2019-07-31 08:09:06 +00:00
import re
2019-04-23 11:13:07 +00:00
APP_NAME = ' DeTT&CT '
APP_DESC = ' Detect Tactics, Techniques & Combat Threats '
2020-10-30 20:16:51 +00:00
VERSION = ' 1.4.2 '
2019-04-23 11:13:07 +00:00
2019-08-08 09:49:12 +00:00
EXPIRE_TIME = 60 * 60 * 24
2019-04-23 11:13:07 +00:00
2019-07-15 12:55:39 +00:00
# MITRE ATT&CK data types for custom schema and STIX
DATA_TYPE_CUSTOM_TECH_BY_GROUP = ' mitre_techniques_used_by_group '
DATA_TYPE_CUSTOM_TECH_BY_SOFTWARE = ' mitre_techniques_used_by_software '
DATA_TYPE_CUSTOM_SOFTWARE_BY_GROUP = ' mitre_software_used_by_group '
DATA_TYPE_STIX_ALL_TECH = ' mitre_all_techniques '
DATA_TYPE_STIX_ALL_TECH_ENTERPRISE = ' mitre_all_techniques_enterprise '
DATA_TYPE_STIX_ALL_GROUPS = ' mitre_all_groups '
DATA_TYPE_STIX_ALL_SOFTWARE = ' mitre_all_software '
DATA_TYPE_STIX_ALL_RELATIONSHIPS = ' mitre_all_relationships '
2019-08-01 13:00:09 +00:00
DATA_TYPE_STIX_ALL_ENTERPRISE_MITIGATIONS = ' mitre_all_mitigations_enterprise '
DATA_TYPE_STIX_ALL_MOBILE_MITIGATIONS = ' mitre_all_mitigations_mobile '
2019-04-23 11:13:07 +00:00
# Group colors
COLOR_GROUP_OVERLAY_MATCH = ' #f9a825 ' # orange
COLOR_GROUP_OVERLAY_NO_MATCH = ' #ffee58 ' # yellow
COLOR_SOFTWARE = ' #0d47a1 ' # dark blue
COLOR_GROUP_AND_SOFTWARE = ' #64b5f6 ' # light blue
COLOR_GRADIENT_MIN = ' #ffcece ' # light red
COLOR_GRADIENT_MAX = ' #ff0000 ' # red
COLOR_TACTIC_ROW_BACKGRND = ' #dddddd ' # light grey
COLOR_GROUP_OVERLAY_ONLY_DETECTION = ' #8BC34A ' # green
COLOR_GROUP_OVERLAY_ONLY_VISIBILITY = ' #1976D2 ' # blue
# data source colors (purple range)
COLOR_DS_25p = ' #E1BEE7 '
COLOR_DS_50p = ' #CE93D8 '
COLOR_DS_75p = ' #AB47BC '
COLOR_DS_99p = ' #7B1FA2 '
COLOR_DS_100p = ' #4A148C '
# data source colors HAPPY (green range)
COLOR_DS_25p_HAPPY = ' #DCEDC8 '
COLOR_DS_50p_HAPPY = ' #AED581 '
COLOR_DS_75p_HAPPY = ' #8BC34A '
COLOR_DS_99p_HAPPY = ' #689F38 '
COLOR_DS_100p_HAPPY = ' #33691E '
# Detection colors (green range)
2020-06-18 15:01:16 +00:00
COLOR_D_0 = ' #9C27B0 ' # Purple: Forensics/Context
2019-04-23 11:13:07 +00:00
COLOR_D_1 = ' #DCEDC8 '
COLOR_D_2 = ' #AED581 '
COLOR_D_3 = ' #8BC34A '
COLOR_D_4 = ' #689F38 '
COLOR_D_5 = ' #33691E '
# Visibility colors (blue range)
COLOR_V_1 = ' #BBDEFB '
COLOR_V_2 = ' #64B5F6 '
COLOR_V_3 = ' #1976D2 '
COLOR_V_4 = ' #0D47A1 '
2020-06-18 15:01:16 +00:00
# Orange overlay colors
2020-06-22 12:13:53 +00:00
COLOR_O_0 = ' #FFECB7 '
COLOR_O_1 = ' #FFE07A '
COLOR_O_2 = ' #FFCA28 '
COLOR_O_3 = ' #FFAE00 '
COLOR_O_4 = ' #FF8F00 '
COLOR_O_5 = ' #FF6F00 '
2020-06-18 15:01:16 +00:00
2019-12-04 09:39:11 +00:00
COLOR_WHITE = ' #FFFFFF '
2019-04-23 11:13:07 +00:00
# Detection and visibility overlay color:
COLOR_OVERLAY_VISIBILITY = COLOR_V_3
COLOR_OVERLAY_DETECTION = COLOR_D_3
COLOR_OVERLAY_BOTH = COLOR_GROUP_OVERLAY_MATCH
2019-05-02 18:15:43 +00:00
# Overlay types as used within the group functionality
OVERLAY_TYPE_GROUP = ' group '
OVERLAY_TYPE_VISIBILITY = ' visibility '
OVERLAY_TYPE_DETECTION = ' detection '
2019-04-23 11:13:07 +00:00
FILE_TYPE_DATA_SOURCE_ADMINISTRATION = ' data-source-administration '
FILE_TYPE_TECHNIQUE_ADMINISTRATION = ' technique-administration '
FILE_TYPE_GROUP_ADMINISTRATION = ' group-administration '
