{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Exploring ICS ATT&CK" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Query ATT&CK" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Import TAXII Libraries\n", "ATT&CK users can use the initial Server class to instantiate a server object pointing to the framework’s public TAXII server URL https://cti-taxii.mitre.org/taxii/" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from taxii2client.v21 import Server" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "server = Server(\"https://attack-taxii.mitre.org/taxii2/\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Available API Roots can be referenced from the server object. API Roots are logical groupings of TAXII Channels and Collections and can be thought of as instances of the TAXII API available at different URLs, where each API Root is the “root” URL of that particular instance of the TAXII API:" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "server.api_roots" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "api_root = server.api_roots[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Explore ATT&CK TAXII Collections\n", "The **collections** attribute can then be used and get more information about them via their respective available properties:" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[,\n", " ,\n", " ]" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Enterprise ATT&CK -> ATT&CK for Enterprise provides a knowledge base of real-world adversary behavior targeting traditional enterprise networks. ATT&CK for Enterprise covers the following platforms: Windows, macOS, Linux, PRE, Office 365, Google Workspace, IaaS, Network, and Containers.\n", "ICS ATT&CK -> The ATT&CK for Industrial Control Systems (ICS) knowledge base categorizes the unique set of tactics, techniques, and procedures (TTPs) used by threat actors in the ICS technology domain. ATT&CK for ICS outlines the portions of an ICS attack that are out of scope of Enterprise and reflects the various phases of an adversary’s attack life cycle and the assets and systems they are known to target.\n", "Mobile ATT&CK -> ATT&CK for Mobile is a matrix of adversary behavior against mobile devices (smartphones and tablets running the Android or iOS/iPadOS operating systems). ATT&CK for Mobile builds upon NIST's Mobile Threat Catalogue and also contains a separate matrix of network-based effects, which are techniques that an adversary can employ without access to the mobile device itself.\n" ] } ], "source": [ "for collection in api_root.collections:\n", " print(collection.title, \"->\", collection.description)" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'ICS ATT&CK'" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections[1].title" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'x-mitre-collection--90c00720-636b-4485-b342-8751d232bf09'" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections[1].id" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Set ICS ATT&CK TAXII Collection ID Variable" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [], "source": [ "ICS_ATTACK = \"x-mitre-collection--90c00720-636b-4485-b342-8751d232bf09\"" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize TAXII Collection Sources\n", "According to [STIX2 docs](https://stix2.readthedocs.io/en/latest/index.html), the [TAXIICollectionSource API](https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource) provides an interface for searching/retrieving STIX objects from a local/remote TAXII Collection endpoint. In our case, we are pointing to our ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/)" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [], "source": [ "from stix2 import Filter, TAXIICollectionSource\n", "from taxii2client.v21 import Collection" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [], "source": [ "ATTACK_STIX_COLLECTIONS = \"https://attack-taxii.mitre.org/api/v21/collections/\"\n", "ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + \"/\")\n", "TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Retrieve all ICS Techniques\n", "Now that we can query the ICS ATT&CK TAXIICollection. We can use the query method and a set of filter to retrieve STIX objects of type \"attack-pattern\" -> \"Techniques\"" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "AttackPattern(type='attack-pattern', spec_version='2.1', id='attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-05-21T17:43:26.506Z', modified='2025-04-16T21:26:18.036Z', name='Masquerading', description='Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \\n\\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T0849', external_id='T0849')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.2.0', x_mitre_deprecated=False, x_mitre_detection='', x_mitre_domains=['ics-attack'], x_mitre_is_subtechnique=False, x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_platforms=['None'], x_mitre_version='1.1')" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter(\"type\", \"=\", \"attack-pattern\"))\n", "ICS_TECHNIQUES[0]" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "T0849 -- Masquerading\n", "T0813 -- Denial of Control\n", "T0824 -- I/O Module Discovery\n", "T0886 -- Remote Services\n", "T0833 -- Modify Control Logic\n", "T0869 -- Standard Application Layer Protocol\n", "T0884 -- Connection Proxy\n", "T0818 -- Engineering Workstation Compromise\n", "T0846 -- Remote System Discovery\n", "T0890 -- Exploitation for Privilege