adding dataTypes

Author: osmontero

windows/a_computer_account_was_deleted.yml

@@ -9,6 +9,7 @@
             Make sure to audit the activities of the user or process responsible for the account's deletion."
   category: "Impact"
   tactic: "Data Destruction"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1485/"

windows/a_privileged_service_was_called.yml

@@ -9,6 +9,7 @@
             identify the cause and remediate any potential vulnerabilities or security issues in the system."
   category: "Privilege Escalation"
   tactic: "Access Token Manipulation"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1134/"

windows/acl_was_set_on_accounts_which_are_members_of_administrators_groups.yml

@@ -9,6 +9,7 @@
             take corrective action, revoke unwanted permissions, and restore original ACL settings."
   category: "Privilege Escalation"
   tactic: "Permission Groups Discovery"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1069/"

windows/ad_adminsdholder.yml

@@ -11,6 +11,7 @@
             and strengthen the protection of the AdminSDHolder object."
   category: "Privilege Escalation"
   tactic: "Permission Groups Discovery"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1069/"

windows/adding_the_hidden_file_attribute_with_via_attribexe.yml

@@ -11,6 +11,7 @@
             In case of detecting unauthorized changes, identify and delete hidden files and take measures to prevent malicious actions."
   category: "Defense Evasion"
   tactic: "Hide Artifacts"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1564/"

windows/admin_account_was_added_to_admins_group.yml

@@ -10,6 +10,7 @@
             Also, review the security of the environment and reinforce the access and control policies over the administrators group to prevent unauthorized changes."
   category: "Privilege Escalation"
   tactic: "Domain Policy Modification"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0004"
     - "https://attack.mitre.org/techniques/T1484/"

windows/admin_account_was_removed.yml

@@ -9,6 +9,7 @@
             Additionally, review and enforce security of the environment to prevent unauthorized changes to administrator group membership and limit access to administrator accounts to authorized users only."
   category: "Impact"
   tactic: "Account Access Removal"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1531/"

windows/admin_account_was_removed_from_admins_group.yml

@@ -9,6 +9,7 @@
             Also, review and enforce the security of the environment to prevent unauthorized changes to the membership of the administrators group."
   category: "Impact"
   tactic: "Account Access Removal"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1531/"

windows/admin_group_was_changed.yml

@@ -10,6 +10,7 @@
         Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to"
   category: "Potentially Compromised System"
   tactic: "Domain Policy Modification"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/techniques/T1484"
   frequency: 60

windows/admin_group_was_removed.yml

@@ -9,6 +9,7 @@
             Additionally, review and enforce security of the environment to prevent unauthorized changes to administrator group membership and limit access to administrator accounts to authorized users only."
   category: "Impact"
   tactic: "Account Access Removal"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1531/"

windows/an_attempt_was_made_to_reset_an_account's_password.yml

@@ -9,6 +9,7 @@
             such as locking the affected account and reviewing security logs for any other unusual activity."
   category: "Credential Access"
   tactic: "Use Alternate Authentication Material"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1550/"

windows/an_attempt_was_made_to_set_the_DSRM.yml

@@ -11,6 +11,7 @@
              the Active Directory database, and reboot the server without leaving any trace of the activity"
   category: "Collection"
   tactic: "Data from Local System"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0009/"
     - "https://attack.mitre.org/techniques/T1005"

windows/anomalous_logon_sessions.yml

@@ -9,6 +9,7 @@
             Keep a continuous watch on type 9 logins and other related events to detect anomalous patterns. 
             If you determine that the login is malicious or unauthorized, revoke the associated credentials and take appropriate corrective action to safeguard system security."
   category: "Credential Access"
+  dataTypes: ["wineventlog"]
   tactic: ""
   reference: 
     - "https://attack.mitre.org/tactics/TA0006/"

windows/antimalware_engine_encountered_an_error_and_failed.yml

@@ -11,6 +11,7 @@
             Restoring the anti-malware engine to maintain effective protection against security threats is essential."
   category: "Defense Evasion"
   tactic: "Impair Defenses"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/"

windows/antimalware_engine_found_malware_or_other_potentially_unwanted_software.yml