# YAML administration file versions
FILE_TYPE_DATA_SOURCE_ADMINISTRATION_VERSION = 1.0
2019-07-31 08:09:06 +00:00
FILE_TYPE_TECHNIQUE_ADMINISTRATION_VERSION = 1.2
2019-04-23 11:13:07 +00:00
FILE_TYPE_GROUP_ADMINISTRATION_VERSION = 1.0
# YAML file upgrade text
2019-08-08 09:49:12 +00:00
FILE_TYPE_TECHNIQUE_ADMINISTRATION_UPGRADE_TEXT = {
1.1 : " * Adding new key ' technique_name ' containing the ATT&CK technique name. \n "
" * Adding new key ' applicable_to ' for both detection and visibility. Default value is [ ' all ' ]. " ,
1.2 : " * Detection: removing the key-value pair ' date_registered ' . \n "
" You will be asked if you still want to keep this key-value pair even though DeTT&CT no longer makes use of it. \n "
" * Detection: the key-value pair ' date_implemented ' will be renamed to ' date ' . \n "
" * Visibility: adding a new key-value pair ' date ' . You will be asked on what date to fill in for the visibility scores already present. \n "
" * Detection and visibility: the key-value pairs ' score ' and ' date ' are moved into a ' score_logbook ' . \n "
" The primary purpose of doing this is to allow you to keep track of changes in the score. " }
2019-07-31 08:09:06 +00:00
# visibility update questions and answers
2019-09-19 13:49:59 +00:00
V_UPDATE_Q_ALL_MANUAL = ' For all most recent visibility score objects that are eligible for an update, the key-value pair \' auto-generated \' is set to \' false \' or is not present. \n ' \
2019-07-31 08:09:06 +00:00
' This implies that these scores are manually assigned. How do you want to proceed?: '
2019-09-19 13:49:59 +00:00
V_UPDATE_Q_ALL_AUTO = ' For all most recent visibility score objects that are eligible for an update, the key-value pair \' auto-generated \' is set to \' true \' . \n ' \
2019-07-31 08:09:06 +00:00
' This implies that these scores are auto-generated. How do you want to proceed?: '
V_UPDATE_Q_MIXED = ' You have visibility scores that are eligible for an update, which are manually assigned and which are calculated based on the nr. of data sources (i.e. auto-generated = true) \n ' \
' How do you want to proceed? '
V_UPDATE_ANSWER_1 = ' Update all visibility scores that have changed. '
V_UPDATE_ANSWER_2 = ' Decide per visibility score, that has changed if you want to update or not. \n ' \
' Both the current and new visibility score will be printed. '
V_UPDATE_ANSWER_3 = ' Only auto-update the visibility scores, that have changed, which have \' auto-generated = true \' '
V_UPDATE_ANSWER_4 = ' - Auto-update the visibility scores, that have changed, which have \' auto-generated = true \' . \n ' \
' - And decide per manually assigned visibility score, that has changed, if you want to update or not. \n ' \
' Both the current and new visibility score will be printed. '
V_UPDATE_ANSWER_CANCEL = ' Cancel. '
# update actions for visibility scores
V_UPDATE_ACTION_AUTO = ' auto update '
V_UPDATE_ACTION_DIFF = ' the user decides to update or not '
# YAML regex
REGEX_YAML_VERSION_10 = re . compile ( r ' ^ \ s*version: \ s+1 \ .0 \ s*$ ' , re . IGNORECASE )
2020-06-25 18:48:51 +00:00
REGEX_YAML_TECHNIQUE_ID = re . compile ( r ' ^- \ s+technique_id: \ s+T \ d {4} ( \ . \ d {3} |) \ s*$ ' , re . IGNORECASE )
REGEX_YAML_TECHNIQUE_ID_FORMAT = re . compile ( r ' T \ d {4} ( \ . \ d {3} |) ' , re . IGNORECASE )
