Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate.

TechniqueId TechniqueName New T1483 Domain Generation Algorithms T1568 T1064 Scripting T1059 T1043 Commonly Used Port T1071 T1065 Uncommonly Used Port T1571 T1100 Web Shell T1505 T1089 Disabling Security Tools T1562 T1035 Service Execution ( Removed totally T1035 without replacement) T1109 Component Firmware T1542 T10178 T1078
2021-08-12 10:58:18 -07:00 · 2021-08-12 10:58:18 -07:00 · 16fe6108dd
--- a/Detections/ASimDNS/imDNS_Miners.yaml
+++ b/Detections/ASimDNS/imDNS_Miners.yaml
@ -10,10 +10,8 @@ queryPeriod: 1d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Execution
  - Impact
 relevantTechniques:
-  - T1035
  - T1496
 tags:
  - Id: 0d76e9cf-788d-4a69-ac7d-f234826b5bed
--- a/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
+++ b/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
@ -12,7 +12,7 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
 tags:
  - Id: b8266f81-2715-41a6-9062-42486cbc9c73
--- a/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml
+++ b/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml
@ -21,8 +21,8 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1043
-  - T1065
+  - T1071
+  - T1571
 query: |

    let starttime = 1d;
--- a/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml
+++ b/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml
@ -39,7 +39,7 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1483
+  - T1568
 query: |

    let triThreshold = 500;
--- a/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
+++ b/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
@ -18,8 +18,8 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1043
-  - T1065
+  - T1071
+  - T1571
 query: |

  let starttime = 2d;
--- a/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml
+++ b/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml
@ -16,7 +16,7 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
 query: |

--- a/Detections/DnsEvents/DNS_Miners.yaml
+++ b/Detections/DnsEvents/DNS_Miners.yaml
@ -12,10 +12,8 @@ queryPeriod: 1d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Execution
  - Impact
 relevantTechniques:
-  - T1035
  - T1496
 query: |

--- a/Detections/GitHub/Two
+++ b/Detections/GitHub/Two
@ -11,7 +11,7 @@ triggerThreshold: 0
 tactics:
  - DefenseEvasion
 relevantTechniques:
-  - T1089
+  - T1562
 query: |

  GitHubAudit
--- a/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
+++ b/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
@ -14,7 +14,7 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
 query: |

--- a/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml
+++ b/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml
@ -37,7 +37,7 @@ tactics:
  - CommandAndControl
  - InitialAccess
 relevantTechniques:
-  - T1043
+  - T1071
  - T1566
 query: |

--- a/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml
+++ b/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml
@ -33,7 +33,7 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1043
+  - T1071
 query: |

  let DomainNames = dynamic(["yahoo-verification.org","support-servics.com","verification-live.com","com-mailbox.com","com-myaccuants.com","notification-accountservice.com",
--- a/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml
+++ b/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml
@ -30,7 +30,7 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1043
+  - T1071
 query: |
  let DomainNames = dynamic(["irf.services","microsoft-onthehub.com","msofficelab.com","com-mailbox.com","my-sharefile.com","my-sharepoints.com",
  "accounts-web-mail.com","customer-certificate.com","session-users-activities.com","user-profile-credentials.com","verify-linke.com","support-servics.net",
--- a/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
+++ b/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
@ -15,7 +15,7 @@ triggerThreshold: 0
 tactics:
  - DefenseEvasion
 relevantTechniques:
-  - T1089
+  - T1562
 query: |

  OfficeActivity
--- a/Detections/OfficeActivity/office_policytampering.yaml
+++ b/Detections/OfficeActivity/office_policytampering.yaml
@ -18,7 +18,7 @@ tactics:
  - DefenseEvasion
 relevantTechniques:
  - T1098
-  - T1089
+  - T1562
 query: |
  let opList = OfficeActivity 
  | summarize by Operation
--- a/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml
+++ b/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml
@ -20,7 +20,7 @@ triggerThreshold: 0
 tactics:
  - Execution
 relevantTechniques:
-  - T1064
+  - T1059
 query: |

  let starttime = 14d;
--- a/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml
+++ b/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml
@ -20,7 +20,7 @@ triggerThreshold: 0
 tactics:
  - Persistence
 relevantTechniques:
-  - T1100
+  - T1505
 query: |

  let alertTimeWindow = 1h;
--- a/Detections/W3CIISLog/Supernovawebshell.yaml
+++ b/Detections/W3CIISLog/Supernovawebshell.yaml
@ -17,7 +17,7 @@ tactics:
  - Persistence
  - PrivilegeEscalation
 relevantTechniques:
-  - T1100
+  - T1505
 query: |