@@ -9,6 +9,7 @@
             In addition, it is essential to keep your virus definitions and anti-malware engine up to date to ensure continuous and effective protection against future threats."
   category: "Execution"
   tactic: "Event Triggered Execution"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0002/"
     - "https://attack.mitre.org/techniques/T1546/"

windows/antimalware_engine_no_longer_supports_this_operating_system.yml

@@ -10,6 +10,7 @@
             Also, be sure to keep your security software, including virus definitions and anti-malware engine, up-to-date to ensure continuous and effective protection against security threats."
   category: "Defense Evasion"
   tactic: "Impair Defenses"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/"

windows/antimalware_platform_failed_performing_an_action_to_protect_you_from_potentially_unwanted_software.yml

@@ -8,6 +8,7 @@
             Take the necessary steps to resolve the failure, which may include updating security software, correcting misconfigurations, or applying patches. It is important to ensure that the anti-malware platform is working properly to ensure continuous and effective protection against potentially unwanted software."
   category: "Defense Evasion"
   tactic: "Impair Defenses"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/"

windows/antimalware_platform_is_expired_due_to_error.yml

@@ -11,6 +11,7 @@
             It is important to ensure that you keep your virus definitions and anti-malware engine up to date, as well as resolve any issues that may affect the proper functioning of the security platform."
   category: "Defense Evasion"
   tactic: "Impair Defenses"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/"

windows/antivirus_scanning_for_virus_malware_and_other_potentially_unwanted_software_is_disabled.yml

@@ -8,6 +8,7 @@
             If it is determined that the deactivation was inappropriate or malicious, reactivate Windows Defender protection and take the necessary corrective actions to strengthen the security of the system."
   category: "Defense Evasion"
   tactic: "Impair Defenses"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/"

windows/attemp_winrar_or_7z_encryption.yml

@@ -13,6 +13,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Collection"
   tactic: "Archive Collected Data"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0009/"
     - "https://attack.mitre.org/techniques/T1560/"

windows/audit_log_was_cleared.yml

@@ -9,6 +9,7 @@
         to limit access by potentially unnecessary protocols and services, such as SMB file sharing."
   category: "Potentially Malicious Activity"
   tactic: "Account Manipulation: SSH Authorized Keys"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/techniques/T1098/004/"
   frequency: 60

windows/audit_policy_change.yml

@@ -14,6 +14,7 @@
             It is important to track audit policy changes to ensure effective control of system security."
   category: "Defense Evasion"
   tactic: "Impair Defenses"
+  dataTypes: ["wineventlog"]
   reference: 
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/"

windows/bruteforce_attack.yml

@@ -10,6 +10,7 @@
             Early detection and rapid response are key to protecting the system against potential malicious attacks."
   category: "Credential Access"
   tactic: "Brute Force"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1110/"

windows/bruteforce_multiple_logon_failure_followed_by_success.yml

@@ -10,6 +10,7 @@
             Early detection and rapid response can help prevent brute force attacks and protect the system against potential unauthorized access."
   category: "Credential Access"
   tactic: "Brute Force"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1110/"

windows/clearing_windows_console_history.yml

@@ -12,6 +12,7 @@
       Ensure PowerShell audit policies and log collection are in place to provide future visibility."
   category: "Defense Evasion"
   tactic: "Clear Command History"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1070/003/"

windows/clearing_windows_event_logs.yml

@@ -13,6 +13,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Defense Evasion"
   tactic: "Clear Windows Event Logs"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1070/001/"

windows/command_shell_started_by_unusual_process.yml

@@ -8,6 +8,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Execution"
   tactic: "Command and Scripting Interpreter"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0002/"
     - "https://attack.mitre.org/techniques/T1059/"

windows/command_shell_via_rundll32.yml

@@ -13,6 +13,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Execution"
   tactic: "Command and Scripting Interpreter"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0002/"
     - "https://attack.mitre.org/techniques/T1059/"

windows/copy_ntds_sam_volshadowcp_cmdline.yml

@@ -13,6 +13,7 @@
       Determine the initial vector abused by the attacker and take measures to avoid reinfection through the same vector."
   category: "Credential Access"
   tactic: "Security Account Manager"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1003/"

windows/credential_access_via_snapshot_lsass_clone_creation.yml

@@ -13,6 +13,7 @@
       Determine the initial vector abused by the attacker and take measures to avoid reinfection through the same vector."
   category: "Credential Access"
   tactic: "LSASS Memory"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1003/001/"

windows/credential_dumping_msbuild.yml

@@ -15,6 +15,7 @@
       Determine the initial vector abused by the attacker and take measures to avoid reinfection through the same vector."
   category: "Credential Access"
   tactic: "OS Credential Dumping"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1003/"