Escalation\n", "T0859 -- Valid Accounts\n", "T0891 -- Hardcoded Credentials\n", "T0852 -- Screen Capture\n", "T0847 -- Replication Through Removable Media\n", "T0843 -- Program Download\n", "T0838 -- Modify Alarm Settings\n", "T0857 -- System Firmware\n", "T0882 -- Theft of Operational Information\n", "T0826 -- Loss of Availability\n", "T0834 -- Native API\n", "T0848 -- Rogue Master\n", "T0823 -- Graphical User Interface\n", "T0844 -- Program Organization Units\n", "T0808 -- Control Device Identification\n", "T0874 -- Hooking\n", "T0875 -- Change Program State\n", "T0827 -- Loss of Control\n", "T0820 -- Exploitation for Evasion\n", "T0830 -- Adversary-in-the-Middle\n", "T0870 -- Detect Program State\n", "T0889 -- Modify Program\n", "T0892 -- Change Credential\n", "T0893 -- Data from Local System\n", "T0883 -- Internet Accessible Device\n", "T0839 -- Module Firmware\n", "T0867 -- Lateral Tool Transfer\n", "T0840 -- Network Connection Enumeration\n", "T0873 -- Project File Infection\n", "T0885 -- Commonly Used Port\n", "T0861 -- Point & Tag Identification\n", "T0864 -- Transient Cyber Asset\n", "T0811 -- Data from Information Repositories\n", "T0819 -- Exploit Public-Facing Application\n", "T0845 -- Program Upload\n", "T0888 -- Remote System Information Discovery\n", "T0853 -- Scripting\n", "T0801 -- Monitor Process State\n", "T0837 -- Loss of Protection\n", "T0868 -- Detect Operating Mode\n", "T0878 -- Alarm Suppression\n", "T0858 -- Change Operating Mode\n", "T0860 -- Wireless Compromise\n", "T0863 -- User Execution\n", "T0816 -- Device Restart/Shutdown\n", "T0835 -- Manipulate I/O Image\n", "T0807 -- Command-Line Interface\n", "T0850 -- Role Identification\n", "T0894 -- System Binary Proxy Execution\n", "T0805 -- Block Serial COM\n", "T0814 -- Denial of Service\n", "T0831 -- Manipulation of Control\n", "T0800 -- Activate Firmware Update Mode\n", "T0829 -- Loss of View\n", "T0887 -- Wireless Sniffing\n", "T0821 -- Modify Controller Tasking\n", "T0836 -- Modify Parameter\n", "T0881 -- Service Stop\n", "T0803 -- Block Command Message\n", "T0862 -- Supply Chain Compromise\n", "T0806 -- Brute Force I/O\n", "T0822 -- External Remote Services\n", "T0812 -- Default Credentials\n", "T0866 -- Exploitation of Remote Services\n", "T0856 -- Spoof Reporting Message\n", "T0879 -- Damage to Property\n", "T0817 -- Drive-by Compromise\n", "T0895 -- Autorun Image\n", "T0825 -- Location Identification\n", "T0865 -- Spearphishing Attachment\n", "T0828 -- Loss of Productivity and Revenue\n", "T0880 -- Loss of Safety\n", "T0854 -- Serial Connection Enumeration\n", "T0871 -- Execution through API\n", "T0815 -- Denial of View\n", "T0877 -- I/O Image\n", "T0872 -- Indicator Removal on Host\n", "T0841 -- Network Service Scanning\n", "T0810 -- Data Historian Compromise\n", "T0832 -- Manipulation of View\n", "T0809 -- Data Destruction\n", "T0855 -- Unauthorized Command Message\n", "T0804 -- Block Reporting Message\n", "T0802 -- Automated Collection\n", "T0851 -- Rootkit\n", "T0842 -- Network Sniffing\n" ] } ], "source": [ "for TECHNIQUE in ICS_TECHNIQUES:\n", " print(TECHNIQUE['external_references'][0]['external_id'], \"--\", TECHNIQUE['name'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## ICS ATT&CK Available since attackcti 0.3.4.3\n", "Reference: https://pypi.org/project/attackcti/" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Techniques Count: 83\n" ] } ], "source": [ "from attackcti import attack_client\n", "\n", "lift = attack_client()\n", "\n", "ICS_TECHNIQUES = lift.get_ics_techniques()\n", "print(\"Techniques Count:\",len(ICS_TECHNIQUES))" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "AttackPattern(type='attack-pattern', spec_version='2.1', id='attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-05-21T17:43:26.506Z', modified='2025-04-16T21:26:18.036Z', name='Masquerading', description='Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \\n\\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T0849', external_id='T0849')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.2.0', x_mitre_deprecated=False, x_mitre_detection='', x_mitre_domains=['ics-attack'], x_mitre_is_subtechnique=False, x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_platforms=['None'], x_mitre_version='1.1')" ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "ICS_TECHNIQUES[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Groups from ICS ATT&CK" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "APT33\n", "HEXANE\n", "APT38\n", "Wizard Spider\n", "Lazarus Group\n", "GOLD SOUTHFIELD\n", "CyberAv3ngers\n", "TEMP.Veles\n", "OilRig\n", "Sandworm Team\n", "FIN7\n", "FIN6\n", "Dragonfly\n", "ALLANITE\n" ] } ], "source": [ "ICS_GROUPS = lift.get_ics_groups()\n", "for GROUP in ICS_GROUPS:\n", " print(GROUP['name'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Malware from ICS ATT&CK" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "LockerGoga\n", "INCONTROLLER\n", "FrostyGoop\n", "REvil\n", "ACAD/Medre.A\n", "Ryuk\n", "Fuxnet\n", "Triton\n", "WannaCry\n", "Industroyer2\n", "Duqu\n", "VPNFilter\n", "KillDisk\n", "Conficker\n", "NotPetya\n", "BlackEnergy\n", "PLC-Blaster\n", "Bad Rabbit\n", "Stuxnet\n", "Backdoor.Oldrea\n", "EKANS\n", "Flame\n", "Industroyer\n" ] } ], "source": [ "ICS_MALWARE = lift.get_ics_malware()\n", "for MALWARE in ICS_MALWARE:\n", " print(MALWARE['name'])" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": ".venv", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.13.3" } }, "nbformat": 4, "nbformat_minor": 4 }