2019-07-31 08:09:06 +00:00
REGEX_YAML_DETECTION = re . compile ( r ' ^ \ s+detection: \ s*$ ' , re . IGNORECASE )
REGEX_YAML_VISIBILITY = re . compile ( r ' ^ \ s+visibility: \ s*$ ' , re . IGNORECASE )
REGEX_YAML_INDENT_CHARS = re . compile ( r ' (^[ \ s-]+).* ' , re . IGNORECASE )
REGEX_YAML_VALID_DATE = re . compile ( r ' ([12] \ d {3} -(0[1-9]|1[0-2])-(0[1-9]|[12] \ d|3[01])) ' , re . IGNORECASE )
REGEX_YAML_DATE = re . compile ( r ' ^[ \ s-]+date:.*$ ' , re . IGNORECASE )
2020-06-25 18:48:51 +00:00
REGEX_YAML_TECHNIQUE_ID_GROUP = re . compile ( r ' ^- \ s+technique_id: \ s+(T \ d {4} ) \ s*$ ' , re . IGNORECASE )
2019-07-31 08:09:06 +00:00
2019-08-08 09:49:12 +00:00
# YAML objects
YAML_OBJ_VISIBILITY = { ' applicable_to ' : [ ' all ' ] ,
' comment ' : ' ' ,
' score_logbook ' :
[
{ ' date ' : None ,
' score ' : 0 ,
' comment ' : ' ' ,
' auto_generated ' : True }
]
}
2020-02-10 11:17:00 +00:00
2019-08-08 09:49:12 +00:00
YAML_OBJ_DETECTION = { ' applicable_to ' : [ ' all ' ] ,
' location ' : [ ' ' ] ,
' comment ' : ' ' ,
' score_logbook ' :
[
{ ' date ' : None ,
' score ' : - 1 ,
' comment ' : ' ' }
2020-02-10 11:17:00 +00:00
] }
2019-08-08 09:49:12 +00:00
YAML_OBJ_TECHNIQUE = { ' technique_id ' : ' ' ,
' technique_name ' : ' ' ,
' detection ' : YAML_OBJ_DETECTION ,
' visibility ' : YAML_OBJ_VISIBILITY }
2019-07-31 08:09:06 +00:00
2019-08-15 18:31:20 +00:00
YAML_OBJ_DATA_SOURCE = { ' data_source_name ' : ' ' ,
' date_registered ' : None ,
' date_connected ' : None ,
' products ' : [ ' ' ] ,
' available_for_data_analytics ' : False ,
' comment ' : ' ' ,
' data_quality ' : {
' device_completeness ' : 0 ,
' data_field_completeness ' : 0 ,
' timeliness ' : 0 ,
' consistency ' : 0 ,
' retention ' : 0 } }
2019-04-23 11:13:07 +00:00
# Interactive menu
MENU_NAME_DATA_SOURCE_MAPPING = ' Data source mapping '
MENU_NAME_VISIBILITY_MAPPING = ' Visibility coverage mapping '
MENU_NAME_DETECTION_COVERAGE_MAPPING = ' Detection coverage mapping '
MENU_NAME_THREAT_ACTOR_GROUP_MAPPING = ' Threat actor group mapping '
2019-08-08 09:49:12 +00:00
# EQL
EQL_INVALID_RESULT_DS = ' [!] Invalid data source administration content. Check your EQL query to return data_sources object(s): '
EQL_INVALID_RESULT_TECH = ' [!] Invalid technique administration content. Check your EQL query to return '
# Health text
2019-08-20 09:14:51 +00:00
HEALTH_ERROR_TXT = ' [!] The below YAML file contains possible errors. It \' s recommended to check via the ' \
2019-08-08 09:49:12 +00:00
' \' --health \' argument or using the option in the interactive menu: \n - '
2019-11-04 13:48:58 +00:00
2020-10-30 17:43:14 +00:00
PLATFORMS = { ' windows ' : ' Windows ' , ' linux ' : ' Linux ' , ' pre ' : ' PRE ' , ' macos ' : ' macOS ' , ' aws ' : ' AWS ' , ' gcp ' : ' GCP ' , ' azure ' : ' Azure ' ,
' azure ad ' : ' Azure AD ' , ' office 365 ' : ' Office 365 ' , ' saas ' : ' SaaS ' , ' network ' : ' Network ' }
2020-02-10 11:17:00 +00:00
# Data sources applicable per platform
DATA_SOURCES = { ' Windows ' : [ ' Access tokens ' , ' Anti-virus ' , ' API monitoring ' , ' Application logs ' , ' Asset management ' , ' Authentication logs ' , ' Binary file metadata ' , ' BIOS ' , ' Browser extensions ' ,
