Merge pull request #190 from splunk/add_missing_tactic

Modified att&ck mappings for these files. Mostly just added the high …

detections/account_harvesting.json

@@ -88,6 +88,7 @@
             "Actions on Objectives"
         ],
         "mitre_attack": [
+            "Persistence",
             "Create Account"
         ],
         "nist": [
@@ -112,4 +113,4 @@
     "spec_version": 2,
     "type": "splunk",
     "version": "1.0"
-}
+}

detections/anomalous_webclick.json

@@ -88,6 +88,7 @@
             "Actions on Objectives"
         ],
         "mitre_attack": [
+            "Initial Access",
             "Valid Accounts"
         ],
         "nist": [
@@ -114,4 +115,4 @@
     "spec_version": 2,
     "type": "splunk",
     "version": "1.0"
-}
+}

detections/excessive_lockouts_from_endpoint.json

@@ -73,6 +73,7 @@
             "CIS 16"
         ],
         "mitre_attack": [
+            "Initial Access",
             "Valid Accounts"
         ],
         "nist": [
@@ -93,4 +94,4 @@
     "spec_version": 2,
     "type": "splunk",
     "version": "3.0"
-}
+}

detections/excessive_user_account_lockouts.json

@@ -103,6 +103,7 @@
             "CIS 16"
         ],
         "mitre_attack": [
+            "Initial Access",
             "Valid Accounts"
         ],
         "nist": [
@@ -123,4 +124,4 @@
     "spec_version": 2,
     "type": "splunk",
     "version": "2.0"
-}
+}

detections/execution_of_nirsoft_tools.json

@@ -116,6 +116,9 @@
             "Actions on Objectives"
         ],
         "mitre_attack": [
+            "Discovery",
+            "Execution",
+            "Lateral Movement",
             "Third-party Software",
             "Account Discovery"
         ],

detections/lnk_executing_a_process.json

@@ -72,6 +72,7 @@
             "Actions on Objectives"
         ],
         "mitre_attack": [
+            "Initial Access",
             "Spearphishing Attachment"
         ],
         "nist": [
@@ -93,4 +94,4 @@
     "spec_version": 2,
     "type": "splunk",
     "version": "1.0"
-}
+}

detections/new_user_accounts.json

@@ -88,7 +88,8 @@
             "CIS 16"
         ],
         "mitre_attack": [
-            "Valid Accounts"
+            "Persistence",
+            "Create Account"
         ],
         "nist": [
             "PR.IP"

detections/outlook_writing_zip.json

@@ -78,6 +78,7 @@
       "Actions on Objectives"
     ],
     "mitre_attack": [
+      "Initial Access",
       "Spearphishing Attachment"
     ],
     "nist": [

detections/short_lived_accounts.json

@@ -103,7 +103,8 @@
             "CIS 16"
         ],
         "mitre_attack": [
-            "Valid Accounts"
+            "Persistence",
+            "Create Account"
         ],
         "nist": [
             "PR.IP"
@@ -123,4 +124,4 @@
     "spec_version": 2,
     "type": "splunk",
     "version": "1.0"
-}
+}

detections/smb_traffic_spike.json

@@ -117,6 +117,9 @@
             "Actions on Objectives"
         ],
         "mitre_attack": [
+            "Lateral Movement",
+            "Execution",
+            "Command and Control",
             "Commonly Used Port"
         ],
         "nist": [

detections/smb_traffic_spike_mltk.json

@@ -124,6 +124,9 @@
             "Actions on Objectives"
         ],
         "mitre_attack": [
+            "Lateral Movement",
+            "Execution",
+            "Command and Control",
             "Commonly Used Port"
         ],
         "nist": [