Merge pull request #77 from mitre/attck-v17

update ATT&CK mapping to v17

Author: deacon-mp

data/abilities/command-and-control/1837b43e-4fff-46b2-a604-a602f7540469.yml

@@ -3,8 +3,8 @@
   description: A Blue Python agent that executes elasticsearch queries.
   tactic: command-and-control
   technique:
-    attack_id: T1071
-    name: Standard Application Layer Protocol
+    attack_id: T1071.001
+    name: "Application Layer Protocol: Web Protocols"
   platforms:
     darwin:
       sh:

data/abilities/detection/1226f8ec-e2e5-4311-88e7-378c0e5cc7ce.yml

@@ -5,8 +5,8 @@
   description: Finds suspicious URLs in received mail
   tactic: detection
   technique:
-    attack_id: x
-    name: x
+    attack_id: T1566.002
+    name: "Phishing: Spearphishing Link"
   repeatable: True
   platforms:
     linux:

data/abilities/detection/1b4aa8d5-ba97-4b9b-92a3-eaaaffbfdf0a.yml

@@ -3,8 +3,8 @@
   description: Compare open ports against a known baseline
   tactic: detection
   technique:
-    attack_id: T1065
-    name: Uncommonly Used Port
+    attack_id: T1571
+    name: Non-Standard Port
   repeatable: True
   platforms:
     windows:

data/abilities/detection/8bc73098-54d1-4f69-abd5-271e3e2da5df.yml

@@ -4,8 +4,8 @@
   description: Checks to see if a new (unauthorized) scheduled task has been added
   tactic: detection
   technique:
-    attack_id: x
-    name: x
+    attack_id: T1053.005
+    name: "Scheduled Task/Job: Scheduled Task"
   repeatable: True
   platforms:
     windows:

data/abilities/detection/ee54384f-cfbc-4228-9dc1-cc5632307afb.yml

@@ -4,8 +4,8 @@
   description: Checks to see if a new (unauthorized) cron job has been added
   tactic: detection
   technique:
-    attack_id: x
-    name: x
+    attack_id: T1053.003
+    name: "Scheduled Task/Job: Cron"
   repeatable: True
   platforms:
     linux:

data/abilities/elastic_hunting/4b283acc-45c0-4de8-b0ac-ac0699e5ab95.yml

@@ -4,8 +4,8 @@
   description: Search for Sysmon Event 1 powershell records with "ExecutionPolicy" and "Bypass"
   tactic: hunt
   technique:
-    attack_id: x
-    name: x
+    attack_id: T1059.001
+    name: "Command and Scripting Interpreter: PowerShell"
   platforms:
     windows:
       elasticsearch: &cmd

data/abilities/response/32e563bb-ba06-4bcc-b817-fc2c434c0b66.yml

@@ -4,8 +4,8 @@
   description: Removes newly added cron jobs
   tactic: response
   technique:
-    attack_id: x
-    name: x
+    attack_id: T1053.003
+    name: "Scheduled Task/Job: Cron"
   platforms:
     linux:
       sh:
@@ -35,4 +35,4 @@
           edge: has_new_cronjob
           target: host.new.cronjob
     - plugins.stockpile.app.requirements.paw_provenance:
-        - source: host.new.cronjob
+        - source: host.new.cronjob

data/abilities/response/cb85039a-6196-4262-883b-0beeb804b83d.yml

@@ -4,8 +4,8 @@
   privilege: Elevated
   tactic: response
   technique:
-    attack_id: T1065
-    name: Uncommonly Used Port
+    attack_id: T1571
+    name: Non-Standard Port
   platforms:
     windows:
       psh, pwsh:
@@ -19,4 +19,4 @@
     - plugins.response.app.requirements.basic:
         - source: remote.port.unauthorized
           edge: has_pid
-          target: host.pid.unauthorized
+          target: host.pid.unauthorized

data/abilities/response/debd322d-2100-45f7-8832-29ef7c56786d.yml

@@ -4,8 +4,8 @@
   privilege: Elevated
   tactic: response
   technique:
-    attack_id: T1065
-    name: Uncommonly Used Port
+    attack_id: T1571
+    name: Non-Standard Port
   platforms:
     windows:
       psh, pwsh:
@@ -19,4 +19,4 @@
     - plugins.response.app.requirements.basic:
         - source: host.port.unauthorized
           edge: has_pid
-          target: host.pid.unauthorized
+          target: host.pid.unauthorized