  W3CIISLog
--- a/Queries/AzureActivity/PortOpenedForAzureResource.yaml
+++ b/Queries/AzureActivity/PortOpenedForAzureResource.yaml
@ -10,8 +10,8 @@ tactics:
  - CommandAndControl
  - Impact
 relevantTechniques:
-  - T1043
-  - T1065
+  - T1071
+  - T1571
  - T1496
 query: |

--- a/Queries/AzureActivity/Rare_Custom_Script_Extension.yaml
+++ b/Queries/AzureActivity/Rare_Custom_Script_Extension.yaml
@ -11,7 +11,7 @@ requiredDataConnectors:
 tactics:
  - Execution
 relevantTechniques:
-  - T1064
+  - T1059
 query: |

  let starttime = todatetime('{{StartTimeISO}}');
--- a/Queries/AzureDevOpsAuditing/AAD
+++ b/Queries/AzureDevOpsAuditing/AAD
@ -11,7 +11,7 @@ tactics:
  - DefenseEvasion
 relevantTechniques:
  - T1098
-  - T1089
+  - T1562
 query: |
  AzureDevOpsAuditing
  | where OperationName =="OrganizationPolicy.PolicyValueUpdated"
--- a/Queries/AzureDevOpsAuditing/Addtional
+++ b/Queries/AzureDevOpsAuditing/Addtional
@ -11,7 +11,7 @@ tactics:
  - DefenseEvasion
 relevantTechniques:
  - T1098
-  - T1089
+  - T1562
 query: |
  AzureDevOpsAuditing
  | where OperationName == "Group.UpdateGroupMembership.Add"
--- a/Queries/AzureDevOpsAuditing/Guest
+++ b/Queries/AzureDevOpsAuditing/Guest
@ -11,7 +11,7 @@ tactics:
  - DefenseEvasion
 relevantTechniques:
  - T1098
-  - T1089
+  - T1562
 query: |
  AzureDevOpsAuditing
  | where OperationName =="OrganizationPolicy.PolicyValueUpdated"
--- a/Queries/AzureDevOpsAuditing/Public
+++ b/Queries/AzureDevOpsAuditing/Public
@ -11,7 +11,7 @@ tactics:
  - DefenseEvasion
 relevantTechniques:
  - T1098
-  - T1089
+  - T1562
 query: |
  AzureDevOpsAuditing
  | where OperationName == "OrganizationPolicy.PolicyValueUpdated"
--- a/Queries/AzureDevOpsAuditing/Public
+++ b/Queries/AzureDevOpsAuditing/Public
@ -11,7 +11,7 @@ tactics:
  - DefenseEvasion
 relevantTechniques:
  - T1098
-  - T1089
+  - T1562
 query: |
  AzureDevOpsAuditing
  | where Data.ProjectVisibility == "Public"
--- a/Queries/DnsEvents/DNS_CommonlyAbusedTLDs.yaml
+++ b/Queries/DnsEvents/DNS_CommonlyAbusedTLDs.yaml
@ -13,7 +13,7 @@ tactics:
  - CommandAndControl
  - Exfiltration
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
  - T1048
 query: |
--- a/Queries/DnsEvents/DNS_DomainAnomalousLookupIncrease.yaml
+++ b/Queries/DnsEvents/DNS_DomainAnomalousLookupIncrease.yaml
@ -14,7 +14,7 @@ tactics:
  - CommandAndControl
  - Exfiltration
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
  - T1048
 query: |
--- a/Queries/DnsEvents/DNS_FullNameAnomalousLookupIncrease.yaml
+++ b/Queries/DnsEvents/DNS_FullNameAnomalousLookupIncrease.yaml
@ -12,7 +12,7 @@ tactics:
  - CommandAndControl
  - Exfiltration
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
  - T1048
 query: |
--- a/Queries/DnsEvents/DNS_HighPercentNXDomainCount.yaml
+++ b/Queries/DnsEvents/DNS_HighPercentNXDomainCount.yaml
@ -15,7 +15,7 @@ triggerThreshold: 0
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
 query: |

