nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc_elastic_rules/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

@@ -0,0 +1,198 @@
+[metadata]
+creation_date = "2025/12/01"
+integration = ["aws", "gcp", "azure"]
+maturity = "production"
+updated_date = "2025/12/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source
+address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt
+to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid
+succession to expand their access or exfiltrate sensitive information.
+"""
+from = "now-9m"
+interval = "5m"
+language = "esql"
+license = "Elastic License v2"
+name = "Multiple Cloud Secrets Accessed by Source Address"
+note = """## Triage and analysis
+
+### Multiple Cloud Secrets Accessed by Source Address
+
+This alert identifies a single source IP address accessing secret-management APIs across **multiple cloud providers**
+(e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) within a short timeframe.
+This behavior is strongly associated with **credential theft, session hijacking, or token replay**, where an adversary
+uses stolen authenticated sessions to harvest secrets across cloud environments.
+
+Unexpected cross-cloud secret retrieval is uncommon and typically indicates automation misuse or malicious activity.
+
+### Possible investigation steps
+
+- Validate the principal
+  - Identify the user, service account, workload identity, or application making the requests.
+  - Confirm whether this identity is expected to operate across more than one cloud provider.
+- Review related activity
+  - Look for additional alerts involving the same identity, source IP, or token over the last 24–48 hours.
+  - Identify whether the source IP has been observed performing unusual authentication, privilege escalation,
+    or reconnaissance.
+- Check application or service context
+  - Determine whether any workload legitimately pulls secrets from multiple cloud providers.
+  - Review deployment pipelines or integration layers that might legitimately bridge AWS, Azure, and GCP.
+- Analyze user agent and invocation patterns
+  - Compare `user_agent.original` or equivalent fields against expected SDKs or automation tools.
+  - Suspicious indicators include CLI tools, unknown libraries, browser user agents, or custom scripts.
+- Inspect IP reputation and origin
+  - Determine whether the source IP corresponds to a managed workload (EC2, GCE, Azure VM) or an unexpected host.
+  - Validate that the associated instance or host is under your control and behaving normally.
+- Review IAM permissions and accessed secrets
+  - Check the policies attached to the identity.
+  - Verify whether the accessed secrets are sensitive, unused, or unrelated to the identity’s purpose.
+- Assess potential compromise scope
+  - If compromise is suspected, enumerate other assets accessed by the same identity in the last 24 hours.
+  - Look for lateral movement, privilege escalation, or abnormal API usage.
+
+### False positive analysis
+
+- Validate whether the source IP is associated with a legitimate multi-cloud orchestration tool, automation pipeline,
+  or shared CI/CD system.
+- Confirm that the identity is authorized to access secrets across multiple cloud services.
+- If activity is expected, consider adding exceptions that pair account identity, source IP, and expected user agent
+  to reduce noise.
+
+### Response and remediation
+
+- Initiate incident response** if the activity is unauthorized or suspicious.
+- Restrict or disable** the affected credentials or service accounts.
+- Rotate all accessed secrets** and review other secrets the identity can access.
+- Analyze systems** that may have leaked credentials, such as compromised hosts or exposed tokens.
+- Harden identity security:
+  - Enforce MFA for users where applicable.
+  - Reduce permissions to least privilege.
+  - Review trust relationships, workload identities, and cross-cloud integrations.
+- Search for persistence mechanisms** such as newly created keys, roles, or service accounts.
+- Improve monitoring and audit visibility** by ensuring logging is enabled across all cloud environments.
+- Determine root cause** (phishing, malware, token replay, exposed credential, etc.) and close the vector to prevent recurrence.
+"""
+references = [
+    "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+    "https://docs.cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version",
+    "https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets",
+    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+]
+risk_score = 73
+rule_id = "472b4944-d810-43cf-83dc-7d080ae1b8dd"
+setup = """
+This multi-datasource rule relies on additional configurations from each hyperscaler.
+
+- GCP Audit: [Enable DATA_READ for the Secret Manager API service](https://docs.cloud.google.com/logging/docs/audit/configure-data-access)
+- Azure: [Enable Diagnostic Logging for the Key Vault Service](https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli)
+- AWS: Secrets Manager read access is automatically logged by CloudTrail.
+"""
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Domain: IAM",
+    "Domain: Storage",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS Secrets Manager",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Data Source: GCP",
+    "Data Source: Google Cloud Platform",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index
+| WHERE 
+  ( 
+    /* AWS Secrets Manager */ 
+    (event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR 
+    // Azure Key Vault (platform logs)
+    (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or 
+    /* Azure Key Vault (activity logs) */ 
+    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR 
+    /* Azure Managed HSM secret */ 
+    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR 
+    /* Google Secret Manager */ 
+    (event.dataset IN ("googlecloud.audit", "gcp.audit") AND 
+     event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
+   ) AND source.ip IS NOT NULL
+// Unified user identity (raw)
+| EVAL Esql_priv.user_id =
+    COALESCE(
+      client.user.id,
+      aws.cloudtrail.user_identity.arn,
+      azure.platformlogs.identity.claim.upn,
+      NULL
+    )
+// Cloud vendor label based on dataset
+| EVAL Esql.cloud_vendor = CASE(
+    event.dataset == "aws.cloudtrail", "aws",
+    event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
+    event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
+    "unknown"
+  )
+// Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
+| EVAL Esql.tenant_label = CASE(
+    Esql.cloud_vendor == "aws", CONCAT("aws:", cloud.account.id),
+    Esql.cloud_vendor == "azure", CONCAT("azure:", cloud.account.id),
+    Esql.cloud_vendor == "gcp", CONCAT("gcp:", cloud.account.id),
+    NULL
+  )
+| STATS
+    // Core counts
+    Esql.events_count = COUNT(*),
+    Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
+    // Action & data source context
+    Esql.event_action_values = VALUES(event.action),
+    Esql.data_source_values = VALUES(event.dataset),
+    // Cloud vendor + tenant context
+    Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
+    Esql.tenant_label_values = VALUES(Esql.tenant_label),
+    // Hyperscaler-specific IDs
+    Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == "aws", cloud.account.id, NULL)),
+    Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == "azure", cloud.account.id, NULL)),
+    Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, NULL)),
+    // Generic cloud metadata
+    Esql.cloud_region_values = VALUES(cloud.region),
+    Esql.cloud_service_name_values = VALUES(cloud.service.name),
+    // Identity (privileged)
+    Esql_priv.user_values = VALUES(Esql_priv.user_id),
+    Esql_priv.client_user_id_values = VALUES(client.user.id),
+    Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
+    Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),
+    // Namespace values
+    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
+  BY source.ip
+// Require multi-vendor cred-access from same source IP
+| WHERE Esql.vendor_count_distinct >= 2
+| SORT Esql.events_count DESC
+| KEEP Esql.*, Esql_priv.*, source.ip
+'''
+
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.006"
+name = "Cloud Secrets Management Stores"
+reference = "https://attack.mitre.org/techniques/T1555/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

