Description:
This project aims to bridge the gap between Microsoft Attack Surface Reduction (ASR) rules and MITRE ATT&CK by mapping ASR rules to their corresponding ATT&CK techniques. The primary goal is to enhance the understanding of how ASR rules align with the ATT&CK framework.
Mapping Methodology:
The approach for mapping ASR (Attack Surface Reduction) rules to MITRE ATT&CK techniques draws inspiration from the following sources:
MITRE ATT&CK Enterprise Mitigations:
- ID: M1040 (Behavior Prevention on Endpoint)
- ID: M1050 (Exploit Protection)
ATT&CK Control Framework Mappings:
- Mapping Methodology
Last Updated: Tue May 15 2024
- ASR TO ATTACK: PDF
- ASR TO ATTACK: Google SpreadSheet Table
- ASR TO ATTACK: STIX Visualizer
- Tidal Cyber Community Edition: Matrix
- Reference documentation for ASR rules: Microsoft ASR rules
ASR Rule (KQL Query) | Technique IDs | Mapping Type | Technique Names |
---|---|---|---|
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | T1003.001 | mitigates | LSASS Memory |
Block execution of potentially obfuscated scripts | T1027.010, T1027.013 | mitigates | Command Obfuscation, Encrypted/Encoded File |
Block use of copied or impersonated system tools (preview) | T1036.003, T1036.005 | mitigates | Rename System Utilities, Match Legitimate Name or Location |
Block process creations originating from PSExec and WMI commands | T1047, T1569.002, T1570 | mitigates | Windows Management Instrumentation, Service Execution, Lateral Tool Transfer |
Block Office applications from injecting code into other processes | T1055 | mitigates | Process Injection |
Block JavaScript or VBScript from launching downloaded executable content | T1059.005, T1059.007 | mitigates | Visual Basic, JavaScript |
Block abuse of exploited vulnerable signed drivers | T1068, T1543, T1543.003 | mitigates | Exploitation for Privilege Escalation, Create or Modify System Process, Windows Service |
Block untrusted and unsigned processes that run from USB | T1091 | mitigates | Replication Through Removable Media |
Block Win32 API calls from Office macros | T1106 | mitigates | Native API |
Block Office application from creating child processes | T1137, T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006, T1204.002 | mitigates | Office Application Startup, Office Template Macros, Office Test, Outlook Forms, Outlook Home Page, Outlook Rules, Add-ins, Malicious File |
Block Office communication application from creating child processes | T1137.005, T1203 | mitigates | Outlook Rules, Exploitation for Client Execution |
Block Office applications from creating executable content | T1137.006 | mitigates | Add-ins |
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | T1204 | mitigates | User Execution |
Block Adobe Reader from creating child processes | T1204.002 | mitigates | Malicious File |
Block executable content from email client and webmail | T1204.002 | mitigates | Malicious File |
Use advanced protection against ransomware | T1486 | mitigates | Data Encrypted for Impact |
Block Webshell creation for Servers | T1505.003 | mitigates | Web Shell |
Block persistence through WMI event subscription | T1546.003 | mitigates | Windows Management Instrumentation Event Subscription |
Block rebooting machine in Safe Mode (preview) | T1562.009 | mitigates | Safe Mode Boot |
- Heatmap Generation for Coverage Analysis:
  - Description: Utilize the ASR to ATT&CK Navigator Coverage layer alongside the ATT&CK Navigator for the specific threats you are concerned about (e.g., the top 20 techniques used by ransomware groups).
  - Benefit: This allows you to generate a heatmap that visualizes the coverage provided by existing Microsoft ASR rules. By identifying the techniques already mitigated by ASR rules, you can prioritize efforts on techniques that are not yet covered.
- Integration with Threat Intelligence Platforms (TIPs):
  - Description: Load the ASR to ATT&CK Navigator Coverage or ASR_STIX2 files into your Threat Intelligence Platform (TIP), such as TidalCyber, OpenCTI or MISP.
  - Benefit: Integrating these files into your TIP allows for enhanced threat intelligence analysis and pivoting. It also lets you see how the user-defined mitigation scores increase once ASR rules are applied, giving a clear view of the improvement in your security posture.
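The two workflows above (building a Navigator heatmap from the mapping, and checking it against a list of techniques you care about) can be scripted directly from the mapping table. The following is an added example, not part of this project's own tooling: it uses a constructed subset of the table, and the Navigator version fields and rule-name-to-ID dictionary are assumptions.

```python
"""Navigator layer + coverage-gap check built from the ASR-to-ATT&CK mapping."""

# Constructed subset of the mapping table above: ASR rule -> ATT&CK technique IDs.
ASR_MAPPING = {
    "Block credential stealing from the Windows local security authority subsystem (lsass.exe)": ["T1003.001"],
    "Block process creations originating from PSExec and WMI commands": ["T1047", "T1569.002", "T1570"],
    "Use advanced protection against ransomware": ["T1486"],
    "Block persistence through WMI event subscription": ["T1546.003"],
    "Block Webshell creation for Servers": ["T1505.003"],
}

def technique_index(mapping):
    """Invert the mapping: technique ID -> sorted list of ASR rules mitigating it."""
    idx = {}
    for rule, techniques in mapping.items():
        for tid in techniques:
            idx.setdefault(tid, []).append(rule)
    return {tid: sorted(rules) for tid, rules in idx.items()}

def build_layer(mapping, name="ASR to ATT&CK coverage"):
    """Navigator layer dict; score = number of ASR rules mitigating the technique."""
    idx = technique_index(mapping)
    techniques = [{"techniqueID": tid, "score": len(rules), "comment": "; ".join(rules)}
                  for tid, rules in sorted(idx.items())]
    return {
        "name": name,
        # Version fields are an assumption for Navigator 4.x; adjust to your instance.
        "versions": {"layer": "4.5", "navigator": "4.9.1"},
        "domain": "enterprise-attack",
        "description": "Techniques mitigated by at least one Microsoft ASR rule",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b032"], "minValue": 0,
                     "maxValue": max((len(r) for r in idx.values()), default=1)},
    }

def coverage_gap(mapping, threat_techniques):
    """Classify techniques of concern as covered (mapped directly), partial (a parent
    technique with at least one mapped sub-technique) or uncovered."""
    idx = technique_index(mapping)
    result = {"covered": [], "partial": [], "uncovered": []}
    for tid in sorted(set(threat_techniques)):
        if tid in idx:
            result["covered"].append(tid)
        elif "." not in tid and any(t.startswith(tid + ".") for t in idx):
            result["partial"].append(tid)
        else:
            result["uncovered"].append(tid)
    return result
```

Write `build_layer(ASR_MAPPING)` out with `json.dump` and open the file in ATT&CK Navigator to get the heatmap; feed `coverage_gap` the technique list from your threat report to see what remains unmitigated. Threat reports often cite parent techniques only, which is why the "partial" bucket exists.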
LinkedIn: Nounou Mbeiri
Twitter: @Nounou Mbeiri