--- a/Queries/DnsEvents/DNS_LongURILookup.yaml
+++ b/Queries/DnsEvents/DNS_LongURILookup.yaml
@ -14,7 +14,7 @@ tactics:
  - CommandAndControl
  - Exfiltration
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
  - T1048
 query: |
--- a/Queries/DnsEvents/DNS_WannaCry.yaml
+++ b/Queries/DnsEvents/DNS_WannaCry.yaml
@ -9,10 +9,8 @@ requiredDataConnectors:
    dataTypes:
      - DnsEvents
 tactics:
-  - Execution
  - Impact
 relevantTechniques:
-  - T1035
  - T1496
 query: |

--- a/Queries/GitHub/Oauth
+++ b/Queries/GitHub/Oauth
@ -7,8 +7,8 @@ tactics:
  - Persistence
  - DefenseEvasion
 relevantTechniques:
-  - T1100
-  - T1089
+  - T1505
+  - T1562
 query: |

  GitHubAudit
--- a/Queries/GitHub/Org
+++ b/Queries/GitHub/Org
@ -8,7 +8,7 @@ tactics:
  - DefenseEvasion
 relevantTechniques:
  - T1098
-  - T1089
+  - T1562
 query: |

  GitHubAudit
--- a/Queries/GitHub/User
+++ b/Queries/GitHub/User
@ -8,7 +8,7 @@ tactics:
  - PrivilegeEscalation 
 relevantTechniques:
  - T1098
-  - T10178
+  - T1078
 query: |

  GitHubAudit
--- a/Queries/MultipleDataSources/CobaltDNSBeacon.yaml
+++ b/Queries/MultipleDataSources/CobaltDNSBeacon.yaml
@ -14,7 +14,7 @@ requiredDataConnectors:
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
 query: |

--- a/Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml
+++ b/Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml
@ -21,7 +21,7 @@ tactics:
  - CommandAndControl
  - Exfiltration
 relevantTechniques:
-  - T1043
+  - T1071
  - T1048
 query: |

--- a/Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml
+++ b/Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml
@ -18,7 +18,7 @@ requiredDataConnectors:
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1043
+  - T1071
 query: |

  let STRONTIUM_IPS = dynamic(["82.118.242.171" , "167.114.153.55" , "94.237.37.28", "31.220.61.251" , "128.199.199.187" ]);
--- a/Queries/Syslog/squid_abused_tlds.yaml
+++ b/Queries/Syslog/squid_abused_tlds.yaml
@ -11,7 +11,7 @@ requiredDataConnectors:
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1483
+  - T1568
  - T1008
 query: |

--- a/Queries/Syslog/squid_volume_anomalies.yaml
+++ b/Queries/Syslog/squid_volume_anomalies.yaml
@ -12,7 +12,7 @@ tactics:
  - CommandAndControl
  - Exfiltration
 relevantTechniques:
-  - T1043
+  - T1071
  - T1030
 query: |

--- a/Queries/W3CIISLog/PotentialWebshell.yaml
+++ b/Queries/W3CIISLog/PotentialWebshell.yaml
@ -14,7 +14,7 @@ tactics:
  - Persistence
  - PrivilegeEscalation
 relevantTechniques:
-  - T1100
+  - T1505
 query: | 

  let command = "(?i)net(1)?(.exe)?(%20){1,}user|cmd(.exe)?(%20){1,}/c(%20){1,}";
--- a/Queries/W3CIISLog/WebShellActivity.yaml
+++ b/Queries/W3CIISLog/WebShellActivity.yaml
@ -14,7 +14,7 @@ tactics:
  - Persistence
  - InitialAccess
 relevantTechniques:
-  - T1100
+  - T1505
 query: |

  let starttime = todatetime('{{StartTimeISO}}');
--- a/Queries/WireData/WireDataBeacon.yaml
+++ b/Queries/WireData/WireDataBeacon.yaml
@ -14,8 +14,8 @@ requiredDataConnectors:
 tactics:
  - CommandAndControl
 relevantTechniques:
-  - T1043
-  - T1065
+  - T1071
+  - T1571
 query: |

  let lookback = 1d;
--- a/Queries/ZoomLogs/HighCPURoom.yaml
+++ b/Queries/ZoomLogs/HighCPURoom.yaml
@ -7,7 +7,7 @@ tactics:
  - DefenseEvasion
  - Persistence
 relevantTechniques:
-  - T1109
+  - T1542
 query: |

  ZoomLogs