098': 'T9000', + 'S0107': 'Cherry Picker', + 'S0109': 'WEBC2', + 'S0112': 'ROCKBOOT', + 'S0113': 'Prikormka', + 'S0114': 'BOOTRASH', + 'S0115': 'Crimson', + 'S0117': 'XTunnel', + 'S0118': 'Nidiran', + 'S0124': 'Pisloader', + 'S0125': 'Remsec', + 'S0126': 'ComRAT', + 'S0127': 'BBSRAT', + 'S0128': 'BADNEWS', + 'S0129': 'AutoIt backdoor', + 'S0130': 'Unknown Logger', + 'S0131': 'TINYTYPHON', + 'S0132': 'H1N1', + 'S0133': 'Miner-C', + 'S0134': 'Downdelph', + 'S0135': 'HIDEDRV', + 'S0136': 'USBStealer', + 'S0137': 'CORESHELL', + 'S0138': 'OLDBAIT', + 'S0139': 'PowerDuke', + 'S0140': 'Shamoon', + 'S0141': 'Winnti for Windows', + 
'S0142': 'StreamEx', + 'S0143': 'Flame', + 'S0144': 'ChChes', + 'S0145': 'POWERSOURCE', + 'S0146': 'TEXTMATE', + 'S0147': 'Pteranodon', + 'S0148': 'RTM', + 'S0149': 'MoonWind', + 'S0150': 'POSHSPY', + 'S0151': 'HALFBAKED', + 'S0152': 'EvilGrab', + 'S0153': 'RedLeaves', + 'S0154': 'Cobalt Strike', + 'S0155': 'WINDSHIELD', + 'S0156': 'KOMPROGO', + 'S0157': 'SOUNDBITE', + 'S0158': 'PHOREAL', + 'S0159': 'SNUGRIDE', + 'S0161': 'XAgentOSX', + 'S0162': 'Komplex', + 'S0163': 'Janicab', + 'S0164': 'TDTESS', + 'S0165': 'OSInfo', + 'S0166': 'RemoteCMD', + 'S0167': 'Matryoshka', + 'S0168': 'Gazer', + 'S0169': 'RawPOS', + 'S0170': 'Helminth', + 'S0171': 'Felismus', + 'S0172': 'Reaver', + 'S0173': 'FLIPSIDE', + 'S0176': 'Wingbird', + 'S0177': 'Power Loader', + 'S0178': 'Truvasys', + 'S0180': 'Volgmer', + 'S0181': 'FALLCHILL', + 'S0182': 'FinFisher', + 'S0184': 'POWRUNER', + 'S0185': 'SEASHARPEE', + 'S0186': 'DownPaper', + 'S0187': 'Daserf', + 'S0188': 'Starloader', + 'S0189': 'ISMInjector', + 'S0196': 'PUNCHBUGGY', + 'S0197': 'PUNCHTRACK', + 'S0198': 'NETWIRE', + 'S0199': 'TURNEDUP', + 'S0200': 'Dipsind', + 'S0201': 'JPIN', + 'S0202': 'adbupd', + 'S0203': 'Hydraq', + 'S0204': 'Briba', + 'S0205': 'Naid', + 'S0206': 'Wiarp', + 'S0207': 'Vasport', + 'S0208': 'Pasam', + 'S0210': 'Nerex', + 'S0211': 'Linfo', + 'S0212': 'CORALDECK', + 'S0213': 'DOGCALL', + 'S0214': 'HAPPYWORK', + 'S0215': 'KARAE', + 'S0216': 'POORAIM', + 'S0217': 'SHUTTERSPEED', + 'S0218': 'SLOWDRIFT', + 'S0219': 'WINERACK', + 'S0220': 'Chaos', + 'S0221': 'Umbreon', + 'S0222': 'CCBkdr', + 'S0223': 'POWERSTATS', + 'S0226': 'Smoke Loader', + 'S0228': 'NanHaiShu', + 'S0229': 'Orz', + 'S0230': 'ZeroT', + 'S0232': 'HOMEFRY', + 'S0233': 'MURKYTOP', + 'S0234': 'Bandook', + 'S0235': 'CrossRAT', + 'S0236': 'Kwampirs', + 'S0237': 'GravityRAT', + 'S0238': 'Proxysvc', + 'S0239': 'Bankshot', + 'S0240': 'ROKRAT', + 'S0241': 'RATANKBA', + 'S0242': 'SynAck', + 'S0243': 'DealersChoice', + 'S0244': 'Comnie', + 'S0245': 'BADCALL', + 
'S0246': 'HARDRAIN', + 'S0247': 'NavRAT', + 'S0248': 'yty', + 'S0249': 'Gold Dragon', + 'S0251': 'Zebrocy', + 'S0252': 'Brave Prince', + 'S0253': 'RunningRAT', + 'S0254': 'PLAINTEE', + 'S0255': 'DDKONG', + 'S0256': 'Mosquito', + 'S0257': 'VERMIN', + 'S0258': 'RGDoor', + 'S0259': 'InnaputRAT', + 'S0260': 'InvisiMole', + 'S0261': 'Catchamas', + 'S0263': 'TYPEFRAME', + 'S0264': 'OopsIE', + 'S0265': 'Kazuar', + 'S0266': 'TrickBot', + 'S0267': 'FELIXROOT', + 'S0268': 'Bisonal', + 'S0269': 'QUADAGENT', + 'S0270': 'RogueRobin', + 'S0271': 'KEYMARBLE', + 'S0272': 'NDiskMonitor', + 'S0273': 'Socksbot', + 'S0274': 'Calisto', + 'S0275': 'UPPERCUT', + 'S0276': 'Keydnap', + 'S0277': 'FruitFly', + 'S0278': 'iKitten', + 'S0279': 'Proton', + 'S0280': 'MirageFox', + 'S0281': 'Dok', + 'S0282': 'MacSpy', + 'S0283': 'jRAT', + 'S0284': 'More_eggs', + 'S0302': 'Twitoor', + 'S0330': 'Zeus Panda', + 'S0331': 'Agent Tesla', + 'S0333': 'UBoatRAT', + 'S0334': 'DarkComet', + 'S0335': 'Carbon', + 'S0336': 'NanoCore', + 'S0337': 'BadPatch', + 'S0338': 'Cobian RAT', + 'S0339': 'Micropsia', + 'S0340': 'Octopus', + 'S0341': 'Xbash', + 'S0342': 'GreyEnergy', + 'S0343': 'Exaramel for Windows', + 'S0344': 'Azorult', + 'S0345': 'Seasalt', + 'S0346': 'OceanSalt', + 'S0347': 'AuditCred', + 'S0348': 'Cardinal RAT', + 'S0350': 'zwShell', + 'S0351': 'Cannon', + 'S0352': 'OSX_OCEANLOTUS.D', + 'S0353': 'NOKKI', + 'S0354': 'Denis', + 'S0355': 'Final1stspy', + 'S0356': 'KONNI', + 'S0360': 'BONDUPDATER', + 'S0362': 'Linux Rabbit', + 'S0365': 'Olympic Destroyer', + 'S0366': 'WannaCry', + 'S0367': 'Emotet', + 'S0368': 'NotPetya', + 'S0369': 'CoinTicker', + 'S0370': 'SamSam', + 'S0371': 'POWERTON', + 'S0372': 'LockerGoga', + 'S0373': 'Astaroth', + 'S0374': 'SpeakUp', + 'S0375': 'Remexi', + 'S0376': 'HOPLIGHT', + 'S0377': 'Ebury', + 'S0379': 'Revenge RAT', + 'S0380': 'StoneDrill', + 'S0381': 'FlawedAmmyy', + 'S0382': 'ServHelper', + 'S0383': 'FlawedGrace', + 'S0384': 'Dridex', + 'S0385': 'njRAT', + 'S0386': 
'Ursnif', + 'S0387': 'KeyBoy', + 'S0388': 'YAHOYAH', + 'S0389': 'JCry', + 'S0390': 'SQLRat', + 'S0391': 'HAWKBALL', + 'S0393': 'PowerStallion', + 'S0394': 'HiddenWasp', + 'S0395': 'LightNeuron', + 'S0396': 'EvilBunny', + 'S0397': 'LoJax', + 'S0398': 'HyperBro', + 'S0400': 'RobbinHood', + 'S0401': 'Exaramel for Linux', + 'S0402': 'OSX/Shlayer', + 'S0409': 'Machete', + 'S0410': 'Fysbis', + 'S0412': 'ZxShell', + 'S0414': 'BabyShark', + 'S0415': 'BOOSTWRITE', + 'S0416': 'RDFSNIFFER', + 'S0417': 'GRIFFON', + 'S0428': 'PoetRAT', + 'S0430': 'Winnti for Linux', + 'S0431': 'HotCroissant', + 'S0433': 'Rifdoor', + 'S0435': 'PLEAD', + 'S0436': 'TSCookie', + 'S0437': 'Kivars', + 'S0438': 'Attor', + 'S0439': 'Okrum', + 'S0441': 'PowerShower', + 'S0442': 'VBShower', + 'S0443': 'MESSAGETAP', + 'S0444': 'ShimRat', + 'S0446': 'Ryuk', + 'S0447': 'Lokibot', + 'S0448': 'Rising Sun', + 'S0449': 'Maze', + 'S0450': 'SHARPSTATS', + 'S0451': 'LoudMiner', + 'S0452': 'USBferry', + 'S0453': 'Pony', + 'S0454': 'Cadelspy', + 'S0455': 'Metamorfo', + 'S0456': 'Aria-body', + 'S0457': 'Netwalker', + 'S0458': 'Ramsay', + 'S0459': 'MechaFlounder', + 'S0460': 'Get2', + 'S0461': 'SDBbot', + 'S0462': 'CARROTBAT', + 'S0464': 'SYSCON', + 'S0466': 'WindTail', + 'S0467': 'TajMahal', + 'S0468': 'Skidmap', + 'S0469': 'ABK', + 'S0470': 'BBK', + 'S0471': 'build_downer', + 'S0472': 'down_new', + 'S0473': 'Avenger', + 'S0475': 'BackConfig', + 'S0476': 'Valak', + 'S0477': 'Goopy', + 'S0481': 'Ragnar Locker', + 'S0482': 'Bundlore', + 'S0483': 'IcedID', + 'S0484': 'Carberp', + 'S0486': 'Bonadan', + 'S0487': 'Kessel', + 'S0491': 'StrongPity', + 'S0492': 'CookieMiner', + 'S0493': 'GoldenSpy', + 'S0495': 'RDAT', + 'S0496': 'REvil', + 'S0497': 'Dacls', + 'S0498': 'Cryptoistic', + 'S0499': 'Hancitor', + 'S0501': 'PipeMon', + 'S0502': 'Drovorub', + 'S0503': 'FrameworkPOS', + 'S0504': 'Anchor', + 'S0508': 'Ngrok', + 'S0511': 'RegDuke', + 'S0512': 'FatDuke', + 'S0513': 'LiteDuke', + 'S0514': 'WellMess', + 'S0515': 
'WellMail', + 'S0516': 'SoreFang', + 'S0517': 'Pillowmint', + 'S0518': 'PolyglotDuke', + 'S0519': 'SYNful Knock', + 'S0520': 'BLINDINGCAN', + 'S0526': 'KGH_SPY', + 'S0528': 'Javali', + 'S0530': 'Melcoz', + 'S0531': 'Grandoreiro', + 'S0532': 'Lucifer', + 'S0533': 'SLOTHFULMEDIA', + 'S0534': 'Bazar', + 'S0537': 'HyperStack', + 'S0538': 'Crutch', + 'S0543': 'Spark', + 'S0546': 'SharpStage', + 'S0547': 'DropBook', + 'S0553': 'MoleNet', + 'S0554': 'Egregor', + 'S0556': 'Pay2Key', + 'S0559': 'SUNBURST', + 'S0560': 'TEARDROP', + 'S0561': 'GuLoader', + 'S0562': 'SUNSPOT', + 'S0564': 'BlackMould', + 'S0565': 'Raindrop', + 'S0567': 'Dtrack', + 'S0568': 'EVILNUM', + 'S0569': 'Explosive', + 'S0570': 'BitPaymer', + 'S0572': 'Caterpillar WebShell', + 'S0574': 'BendyBear', + 'S0575': 'Conti', + 'S0576': 'MegaCortex', + 'S0578': 'SUPERNOVA', + 'S0579': 'Waterbear', + 'S0582': 'LookBack', + 'S0583': 'Pysa', + 'S0584': 'AppleJeus', + 'S0585': 'Kerrdown', + 'S0586': 'TAINTEDSCRIBE', + 'S0587': 'Penquin', + 'S0588': 'GoldMax', + 'S0589': 'Sibot', + 'S0593': 'ECCENTRICBANDWAGON', + 'S0595': 'ThiefQuest', + 'S0596': 'ShadowPad', + 'S0597': 'GoldFinder', + 'S0598': 'P.A.S. 
Webshell', + 'S0599': 'Kinsing', + 'S0600': 'Doki', + 'S0601': 'Hildegard', + 'S0603': 'Stuxnet', + 'S0604': 'Industroyer', + 'S0605': 'EKANS', + 'S0606': 'Bad Rabbit', + 'S0607': 'KillDisk', + 'S0608': 'Conficker', + 'S0610': 'SideTwist', + 'S0611': 'Clop', + 'S0612': 'WastedLocker', + 'S0613': 'PS1', + 'S0614': 'CostaBricks', + 'S0615': 'SombRAT', + 'S0616': 'DEATHRANSOM', + 'S0617': 'HELLOKITTY', + 'S0618': 'FIVEHANDS', + 'S0622': 'AppleSeed', + 'S0623': 'Siloscape', + 'S0624': 'Ecipekac', + 'S0625': 'Cuba', + 'S0626': 'P8RAT', + 'S0627': 'SodaMaster', + 'S0628': 'FYAnti', + 'S0629': 'RainyDay', + 'S0630': 'Nebulae', + 'S0631': 'Chaes', + 'S0632': 'GrimAgent', + 'S0634': 'EnvyScout', + 'S0635': 'BoomBox', + 'S0636': 'VaporRage', + 'S0637': 'NativeZone', + 'S0638': 'Babuk', + 'S0639': 'Seth-Locker', + 'S0640': 'Avaddon', + 'S0641': 'Kobalos', + 'S0642': 'BADFLICK', + 'S0643': 'Peppy', + 'S0644': 'ObliqueRAT', + 'S0646': 'SpicyOmelette', + 'S0647': 'Turian', + 'S0648': 'JSS Loader', + 'S0649': 'SMOKEDHAM', + 'S0650': 'QakBot', + 'S0651': 'BoxCaon', + 'S0652': 'MarkiRAT', + 'S0653': 'xCaon', + 'S0654': 'ProLock', + 'S0657': 'BLUELIGHT', + 'S0658': 'XCSSET', + 'S0659': 'Diavol', + 'S0660': 'Clambling', + 'S0661': 'FoggyWeb', + 'S0662': 'RCSession', + 'S0663': 'SysUpdate', + 'S0664': 'Pandora', + 'S0665': 'ThreatNeedle', + 'S0666': 'Gelsemium', + 'S0667': 'Chrommme', + 'S0668': 'TinyTurla', + 'S0669': 'KOCTOPUS', + 'S0670': 'WarzoneRAT', + 'S0671': 'Tomiris', + 'S0672': 'Zox', + 'S0673': 'DarkWatchman', + 'S0674': 'CharmPower', + 'S0678': 'Torisma', + 'S0679': 'Ferocious', + 'S0680': 'LitePower', + 'S0681': 'Lizar', + 'S0682': 'TrailBlazer', + 'S0685': 'PowerPunch', + 'S0686': 'QuietSieve', + 'S0687': 'Cyclops Blink', + 'S0688': 'Meteor', + 'S0689': 'WhisperGate', + 'S0690': 'Green Lambert', + 'S0691': 'Neoichor', + 'S0693': 'CaddyWiper', + 'S0694': 'DRATzarus', + 'S0696': 'Flagpro', + 'S0697': 'HermeticWiper', + 'S0698': 'HermeticWizard'} 
diff --git a/sigma/validators/tags.py b/sigma/validators/tags.py index ef62dd9f..a8025364 100644 --- a/sigma/validators/tags.py +++ b/sigma/validators/tags.py @@ -2,7 +2,7 @@ from typing import ClassVar, List, Set from sigma.rule import SigmaRule, SigmaRuleTag from sigma.validators.base import SigmaRuleValidator, SigmaTagValidator, SigmaValidationIssue, SigmaValidationIssueSeverity -from sigma.data.mitre_attack import mitre_attack_tactics, mitre_attack_techniques +from sigma.data.mitre_attack import mitre_attack_tactics, mitre_attack_techniques, mitre_attack_intrusion_sets, mitre_attack_malwares @dataclass class InvalidATTACKTagIssue(SigmaValidationIssue): @@ -18,6 +18,12 @@ def __init__(self) -> None: }.union({ technique.lower() for technique in mitre_attack_techniques.keys() + }).union({ + intrusion_set.lower() + for intrusion_set in mitre_attack_intrusion_sets + }).union({ + malware.lower() + for malware in mitre_attack_malwares }) def validate_tag(self, tag: SigmaRuleTag) -> List[SigmaValidationIssue]: diff --git a/tests/test_validators.py b/tests/test_validators.py index 14e75d7c..2637b1e6 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py 
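Review bot: The two added comprehensions in the `__init__` hunk iterate the mappings directly while the existing technique comprehension immediately above goes through `.keys()`; pick one form so the four members read alike, e.g. `for intrusion_set in mitre_attack_intrusion_sets.keys()` or drop `.keys()` from the technique line. With four near-identical `.union({...})` members, a single comprehension over a tuple of the mappings, `{key.lower() for mapping in (mitre_attack_tactics, mitre_attack_techniques, mitre_attack_intrusion_sets, mitre_attack_malwares) for key in mapping}`, would likely be clearer, if the tactic member above the hunk has the same shape — `__init__` starts outside the hunk, so that first member is not visible here. A short comment on the resulting attribute stating that the set holds the lower-cased keys of all four ATT&CK mappings (tactics, techniques, groups, software) would spare the next reader a trip to `mitre_attack.py`.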
@@ -444,47 +444,6 @@ def test_validator_multiple_base64_modifier(): """) assert validator.validate(rule) == [ ] -def test_validator_invalid_attack_tags(): - validator = ATTACKTagValidator() - rule = SigmaRule.from_yaml(""" - title: Test - status: test - logsource: - category: test - detection: - sel: - field: value - condition: sel - tags: - - attack.test1 - - attack.test2 - """) - assert validator.validate(rule) == [ - InvalidATTACKTagIssue([ rule ], SigmaRuleTag.from_str("attack.test1")), - InvalidATTACKTagIssue([ rule ], SigmaRuleTag.from_str("attack.test2")), - ] - -def test_validator_invalid_attack_tags(): - validator = ATTACKTagValidator() - rule = SigmaRule.from_yaml(""" - title: Test - status: test - logsource: - category: test - detection: - sel: - field: value - condition: sel - tags: - - attack.test1 - - attack.test2 - """) - assert validator.validate(rule) == [ - InvalidATTACKTagIssue([ rule ], SigmaRuleTag.from_str("attack.test1")), - InvalidATTACKTagIssue([ rule ], SigmaRuleTag.from_str("attack.test2")), - ] - - def test_validator_invalid_attack_tags(): validator = ATTACKTagValidator() rule = SigmaRule.from_yaml(""" @@ -519,6 +478,8 @@ def test_validator_valid_attack_tags(): tags: - attack.command_and_control - attack.t1001.001 + - attack.g0001 + - attack.s0001 """) assert validator.validate(rule) == [ ] diff --git a/tools/update-mitre_attack.py b/tools/update-mitre_attack.py index 092eb2a0..eac9798b 100644 --- a/tools/update-mitre_attack.py +++ b/tools/update-mitre_attack.py 
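Review bot: The second hunk makes `attack.g0001` and `attack.s0001` pass `test_validator_valid_attack_tags`, but no test asserts that an unknown group or software ID is still rejected, so a regression that accepts any `g`/`s`-prefixed tag would go unnoticed; the surviving `test_validator_invalid_attack_tags` (its body continues past the first hunk) only uses `attack.test1`/`attack.test2`. Add a constructed unknown ID such as `- attack.g9999` to that rule's tags together with the matching `InvalidATTACKTagIssue([ rule ], SigmaRuleTag.from_str("attack.g9999"))` expectation, or a separate negative test. If the validator's lower-casing is meant to make matching case-insensitive, a `attack.G0001` entry in the valid-tags rule would pin that down as well.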
@@ -14,10 +14,12 @@ def get_attack_id(refs): if src.startswith("mitre") and src.endswith("attack"): return ref["external_id"] +tactics = dict() +techniques = dict() +intrusion_sets = dict() +malwares = dict() for stix_file in args.stix: stix = json.load(stix_file) - tactics = dict() - techniques = dict() for obj in stix["objects"]: # iterate over all STIX objects if not (obj.get("revoked") or obj.get("x_mitre_deprecated")): # ignore deprecated items if (obj_type := obj.get("type")) is not None: 
@@ -27,11 +29,19 @@ def get_attack_id(refs): elif obj_type == "attack-pattern": # Technique technique_id = get_attack_id(obj["external_references"]) techniques[technique_id] = obj["name"] + elif obj_type == "intrusion-set": + intrusion_set_id = get_attack_id(obj["external_references"]) + intrusion_sets[intrusion_set_id] = obj["name"] + elif obj_type == "malware": + malware_id = get_attack_id(obj["external_references"]) + malwares[malware_id] = obj["name"] elif obj_type == "x-mitre-collection": attack_version = obj["x_mitre_version"] -print(f"Found { len(tactics) } tactics and { len(techniques) } techniques", file=stderr) +print(f"Found { len(tactics) } tactics, { len(techniques) } techniques, { len(intrusion_sets) } intrusion sets and { len(malwares) } malwares.", file=stderr) print("from typing import Dict", file=args.output) print(f'mitre_attack_version: str = "{ attack_version }"', file=args.output) print("mitre_attack_tactics: Dict[str, str] = " + pformat(tactics, indent=4, sort_dicts=True), file=args.output) -print("mitre_attack_techniques: Dict[str, str] = " + pformat(techniques, indent=4, sort_dicts=True), file=args.output) \ No newline at end of file +print("mitre_attack_techniques: Dict[str, str] = " + pformat(techniques, indent=4, sort_dicts=True), file=args.output) +print("mitre_attack_intrusion_sets: Dict[str, str] = " + pformat(intrusion_sets, indent=4, sort_dicts=True), file=args.output) +print("mitre_attack_malwares: Dict[str, str] = " + pformat(malwares, indent=4, sort_dicts=True), file=args.output) \ No newline at end of file
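Review bot: The new `intrusion-set` and `malware` branches store `obj["name"]` under whatever `get_attack_id` returns, and from the tail of that function shown in the previous hunk it appears to fall through to `None` when no `mitre*attack` external reference is present; such an object would be emitted as a `None` key by `pformat`, and the validator's `.lower()` comprehension over those keys would then fail at import time. Guard the assignment, `if (malware_id := get_attack_id(obj["external_references"])) is not None:` before `malwares[malware_id] = obj["name"]`, and the same for `intrusion_set_id` (the existing tactic/technique branches share the pattern but are outside this hunk's added lines). Because the previous hunk moves the dicts out of the loop so they accumulate across every file in `args.stix`, `attack_version` now comes from whichever file's `x-mitre-collection` object is seen last; a comment saying so on that line, or a check that the collections agree, would make the generated `mitre_attack_version` meaningful for a multi-file run.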