{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Exporting ATT&CK Group Navigator Layers" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Get Relationship STIX Objects - (Manual)\n", "-----------------------\n", "I believe it is important to understand the code behind the main functions available in the Python library [attackcti](https://attackcti.readthedocs.io/en/latest/index.html). I highly recommend first reading the docs I put together about the [cti-taxii-client](https://attackcti.readthedocs.io/en/latest/taxii_client.html) and [cti-python-stix2](https://attackcti.readthedocs.io/en/latest/stix.html) libraries.\n", "Those two summarize several of the concepts that I had to read up on to understand how to perform a simple query against ATT&CK's TAXII server." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import STIX and TAXII Libraries" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from stix2 import TAXIICollectionSource, Filter, CompositeDataSource\n", "from taxii2client.v20 import Collection" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Set ATT&CK TAXII Collection ID Variables\n", "The public ATT&CK TAXII instance has three main collections (Enterprise, Pre and Mobile). Every collection has an ID which attackcti uses to retrieve ATT&CK STIX objects from all those matrices." 
] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "ATTACK_STIX_COLLECTIONS = \"https://cti-taxii.mitre.org/stix/collections/\"\n", "ENTERPRISE_ATTACK = \"95ecc380-afe9-11e4-9b6c-751b66dd541e\"\n", "PRE_ATTACK = \"062767bd-02d2-4b72-84ba-56caef0f8658\"\n", "MOBILE_ATTACK = \"2f669986-b40b-4423-b720-4396ca6a462b\"\n", "ICS_ATTACK = \"02c3ef24-9cd4-48f3-a99f-b74ce24f1d34\"" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize TAXII Collection Sources\n", "According to the [STIX2 docs](https://stix2.readthedocs.io/en/latest/index.html), the [TAXIICollectionSource API](https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource) provides an interface for searching/retrieving STIX objects from a local/remote TAXII Collection endpoint. In our case, we are pointing to our ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/)." ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [], "source": [ "ENTERPRISE_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ENTERPRISE_ATTACK + \"/\")\n", "TC_ENTERPRISE_SOURCE = TAXIICollectionSource(ENTERPRISE_COLLECTION)\n", "PRE_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + PRE_ATTACK + \"/\")\n", "TC_PRE_SOURCE = TAXIICollectionSource(PRE_COLLECTION)\n", "MOBILE_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + MOBILE_ATTACK + \"/\")\n", "TC_MOBILE_SOURCE = TAXIICollectionSource(MOBILE_COLLECTION)\n", "ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + \"/\")\n", "TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize a Composite Data Source\n", "According to the [STIX2 docs](https://stix2.readthedocs.io/en/latest/index.html), a user can have a single [CompositeDataSource](https://stix2.readthedocs.io/en/latest/api/stix2.datastore.html#stix2.datastore.CompositeDataSource) as 
an interface to a set of DataSources. When an API call is made to the CompositeDataSource, it is delegated to each of the (real) DataSources that are attached to it. In our case, we have three TAXIICollection sources (Enterprise, PRE and Mobile) as defined in our previous step. Therefore, we can use the CompositeDataSource class and the add_data_sources method to attach every ATT&CK TAXIICollection source and be able to query all of them at the same time." ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "COMPOSITE_DS = CompositeDataSource()\n", "COMPOSITE_DS.add_data_sources([TC_ENTERPRISE_SOURCE, TC_PRE_SOURCE, TC_MOBILE_SOURCE, TC_ICS_SOURCE])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Retrieve all relationships\n", "Now that we can query all the ATT&CK TAXIICollection sources at once, we can use the query method and a set of filters to retrieve STIX objects of type relationship." ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "Relationship(type='relationship', id='relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd06b0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-11-10T18:04:03.668Z', modified='2020-11-10T18:04:03.668Z', relationship_type='uses', description=\"(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)\", source_ref='intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7', target_ref='malware--a7881f21-e978-4fe4-af56-92c9416a2616', external_references=[ExternalReference(source_name='FireEye KEGTAP SINGLEMALT October 2020', description='Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). 
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.', url='https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html'), ExternalReference(source_name='DHS/CISA Ransomware Targeting Healthcare October 2020', description='DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.', url='https://us-cert.cisa.gov/ncas/alerts/aa20-302a'), ExternalReference(source_name=\"DFIR Ryuk's Return October 2020\", description='The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.', url='https://thedfirreport.com/2020/10/08/ryuks-return/'), ExternalReference(source_name='DFIR Ryuk 2 Hour Speed Run November 2020', description='The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.', url='https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/'), ExternalReference(source_name='DFIR Ryuk in 5 Hours October 2020', description='The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.', url='https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/'), ExternalReference(source_name='Sophos New Ryuk Attack October 2020', description='Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. 
Retrieved October 14, 2020.', url='https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "rels = COMPOSITE_DS.query(Filter(\"type\", \"=\", \"relationship\"))\n", "rels[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Retrieve all relationships from a specific STIX object\n", "What if you want to be very specific and get relationships from a specific STIX object? You can use the [relationships](https://stix2.readthedocs.io/en/latest/api/stix2.datastore.html#stix2.datastore.CompositeDataSource.relationships) method from the [CompositeDataSource](https://stix2.readthedocs.io/en/latest/api/stix2.datastore.html#stix2.datastore.CompositeDataSource) class to retrieve relationships involving a given STIX object." ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "Relationship(type='relationship', id='relationship--689b0bff-7eb4-4678-997b-64794c56add0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-09-22T20:17:38.809Z', modified='2020-10-06T15:32:20.360Z', relationship_type='uses', description='[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)', source_ref='intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133', target_ref='attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00', external_references=[ExternalReference(source_name='Secureworks REvil September 2019', description='Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. 
Retrieved August 4, 2020.', url='https://www.secureworks.com/research/revil-sodinokibi-ransomware'), ExternalReference(source_name='Secureworks GandCrab and REvil September 2019', description='Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', url='https://www.secureworks.com/blog/revil-the-gandcrab-connection'), ExternalReference(source_name='Secureworks GOLD SOUTHFIELD', description='Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.', url='https://www.secureworks.com/research/threat-profiles/gold-southfield')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])" ] }, "execution_count": 6, "metadata": {}, "output_type": "execute_result" } ], "source": [ "from attackcti import attack_client\n", "lift = attack_client()\n", "\n", "groups = lift.get_groups()\n", "groups = lift.remove_revoked(groups)\n", "\n", "rels = COMPOSITE_DS.relationships(groups[0], 'uses', source_only=True)\n", "rels[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Get Relationship STIX Objects - (Automatic)\n", "-----------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Retrieve all relationships" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [], "source": [ "from attackcti import attack_client\n", "lift = attack_client()" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 2.64 s, sys: 71 ms, total: 2.71 s\n", "Wall time: 4.36 s\n" ] } ], "source": [ "%time all_relationships = lift.get_relationships()" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "Relationship(type='relationship', id='relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd06b0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-11-10T18:04:03.668Z', 
modified='2020-11-10T18:04:03.668Z', relationship_type='uses', description=\"(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)\", source_ref='intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7', target_ref='malware--a7881f21-e978-4fe4-af56-92c9416a2616', external_references=[ExternalReference(source_name='FireEye KEGTAP SINGLEMALT October 2020', description='Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.', url='https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html'), ExternalReference(source_name='DHS/CISA Ransomware Targeting Healthcare October 2020', description='DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.', url='https://us-cert.cisa.gov/ncas/alerts/aa20-302a'), ExternalReference(source_name=\"DFIR Ryuk's Return October 2020\", description='The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.', url='https://thedfirreport.com/2020/10/08/ryuks-return/'), ExternalReference(source_name='DFIR Ryuk 2 Hour Speed Run November 2020', description='The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.', url='https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/'), ExternalReference(source_name='DFIR Ryuk in 5 Hours October 2020', description='The DFIR Report. (2020, October 18). Ryuk in 5 Hours. 
Retrieved October 19, 2020.', url='https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/'), ExternalReference(source_name='Sophos New Ryuk Attack October 2020', description='Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.', url='https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])" ] }, "execution_count": 9, "metadata": {}, "output_type": "execute_result" } ], "source": [ "all_relationships[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Retrieve all relationships from a specific STIX object" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [], "source": [ "groups = lift.get_groups()\n", "groups = lift.remove_revoked(groups)" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 274 ms, sys: 35.5 ms, total: 310 ms\n", "Wall time: 1.95 s\n" ] } ], "source": [ "%time group_relationships = lift.get_relationships_by_object(groups[0])" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "Relationship(type='relationship', id='relationship--689b0bff-7eb4-4678-997b-64794c56add0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-09-22T20:17:38.809Z', modified='2020-10-06T15:32:20.360Z', relationship_type='uses', description='[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)', 
source_ref='intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133', target_ref='attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00', external_references=[ExternalReference(source_name='Secureworks REvil September 2019', description='Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.', url='https://www.secureworks.com/research/revil-sodinokibi-ransomware'), ExternalReference(source_name='Secureworks GandCrab and REvil September 2019', description='Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', url='https://www.secureworks.com/blog/revil-the-gandcrab-connection'), ExternalReference(source_name='Secureworks GOLD SOUTHFIELD', description='Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.', url='https://www.secureworks.com/research/threat-profiles/gold-southfield')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "group_relationships[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Retrieve Techniques used by one Group - (Manual)\n", "-----------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "In this case we want relationship objects whose target_ref values point to objects of type attack-pattern. 
Following the manual code I shared above, and the results from the `get_relationships_by_object()` function, you can simply query the ATT&CK Enterprise TAXIICollection source with the filter below." ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "AttackPattern(type='attack-pattern', id='attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-11T14:17:21.153Z', modified='2020-03-11T14:17:21.153Z', name='Compromise Software Supply Chain', description='Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\\n\\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1195/002', external_id='T1195.002'), ExternalReference(source_name='Avast CCleaner3 2018', description='Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.', url='https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities'), ExternalReference(source_name='Command Five SK 2011', description='Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. 
Retrieved April 6, 2018.', url='https://www.commandfive.com/papers/C5_APT_SKHack.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['File monitoring', 'Web proxy'], x_mitre_detection='Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ', x_mitre_is_subtechnique=True, x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')" ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ "filter_objects = [\n", "    Filter('type', '=', 'attack-pattern'),\n", "    Filter('id', '=', [r.target_ref for r in group_relationships])\n", "]\n", "techniques_used = TC_ENTERPRISE_SOURCE.query(filter_objects)\n", "techniques_used[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Retrieve Techniques used by one Group - (Automatic)\n", "-----------------------" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "AttackPattern(type='attack-pattern', id='attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-11T14:17:21.153Z', modified='2020-03-11T14:17:21.153Z', name='Compromise Software Supply Chain', description='Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\\n\\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1195/002', external_id='T1195.002'), ExternalReference(source_name='Avast CCleaner3 2018', description='Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.', url='https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities'), ExternalReference(source_name='Command Five SK 2011', description='Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018.', url='https://www.commandfive.com/papers/C5_APT_SKHack.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['File monitoring', 'Web proxy'], x_mitre_detection='Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. 
', x_mitre_is_subtechnique=True, x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')" ] }, "execution_count": 14, "metadata": {}, "output_type": "execute_result" } ], "source": [ "from attackcti import attack_client\n", "lift = attack_client()\n", "groups = lift.get_groups()\n", "groups = lift.remove_revoked(groups)\n", "group_techniques = lift.get_techniques_used_by_group(groups[0])\n", "group_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Retrieve all Techniques used by all Groups - (Manual)\n", "-----------------------\n", "You can apply the same get_techniques_used_by_group() function, but against all the group STIX objects that the get_groups() function retrieves. You can do a simple for loop over more than 90 groups. However, it takes longer than I would like. Therefore, I decided to go a different route and started testing some code." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get all groups and techniques" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [], "source": [ "from attackcti import attack_client\n", "lift = attack_client()\n", "groups = lift.get_groups()\n", "techniques = lift.get_techniques()\n", "techniques = lift.remove_revoked(techniques)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Filter Group objects using techniques" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{\n", " \"type\": \"relationship\",\n", " \"id\": \"relationship--82dee5a5-7890-4bed-bc8c-83ffa13a8bcf\",\n", " \"created_by_ref\": \"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5\",\n", " \"created\": \"2020-11-10T17:28:19.540Z\",\n", " \"modified\": \"2020-11-10T17:28:19.540Z\",\n", " \"relationship_type\": \"uses\",\n", " \"description\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) has identified domain admins through the use of \\u201cnet 
group \\u2018Domain admins\\u2019\\u201d commands.(Citation: DFIR Ryuk's Return October 2020)\",\n", " \"source_ref\": \"intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7\",\n", " \"target_ref\": \"attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af\",\n", " \"external_references\": [\n", " {\n", " \"source_name\": \"DFIR Ryuk's Return October 2020\",\n", " \"description\": \"The DFIR Report. (2020, October 8). Ryuk\\u2019s Return. Retrieved October 9, 2020.\",\n", " \"url\": \"https://thedfirreport.com/2020/10/08/ryuks-return/\"\n", " }\n", " ],\n", " \"object_marking_refs\": [\n", " \"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168\"\n", " ]\n", "}\n" ] } ], "source": [ "from stix2.utils import get_type_from_id\n", "# Keep only 'intrusion-set -> attack-pattern' relationships (group uses technique)\n", "group_relationships = []\n", "for rel in all_relationships:\n", "    if get_type_from_id(rel.source_ref) == 'intrusion-set'\\\n", "        and get_type_from_id(rel.target_ref) == 'attack-pattern':\n", "        group_relationships.append(rel)\n", "print(group_relationships[0])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Match Group -> Relationships Intrusion-set ID\n", "Then I take every relationship in `group_relationships` and look for its `intrusion-set (Group)` id in the groups STIX objects. Once there is a match, I create new fields on the `intrusion-set (Group)` STIX object to add additional information about the `attack-pattern (Technique)` in the relationship object. The most important additional metadata is the `target_ref` field, which points to the specific `attack-pattern (Technique)` id involving the `group`. The results are then added to a new list named `group_techniques_ref`." 
] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [], "source": [ "import json\n", "group_techniques_ref = []\n", "for g in groups:\n", "    for rel in group_relationships:\n", "        if g['id'] == rel['source_ref']:\n", "            # Copy the group as a plain dict so extra fields can be added\n", "            gs = json.loads(g.serialize())\n", "            gs['technique_ref'] = rel['target_ref']\n", "            gs['relationship_description'] = rel['description']\n", "            gs['relationship_id'] = rel['id']\n", "            group_techniques_ref.append(gs)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Match Attack-patterns -> Intrusion-set object ID\n", "I apply the same concept as before, and just loop through all the attack-pattern objects and look for the specific attack-pattern id in the initial relationships STIX objects. Once there is a match, I add additional information from the attack-pattern itself to the Python dictionaries in the `group_techniques_ref` list. The results then get added to a new list named `groups_use_techniques`." ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'external_references': [{'external_id': 'G0115',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/groups/G0115'},\n", " {'source_name': 'Secureworks REvil September 2019',\n", " 'url': 'https://www.secureworks.com/research/revil-sodinokibi-ransomware',\n", " 'description': 'Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.'},\n", " {'source_name': 'Secureworks GandCrab and REvil September 2019',\n", " 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection',\n", " 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. 
Retrieved August 4, 2020.'},\n", " {'source_name': 'Secureworks GOLD SOUTHFIELD',\n", " 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield',\n", " 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.'}],\n", " 'name': 'GOLD SOUTHFIELD',\n", " 'description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)',\n", " 'type': 'intrusion-set',\n", " 'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133',\n", " 'aliases': ['GOLD SOUTHFIELD'],\n", " 'modified': '2020-10-06T15:32:20.089Z',\n", " 'created': '2020-09-22T19:41:27.845Z',\n", " 'x_mitre_version': '1.0',\n", " 'technique_ref': 'attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00',\n", " 'relationship_description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)',\n", " 'relationship_id': 'relationship--689b0bff-7eb4-4678-997b-64794c56add0',\n", " 'technique': 'Compromise Software Supply Chain',\n", " 'technique_description': 'Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\\n\\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ',\n", " 'tactic': ['initial-access'],\n", " 'technique_id': 'T1195.002',\n", " 'matrix': 'mitre-attack',\n", " 'platform': ['Linux', 'macOS', 'Windows'],\n", " 'data_sources': ['File monitoring', 'Web proxy']}" ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups_use_techniques = []\n", "for gt in group_techniques_ref:\n", "    for t in techniques:\n", "        if gt['technique_ref'] == t['id']:\n", "            # Collect the tactic names from the technique's kill chain phases\n", "            tactic_list = list()\n", "            for phase in t['kill_chain_phases']:\n", "                tactic_list.append(phase['phase_name'])\n", "            gt['technique'] = t['name']\n", "            gt['technique_description'] = t['description']\n", "            gt['tactic'] = tactic_list\n", "            gt['technique_id'] = t['external_references'][0]['external_id']\n", "            gt['matrix'] = t['external_references'][0]['source_name']\n", "            # Optional ATT&CK custom properties are only present on some techniques\n", "            if 'x_mitre_platforms' in t.keys():\n", "                gt['platform'] = t['x_mitre_platforms']\n", "            if 'x_mitre_data_sources' in t.keys():\n", "                gt['data_sources'] = t['x_mitre_data_sources']\n", "            if 'x_mitre_permissions_required' in t.keys():\n", "                gt['permissions_required'] = t['x_mitre_permissions_required']\n", "            if 'x_mitre_effective_permissions' in t.keys():\n", "                gt['effective_permissions'] = t['x_mitre_effective_permissions']\n", "            groups_use_techniques.append(gt)\n", "groups_use_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Retrieve all Techniques used by all Groups - (Automatic)\n", "-----------------------" ] }, { "cell_type": "code", "execution_count": 19, 
"metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 5.41 s, sys: 125 ms, total: 5.54 s\n", "Wall time: 8.17 s\n" ] } ], "source": [ "from attackcti import attack_client\n", "lift = attack_client()\n", "%time techniques_used = lift.get_techniques_used_by_all_groups()" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "1937" ] }, "execution_count": 20, "metadata": {}, "output_type": "execute_result" } ], "source": [ "len(techniques_used)" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'external_references': [{'external_id': 'G0115',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/groups/G0115'},\n", " {'source_name': 'Secureworks REvil September 2019',\n", " 'url': 'https://www.secureworks.com/research/revil-sodinokibi-ransomware',\n", " 'description': 'Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.'},\n", " {'source_name': 'Secureworks GandCrab and REvil September 2019',\n", " 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection',\n", " 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.'},\n", " {'source_name': 'Secureworks GOLD SOUTHFIELD',\n", " 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield',\n", " 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. 
Retrieved October 6, 2020.'}],\n", " 'name': 'GOLD SOUTHFIELD',\n", " 'description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)',\n", " 'type': 'intrusion-set',\n", " 'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133',\n", " 'aliases': ['GOLD SOUTHFIELD'],\n", " 'modified': '2020-10-06T15:32:20.089Z',\n", " 'created': '2020-09-22T19:41:27.845Z',\n", " 'x_mitre_version': '1.0',\n", " 'technique_ref': 'attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00',\n", " 'relationship_description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)',\n", " 'relationship_id': 'relationship--689b0bff-7eb4-4678-997b-64794c56add0',\n", " 'revoked': False,\n", " 'technique': 'Compromise Software Supply Chain',\n", " 'technique_description': 'Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\\n\\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ',\n", " 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')],\n", " 'technique_id': 'T1195.002',\n", " 'matrix': 'mitre-attack',\n", " 'platform': ['Linux', 'macOS', 'Windows'],\n", " 'data_sources': ['File monitoring', 'Web proxy']}" ] }, "execution_count": 21, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_used[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Create Navigator Group Layer Files - (Manual)\n", "-----------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Create a list of group dictionaries\n", "To make things easier, I create a list of dictionaries where each group name is the main key and the value is a list where I append every single technique involving that group. I get that information from the `get_techniques_used_by_all_groups()` results." 
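] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Build the layers offline (added example)\n", "The next code cell is an added example; it is not part of the original notebook and not attackcti's own code. It condenses the manual steps that follow (one dictionary per group, techniques grouped by group name, one Navigator layer file per group) into functions that can be run and checked without a TAXII query. The input is `SAMPLE_RECORDS`, a constructed list in the shape that `get_techniques_used_by_all_groups()` returns; the last record uses a hypothetical group name containing path characters. The layer fields (`domain`, `version`, gradient colours, legend) are copied from the template cell further down. Two things are added on top of that template: records that name the same technique for the same group are merged into a single entry whose `score` counts them (the template emits one entry per record), and because the group name comes from the feed it is passed through an allow-list before it becomes a file name, so an unexpected name cannot produce a path outside the output directory. `write_layers()` takes the output directory explicitly; `build_group_layers()` returns the layers keyed by file name so they can be inspected before anything is written." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "import json\n", "import os\n", "import re\n", "from collections import OrderedDict\n", "\n", "# Constructed sample records (not real attackcti output) in the shape returned by\n", "# lift.get_techniques_used_by_all_groups(): one record per group -> technique\n", "# relationship. Two records name the same technique for Naikon on purpose, and\n", "# the last group name is hypothetical and contains path characters.\n", "SAMPLE_RECORDS = [\n", "    {'name': 'Naikon',\n", "     'external_references': [{'external_id': 'G0019', 'source_name': 'mitre-attack'}],\n", "     'technique_id': 'T1566.001', 'technique': 'Spearphishing Attachment',\n", "     'relationship_description': 'Naikon has used malicious e-mail attachments to deliver malware.'},\n", "    {'name': 'Naikon',\n", "     'external_references': [{'external_id': 'G0019', 'source_name': 'mitre-attack'}],\n", "     'technique_id': 'T1574.002', 'technique': 'DLL Side-Loading',\n", "     'relationship_description': 'Naikon has used DLL side-loading (first report).'},\n", "    {'name': 'Naikon',\n", "     'external_references': [{'external_id': 'G0019', 'source_name': 'mitre-attack'}],\n", "     'technique_id': 'T1574.002', 'technique': 'DLL Side-Loading',\n", "     'relationship_description': 'Naikon has used DLL side-loading (second report).'},\n", "    {'name': '../Evil Group/x',\n", "     'external_references': [{'external_id': 'G9999', 'source_name': 'mitre-attack'}],\n", "     'technique_id': 'T1016', 'technique': 'System Network Configuration Discovery',\n", "     'relationship_description': 'Hypothetical record used to exercise the file name check.'},\n", "]\n", "\n", "# Anything outside this allow-list collapses to an underscore. Dots and slashes are\n", "# deliberately excluded so '..' and path separators never reach the file system.\n", "_UNSAFE = re.compile('[^A-Za-z0-9_@-]+')\n", "\n", "\n", "def safe_filename(group_name, group_id):\n", "    # Group names come from the TAXII feed, so never use them as a raw path.\n", "    stem = _UNSAFE.sub('_', group_name).strip('_') or 'group'\n", "    return '{0}_{1}.json'.format(stem, group_id)\n", "\n", "\n", "def build_layer(group_name, group_id, records):\n", "    # Aggregate per techniqueID: score counts the relationships behind the technique\n", "    # and their comments are joined, instead of emitting one entry per record.\n", "    merged = OrderedDict()\n", "    for r in records:\n", "        entry = merged.setdefault(r['technique_id'], {\n", "            'techniqueID': r['technique_id'],\n", "            'techniqueName': r['technique'],\n", "            'score': 0,\n", "            'comments': []})\n", "        entry['score'] += 1\n", "        entry['comments'].append(r['relationship_description'])\n", "    techniques = [{'techniqueID': e['techniqueID'],\n", "                   'techniqueName': e['techniqueName'],\n", "                   'score': e['score'],\n", "                   'comment': ' | '.join(e['comments'])} for e in merged.values()]\n", "    max_score = max(e['score'] for e in merged.values())\n", "    # Field names and static values follow the layer template used further down\n", "    return {\n", "        'description': 'Enterprise techniques used by {0}, ATT&CK group {1} v1.0'.format(group_name, group_id),\n", "        'name': '{0} ({1})'.format(group_name, group_id),\n", "        'domain': 'mitre-enterprise',\n", "        'version': '2.2',\n", "        'techniques': techniques,\n", "        'gradient': {'colors': ['#ffffff', '#ff6666'], 'minValue': 0, 'maxValue': max_score},\n", "        'legendItems': [{'label': 'used by {}'.format(group_name), 'color': '#ff6666'}],\n", "    }\n", "\n", "\n", "def build_group_layers(records):\n", "    # Group the flat relationship records by group name and build one layer per\n", "    # group, keyed by the sanitised file name it will be written to.\n", "    by_group = OrderedDict()\n", "    for r in records:\n", "        by_group.setdefault(r['name'], []).append(r)\n", "    layers = OrderedDict()\n", "    for name, recs in by_group.items():\n", "        group_id = recs[0]['external_references'][0]['external_id']\n", "        layers[safe_filename(name, group_id)] = build_layer(name, group_id, recs)\n", "    return layers\n", "\n", "\n", "def write_layers(layers, outdir):\n", "    # Write each layer under outdir and return the paths written; because the\n", "    # file names are sanitised, every path stays inside outdir.\n", "    os.makedirs(outdir, exist_ok=True)\n", "    written = []\n", "    for fname, layer in layers.items():\n", "        path = os.path.join(outdir, fname)\n", "        with open(path, 'w') as f:\n", "            json.dump(layer, f, indent=2)\n", "        written.append(path)\n", "    return written\n", "\n", "\n", "layers = build_group_layers(SAMPLE_RECORDS)\n", "[(fname, len(layer['techniques'])) for fname, layer in layers.items()]"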
] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'Naikon': []}" ] }, "execution_count": 22, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# One dictionary per non-revoked group, keyed by group name, to be filled with techniques\n", "groups = lift.get_groups()\n", "groups = lift.remove_revoked(groups)\n", "groups_list = []\n", "for g in groups:\n", "    group_dict = dict()\n", "    group_dict[g['name']] = []\n", "    groups_list.append(group_dict)\n", "groups_list[89]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Group techniques by group\n", "We can then walk the output of `get_techniques_used_by_all_groups()` and append each technique record to the dictionary whose key matches the group name in that record." ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'Naikon': [{'techniqueId': 'T1566.001',\n", " 'techniqueName': 'Spearphishing Attachment',\n", " 'comment': '[Naikon](https://attack.mitre.org/groups/G0019) has used malicious e-mail attachments to deliver malware.(Citation: CheckPoint Naikon May 2020)',\n", " 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')],\n", " 'group_id': 'G0019'},\n", " {'techniqueId': 'T1204.002',\n", " 'techniqueName': 'Malicious File',\n", " 'comment': '[Naikon](https://attack.mitre.org/groups/G0019) has convinced victims to open malicious attachments to execute malware.(Citation: CheckPoint Naikon May 2020)',\n", " 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')],\n", " 'group_id': 'G0019'},\n", " {'techniqueId': 'T1137.006',\n", " 'techniqueName': 'Add-ins',\n", " 'comment': '[Naikon](https://attack.mitre.org/groups/G0019) has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.(Citation: CheckPoint Naikon May 2020)',\n", " 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')],\n", " 'group_id': 'G0019'},\n", " {'techniqueId': 'T1574.002',\n", " 'techniqueName': 'DLL Side-Loading',\n", " 'comment': \"[Naikon](https://attack.mitre.org/groups/G0019) has used DLL side-loading to load malicious DLL's into legitimate executables.(Citation: CheckPoint Naikon May 2020)\",\n", " 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'),\n", " KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'),\n", " KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],\n", " 'group_id': 'G0019'},\n", " {'techniqueId': 'T1518.001',\n", " 'techniqueName': 'Security Software Discovery',\n", " 'comment': '[Naikon](https://attack.mitre.org/groups/G0019) uses commands such as netsh advfirewall firewall to discover local firewall settings.(Citation: Baumgartner Naikon 2015)',\n", " 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],\n", " 'group_id': 'G0019'},\n", " {'techniqueId': 'T1016',\n", " 'techniqueName': 'System Network Configuration Discovery',\n", " 'comment': '[Naikon](https://attack.mitre.org/groups/G0019) uses commands such as netsh interface show to discover network interface settings.(Citation: Baumgartner Naikon 2015)',\n", " 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],\n", " 'group_id': 'G0019'}]}" ] }, "execution_count": 23, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# Append every relationship record to the dictionary of the group it names\n", "for group in groups_list:\n", "    for group_name,techniques_list in group.items():\n", "        for gut in techniques_used:\n", "            if group_name == gut['name']:\n", "                technique_dict = dict()\n", "                technique_dict['techniqueId'] = gut['technique_id']\n", "                technique_dict['techniqueName'] = gut['technique']\n", "                technique_dict['comment'] = gut['relationship_description']\n", "                technique_dict['tactic'] = gut['tactic']\n", "                technique_dict['group_id'] = gut['external_references'][0]['external_id']\n", "                techniques_list.append(technique_dict)\n", "groups_list[89]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Run dynamic navigator layer template" ] }, { "cell_type": "code", "execution_count": 24, "metadata": {}, "outputs": [], "source": [ "import json\n", "# Write one Navigator layer file per group that has at least one technique\n", "for group in groups_list:\n", "    for k,v in group.items():\n", "        if v:\n", "            actor_layer = {\n", "                \"description\": (\"Enterprise techniques used by {0}, ATT&CK group {1} v1.0\".format(k,v[0]['group_id'])),\n", "                \"name\": (\"{0} ({1})\".format(k,v[0]['group_id'])),\n", "                \"domain\": \"mitre-enterprise\",\n", "                \"version\": \"2.2\",\n", "                \"techniques\": [\n", "                    {\n", "                        \"score\": 1,\n", "                        \"techniqueID\" : technique['techniqueId'],\n", "                        \"techniqueName\" : technique['techniqueName'],\n", "                        \"comment\": technique['comment']\n", "                    } for technique in v\n", "                ],\n", "                \"gradient\": {\n", "                    \"colors\": [\n", "                        \"#ffffff\",\n", "                        \"#ff6666\"\n", "                    ],\n", "                    \"minValue\": 0,\n", "                    \"maxValue\": 1\n", "                },\n", "                \"legendItems\": [\n", "                    {\n", "                        \"label\": (\"used by {}\".format(k)),\n", "                        \"color\": \"#ff6666\"\n", "                    }\n", "                ]\n", "            }\n", "            with open(('{0}_{1}.json'.format(k,v[0]['group_id'])), 'w') as f:\n", "                f.write(json.dumps(actor_layer))" ] }, { "cell_type": "code", "execution_count": 25, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "ALLANITE_G1000.json Inception_G0100.json\r\n", "APT-C-36_G0099.json Ke3chang_G0004.json\r\n", "APT12_G0005.json Kimsuky_G0094.json\r\n", "APT16_G0023.json Lazarus Group_G0032.json\r\n", "APT17_G0025.json Leafminer_G0077.json\r\n", "APT18_G0026.json Leviathan_G0065.json\r\n", "APT19_G0073.json Machete_G0095.json\r\n", "APT1_G0006.json Magic Hound_G0059.json\r\n", "APT28_G0007.json Moafee_G0002.json\r\n", "APT29_G0016.json Mofang_G0103.json\r\n", "APT30_G0013.json Molerats_G0021.json\r\n", "APT32_G0050.json MuddyWater_G0069.json\r\n", "APT33_G0064.json Naikon_G0019.json\r\n", "APT37_G0067.json Night Dragon_G0014.json\r\n", 
"APT38_G0082.json OilRig_G0049.json\r\n", "APT39_G0087.json Orangeworm_G0071.json\r\n", "APT3_G0022.json PLATINUM_G0068.json\r\n", "APT41_G0096.json PROMETHIUM_G0056.json\r\n", "Axiom_G0001.json Patchwork_G0040.json\r\n", "BRONZE BUTLER_G0060.json PittyTiger_G0011.json\r\n", "BlackOasis_G0063.json Poseidon Group_G0033.json\r\n", "BlackTech_G0098.json Putter Panda_G0024.json\r\n", "Blue Mockingbird_G0108.json RTM_G0048.json\r\n", "Bouncing Golf_G0097.json Rancor_G0075.json\r\n", "Carbanak_G0008.json Rocke_G0106.json\r\n", "Chimera_G0114.json Sandworm Team_G0034.json\r\n", "Cleaver_G0003.json Scarlet Mimic_G0029.json\r\n", "Cobalt Group_G0080.json Sharpshooter_G0104.json\r\n", "CopyKittens_G0052.json Silence_G0091.json\r\n", "Dark Caracal_G0070.json SilverTerrier_G0083.json\r\n", "DarkHydrus_G0079.json Soft Cell_G0093.json\r\n", "DarkVishnya_G0105.json Sowbug_G0054.json\r\n", "Darkhotel_G0012.json Stealth Falcon_G0038.json\r\n", "Deep Panda_G0009.json Stolen Pencil_G0086.json\r\n", "Dragonfly 2.0_G0074.json Strider_G0041.json\r\n", "Dragonfly_G0035.json Suckfly_G0039.json\r\n", "Dust Storm_G0031.json TA459_G0062.json\r\n", "Elderwood_G0066.json TA505_G0092.json\r\n", "Equation_G0020.json TEMP.Veles_G0088.json\r\n", "FIN10_G0051.json Taidoor_G0015.json\r\n", "FIN4_G0085.json The White Company_G0089.json\r\n", "FIN5_G0053.json Threat Group-1314_G0028.json\r\n", "FIN6_G0037.json Threat Group-3390_G0027.json\r\n", "FIN7_G0046.json Thrip_G0076.json\r\n", "FIN8_G0061.json Tropic Trooper_G0081.json\r\n", "Frankenstein_G0101.json Turla_G0010.json\r\n", "GCMAN_G0036.json WIRTE_G0090.json\r\n", "GOLD SOUTHFIELD_G0115.json Whitefly_G0107.json\r\n", "Gallmaker_G0084.json Windshift_G0112.json\r\n", "Gamaredon Group_G0047.json Winnti Group_G0044.json\r\n", "Gorgon Group_G0078.json Wizard Spider_G0102.json\r\n", "Group5_G0043.json admin@338_G0018.json\r\n", "HEXANE_G1001.json menuPass_G0045.json\r\n", "Honeybee_G0072.json\r\n" ] } ], "source": [ "! 
ls *.json" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "We can delete all the layer files with the following command. Note that `rm *.json` removes every `.json` file in the current working directory, not only the layers written above, so run this notebook from a directory that holds nothing else." ] }, { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [], "source": [ "! rm *.json" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Create Navigator Group Layer Files - (Automatic)\n", "-----------------------" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 6.02 s, sys: 181 ms, total: 6.2 s\n", "Wall time: 9.24 s\n" ] } ], "source": [ "from attackcti import attack_client\n", "lift = attack_client()\n", "\n", "%time lift.export_groups_navigator_layers()" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "ALLANITE_G1000.json Inception_G0100.json\r\n", "APT-C-36_G0099.json Ke3chang_G0004.json\r\n", "APT12_G0005.json Kimsuky_G0094.json\r\n", "APT16_G0023.json Lazarus Group_G0032.json\r\n", "APT17_G0025.json Leafminer_G0077.json\r\n", "APT18_G0026.json Leviathan_G0065.json\r\n", "APT19_G0073.json Machete_G0095.json\r\n", "APT1_G0006.json Magic Hound_G0059.json\r\n", "APT28_G0007.json Moafee_G0002.json\r\n", "APT29_G0016.json Mofang_G0103.json\r\n", "APT30_G0013.json Molerats_G0021.json\r\n", "APT32_G0050.json MuddyWater_G0069.json\r\n", "APT33_G0064.json Naikon_G0019.json\r\n", "APT37_G0067.json Night Dragon_G0014.json\r\n", "APT38_G0082.json OilRig_G0049.json\r\n", "APT39_G0087.json Orangeworm_G0071.json\r\n", "APT3_G0022.json PLATINUM_G0068.json\r\n", "APT41_G0096.json PROMETHIUM_G0056.json\r\n", "Axiom_G0001.json Patchwork_G0040.json\r\n", "BRONZE BUTLER_G0060.json PittyTiger_G0011.json\r\n", "BlackOasis_G0063.json Poseidon Group_G0033.json\r\n", "BlackTech_G0098.json Putter Panda_G0024.json\r\n", "Blue Mockingbird_G0108.json RTM_G0048.json\r\n", "Bouncing Golf_G0097.json Rancor_G0075.json\r\n", "Carbanak_G0008.json 
Rocke_G0106.json\r\n", "Chimera_G0114.json Sandworm Team_G0034.json\r\n", "Cleaver_G0003.json Scarlet Mimic_G0029.json\r\n", "Cobalt Group_G0080.json Sharpshooter_G0104.json\r\n", "CopyKittens_G0052.json Silence_G0091.json\r\n", "Dark Caracal_G0070.json SilverTerrier_G0083.json\r\n", "DarkHydrus_G0079.json Soft Cell_G0093.json\r\n", "DarkVishnya_G0105.json Sowbug_G0054.json\r\n", "Darkhotel_G0012.json Stealth Falcon_G0038.json\r\n", "Deep Panda_G0009.json Stolen Pencil_G0086.json\r\n", "Dragonfly 2.0_G0074.json Strider_G0041.json\r\n", "Dragonfly_G0035.json Suckfly_G0039.json\r\n", "Dust Storm_G0031.json TA459_G0062.json\r\n", "Elderwood_G0066.json TA505_G0092.json\r\n", "Equation_G0020.json TEMP.Veles_G0088.json\r\n", "FIN10_G0051.json Taidoor_G0015.json\r\n", "FIN4_G0085.json The White Company_G0089.json\r\n", "FIN5_G0053.json Threat Group-1314_G0028.json\r\n", "FIN6_G0037.json Threat Group-3390_G0027.json\r\n", "FIN7_G0046.json Thrip_G0076.json\r\n", "FIN8_G0061.json Tropic Trooper_G0081.json\r\n", "Frankenstein_G0101.json Turla_G0010.json\r\n", "GCMAN_G0036.json WIRTE_G0090.json\r\n", "GOLD SOUTHFIELD_G0115.json Whitefly_G0107.json\r\n", "Gallmaker_G0084.json Windshift_G0112.json\r\n", "Gamaredon Group_G0047.json Winnti Group_G0044.json\r\n", "Gorgon Group_G0078.json Wizard Spider_G0102.json\r\n", "Group5_G0043.json admin@338_G0018.json\r\n", "HEXANE_G1001.json menuPass_G0045.json\r\n", "Honeybee_G0072.json\r\n" ] } ], "source": [ "! ls *.json" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "We can delete all the files with the following command. As above, `rm *.json` removes every `.json` file in the working directory, not only the exported layers." ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [], "source": [ "! 
rm *.json" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.8.5" } }, "nbformat": 4, "nbformat_minor": 4 }