' Component firmware ' , ' Data loss prevention ' , ' Detonation chamber ' , ' Digital certificate logs ' , ' Disk forensics ' , ' DLL monitoring ' , ' DNS records ' , ' EFI ' , ' Email gateway ' ,
' Environment variable ' , ' File monitoring ' , ' Host network interface ' , ' Kernel drivers ' , ' Loaded DLLs ' , ' Mail server ' , ' Malware reverse engineering ' , ' MBR ' , ' Named Pipes ' ,
' Netflow/Enclave netflow ' , ' Network device logs ' , ' Network intrusion detection system ' , ' Network protocol analysis ' , ' Packet capture ' , ' PowerShell logs ' ,
' Process command-line parameters ' , ' Process monitoring ' , ' Process use of network ' , ' Sensor health and status ' , ' Services ' , ' SSL/TLS inspection ' , ' System calls ' ,
' Third-party application logs ' , ' User interface ' , ' VBR ' , ' Web application firewall logs ' , ' Web logs ' , ' Web proxy ' , ' Windows Error Reporting ' , ' Windows event logs ' ,
' Windows Registry ' , ' WMI Objects ' ] ,
' Linux ' : [ ' Anti-virus ' , ' API monitoring ' , ' Application logs ' , ' Asset management ' , ' Authentication logs ' , ' Binary file metadata ' , ' BIOS ' , ' Browser extensions ' , ' Component firmware ' ,
' Data loss prevention ' , ' Detonation chamber ' , ' Digital certificate logs ' , ' Disk forensics ' , ' DNS records ' , ' EFI ' , ' Email gateway ' , ' Environment variable ' , ' File monitoring ' ,
' Host network interface ' , ' Kernel drivers ' , ' Mail server ' , ' Malware reverse engineering ' , ' MBR ' , ' Named Pipes ' , ' Netflow/Enclave netflow ' , ' Network device logs ' ,
' Network intrusion detection system ' , ' Network protocol analysis ' , ' Packet capture ' , ' PowerShell logs ' , ' Process command-line parameters ' , ' Process monitoring ' ,
' Process use of network ' , ' Sensor health and status ' , ' Services ' , ' SSL/TLS inspection ' , ' System calls ' , ' Third-party application logs ' , ' User interface ' , ' VBR ' ,
' Web application firewall logs ' , ' Web logs ' , ' Web proxy ' ] ,
2020-10-30 17:43:14 +00:00
' PRE ' : [ ' Domain registration ' , ' Email gateway ' , ' Mail server ' , ' Network device logs ' , ' Packet capture ' , ' Social media monitoring ' , ' SSL/TLS certificates ' , ' Web logs ' ] ,
2020-02-10 11:17:00 +00:00
' macOS ' : [ ' Anti-virus ' , ' API monitoring ' , ' Application logs ' , ' Asset management ' , ' Authentication logs ' , ' Binary file metadata ' , ' BIOS ' , ' Browser extensions ' , ' Component firmware ' ,
' Data loss prevention ' , ' Detonation chamber ' , ' Digital certificate logs ' , ' Disk forensics ' , ' DNS records ' , ' EFI ' , ' Email gateway ' , ' Environment variable ' , ' File monitoring ' ,
' Host network interface ' , ' Kernel drivers ' , ' Mail server ' , ' Malware reverse engineering ' , ' MBR ' , ' Named Pipes ' , ' Netflow/Enclave netflow ' , ' Network device logs ' ,
' Network intrusion detection system ' , ' Network protocol analysis ' , ' Packet capture ' , ' PowerShell logs ' , ' Process command-line parameters ' , ' Process monitoring ' ,
' Process use of network ' , ' Sensor health and status ' , ' Services ' , ' SSL/TLS inspection ' , ' System calls ' , ' Third-party application logs ' , ' User interface ' , ' VBR ' ,