nldcsc_elastic_rules/rules/cross-platform/credential_access_trufflehog_execution.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/25"
+updated_date = "2025/11/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,19 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*"]
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Credential Access via TruffleHog Execution"
@@ -58,9 +70,9 @@ references = [
     "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
     "https://socket.dev/blog/shai-hulud-strikes-again-v2",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "47595dea-452b-4d37-b82d-6dd691325139"
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -68,7 +80,14 @@ tags = [
     "OS: macOS",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
+    "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Data Source: Auditd Manager",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"

nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_config_modification.toml

@@ -0,0 +1,120 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/12/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server
+configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts
+directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that
+abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute
+arbitrary commands when the AI tool is next invoked.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.file*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Process Modifying GenAI Configuration File"
+note = """## Triage and analysis
+
+### Investigating Unusual Process Modifying GenAI Configuration File
+
+Configuration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities. 
+
+### Possible investigation steps
+
+- Identify the process that modified the configuration file and determine if it's expected (GenAI tool, installer, user action) or suspicious (unknown script, malware).
+- If the modifying process is NOT a GenAI tool, investigate its origin, parent process tree, and whether it was downloaded or executed from a suspicious location.
+- If a GenAI tool made the modification, check recent user prompts or agent activity that may have triggered the config change via prompt injection.
+- Review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions.
+- Examine the process command line and parent process tree to identify how the modifying process was invoked.
+- Check for other file modifications by the same process around the same time, particularly to other GenAI configs or startup scripts.
+- Investigate whether the GenAI tool subsequently connected to unknown domains or spawned unusual child processes after the config change.
+
+### False positive analysis
+
+- Novel but legitimate configuration changes will trigger this rule when the process/file combination hasn't been seen in 7 days. Review the modified file content to determine legitimacy.
+- GenAI tool updates may modify config files in new ways; correlate with recent software updates.
+- IDE extensions integrating with GenAI tools may modify configs as part of initial setup.
+
+### Response and remediation
+
+- Review the modified configuration file and revert any unauthorized changes to MCP servers, plugins, or agent settings.
+- If malicious MCP servers were added, block the associated domains at the network level.
+- Review and rotate any API keys or credentials that may have been exposed through the compromised GenAI configuration.
+"""
+references = [
+    "https://modelcontextprotocol.io/",
+    "https://www.cybereason.com/blog/security-research/weaponized-ai-how-cybercriminals-exploit-mcp-for-account-takeover",
+    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "590fc62d-7386-4c75-92b0-af4517018da1"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Persistence",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+    "Domain: LLM",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category : "file" and event.action : ("modification" or "overwrite") and
+file.path : (
+    */.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or
+    */.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or
+    */.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or
+    */.ollama/config* or */AppData/Local/Ollama/* or
+    */.codex/* or */AppData/Roaming/Codex/* or
+    */.gemini/* or */AppData/Roaming/gemini-cli/* or
+    */.grok/* or */AppData/Roaming/Grok/* or
+    */.windsurf/* or */AppData/Roaming/Windsurf/* or
+    */.vscode/extensions/*mcp*
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Host Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
+

nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml

@@ -0,0 +1,158 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"]
+maturity = "production"
+updated_date = "2025/12/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when GenAI tools spawn compilers or packaging tools to generate executables. Attackers leverage local LLMs to
+autonomously generate and compile malware, droppers, or implants. Python packaging tools (pyinstaller, nuitka, pyarmor)
+are particularly high-risk as they create standalone executables that can be deployed without dependencies. This rule
+focuses on compilation activity that produces output binaries, filtering out inspection-only operations.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.process-*",
+    "logs-windows.sysmon_operational-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-auditd_manager.auditd-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "GenAI Process Compiling or Generating Executables"
+note = """## Triage and analysis
+
+### Investigating GenAI Process Compiling or Generating Executables
+
+This rule detects GenAI tools spawning compilers or packaging tools. While developers may use GenAI to write code that they then compile, autonomous compilation by GenAI processes is unusual.
+
+### Possible investigation steps
+
+- Review the GenAI process that spawned the compiler to identify which tool is running and verify if it's an expected/authorized tool.
+- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
+- Review the output files created by the compilation process to identify any malicious executables.
+- Check for other alerts or suspicious activity on the same host around the same time.
+- Verify if the GenAI tool is from a trusted source and if it's authorized for use in your environment.
+- Identify whether the generated executables appear in temporary directories often used for malware staging (`%TEMP%`, `/tmp`, `.cache`).
+- Inspect the compiled artifacts for networking imports, credential harvesting functionality, or persistence mechanisms.
+
+### False positive analysis
+
+- Legitimate development workflows that use GenAI tools for code generation may trigger this rule if they compile the generated code.
+- Some GenAI-assisted coding IDEs (Cursor, Copilot Workspace) may run compilation tasks when testing code; confirm whether the behavior is tied to developer workflow.
+
+### Response and remediation
+
+- Terminate the GenAI process and any spawned compiler processes to stop the malicious activity.
+- Investigate the compiled executables to determine if they are malicious.
+- Review audit logs to determine the scope of compilation activity and identify any executables that may have been created.
+- Quarantine any compiled binaries; submit suspicious artifacts to sandbox or malware analysis.
+"""
+references = [
+    "https://atlas.mitre.org/techniques/AML.T0053",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "b2c3d4e5-f6a7-8901-bcde-f123456789ab"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Auditd Manager",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Resources: Investigation Guide",
+    "Domain: LLM",
+    "Mitre Atlas: T0053",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+
+  // GenAI parent process
+  (
+    process.parent.name in (
+      "ollama.exe", "ollama", "Ollama",
+      "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
+      "lmstudio.exe", "lmstudio", "LM Studio",
+      "claude.exe", "claude", "Claude",
+      "cursor.exe", "cursor", "Cursor", "Cursor Helper", "Cursor Helper (Plugin)",
+      "copilot.exe", "copilot", "Copilot",
+      "codex.exe", "codex",
+      "Jan", "jan.exe", "jan", "Jan Helper",
+      "gpt4all.exe", "gpt4all", "GPT4All",
+      "gemini-cli.exe", "gemini-cli",
+      "genaiscript.exe", "genaiscript",
+      "grok.exe", "grok",
+      "qwen.exe", "qwen",
+      "koboldcpp.exe", "koboldcpp", "KoboldCpp",
+      "llama-server", "llama-cli"
+    ) or
+    
+    // Node/Deno with GenAI frameworks
+    (process.parent.name in ("node.exe", "node", "deno.exe", "deno") and
+     process.parent.command_line like~ ("*mcp-server*", "*@modelcontextprotocol*", "*langchain*", "*autogpt*", "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*")) or
+    
+    // Python with GenAI frameworks
+    (process.parent.name like~ "python*" and
+     process.parent.command_line like~ ("*langchain*", "*autogpt*", "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*"))
+  ) and
+
+  // Compilation tools
+  (
+    // Python packaging
+    process.name in ("pyinstaller", "py2exe", "cx_Freeze", "nuitka", "pyarmor", "pkg") or
+    
+    // C/C++ compilation with output
+    (process.name in ("gcc", "g++", "clang", "clang++", "cl.exe") and
+     process.command_line like~ "*-o *" and
+     process.command_line like~ ("*.c *", "*.c", "*.cpp *", "*.cpp", "*.cc *", "*.cc", "*.m *", "*.m") and
+     not process.command_line like~ "*git*") or
+    
+    // Go compilation
+    (process.name == "go" and process.args == "build") or
+    
+    // Rust compilation
+    (process.name == "cargo" and process.args == "build") or
+    (process.name == "rustc" and process.command_line like~ "*-o *") or
+    
+    // .NET compilation
+    process.name in ("csc.exe", "vbc.exe", "msbuild.exe") or
+    (process.name == "dotnet" and process.args == "build") or
+    
+    // Java compilation
+    process.name == "javac"
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.004"
+name = "Compile After Delivery"
+reference = "https://attack.mitre.org/techniques/T1027/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+