// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

package google.cloud.securitycenter.v1;

// Code-generation options for each target language. This package is a
// published API surface, so these package/namespace names are part of the
// compatibility contract for downstream clients and should not be changed.
option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
option java_multiple_files = true;
option java_outer_classname = "MitreAttackProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";
// MITRE ATT&CK tactics and techniques associated with a Security Command
// Center finding. The identifiers in the comments below (TA…, T…) are the
// ATT&CK Enterprise IDs; see https://attack.mitre.org
//
// Both nested enums are proto3 (open) enums: a client compiled against an
// older copy of this file may receive a numeric value it has no name for.
// Consumers mapping findings onto detection or triage workflows should treat
// such values as "unknown" rather than rejecting the finding.
message MitreAttack {
  // ATT&CK Enterprise tactics that a finding may reference.
  // See: https://attack.mitre.org/tactics/enterprise/
  //
  // The numeric values are wire identifiers and are intentionally not in
  // declaration order; they must never be renumbered.
  enum Tactic {
    // No tactic set.
    TACTIC_UNSPECIFIED = 0;

    // ATT&CK tactic TA0043.
    RECONNAISSANCE = 1;

    // ATT&CK tactic TA0042.
    RESOURCE_DEVELOPMENT = 2;

    // ATT&CK tactic TA0001.
    INITIAL_ACCESS = 5;

    // ATT&CK tactic TA0002.
    EXECUTION = 3;

    // ATT&CK tactic TA0003.
    PERSISTENCE = 6;

    // ATT&CK tactic TA0004.
    PRIVILEGE_ESCALATION = 8;

    // ATT&CK tactic TA0005.
    DEFENSE_EVASION = 7;

    // ATT&CK tactic TA0006.
    CREDENTIAL_ACCESS = 9;

    // ATT&CK tactic TA0007.
    DISCOVERY = 10;

    // ATT&CK tactic TA0008.
    LATERAL_MOVEMENT = 11;

    // ATT&CK tactic TA0009.
    COLLECTION = 12;

    // ATT&CK tactic TA0011.
    COMMAND_AND_CONTROL = 4;

    // ATT&CK tactic TA0010.
    EXFILTRATION = 13;

    // ATT&CK tactic TA0040.
    IMPACT = 14;
  }

  // ATT&CK Enterprise techniques and sub-techniques that a finding may
  // reference. See: https://attack.mitre.org/techniques/enterprise/
  //
  // A dotted ID (e.g. T1595.001) denotes a sub-technique of the ID before
  // the dot; when a sub-technique is reported, its parent is reported too
  // (see primary_techniques / additional_techniques below).
  enum Technique {
    // No technique set.
    TECHNIQUE_UNSPECIFIED = 0;

    // ATT&CK technique T1595.
    ACTIVE_SCANNING = 1;

    // ATT&CK sub-technique T1595.001 (of T1595).
    SCANNING_IP_BLOCKS = 2;

    // ATT&CK technique T1105.
    INGRESS_TOOL_TRANSFER = 3;

    // ATT&CK technique T1106.
    NATIVE_API = 4;

    // ATT&CK technique T1129.
    SHARED_MODULES = 5;

    // ATT&CK technique T1059.
    COMMAND_AND_SCRIPTING_INTERPRETER = 6;

    // ATT&CK sub-technique T1059.004 (of T1059).
    UNIX_SHELL = 7;

    // ATT&CK technique T1496.
    RESOURCE_HIJACKING = 8;

    // ATT&CK technique T1090.
    PROXY = 9;

    // ATT&CK sub-technique T1090.002 (of T1090).
    EXTERNAL_PROXY = 10;

    // ATT&CK sub-technique T1090.003 (of T1090).
    MULTI_HOP_PROXY = 11;

    // ATT&CK technique T1568.
    DYNAMIC_RESOLUTION = 12;

    // ATT&CK technique T1552.
    UNSECURED_CREDENTIALS = 13;

    // ATT&CK technique T1078.
    VALID_ACCOUNTS = 14;

    // ATT&CK sub-technique T1078.003 (of T1078).
    LOCAL_ACCOUNTS = 15;

    // ATT&CK sub-technique T1078.004 (of T1078).
    CLOUD_ACCOUNTS = 16;

    // ATT&CK technique T1498.
    NETWORK_DENIAL_OF_SERVICE = 17;

    // ATT&CK technique T1069.
    PERMISSION_GROUPS_DISCOVERY = 18;

    // ATT&CK sub-technique T1069.003 (of T1069).
    CLOUD_GROUPS = 19;

    // ATT&CK technique T1567.
    EXFILTRATION_OVER_WEB_SERVICE = 20;

    // ATT&CK sub-technique T1567.002 (of T1567).
    EXFILTRATION_TO_CLOUD_STORAGE = 21;

    // ATT&CK technique T1098.
    ACCOUNT_MANIPULATION = 22;

    // ATT&CK sub-technique T1098.004 (of T1098).
    SSH_AUTHORIZED_KEYS = 23;

    // ATT&CK technique T1543.
    CREATE_OR_MODIFY_SYSTEM_PROCESS = 24;

    // ATT&CK technique T1539.
    STEAL_WEB_SESSION_COOKIE = 25;

    // ATT&CK technique T1578.
    MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE = 26;

    // ATT&CK technique T1190.
    EXPLOIT_PUBLIC_FACING_APPLICATION = 27;

    // ATT&CK technique T1556.
    MODIFY_AUTHENTICATION_PROCESS = 28;

    // ATT&CK technique T1485.
    DATA_DESTRUCTION = 29;

    // ATT&CK technique T1484.
    DOMAIN_POLICY_MODIFICATION = 30;

    // ATT&CK technique T1562.
    IMPAIR_DEFENSES = 31;

    // ATT&CK technique T1046.
    NETWORK_SERVICE_DISCOVERY = 32;

    // ATT&CK technique T1134.
    ACCESS_TOKEN_MANIPULATION = 33;

    // ATT&CK technique T1548.
    ABUSE_ELEVATION_CONTROL_MECHANISM = 34;
  }

  // The single tactic that best describes this finding, or
  // TACTIC_UNSPECIFIED when none applies.
  Tactic primary_tactic = 1;

  // The technique(s) that best describe this finding, if any.
  //
  // This is repeated because ATT&CK techniques are hierarchical: when the
  // closest match is a sub-technique (e.g. `SCANNING_IP_BLOCKS`), the list
  // carries both the sub-technique and its parent technique(s)
  // (e.g. `SCANNING_IP_BLOCKS`, `ACTIVE_SCANNING`).
  repeated Technique primary_techniques = 2;

  // Further tactics related to this finding beyond primary_tactic, if any.
  repeated Tactic additional_tactics = 3;

  // Further techniques related to this finding beyond primary_techniques,
  // if any, each accompanied by its parent technique(s).
  repeated Technique additional_techniques = 4;

  // The ATT&CK framework version the fields above were assigned against,
  // as a free-form string, e.g. "8".
  string version = 5;
}