' Web application firewall logs ' , ' Web logs ' , ' Web proxy ' ] ,
' AWS ' : [ ' Anti-virus ' , ' API monitoring ' , ' Application logs ' , ' Asset management ' , ' Authentication logs ' , ' AWS CloudTrail logs ' , ' AWS OS logs ' , ' Binary file metadata ' , ' Data loss prevention ' ,
' Detonation chamber ' , ' DNS records ' , ' Email gateway ' , ' File monitoring ' , ' Mail server ' , ' Malware reverse engineering ' , ' Netflow/Enclave netflow ' , ' Network device logs ' ,
' Network intrusion detection system ' , ' Network protocol analysis ' , ' Packet capture ' , ' Sensor health and status ' , ' SSL/TLS inspection ' , ' Third-party application logs ' ,
' Web application firewall logs ' , ' Web logs ' , ' Web proxy ' ] ,
' GCP ' : [ ' Anti-virus ' , ' API monitoring ' , ' Application logs ' , ' Asset management ' , ' Authentication logs ' , ' Binary file metadata ' , ' Data loss prevention ' , ' Detonation chamber ' ,
2020-10-30 17:43:14 +00:00
' DNS records ' , ' Email gateway ' , ' File monitoring ' , ' GCP audit logs ' , ' Mail server ' , ' Malware reverse engineering ' , ' Netflow/Enclave netflow ' , ' Network device logs ' ,
2020-02-10 11:17:00 +00:00
' Network intrusion detection system ' , ' Network protocol analysis ' , ' Packet capture ' , ' Sensor health and status ' , ' SSL/TLS inspection ' , ' Stackdriver logs ' ,
' Third-party application logs ' , ' Web application firewall logs ' , ' Web logs ' , ' Web proxy ' ] ,
' Azure ' : [ ' Anti-virus ' , ' API monitoring ' , ' Application logs ' , ' Asset management ' , ' Authentication logs ' , ' Azure activity logs ' , ' Azure OS logs ' , ' Binary file metadata ' ,
' Data loss prevention ' , ' DNS records ' , ' File monitoring ' , ' Malware reverse engineering ' , ' Netflow/Enclave netflow ' , ' Network device logs ' , ' Network intrusion detection system ' ,
' Network protocol analysis ' , ' Packet capture ' , ' Sensor health and status ' , ' SSL/TLS inspection ' , ' Third-party application logs ' , ' Web application firewall logs ' ,
' Web logs ' , ' Web proxy ' ] ,
' Azure AD ' : [ ' API monitoring ' , ' Authentication logs ' , ' Azure activity logs ' , ' Malware reverse engineering ' , ' Sensor health and status ' ] ,
' Office 365 ' : [ ' Anti-virus ' , ' API monitoring ' , ' Authentication logs ' , ' Azure activity logs ' , ' Data loss prevention ' , ' Detonation chamber ' , ' Email gateway ' , ' Mail server ' ,
' Malware reverse engineering ' , ' Office 365 account logs ' , ' Office 365 audit logs ' , ' Office 365 trace logs ' , ' Sensor health and status ' ] ,
2020-10-15 08:59:18 +00:00
' SaaS ' : [ ' Anti-virus ' , ' API monitoring ' , ' Application logs ' , ' Authentication logs ' , ' Data loss prevention ' , ' Detonation chamber ' , ' Email gateway ' , ' Mail server ' ,
2020-10-30 17:43:14 +00:00
' Malware reverse engineering ' , ' OAuth audit logs ' , ' Sensor health and status ' , ' Third-party application logs ' , ' Web application firewall logs ' , ' Web logs ' ] ,
' Network ' : [ ' File monitoring ' , ' Netflow/Enclave netflow ' , ' Network device command history ' , ' Network device configuration ' , ' Network device logs ' , ' Network device run-time memory ' ,
' Network protocol analysis ' , ' Packet capture ' ]
2020-02-10 11:17:00 +00:00
}