windows/credroaming_ldap.yml

@@ -14,6 +14,7 @@
       Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components."
   category: "Privilege Escalation"
   tactic: "Exploitation for Privilege Escalation"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1068/"

windows/critical_event.yml

@@ -8,6 +8,7 @@
             applying patches, adjusting settings, implementing mitigation measures, or responding to incidents as necessary."
   category: ""
   tactic: ""
+  dataTypes: ["wineventlog"]
   reference: 
     - ""
   frequency: 60

windows/dcsync_replication_rights.yml

@@ -12,6 +12,7 @@
       Determine the initial vector abused by the attacker and take measures to avoid reinfection through the same vector."
   category: "Credential Access"
   tactic: "DCSync"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1003/"

windows/defender_exclusion_via_powershell.yml

@@ -14,6 +14,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Defense Evasion"
   tactic: "Impair Defenses"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/"

windows/defense_evasion_from_unusual_directory.yml

@@ -16,6 +16,7 @@
       block the email sender from sending future emails, block malicious web pages, remove sender emails from mailboxes."
   category: "Defense Evasion"
   tactic: "Masquerading"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1036/"

windows/defense_evasion_via_filter_manager.yml

@@ -13,6 +13,7 @@
       Review the privileges assigned to the user to ensure that the least privilege principle is being followed."
   category: "Defense Evasion"
   tactic: "Disable or Modify Tools"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/001/"

windows/delete_volume_usn_journal_with_fsutil.yml

@@ -14,6 +14,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Defense Evasion"
   tactic: "File Deletion"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1070/004/"

windows/deleting_backup_catalogs_with_wbadmin.yml

@@ -13,6 +13,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Impact"
   tactic: "Inhibit System Recovery"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1490/"

windows/detection_of_possible_keylogging.yml

@@ -11,6 +11,7 @@
       Determine the initial vector abused by the attacker and take steps to prevent re-infection via the same vector."
   category: "Collection"
   tactic: "Keylogging"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0009/"
     - "https://attack.mitre.org/techniques/T1056/"

windows/disable_kerberos_preauth.yml

@@ -11,6 +11,7 @@
       identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services."
   category: "Credential Access"
   tactic: "AS-REP Roasting"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1558/"

windows/disable_windows_firewall_rules_with_netsh.yml

@@ -9,6 +9,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Defense Evasion"
   tactic: "Disable or Modify System Firewall"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/004/"

windows/disabling_windows_defender_powershell.yml

@@ -12,6 +12,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Defense Evasion"
   tactic: "Disable or Modify Tools"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1562/001/"

windows/domain_Policy_was_changed.yml

@@ -11,6 +11,7 @@
             and conducting additional investigation to identify and mitigate any potential threats."
   category: "Privilege Escalation"
   tactic: "Domain Policy Modification"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1484/"

windows/domain_admins_group_changed.yml

@@ -10,6 +10,7 @@
         Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to"
   category: "Privilege Escalation"
   tactic: "Domain Policy Modification"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1484/"

windows/domain_controllers_group_changed.yml

@@ -10,6 +10,7 @@
         Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to"
   category: "Privilege Escalation"
   tactic: "Domain Policy Modification"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1484/"

windows/domain_guests_group_changed.yml

@@ -10,6 +10,7 @@
         Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to"
   category: "Privilege Escalation"
   tactic: "Domain Policy Modification"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0004/"
     - "https://attack.mitre.org/techniques/T1484/"

windows/dotnet_compiler_parent_process.yml

@@ -6,6 +6,7 @@
   solution: "We recommend isolating affected hosts and going offline in case of major problems"
   category: "Defense Evasion"
   tactic: "Obfuscated Files or Information"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0005/"
     - "https://attack.mitre.org/techniques/T1027/"

windows/dump_registry_hives.yml

@@ -11,6 +11,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Credential Access"
   tactic: "Security Account Manager"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0006/"
     - "https://attack.mitre.org/techniques/T1003/"

windows/email_powershell_exchange_mailbox.yml

@@ -10,6 +10,7 @@
         Review the privileges of users with the mailbox import and export privilege to ensure that the principle of least privilege is followed."
   category: "Colection"
   tactic: "Data from Local System"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0009/"
     - "https://attack.mitre.org/techniques/T1005/"