From f77aed3ef0935bcc23bb1a731ef728222d7f9d7a Mon Sep 17 00:00:00 2001
From: Ruben Bouman
Date: Mon, 29 Jun 2020 15:52:26 +0200
Subject: [PATCH] Functionality to update to sub-techniques, including an option to provide a local stix path. Also updated sample YAML file.
---
dettect.py | 34 +-
generic.py | 73 +-
mitre-data/subtechniques-crosswalk.json | 2150 +++++++++++++++++
.../techniques-administration-endpoints.yaml | 761 +++---
technique_mapping.py | 110 +-
upgrade.py | 267 +-
6 files changed, 2886 insertions(+), 509 deletions(-)
create mode 100644 mitre-data/subtechniques-crosswalk.json
diff --git a/dettect.py b/dettect.py
index 71b2d7a..ef7c47e 100644
--- a/dettect.py
+++ b/dettect.py
@@ -3,6 +3,7 @@ import os
 import signal
 from interactive_menu import *
 from editor import DeTTECTEditor
+import generic
 def _init_menu():
@@ -62,6 +63,10 @@ def _init_menu():
 parser_data_sources.add_argument('-of', '--output-filename', help='set the output filename')
 parser_data_sources.add_argument('-ln', '--layer-name', help='set the name of the Navigator layer')
 parser_data_sources.add_argument('--health', help='check the YAML file(s) for errors', action='store_true')
+ parser_data_sources.add_argument('--local-stix-path', help='path to a local STIX repository to use DeTT&CT offline '
+ 'or to use a specific version of STIX objects.')
+ parser_data_sources.add_argument('--update-to-sub-techniques', help='Update the technique administration YAML file'
+ 'to ATT&CK with sub-techniques.', action='store_true')
 # create the visibility parser
 parser_visibility = subparsers.add_parser('visibility', aliases=['v'],
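Review bot: The help string of the new `--update-to-sub-techniques` option is missing a space between its two adjacent literals, so implicit concatenation renders it as `...YAML fileto ATT&CK with sub-techniques.`; change the first literal to `'Update the technique administration YAML file '`. The same string is repeated verbatim in the visibility, detection and group parser hunks below, where the same fix applies. Since this flag rewrites the technique administration file rather than producing a report, the help text would also usefully say that the file given with `-ft/--file-tech` is modified in place, as far as that matches the upgrade routine's behaviour.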
@@ -92,13 +97,17 @@ def _init_menu():
 parser_visibility.add_argument('-of', '--output-filename', help='set the output filename')
 parser_visibility.add_argument('-ln', '--layer-name', help='set the name of the Navigator layer')
 parser_visibility.add_argument('--health', help='check the YAML file for errors', action='store_true')
+ parser_visibility.add_argument('--local-stix-path', help='path to a local STIX repository to use DeTT&CT offline '
+ 'or to use a specific version of STIX objects.')
+ parser_visibility.add_argument('--update-to-sub-techniques', help='Update the technique administration YAML file'
+ 'to ATT&CK with sub-techniques.', action='store_true')
 # create the detection parser
 parser_detection = subparsers.add_parser('detection', aliases=['d'],
 help='detection coverage mapping based on techniques',
 description='Create a heat map based on detection scores, overlay '
- 'detections with visibility, generate a detection '
- 'improvement graph, output to Excel or check the health of '
+ 'detections with visibility, generate a detection '
+ 'improvement graph, output to Excel or check the health of '
 'the technique administration YAML file.')
 parser_detection.add_argument('-ft', '--file-tech', help='path to the technique administration YAML file (used to '
 'score the level of detection)', required=True)
@@ -124,11 +133,15 @@ def _init_menu():
 parser_detection.add_argument('-of', '--output-filename', help='set the output filename')
 parser_detection.add_argument('-ln', '--layer-name', help='set the name of the Navigator layer')
 parser_detection.add_argument('--health', help='check the YAML file(s) for errors', action='store_true')
+ parser_detection.add_argument('--local-stix-path', help='path to a local STIX repository to use DeTT&CT offline '
+ 'or to use a specific version of STIX objects.')
+ parser_detection.add_argument('--update-to-sub-techniques', help='Update the technique administration YAML file'
+ 'to ATT&CK with sub-techniques.', action='store_true')
 # create the group parser
 parser_group = subparsers.add_parser('group', aliases=['g'],
 description='Create threat actor group heat maps, compare group(s) and '
- 'compare group(s) with visibility and detection coverage.',
+ 'compare group(s) with visibility and detection coverage.',
 help='threat actor group mapping')
 parser_group.add_argument('-g', '--groups', help='specify the ATT&CK Groups to include separated using commas. '
 'Group can be their ID, name or alias (default is all groups). '
@@ -163,11 +176,15 @@ def _init_menu():
 parser_group.add_argument('-of', '--output-filename', help='set the output filename')
 parser_group.add_argument('-ln', '--layer-name', help='set the name of the Navigator layer')
 parser_group.add_argument('--health', help='check the YAML file(s) for errors', action='store_true')
+ parser_group.add_argument('--local-stix-path', help='path to a local STIX repository to use DeTT&CT offline '
+ 'or to use a specific version of STIX objects.')
+ parser_group.add_argument('--update-to-sub-techniques', help='Update the technique administration YAML file'
+ 'to ATT&CK with sub-techniques.', action='store_true')
 # create the generic parser
 parser_generic = subparsers.add_parser('generic', description='Generic functions which will output to stdout.',
 help='includes: statistics on ATT&CK data source and updates on techniques'
- ', groups and software', aliases=['ge'])
+ ', groups and software', aliases=['ge'])
 parser_generic.add_argument('-ds', '--datasources',
 help='get a sorted count on how many ATT&CK Enterprise '
 'techniques are covered by a particular Data Source',
@@ -181,6 +198,8 @@ def _init_menu():
 parser_generic.add_argument('--sort', help='sorting of the output from \'-u/--update\' on modified or creation '
 'date (default = modified)', choices=['modified', 'created'], default='modified')
+ parser_generic.add_argument('--local-stix-path', help='path to a local STIX repository to use DeTT&CT offline '
+ 'or to use a specific version of STIX objects.')
 return menu_parser
@@ -193,6 +212,13 @@ def _menu(menu_parser):
 """
 args = menu_parser.parse_args()
+ if 'local_stix_path' in args and args.local_stix_path:
+ generic.local_stix_path = args.local_stix_path
+
+ if 'update_to_sub_techniques' in args and args.update_to_sub_techniques:
+ from upgrade import upgrade_to_sub_techniques
+ upgrade_to_sub_techniques(args.file_tech)
+
 if args.interactive:
 interactive_menu()
diff --git a/generic.py b/generic.py
index c353daf..a06e139 100644
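Review bot: In the `_menu` hunk, `upgrade_to_sub_techniques(args.file_tech)` assumes every subcommand that accepts `--update-to-sub-techniques` also defines `-ft/--file-tech`; the flag is added to the datasource, visibility, detection and group parsers in this patch, and for any of those that lacks that option (or where it is optional and not given) the call raises AttributeError or passes `None` instead of telling the user what is missing. Guard it before the import with `if 'file_tech' not in args or not args.file_tech: menu_parser.error('--update-to-sub-techniques requires -ft/--file-tech')`. Note also that `generic.local_stix_path` is assigned here without any check and is only validated later inside `load_attack_data`, so a mistyped path surfaces as a hard exit deep in data loading rather than as an argument error; a comment on the assignment saying validation happens in `generic.load_attack_data` would help the next reader. `_menu` continues past the end of this hunk.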
--- a/generic.py
+++ b/generic.py
@@ -4,12 +4,14 @@ import pickle
 from io import StringIO
 from datetime import datetime as dt
 from ruamel.yaml import YAML
-from upgrade import upgrade_yaml_file
+from upgrade import upgrade_yaml_file, check_yaml_updated_to_sub_techniques
 from constants import *
 from health import check_yaml_file_health
 # Due to performance reasons the import of attackcti is within the function that makes use of this library.
+local_stix_path = None
+
 def _save_attack_data(data, path):
 """
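Review bot: The new module global `local_stix_path = None` is undocumented, yet it is assigned from another module (`generic.local_stix_path = ...` in dettect.py) and read by `load_attack_data` to switch between the local STIX repository and the TAXII/cache path. A one-line comment above it would make that contract visible: `# Path to a local STIX repository, set by dettect.py from --local-stix-path; None means load from the TAXII server / on-disk cache.`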
@@ -27,20 +29,32 @@ def _save_attack_data(data, path):
 def load_attack_data(data_type):
 """
- Load the cached ATT&CK data from disk, if not expired (data file on disk is older then EXPIRE_TIME seconds).
+ By default the ATT&CK data is loaded from the online TAXII server or from the local cache directory. The
+ local cache directory will be used if the file is not expired (data file on disk is older then EXPIRE_TIME
+ seconds). When the local_stix_path option is given, the ATT&CK data will be loaded from the given path of
+ a local STIX repository.
 :param data_type: the desired data type, see DATATYPE_XX constants.
 :return: MITRE ATT&CK data object (STIX or custom schema)
 """
- if os.path.exists("cache/" + data_type):
- with open("cache/" + data_type, 'rb') as f:
- cached = pickle.load(f)
- write_time = cached[1]
- if not (dt.now() - write_time).total_seconds() >= EXPIRE_TIME:
- # the first item in the list contains the ATT&CK data
- return cached[0]
- from attackcti import attack_client
- mitre = attack_client()
+ if local_stix_path is not None:
+ if local_stix_path is not None and os.path.isdir(os.path.join(local_stix_path, 'enterprise-attack')) \
+ and os.path.isdir(os.path.join(local_stix_path, 'pre-attack')) \
+ and os.path.isdir(os.path.join(local_stix_path, 'mobile-attack')):
+ mitre = attack_client(local_path=local_stix_path)
+ else:
+ print('[!] Not a valid local STIX path: ' + local_stix_path)
+ quit()
+ else:
+ if os.path.exists("cache/" + data_type):
+ with open("cache/" + data_type, 'rb') as f:
+ cached = pickle.load(f)
+ write_time = cached[1]
+ if not (dt.now() - write_time).total_seconds() >= EXPIRE_TIME:
+ # the first item in the list contains the ATT&CK data
+ return cached[0]
+
+ mitre = attack_client()
 attack_data = None
 if data_type == DATA_TYPE_STIX_ALL_RELATIONSHIPS:
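Review bot: The rewritten body calls `attack_client` in both branches, but the removed `from attackcti import attack_client` line is not re-added anywhere in this patch's generic.py hunks, and the module-level comment says that import is deliberately kept inside this function; unless the first three lines of generic.py already import it, both `mitre = attack_client(...)` calls raise NameError. Put `from attackcti import attack_client` back as the first statement of the body, ahead of `if local_stix_path is not None:`. The inner `local_stix_path is not None and` on the following line repeats the enclosing condition and can be dropped. Reporting an invalid path with `print` plus `quit()` relies on the `site`-injected builtin and exits with status 0; `sys.exit('[!] Not a valid local STIX path: ' + local_stix_path)` (importing `sys` if the module does not already) writes the message to stderr and returns a non-zero status, which is what scripted or CI use of the tool needs to notice the failure. `load_attack_data` continues past the end of this hunk.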
@@ -167,7 +181,9 @@ def load_attack_data(data_type):
 attack_data = mitre.get_mobile_mitigations()
 attack_data = mitre.remove_revoked(attack_data)
- _save_attack_data(attack_data, "cache/" + data_type)
+ # Only use cache when using online TAXII server:
+ if local_stix_path is None:
+ _save_attack_data(attack_data, "cache/" + data_type)
 return attack_data
@@ -863,8 +879,8 @@ def _check_file_type(filename, file_type=None):
 def check_file(filename, file_type=None, health_is_called=False):
 """
- Calls three functions to perform the following checks: is the file a valid YAML file, needs the file to be upgrade,
- does the file contain errors.
+ Calls four functions to perform the following checks: is the file a valid YAML file, needs the file to be upgraded,
+ does the file contain errors or does the file need a sub-techniques upgrade.
 :param filename: path to a YAML file
 :param file_type: value to check against the 'file_type' key in the YAML file
 :param health_is_called: boolean that specifies if detailed errors in the file will be printed by the function 'check_yaml_file_health'
@@ -878,6 +894,10 @@ def check_file(filename, file_type=None, health_is_called=False):
 upgrade_yaml_file(filename, file_type, yaml_content['version'], load_attack_data(DATA_TYPE_STIX_ALL_TECH))
 check_yaml_file_health(filename, file_type, health_is_called)
+ if file_type == FILE_TYPE_TECHNIQUE_ADMINISTRATION:
+ if not check_yaml_updated_to_sub_techniques(filename):
+ return None
+
 return yaml_content['file_type']
 return yaml_content # value is None
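Review bot: In the `check_file` hunk, returning `None` when `check_yaml_updated_to_sub_techniques` reports that a technique administration file still needs the sub-techniques upgrade makes that outcome indistinguishable from an invalid file, which the last context line also reports as `None`, so callers cannot tell whether to ask for `--update-to-sub-techniques` or for a repair. If the helper itself prints the guidance this may be acceptable, but the updated docstring should say so: `:return: the file type, or None if the file is invalid or (for a technique administration file) still needs the sub-techniques upgrade`. `check_file` starts and ends outside this hunk.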
@@ -1075,3 +1095,28 @@ def clean_filename(filename):
 :return: sanitized filename
 """
 return filename.replace('/', '').replace('\\', '').replace(':', '')[:200]
+
+
+def get_technique_from_yaml(yaml_content, technique_id):
+ """
+ Generic function to lookup a specific technique_id in the YAML content.
+ :param techniques: list with all techniques
+ :param technique_id: technique_id to look for
+ :return: the technique you're searching for. None if not found.
+ """
+ for tech in yaml_content['techniques']:
+ if tech['technique_id'] == technique_id:
+ return tech
+
+
+def remove_technique_from_yaml(yaml_content, technique_id):
+ """
+ Function to delete a specific technique in the YAML content.
+ :param techniques: list with all techniques
+ :param technique_id: technique_id to look for
+ :return: none
+ """
+ for tech in yaml_content['techniques']:
+ if tech['technique_id'] == technique_id:
+ yaml_content['techniques'].remove(tech)
+ return
diff --git a/mitre-data/subtechniques-crosswalk.json b/mitre-data/subtechniques-crosswalk.json
new file mode 100644
index 0000000..9795e08
--- /dev/null
+++ b/mitre-data/subtechniques-crosswalk.json
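Review bot: Both new helpers document a `techniques` parameter that does not exist; the first positional parameter is `yaml_content`, so the `:param` lines should read `:param yaml_content: the loaded YAML content, a mapping with a 'techniques' list`. `get_technique_from_yaml` falls off the end of its loop without a statement, so add an explicit `return None` after the loop to match its `:return:` line. `remove_technique_from_yaml` removes from the list it is iterating, which is safe only because it returns right after the first match; a comment such as `# returning immediately keeps the in-loop remove() safe` would keep a later edit from turning it into a loop that skips elements.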
@@ -0,0 +1,2150 @@ +[ + { + "T1001": [ + { + "id": "T1001", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1002": [ + { + "id": "T1560", + "explanation": "Created to consolidate behavior around encrypting and compressing collected data" + } + ] + }, + { + "T1003": [ + { + "id": "T1003", + "explanation": "Remains Technique, Renamed, Name change from Credential Dumping and new sub-techniques added" + } + ] + }, + { + "T1004": [ + { + "id": "T1547.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1005": [ + { + "id": "T1005", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1006": [ + { + "id": "T1006", + "explanation": "Remains Technique, Renamed, Name change from File System Logical Offsets" + } + ] + }, + { + "T1007": [ + { + "id": "T1007", + "explanation": "Remains Technique" + } + ] + }, + { + "T1008": [ + { + "id": "T1008", + "explanation": "Remains Technique" + } + ] + }, + { + "T1009": [ + { + "id": "T1027.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1010": [ + { + "id": "T1010", + "explanation": "Remains Technique, Fixed technique reference in description" + } + ] + }, + { + "T1011": [ + { + "id": "T1011", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1012": [ + { + "id": "T1012", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1013": [ + { + "id": "T1547.010", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1014": [ + { + "id": "T1014", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1015": [ + { + "id": "T1546.008", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1016": [ + { + "id": "T1016", + "explanation": "Remains 
Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1017": [ + { + "id": "T1072", + "explanation": "Name change from Application Deployment Software" + } + ] + }, + { + "T1018": [ + { + "id": "T1018", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1019": [ + { + "id": "T1542.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1020": [ + { + "id": "T1020", + "explanation": "Remains Technique, Fixed technique reference in description" + } + ] + }, + { + "T1021": [ + { + "id": "T1021", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1022": [ + { + "id": "T1560", + "explanation": "Created to consolidate behavior around encrypting and compressing collected data" + } + ] + }, + { + "T1023": [ + { + "id": "T1547.009", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1024": [ + { + "id": "T1573", + "explanation": "Created to consolidate behavior around encrypted C2" + } + ] + }, + { + "T1025": [ + { + "id": "T1025", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1026": [ + { + "id": "N/A", + "explanation": "Deprecate, Deprecated from ATT&CK due to lack of in the wild use. 
Existing Group/Software procedure examples did not fit the core idea behind the technique" + } + ] + }, + { + "T1027": [ + { + "id": "T1027", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1028": [ + { + "id": "T1021.006", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1029": [ + { + "id": "T1029", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1030": [ + { + "id": "T1030", + "explanation": "Remains Technique" + } + ] + }, + { + "T1031": [ + { + "id": "T1543.003", + "explanation": "Existing technique that became a sub-technique. Consolidates Modify Existing Service and New Service techniques into one sub-technique" + } + ] + }, + { + "T1032": [ + { + "id": "T1573", + "explanation": "Created to consolidate behavior around encrypted C2" + } + ] + }, + { + "T1033": [ + { + "id": "T1033", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1034": [ + { + "id": "T1574.007", + "explanation": "Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques." + }, + { + "id": "T1574.008", + "explanation": "Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques." + }, + { + "id": "T1574.009", + "explanation": "Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques." 
+ } + ] + }, + { + "T1035": [ + { + "id": "T1569.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1036": [ + { + "id": "T1036", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1037": [ + { + "id": "T1037", + "explanation": "Remove from lateral-movement, Renamed, Name change from Logon Scripts and new sub-techniques added" + } + ] + }, + { + "T1038": [ + { + "id": "T1574.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1039": [ + { + "id": "T1039", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1040": [ + { + "id": "T1040", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1041": [ + { + "id": "T1041", + "explanation": "Remains Technique, Renamed, Name change from Exfiltration over Command and Control Channel and added data sources" + } + ] + }, + { + "T1042": [ + { + "id": "T1546.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1043": [ + { + "id": "T1571", + "explanation": "Created to refine the idea behind Common and Uncommonly Used Port to focus the behavior on use of a non-standard port for C2 based on the protocol used" + } + ] + }, + { + "T1044": [ + { + "id": "T1574.010", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1045": [ + { + "id": "T1027.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1046": [ + { + "id": "T1046", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1047": [ + { + "id": "T1047", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1048": [ + { + "id": "T1048", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1049": [ + { + "id": "T1049", + "explanation": "Remains Technique, 
Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1050": [ + { + "id": "T1543.003", + "explanation": "Existing technique that became a sub-technique. Consolidates Modify Existing Service and New Service techniques into one sub-technique" + } + ] + }, + { + "T1051": [ + { + "id": "N/A", + "explanation": "Deprecate, Deprecated from ATT&CK due to lack of in the wild use" + } + ] + }, + { + "T1052": [ + { + "id": "T1052", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1053": [ + { + "id": "T1053", + "explanation": "Remains Technique, Renamed, Name change from Local Job Scheduling and new sub-techniques added" + } + ] + }, + { + "T1054": [ + { + "id": "T1562.006", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1055": [ + { + "id": "T1055", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1056": [ + { + "id": "T1056", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1057": [ + { + "id": "T1057", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1058": [ + { + "id": "T1574.011", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1059": [ + { + "id": "T1059", + "explanation": "Remains Technique, Renamed, Name change from Command-Line Interface and new sub-techniques added" + } + ] + }, + { + "T1060": [ + { + "id": "T1547.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1061": [ + { + "id": "N/A", + "explanation": "Deprecate, Deprecated from ATT&CK because the behavior is redundant and implied by use of remote desktop tools like Remote Desktop Protocol. 
Existing Group/Software procedure examples were remapped appropriately" + } + ] + }, + { + "T1062": [ + { + "id": "N/A", + "explanation": "Deprecate, Deprecated from ATT&CK due to lack of in the wild use" + } + ] + }, + { + "T1063": [ + { + "id": "T1518.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1064": [ + { + "id": "T1059.004", + "explanation": "Deprecated and split into separate Bash, VBScript, and Python sub-techniques of Command and Scripting Interpreter." + }, + { + "id": "T1059.005", + "explanation": "Deprecated and split into separate Bash, VBScript, and Python sub-techniques of Command and Scripting Interpreter." + }, + { + "id": "T1059.006", + "explanation": "Deprecated and split into separate Bash, VBScript, and Python sub-techniques of Command and Scripting Interpreter." + } + ] + }, + { + "T1065": [ + { + "id": "T1571", + "explanation": "Created to refine the idea behind Common and Uncommonly Used Port to focus the behavior on use of a non-standard port for C2 based on the protocol used" + } + ] + }, + { + "T1066": [ + { + "id": "T1027.005", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1067": [ + { + "id": "T1542.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1068": [ + { + "id": "T1068", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1069": [ + { + "id": "T1069", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1070": [ + { + "id": "T1551", + "explanation": "Remains Technique" + } + ] + }, + { + "T1071": [ + { + "id": "T1071", + "explanation": "Remains Technique, Renamed, Name change from Standard Application Layer Protocol and new sub-techniques added" + } + ] + }, + { + "T1072": [ + { + "id": "T1072", + "explanation": "Remains Technique, Renamed, Name change from Application Deployment Software" + } + ] + }, + { + "T1073": [ + { + "id": 
"T1574.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1074": [ + { + "id": "T1074", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1075": [ + { + "id": "T1550.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1076": [ + { + "id": "T1021.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1077": [ + { + "id": "T1021.002", + "explanation": "Existing technique that became a sub-technique and was renamed from Windows Admin Shares" + } + ] + }, + { + "T1078": [ + { + "id": "T1078", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1079": [ + { + "id": "T1573", + "explanation": "Created to consolidate behavior around encrypted C2" + } + ] + }, + { + "T1080": [ + { + "id": "T1080", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1081": [ + { + "id": "T1552.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1082": [ + { + "id": "T1082", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1083": [ + { + "id": "T1083", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1084": [ + { + "id": "T1546.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1085": [ + { + "id": "T1218.011", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1086": [ + { + "id": "T1059.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1087": [ + { + "id": "T1087", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1088": [ + { + "id": "T1548.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + 
{ + "T1089": [ + { + "id": "T1562.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1090": [ + { + "id": "T1090", + "explanation": "Remains Technique, Renamed, Name change from Connection Proxy and new sub-techniques added" + } + ] + }, + { + "T1091": [ + { + "id": "T1091", + "explanation": "Remains Technique" + } + ] + }, + { + "T1092": [ + { + "id": "T1092", + "explanation": "Remains Technique" + } + ] + }, + { + "T1093": [ + { + "id": "T1055.012", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1094": [ + { + "id": "T1095", + "explanation": "Merged with and name change from Standard Non-Application Layer Protocol" + } + ] + }, + { + "T1095": [ + { + "id": "T1095", + "explanation": "Remains Technique, Renamed, Name change from Standard Non-Application Layer Protocol" + } + ] + }, + { + "T1096": [ + { + "id": "T1564.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1097": [ + { + "id": "T1550.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1098": [ + { + "id": "T1098", + "explanation": "Remove from credential-access, New sub-techniques added" + } + ] + }, + { + "T1099": [ + { + "id": "T1551.006", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1100": [ + { + "id": "T1505.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1101": [ + { + "id": "T1547.005", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1102": [ + { + "id": "T1102", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1103": [ + { + "id": "T1546.010", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1104": [ + { + "id": "T1104", + "explanation": "Remains Technique" + } + ] + }, + { + "T1105": [ + { + "id": "T1105", + "explanation": "Remains 
Technique, Renamed, Name change from Remote File Copy" + } + ] + }, + { + "T1106": [ + { + "id": "T1106", + "explanation": "Remains Technique, Renamed, Name change from Execution through API" + } + ] + }, + { + "T1107": [ + { + "id": "T1551.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1108": [ + { + "id": "N/A", + "explanation": "Deprecate, Deprecated from ATT&CK because the behavior is too high level and is sufficiently covered by Valid Accounts and External Remote Services. Existing Group/Software procedure examples were remapped appropriately" + } + ] + }, + { + "T1109": [ + { + "id": "T1542.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1110": [ + { + "id": "T1110", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1111": [ + { + "id": "T1111", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1112": [ + { + "id": "T1112", + "explanation": "Remains Technique" + } + ] + }, + { + "T1113": [ + { + "id": "T1113", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1114": [ + { + "id": "T1114", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1115": [ + { + "id": "T1115", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1116": [ + { + "id": "T1553.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1117": [ + { + "id": "T1218.010", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1118": [ + { + "id": "T1218.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1119": [ + { + "id": "T1119", + "explanation": "Remains Technique" + } + ] + }, + { + "T1120": [ + { + "id": "T1120", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + 
}, + { + "T1121": [ + { + "id": "T1218.009", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1122": [ + { + "id": "T1546.015", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1123": [ + { + "id": "T1123", + "explanation": "Remains Technique" + } + ] + }, + { + "T1124": [ + { + "id": "T1124", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1125": [ + { + "id": "T1125", + "explanation": "Remains Technique" + } + ] + }, + { + "T1126": [ + { + "id": "T1551.005", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1127": [ + { + "id": "T1127", + "explanation": "Remains Technique, Renamed, Minor description update, sub-technique added" + } + ] + }, + { + "T1128": [ + { + "id": "T1546.007", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1129": [ + { + "id": "T1129", + "explanation": "Remains Technique, Renamed, Name change from Execution through Module Load" + } + ] + }, + { + "T1130": [ + { + "id": "T1553.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1131": [ + { + "id": "T1547.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1132": [ + { + "id": "T1132", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1133": [ + { + "id": "T1133", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1134": [ + { + "id": "T1134", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1135": [ + { + "id": "T1135", + "explanation": "Remains Technique, Fixed technique reference in description, added Linux, and minor description update" + } + ] + }, + { + "T1136": [ + { + "id": "T1136", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1137": [ + { + "id": "T1137", + "explanation": 
"Remains Technique" + } + ] + }, + { + "T1138": [ + { + "id": "T1546.011", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1139": [ + { + "id": "T1552.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1140": [ + { + "id": "T1140", + "explanation": "Remains Technique" + } + ] + }, + { + "T1141": [ + { + "id": "T1056.002", + "explanation": "Broken out from pre-defined behavior within Input Capture" + } + ] + }, + { + "T1142": [ + { + "id": "T1555.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1143": [ + { + "id": "T1564.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1144": [ + { + "id": "T1553.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1145": [ + { + "id": "T1552.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1146": [ + { + "id": "T1551.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1147": [ + { + "id": "T1564.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1148": [ + { + "id": "T1562.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1149": [ + { + "id": "N/A", + "explanation": "Deprecate, Deprecated from ATT&CK due to lack of in the wild use" + } + ] + }, + { + "T1150": [ + { + "id": "T1547.011", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1151": [ + { + "id": "T1036.006", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1152": [ + { + "id": "T1569.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1153": [ + { + "id": "N/A", + "explanation": "Deprecate, Deprecated from ATT&CK due to lack of in the wild use" + } + ] + }, + { + "T1154": [ + { + "id": 
"T1546.005", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1155": [ + { + "id": "T1059.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1156": [ + { + "id": "T1546.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1157": [ + { + "id": "T1574.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1158": [ + { + "id": "T1564.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1159": [ + { + "id": "T1543.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1160": [ + { + "id": "T1543.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1161": [ + { + "id": "T1546.006", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1162": [ + { + "id": "T1547.011", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1163": [ + { + "id": "T1037.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1164": [ + { + "id": "T1547.007", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1165": [ + { + "id": "T1037.005", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1166": [ + { + "id": "T1548.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1167": [ + { + "id": "T1555.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1168": [ + { + "id": "T1053", + "explanation": "Name change from Local Job Scheduling and new sub-techniques added" + } + ] + }, + { + "T1169": [ + { + "id": "T1548.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1170": [ + { + "id": "T1218.005", + "explanation": "Existing 
technique that became a sub-technique" + } + ] + }, + { + "T1171": [ + { + "id": "T1557.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1172": [ + { + "id": "T1090.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1173": [ + { + "id": "T1559.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1174": [ + { + "id": "T1556.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1175": [ + { + "id": "T1021.003", + "explanation": "Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques." + }, + { + "id": "T1559.001", + "explanation": "Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques." + } + ] + }, + { + "T1176": [ + { + "id": "T1176", + "explanation": "Remains Technique, Data sources changed and minor description update" + } + ] + }, + { + "T1177": [ + { + "id": "T1547.008", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1178": [ + { + "id": "T1134.005", + "explanation": "Added due to manipulation of token information" + } + ] + }, + { + "T1179": [ + { + "id": "T1056.004", + "explanation": "Existing technique that became a sub-technique and was renamed from API Hooking. 
Scope change to only credential access for API hooking was based on available procedure examples" + } + ] + }, + { + "T1180": [ + { + "id": "T1546.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1181": [ + { + "id": "T1055.011", + "explanation": "Broken out from pre-defined behavior within Process Injection" + } + ] + }, + { + "T1182": [ + { + "id": "T1546.009", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1183": [ + { + "id": "T1546.012", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1184": [ + { + "id": "T1563.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1185": [ + { + "id": "T1185", + "explanation": "Remains Technique" + } + ] + }, + { + "T1186": [ + { + "id": "T1055.013", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1187": [ + { + "id": "T1187", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1188": [ + { + "id": "T1090.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1189": [ + { + "id": "T1189", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1190": [ + { + "id": "T1190", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1191": [ + { + "id": "T1218.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1192": [ + { + "id": "T1566.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1193": [ + { + "id": "T1566.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1194": [ + { + "id": "T1566.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1195": [ + { + "id": "T1195", + "explanation": "Remains 
Technique, New sub-techniques added" + } + ] + }, + { + "T1196": [ + { + "id": "T1218.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1197": [ + { + "id": "T1197", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1198": [ + { + "id": "T1553.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1199": [ + { + "id": "T1199", + "explanation": "Remains Technique" + } + ] + }, + { + "T1200": [ + { + "id": "T1200", + "explanation": "Remains Technique" + } + ] + }, + { + "T1201": [ + { + "id": "T1201", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1202": [ + { + "id": "T1202", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1203": [ + { + "id": "T1203", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1204": [ + { + "id": "T1204", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1205": [ + { + "id": "T1545.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1206": [ + { + "id": "T1548.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1207": [ + { + "id": "T1207", + "explanation": "Remains Technique, Renamed, Name change from DCShadow" + } + ] + }, + { + "T1208": [ + { + "id": "T1558.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1209": [ + { + "id": "T1547.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1210": [ + { + "id": "T1210", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1211": [ + { + "id": "T1211", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1212": [ + { + "id": 
"T1212", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1213": [ + { + "id": "T1213", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1214": [ + { + "id": "T1552.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1215": [ + { + "id": "T1547.006", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1216": [ + { + "id": "T1216", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1217": [ + { + "id": "T1217", + "explanation": "Remains Technique" + } + ] + }, + { + "T1218": [ + { + "id": "T1218", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1219": [ + { + "id": "T1219", + "explanation": "Remains Technique, Renamed, Name change from Remote Access Tools and fixed technique reference in description" + } + ] + }, + { + "T1220": [ + { + "id": "T1220", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1221": [ + { + "id": "T1221", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1222": [ + { + "id": "T1222", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1223": [ + { + "id": "T1218.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1480": [ + { + "id": "T1480", + "explanation": "Remains Technique" + } + ] + }, + { + "T1482": [ + { + "id": "T1482", + "explanation": "Remains Technique, Fixed technique reference in description and minor description update" + } + ] + }, + { + "T1483": [ + { + "id": "T1568.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1484": [ + { + "id": "T1484", + "explanation": "Remains Technique, Minor description update" + } + ] + }, + { + "T1485": [ + { + "id": "T1485", + "explanation": "Remains Technique" + } + ] + }, + { + "T1486": [ + { + "id": 
"T1486", + "explanation": "Remains Technique" + } + ] + }, + { + "T1487": [ + { + "id": "T1561.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1488": [ + { + "id": "T1561.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1489": [ + { + "id": "T1489", + "explanation": "Remains Technique" + } + ] + }, + { + "T1490": [ + { + "id": "T1490", + "explanation": "Remains Technique" + } + ] + }, + { + "T1491": [ + { + "id": "T1491", + "explanation": "Remains Technique" + } + ] + }, + { + "T1492": [ + { + "id": "T1565.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1493": [ + { + "id": "T1565.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1494": [ + { + "id": "T1565.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1495": [ + { + "id": "T1495", + "explanation": "Remains Technique" + } + ] + }, + { + "T1496": [ + { + "id": "T1496", + "explanation": "Remains Technique" + } + ] + }, + { + "T1497": [ + { + "id": "T1497", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1498": [ + { + "id": "T1498", + "explanation": "Remains Technique" + } + ] + }, + { + "T1499": [ + { + "id": "T1499", + "explanation": "Remains Technique" + } + ] + }, + { + "T1500": [ + { + "id": "T1027.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1501": [ + { + "id": "T1543.002", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1502": [ + { + "id": "T1134.004", + "explanation": "Added due to manipulation of tokens" + } + ] + }, + { + "T1503": [ + { + "id": "T1555.003", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1504": [ + { + "id": "T1546.013", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + 
"T1505": [ + { + "id": "T1505", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1506": [ + { + "id": "T1550.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1514": [ + { + "id": "T1548.004", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1518": [ + { + "id": "T1518", + "explanation": "Remains Technique, New sub-techniques added" + } + ] + }, + { + "T1519": [ + { + "id": "T1546.014", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1522": [ + { + "id": "T1552.005", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1525": [ + { + "id": "T1525", + "explanation": "Remains Technique" + } + ] + }, + { + "T1526": [ + { + "id": "T1526", + "explanation": "Remains Technique" + } + ] + }, + { + "T1527": [ + { + "id": "T1550.001", + "explanation": "Existing technique that became a sub-technique" + } + ] + }, + { + "T1528": [ + { + "id": "T1528", + "explanation": "Remains Technique" + } + ] + }, + { + "T1529": [ + { + "id": "T1529", + "explanation": "Remains Technique" + } + ] + }, + { + "T1530": [ + { + "id": "T1530", + "explanation": "Remains Technique" + } + ] + }, + { + "T1531": [ + { + "id": "T1531", + "explanation": "Remains Technique" + } + ] + }, + { + "T1534": [ + { + "id": "T1534", + "explanation": "Remains Technique" + } + ] + }, + { + "T1535": [ + { + "id": "T1535", + "explanation": "Remains Technique" + } + ] + }, + { + "T1536": [ + { + "id": "T1536", + "explanation": "Remains Technique, Minor description update, removed some data sources" + } + ] + }, + { + "T1537": [ + { + "id": "T1537", + "explanation": "Remains Technique" + } + ] + }, + { + "T1538": [ + { + "id": "T1538", + "explanation": "Remains Technique" + } + ] + }, + { + "T1539": [ + { + "id": "T1539", + "explanation": "Remains Technique" + } + ] + } +] 
diff --git a/sample-data/techniques-administration-endpoints.yaml b/sample-data/techniques-administration-endpoints.yaml index 2635394..4ec9945 100644 --- a/sample-data/techniques-administration-endpoints.yaml +++ b/sample-data/techniques-administration-endpoints.yaml @@ -1,7 +1,7 @@ version: 1.2 file_type: technique-administration name: example -platform: ['Windows', 'Azure', 'Azure AD', 'Office 365'] +platform: [Windows, Azure, Azure AD, Office 365] techniques: # - Note that detection and visibility are independent from each other. # Meaning that detection could be left blank and only have visibility filled in. @@ -16,7 +16,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -27,7 +27,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1223 +- technique_id: T1218.001 technique_name: Compiled HTML File detection: applicable_to: [all] @@ -35,7 +35,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -54,7 +54,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -72,7 +72,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -95,7 +95,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -106,8 +106,8 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1196 - technique_name: Control Panel Items +- technique_id: T1218.002 + technique_name: Control Panel detection: applicable_to: [client endpoints] location: [EDR] @@ -124,7 +124,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1214 +- technique_id: T1552.002 technique_name: Credentials in Registry detection: applicable_to: [all] 
@@ -151,7 +151,8 @@ techniques: score_logbook: - date: 2019-08-05 score: 3 - comment: 'This detection was improved due to the availability of the new log source Process use of network' + comment: This detection was improved due to the availability of the new log + source Process use of network - date: 2018-11-01 score: 1 comment: '' @@ -175,7 +176,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -194,7 +195,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -213,7 +214,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -232,7 +233,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -251,7 +252,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -281,7 +282,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1191 +- technique_id: T1218.003 technique_name: CMSTP detection: applicable_to: [all] @@ -289,7 +290,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -305,7 +306,7 @@ techniques: comment: '' auto_generated: true - technique_id: T1219 - technique_name: Remote Access Tools + technique_name: Remote Access Software detection: applicable_to: [all] location: @@ -327,7 +328,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1198 +- technique_id: T1553.003 technique_name: SIP and Trust Provider Hijacking detection: applicable_to: [all] @@ -335,7 +336,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -354,7 +355,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -365,7 +366,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1193 +- technique_id: T1566.001 technique_name: Spearphishing Attachment detection: applicable_to: [all] @@ -373,7 +374,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -392,7 +393,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -403,7 +404,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1192 +- technique_id: T1566.002 technique_name: Spearphishing Link detection: applicable_to: [all] @@ -411,7 +412,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -422,7 +423,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1209 +- technique_id: T1547.003 technique_name: Time Providers detection: applicable_to: [all] @@ -430,7 +431,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -460,7 +461,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1194 +- technique_id: T1566.003 technique_name: Spearphishing via Service detection: applicable_to: [all] @@ -468,7 +469,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -497,7 +498,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1182 +- technique_id: T1546.009 technique_name: AppCert DLLs detection: applicable_to: [all] @@ -523,7 +524,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -534,7 +535,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1175 +- technique_id: T1021.003 technique_name: Distributed Component Object Model detection: applicable_to: [all] 
@@ -542,7 +543,26 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null + score: -1 + comment: '' + visibility: + applicable_to: [all] + comment: '' + score_logbook: + - date: 2019-03-01 + score: 1 + comment: '' + auto_generated: true +- technique_id: T1559.001 + technique_name: Component Object Model + detection: + applicable_to: [all] + location: + - '' + comment: '' + score_logbook: + - date: null score: -1 comment: '' visibility: @@ -561,7 +581,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -572,7 +592,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1174 +- technique_id: T1556.002 technique_name: Password Filter DLL detection: applicable_to: [all] @@ -580,7 +600,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -591,7 +611,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1170 +- technique_id: T1218.005 technique_name: Mshta detection: applicable_to: [all] @@ -599,7 +619,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -610,8 +630,8 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1171 - technique_name: LLMNR/NBT-NS Poisoning +- technique_id: T1557.001 + technique_name: LLMNR/NBT-NS Poisoning and SMB Relay detection: - applicable_to: [client endpoints] location: @@ -648,7 +668,7 @@ techniques: - date: 2019-03-01 score: 3 comment: '' -- technique_id: T1173 +- technique_id: T1559.002 technique_name: Dynamic Data Exchange detection: applicable_to: [all] @@ -656,7 +676,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -667,7 +687,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1181 +- technique_id: T1055.011 technique_name: Extra Window Memory Injection detection: applicable_to: [all] 
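Review bot: The new T1559.001 Component Object Model entry in the `@@ -542,7 +543,26 @@` hunk is a verbatim copy of the T1021.003 entry above it, down to the 2019-03-01 visibility score of 1 and `auto_generated: true`, so a single assessment now counts as coverage for two sub-techniques. The crosswalk added in this same commit describes T1175 as deprecated and split into separate COM and DCOM sub-techniques, and a score assessed for the combined technique does not necessarily hold for each half. At minimum the copied entry should record where its scores came from, e.g. `comment: 'Scores copied from T1175 on sub-technique upgrade; re-assess for COM specifically'`, so the duplication is visible when coverage is reviewed. If the upgrader itself performs the copy (its code is not in this chunk), the comment belongs in the generated output rather than in the sample alone.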
@@ -685,15 +705,15 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1179 - technique_name: Hooking +- technique_id: T1056.004 + technique_name: Credential API Hooking detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -704,7 +724,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1186 +- technique_id: T1055.013 technique_name: Process Doppelgänging detection: applicable_to: [all] @@ -712,7 +732,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -723,7 +743,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1172 +- technique_id: T1090.004 technique_name: Domain Fronting detection: applicable_to: [all] @@ -741,7 +761,7 @@ techniques: - date: 2019-03-01 score: 4 comment: '' -- technique_id: T1183 +- technique_id: T1546.012 technique_name: Image File Execution Options Injection detection: applicable_to: [all] @@ -758,7 +778,7 @@ techniques: - date: 2019-03-01 score: 1 comment: '' -- technique_id: T1177 +- technique_id: T1547.008 technique_name: LSASS Driver detection: applicable_to: [all] @@ -766,7 +786,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -777,7 +797,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1180 +- technique_id: T1546.002 technique_name: Screensaver detection: applicable_to: [all] @@ -785,7 +805,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -814,7 +834,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1138 +- technique_id: T1546.011 technique_name: Application Shimming detection: applicable_to: [all] @@ -840,7 +860,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -859,7 +879,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -878,7 +898,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -889,7 +909,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1158 +- technique_id: T1564.001 technique_name: Hidden Files and Directories detection: applicable_to: [all] @@ -897,7 +917,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -916,7 +936,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -939,7 +959,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -950,7 +970,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1131 +- technique_id: T1547.002 technique_name: Authentication Package detection: applicable_to: [all] @@ -958,7 +978,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -970,14 +990,14 @@ techniques: comment: '' auto_generated: true - technique_id: T1129 - technique_name: Execution through Module Load + technique_name: Shared Modules detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -988,7 +1008,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1128 +- technique_id: T1546.007 technique_name: Netsh Helper DLL detection: applicable_to: [all] @@ -996,7 +1016,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -1008,14 +1028,14 @@ techniques: comment: '' auto_generated: true - technique_id: T1127 - technique_name: Trusted Developer Utilities + technique_name: Trusted Developer Utilities Proxy Execution detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1025,7 +1045,7 @@ techniques: - date: 2019-03-01 score: 2 comment: '' -- technique_id: T1126 +- technique_id: T1551.005 technique_name: Network Share Connection Removal detection: applicable_to: [all] @@ -1033,7 +1053,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1052,7 +1072,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1071,7 +1091,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1090,7 +1110,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1101,7 +1121,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1122 +- technique_id: T1546.015 technique_name: Component Object Model Hijacking detection: applicable_to: [all] @@ -1109,7 +1129,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1120,7 +1140,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1121 +- technique_id: T1218.009 technique_name: Regsvcs/Regasm detection: applicable_to: [all] @@ -1128,7 +1148,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1139,7 +1159,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1118 +- technique_id: T1218.004 technique_name: InstallUtil detection: applicable_to: [all] @@ -1147,7 +1167,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -1158,7 +1178,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1117 +- technique_id: T1218.010 technique_name: Regsvr32 detection: applicable_to: [all] @@ -1184,7 +1204,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1207,7 +1227,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1226,7 +1246,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1245,7 +1265,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1256,7 +1276,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1109 +- technique_id: T1542.002 technique_name: Component Firmware detection: applicable_to: [all] @@ -1264,7 +1284,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1275,34 +1295,15 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1108 - technique_name: Redundant Access - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 1 - comment: '' - auto_generated: true - technique_id: T1106 - technique_name: Execution through API + technique_name: Native API detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1314,14 +1315,14 @@ techniques: comment: '' auto_generated: true - technique_id: T1105 - technique_name: Remote File Copy + technique_name: Ingress Tool Transfer detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
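Review bot: Scored entries are deleted outright with nothing written in their place: T1108 in the `@@ -1275,34 +1295,15 @@` hunk here, and T1094, T1079 and T1065 in the `@@ -1441,25 +1442,7 @@`, `@@ -1650,29 +1633,6 @@` and `@@ -1896,26 +1856,8 @@` hunks. T1065 carried a detection score of 5 at `Model B` dated 2018-10-01 and a visibility score of 3, and T1079 had a hand-written visibility logbook entry (`New data source: Process use of network`), so the deletion silently drops the score_logbook history these entries held. None of these IDs falls in the visible part of the crosswalk, so I can't tell from here whether they map to `N/A` or to a successor technique; where a successor exists the scores should be migrated onto it, and where a technique is genuinely retired the entry is better kept with a note such as `comment: 'Deprecated in ATT&CK sub-technique release; scores retained for history'` (or at least reported by the upgrader) than removed without trace.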
@@ -1332,7 +1333,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1103 +- technique_id: T1546.010 technique_name: AppInit DLLs detection: applicable_to: [all] @@ -1340,7 +1341,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1359,7 +1360,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1370,7 +1371,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1101 +- technique_id: T1547.005 technique_name: Security Support Provider detection: applicable_to: [all] @@ -1387,7 +1388,7 @@ techniques: - date: 2019-03-01 score: 3 comment: '' -- technique_id: T1100 +- technique_id: T1505.003 technique_name: Web Shell detection: applicable_to: [all] @@ -1395,7 +1396,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1406,7 +1407,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1099 +- technique_id: T1551.006 technique_name: Timestomp detection: applicable_to: [all] @@ -1424,14 +1425,14 @@ techniques: score: 4 comment: '' - technique_id: T1095 - technique_name: Standard Non-Application Layer Protocol + technique_name: Non-Application Layer Protocol detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1441,25 +1442,7 @@ techniques: - date: 2019-03-01 score: 3 comment: '' -- technique_id: T1094 - technique_name: Custom Command and Control Protocol - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 3 - comment: '' -- technique_id: T1093 +- technique_id: T1055.012 technique_name: Process Hollowing detection: applicable_to: [all] 
@@ -1467,7 +1450,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1479,14 +1462,14 @@ techniques: comment: '' auto_generated: true - technique_id: T1090 - technique_name: Connection Proxy + technique_name: Proxy detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1501,15 +1484,15 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1089 - technique_name: Disabling Security Tools +- technique_id: T1562.001 + technique_name: Disable or Modify Tools detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1520,15 +1503,15 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1088 - technique_name: Bypass User Account Control +- technique_id: T1548.002 + technique_name: Bypass User Access Control detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1547,7 +1530,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1558,7 +1541,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1086 +- technique_id: T1059.001 technique_name: PowerShell detection: applicable_to: [all] @@ -1575,7 +1558,7 @@ techniques: - date: 2019-03-01 score: 2 comment: '' -- technique_id: T1085 +- technique_id: T1218.011 technique_name: Rundll32 detection: applicable_to: [all] @@ -1601,7 +1584,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1639,7 +1622,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -1650,29 +1633,6 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1079 - technique_name: Multilayer Encryption - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-07-30 - score: 2 - comment: 'New data source: Process use of network' - auto_generated: true - - date: 2019-03-01 - score: 1 - comment: '' - auto_generated: true - technique_id: T1078 technique_name: Valid Accounts detection: @@ -1681,7 +1641,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1692,8 +1652,8 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1077 - technique_name: Windows Admin Shares +- technique_id: T1021.002 + technique_name: SMB/Windows Admin Shares detection: applicable_to: [all] location: @@ -1715,7 +1675,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1076 +- technique_id: T1021.001 technique_name: Remote Desktop Protocol detection: applicable_to: [all] @@ -1723,7 +1683,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1742,7 +1702,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1753,7 +1713,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1073 +- technique_id: T1574.002 technique_name: DLL Side-Loading detection: applicable_to: [all] @@ -1761,7 +1721,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -1777,14 +1737,14 @@ techniques: comment: '' auto_generated: true - technique_id: T1072 - technique_name: Third-party Software + technique_name: Software Deployment Tools detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1800,7 +1760,7 @@ techniques: comment: '' auto_generated: true - technique_id: T1071 - technique_name: Standard Application Layer Protocol + technique_name: Application Layer Protocol detection: applicable_to: [all] location: [SIEM UC 123] @@ -1816,7 +1776,7 @@ techniques: - date: 2019-03-01 score: 2 comment: '' -- technique_id: T1070 +- technique_id: T1551 technique_name: Indicator Removal on Host detection: applicable_to: [all] @@ -1824,7 +1784,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1843,7 +1803,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1862,7 +1822,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1873,7 +1833,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1066 +- technique_id: T1027.005 technique_name: Indicator Removal from Tools detection: applicable_to: [all] @@ -1881,7 +1841,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1896,26 +1856,8 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1065 - technique_name: Uncommonly Used Port - detection: - applicable_to: [all] - location: - - Model B - comment: '' - score_logbook: - - date: 2018-10-01 - score: 5 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 3 - comment: '' -- technique_id: T1064 - technique_name: Scripting +- technique_id: T1059.004 + technique_name: Bash detection: applicable_to: [all] location: [EDR, AV Product] 
@@ -1932,7 +1874,43 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1063 +- technique_id: T1059.005 + technique_name: VBScript + detection: + applicable_to: [all] + location: [EDR, AV Product] + comment: '' + score_logbook: + - date: 2018-12-01 + score: 3 + comment: '' + visibility: + applicable_to: [all] + comment: '' + score_logbook: + - date: 2019-03-01 + score: 1 + comment: '' + auto_generated: true +- technique_id: T1059.006 + technique_name: Python + detection: + applicable_to: [all] + location: [EDR, AV Product] + comment: '' + score_logbook: + - date: 2018-12-01 + score: 3 + comment: '' + visibility: + applicable_to: [all] + comment: '' + score_logbook: + - date: 2019-03-01 + score: 1 + comment: '' + auto_generated: true +- technique_id: T1518.001 technique_name: Security Software Discovery detection: applicable_to: [all] @@ -1940,7 +1918,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1951,26 +1929,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1061 - technique_name: Graphical User Interface - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 1 - comment: '' - auto_generated: true -- technique_id: T1060 +- technique_id: T1547.001 technique_name: Registry Run Keys / Startup Folder detection: applicable_to: [all] @@ -1978,7 +1937,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -1990,14 +1949,14 @@ techniques: comment: '' auto_generated: true - technique_id: T1059 - technique_name: Command-Line Interface + technique_name: Command and Scripting Interpreter detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -2008,15 +1967,15 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1058 - technique_name: Service Registry Permissions Weakness +- technique_id: T1574.011 + technique_name: Services Registry Permissions Weakness detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2035,7 +1994,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2082,7 +2041,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1054 +- technique_id: T1562.006 technique_name: Indicator Blocking detection: applicable_to: [all] @@ -2090,7 +2049,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2102,14 +2061,14 @@ techniques: comment: '' auto_generated: true - technique_id: T1053 - technique_name: Scheduled Task + technique_name: Scheduled Task/Job detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2120,44 +2079,6 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1051 - technique_name: Shared Webroot - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 2 - comment: '' - auto_generated: true -- technique_id: T1050 - technique_name: New Service - detection: - applicable_to: [all] - location: - - '' - comment: Model G - score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 2 - comment: '' - auto_generated: true - technique_id: T1049 technique_name: System Network Connections Discovery detection: 
@@ -2166,7 +2087,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2185,7 +2106,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2204,7 +2125,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2215,26 +2136,26 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1043 - technique_name: Commonly Used Port +- technique_id: T1571 + technique_name: Non-Standard Port detection: applicable_to: [all] location: - - '' + - Model B comment: '' score_logbook: - date: 2018-10-01 - score: 0 + score: 5 comment: '' visibility: applicable_to: [all] comment: '' score_logbook: - date: 2019-03-01 - score: 2 + score: 3 comment: '' auto_generated: true -- technique_id: T1042 +- technique_id: T1546.001 technique_name: Change Default File Association detection: applicable_to: [all] @@ -2242,7 +2163,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2254,7 +2175,7 @@ techniques: comment: '' auto_generated: true - technique_id: T1041 - technique_name: Exfiltration Over Command and Control Channel + technique_name: Exfiltration Over C2 Channel detection: applicable_to: [all] location: @@ -2280,7 +2201,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2299,7 +2220,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2310,7 +2231,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1038 +- technique_id: T1574.001 technique_name: DLL Search Order Hijacking detection: applicable_to: [all] @@ -2318,7 +2239,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -2330,7 +2251,7 @@ techniques: comment: '' auto_generated: true - technique_id: T1037 - technique_name: Logon Scripts + technique_name: Boot or Logon Initialization Scripts detection: applicable_to: [all] location: @@ -2366,7 +2287,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1035 +- technique_id: T1569.002 technique_name: Service Execution detection: applicable_to: [all] @@ -2384,15 +2305,53 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1034 - technique_name: Path Interception +- technique_id: T1574.007 + technique_name: Path Interception by PATH Environment Variable detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: + - date: null + score: -1 + comment: '' + visibility: + applicable_to: [all] + comment: '' + score_logbook: + - date: 2019-03-01 + score: 2 + comment: '' + auto_generated: true +- technique_id: T1574.008 + technique_name: Path Interception by Search Order Hijacking + detection: + applicable_to: [all] + location: + - '' + comment: '' + score_logbook: + - date: null + score: -1 + comment: '' + visibility: + applicable_to: [all] + comment: '' + score_logbook: + - date: 2019-03-01 + score: 2 + comment: '' + auto_generated: true +- technique_id: T1574.009 + technique_name: Path Interception by Unquoted Path + detection: + applicable_to: [all] + location: + - '' + comment: '' + score_logbook: + - date: null score: -1 comment: '' visibility: 
@@ -2422,33 +2381,15 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1032 - technique_name: Standard Cryptographic Protocol +- technique_id: T1543.003 + technique_name: Existing Service detection: applicable_to: [all] location: - '' comment: '' score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 3 - comment: '' -- technique_id: T1031 - technique_name: Modify Existing Service - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2467,7 +2408,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2490,7 +2431,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2505,7 +2446,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1028 +- technique_id: T1021.006 technique_name: Windows Remote Management detection: applicable_to: [all] @@ -2513,7 +2454,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2532,26 +2473,7 @@ techniques: - '' comment: '' score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 1 - comment: '' - auto_generated: true -- technique_id: T1026 - technique_name: Multiband Communication - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2570,7 +2492,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -2581,8 +2503,8 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1024 - technique_name: Custom Cryptographic Protocol +- technique_id: T1573 + technique_name: Encrypted Channel detection: applicable_to: [all] location: [EDR] @@ -2595,10 +2517,15 @@ techniques: applicable_to: [all] comment: '' score_logbook: - - date: 2019-03-01 + - date: 2019-07-30 score: 2 + comment: 'New data source: Process use of network' + auto_generated: true + - date: 2019-03-01 + score: 1 comment: '' -- technique_id: T1023 + auto_generated: true +- technique_id: T1547.009 technique_name: Shortcut Modification detection: applicable_to: [all] @@ -2606,7 +2533,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2617,25 +2544,6 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1022 - technique_name: Data Encrypted - detection: - applicable_to: [all] - location: - - Model D - comment: '' - score_logbook: - - date: 2017-10-10 - score: 2 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-03-01 - score: 1 - comment: '' - auto_generated: true - technique_id: T1020 technique_name: Automated Exfiltration detection: @@ -2644,7 +2552,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2682,29 +2590,6 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1017 - technique_name: Application Deployment Software - detection: - applicable_to: [all] - location: - - '' - comment: '' - score_logbook: - - date: - score: -1 - comment: '' - visibility: - applicable_to: [all] - comment: '' - score_logbook: - - date: 2019-07-30 - score: 2 - comment: 'New data source: Process use of network' - auto_generated: true - - date: 2019-03-01 - score: 1 - comment: '' - auto_generated: true - technique_id: T1016 technique_name: System Network Configuration Discovery detection: 
@@ -2713,7 +2598,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2724,7 +2609,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1015 +- technique_id: T1546.008 technique_name: Accessibility Features detection: applicable_to: [all] @@ -2732,7 +2617,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2743,7 +2628,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1013 +- technique_id: T1547.010 technique_name: Port Monitors detection: applicable_to: [all] @@ -2751,7 +2636,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2770,7 +2655,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2789,7 +2674,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2808,7 +2693,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2827,7 +2712,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2846,7 +2731,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2865,7 +2750,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2876,7 +2761,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1004 +- technique_id: T1547.004 technique_name: Winlogon Helper DLL detection: applicable_to: [all] @@ -2884,7 +2769,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: 
@@ -2896,7 +2781,7 @@ techniques: comment: '' auto_generated: true - technique_id: T1003 - technique_name: Credential Dumping + technique_name: OS Credential Dumping detection: applicable_to: [all] location: [EDR] @@ -2913,8 +2798,8 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1002 - technique_name: Data Compressed +- technique_id: T1560 + technique_name: Archive Collected Data detection: applicable_to: [all] location: @@ -2940,7 +2825,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2959,7 +2844,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -2988,7 +2873,7 @@ techniques: - date: 2019-03-01 score: 3 comment: '' -- technique_id: T1488 +- technique_id: T1561.001 technique_name: Disk Content Wipe detection: applicable_to: [all] @@ -2996,7 +2881,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3033,7 +2918,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3070,7 +2955,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3085,7 +2970,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1494 +- technique_id: T1565.003 technique_name: Runtime Data Manipulation detection: applicable_to: [all] @@ -3093,7 +2978,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3112,7 +2997,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3123,7 +3008,7 @@ techniques: score: 2 comment: '' auto_generated: true -- technique_id: T1500 +- technique_id: T1027.004 technique_name: Compile After Delivery detection: applicable_to: [all] 
@@ -3131,7 +3016,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3142,7 +3027,7 @@ techniques: score: 1 comment: '' auto_generated: true -- technique_id: T1483 +- technique_id: T1568.002 technique_name: Domain Generation Algorithms detection: applicable_to: [all] @@ -3150,7 +3035,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3169,7 +3054,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3188,7 +3073,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3207,7 +3092,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3227,7 +3112,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3239,8 +3124,8 @@ techniques: score: 1 comment: 'New data source: Process use of network' auto_generated: true -- technique_id: T1141 - technique_name: Input Prompt +- technique_id: T1056.002 + technique_name: GUI Input Capture detection: applicable_to: - all @@ -3248,7 +3133,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3269,7 +3154,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: @@ -3290,7 +3175,7 @@ techniques: - '' comment: '' score_logbook: - - date: + - date: null score: -1 comment: '' visibility: diff --git a/technique_mapping.py b/technique_mapping.py index bcf7b96..e4d803d 100644 --- a/technique_mapping.py +++ b/technique_mapping.py 
@@ -167,32 +167,35 @@ def _map_and_colorize_techniques_for_detections(my_techniques): if s == 3 else COLOR_D_4 if s == 4 else COLOR_D_5 if s == 5 else '' technique = get_technique(techniques, technique_id) - for tactic in get_tactics(technique): - x = dict() - x['techniqueID'] = technique_id - x['color'] = color - x['comment'] = '' - x['enabled'] = True - x['tactic'] = tactic.lower().replace(' ', '-') - x['metadata'] = [] - x['score'] = s - cnt = 1 - tcnt = len([d for d in technique_data['detection'] if get_latest_score(d) >= 0]) - for detection in technique_data['detection']: - d_score = get_latest_score(detection) - if d_score >= 0: - location = ', '.join(detection['location']) - applicable_to = ', '.join(detection['applicable_to']) - x['metadata'].append({'name': '-Applicable to', 'value': applicable_to}) - x['metadata'].append({'name': '-Detection score', 'value': str(d_score)}) - x['metadata'].append({'name': '-Detection location', 'value': location}) - x['metadata'].append({'name': '-Technique comment', 'value': detection['comment']}) - x['metadata'].append({'name': '-Detection comment', 'value': get_latest_comment(detection)}) - if cnt != tcnt: - x['metadata'].append({'name': '---', 'value': '---'}) - cnt += 1 - x['metadata'] = make_layer_metadata_compliant(x['metadata']) - mapped_techniques.append(x) + if technique is not None: + for tactic in get_tactics(technique): + x = dict() + x['techniqueID'] = technique_id + x['color'] = color + x['comment'] = '' + x['enabled'] = True + x['tactic'] = tactic.lower().replace(' ', '-') + x['metadata'] = [] + x['score'] = s + cnt = 1 + tcnt = len([d for d in technique_data['detection'] if get_latest_score(d) >= 0]) + for detection in technique_data['detection']: + d_score = get_latest_score(detection) + if d_score >= 0: + location = ', '.join(detection['location']) + applicable_to = ', '.join(detection['applicable_to']) + x['metadata'].append({'name': '-Applicable to', 'value': applicable_to}) + 
x['metadata'].append({'name': '-Detection score', 'value': str(d_score)}) + x['metadata'].append({'name': '-Detection location', 'value': location}) + x['metadata'].append({'name': '-Technique comment', 'value': detection['comment']}) + x['metadata'].append({'name': '-Detection comment', 'value': get_latest_comment(detection)}) + if cnt != tcnt: + x['metadata'].append({'name': '---', 'value': '---'}) + cnt += 1 + x['metadata'] = make_layer_metadata_compliant(x['metadata']) + mapped_techniques.append(x) + else: + print('[!] Technique ' + technique_id + ' is unknown in ATT&CK. Ignoring this technique.') except Exception as e: print('[!] Possible error in YAML file at: %s. Error: %s' % (technique_id, str(e))) quit() 
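Review bot: Wrapping the existing body in `if technique is not None:` re-indents roughly twenty-five unchanged lines, which hides the one-line behavioural change behind a wall of whitespace; a guard clause keeps those lines byte-identical: `if technique is None:` / `print('[!] Technique ' + technique_id + ' is unknown in ATT&CK. Ignoring this technique.')` / `continue`. This assumes the body runs inside the per-technique loop, whose header is outside the hunk. The visibility hunk in `_map_and_colorize_techniques_for_visibility` has the same shape and would take the same fix. Since this commit is what introduces sub-technique IDs, an ID unknown to the loaded ATT&CK data most likely means the YAML file has not been upgraded yet or the STIX source predates sub-techniques; extending the message with a hint such as `Ignoring this technique (is the file upgraded with --update-to-sub-techniques and does the STIX source contain sub-techniques?).` would tell the user why the technique silently vanished from the layer.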
@@ -225,34 +228,37 @@ def _map_and_colorize_techniques_for_visibility(my_techniques, my_data_sources, technique = get_technique(techniques, technique_id) color = COLOR_V_1 if s == 1 else COLOR_V_2 if s == 2 else COLOR_V_3 if s == 3 else COLOR_V_4 if s == 4 else '' - for tactic in get_tactics(technique): - x = dict() - x['techniqueID'] = technique_id - x['color'] = color - x['comment'] = '' - x['enabled'] = True - x['tactic'] = tactic.lower().replace(' ', '-') - x['metadata'] = [] - x['metadata'].append({'name': '-Available data sources', 'value': my_ds}) - x['metadata'].append({'name': '-ATT&CK data sources', 'value': ', '.join(get_applicable_data_sources_technique(technique['x_mitre_data_sources'], - applicable_data_sources))}) - x['metadata'].append({'name': '---', 'value': '---'}) - x['score'] = s + if technique is not None: + for tactic in get_tactics(technique): + x = dict() + x['techniqueID'] = technique_id + x['color'] = color + x['comment'] = '' + x['enabled'] = True + x['tactic'] = tactic.lower().replace(' ', '-') + x['metadata'] = [] + x['metadata'].append({'name': '-Available data sources', 'value': my_ds}) + x['metadata'].append({'name': '-ATT&CK data sources', 'value': ', '.join(get_applicable_data_sources_technique(technique['x_mitre_data_sources'], + applicable_data_sources))}) + x['metadata'].append({'name': '---', 'value': '---'}) + x['score'] = s - cnt = 1 - tcnt = len(technique_data['visibility']) - for visibility in technique_data['visibility']: - applicable_to = ', '.join(visibility['applicable_to']) - x['metadata'].append({'name': '-Applicable to', 'value': applicable_to}) - x['metadata'].append({'name': '-Visibility score', 'value': str(get_latest_score(visibility))}) - x['metadata'].append({'name': '-Technique comment', 'value': visibility['comment']}) - x['metadata'].append({'name': '-Visibility comment', 'value': get_latest_comment(visibility)}) - if cnt != tcnt: - x['metadata'].append({'name': '---', 'value': '---'}) - cnt += 1 + cnt = 1 
+ tcnt = len(technique_data['visibility']) + for visibility in technique_data['visibility']: + applicable_to = ', '.join(visibility['applicable_to']) + x['metadata'].append({'name': '-Applicable to', 'value': applicable_to}) + x['metadata'].append({'name': '-Visibility score', 'value': str(get_latest_score(visibility))}) + x['metadata'].append({'name': '-Technique comment', 'value': visibility['comment']}) + x['metadata'].append({'name': '-Visibility comment', 'value': get_latest_comment(visibility)}) + if cnt != tcnt: + x['metadata'].append({'name': '---', 'value': '---'}) + cnt += 1 - x['metadata'] = make_layer_metadata_compliant(x['metadata']) - mapped_techniques.append(x) + x['metadata'] = make_layer_metadata_compliant(x['metadata']) + mapped_techniques.append(x) + else: + print('[!] Technique ' + technique_id + ' is unknown in ATT&CK. Ignoring this technique.') for t in techniques: tech_id = get_attack_id(t) diff --git a/upgrade.py b/upgrade.py index 5f7271a..b5230c5 100644 --- a/upgrade.py +++ b/upgrade.py @@ -1,4 +1,7 @@ from constants import * +import simplejson +from io import StringIO +import os def _load_techniques(yaml_file_lines): @@ -140,7 +143,7 @@ def _upgrade_technique_yaml_10_to_11(file_lines, attack_tech_data): file_new_lines.append(l) tech_id = REGEX_YAML_TECHNIQUE_ID_GROUP.search(l).group(1) tech_name = get_technique(attack_tech_data, tech_id)['name'] - file_new_lines.append(indent_chars + 'technique_name: ' + tech_name+'\n') + file_new_lines.append(indent_chars + 'technique_name: ' + tech_name + '\n') elif REGEX_YAML_DETECTION.match(l): file_new_lines.append(l) file_new_lines.append((indent_chars * 2) + "applicable_to: ['all']\n") 
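Review bot: `import simplejson` adds a third-party dependency whose only visible use is `simplejson.load(f)` on the crosswalk file, which the standard-library `json` module handles identically (`import json` / `json.load(f)`); unless the project already requires simplejson elsewhere, the stdlib module avoids a new install-time requirement. `from io import StringIO` is not referenced in any of the visible hunks of upgrade.py, so it looks unused from here. Both new lines also land after `from constants import *`; the conventional order is stdlib imports first, then a blank line, then the local import.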
@@ -342,3 +345,265 @@ def _upgrade_technique_yaml_11_to_12(file_lines, attack_tech_data): new_lines = fix_date_and_remove_null(yaml_file, date_for_visibility, input_type='ruamel') return new_lines + + +def check_yaml_updated_to_sub_techniques(filename): + """ + Checks if the YAML technique administration file is already updated to ATT&CK with sub-techniques by comparing the techniques to the the crosswalk file. + :param filename: YAML administration file + :return: + """ + from generic import init_yaml, backup_file, fix_date_and_remove_null, load_attack_data, get_technique, get_technique_from_yaml, remove_technique_from_yaml + + # Open the crosswalk file from MITRE: + conversion_table = None + with open(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'mitre-data/subtechniques-crosswalk.json'), 'r') as f: + conversion_table = simplejson.load(f) + + # Open the techniques YAML file: + _yaml = init_yaml() + with open(filename, 'r') as yaml_file: + yaml_content = _yaml.load(yaml_file) + + # Keep track which techniques can be auto updated and which need manual updating + auto_updatable_techniques = [] + manual_update_techniques = [] + for item in conversion_table: + for tech in item: + for sub_tech in item[tech]: + # Check if technique is in YAML file: + yaml_technique = get_technique_from_yaml(yaml_content, tech) + if yaml_technique is None: + break + else: + # Only check technique ID's that changed into something else (other technique or other sub-technique) + if sub_tech['id'] != tech: + # No conversion possible: Multiple techniques became one technique or one sub-technique: + if sub_tech['explanation'] in ["Created to consolidate behavior around encrypted C2", + "Created to consolidate behavior around encrypting and compressing collected data", + "Created to refine the idea behind Common and Uncommonly Used Port to focus the behavior on use of a non-standard port for C2 based on the protocol used", + "Existing technique that became a sub-technique. 
Consolidates Modify Existing Service and New Service techniques into one sub-technique"]: + manual_update_techniques.append(tech) + + # No conversion: One technique became multiple sub techniques: + elif sub_tech['explanation'] in ["Deprecated and split into separate Bash, VBScript, and Python sub-techniques of Command and Scripting Interpreter.", + "Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques.", + "Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques."]: + manual_update_techniques.append(tech) + + # No conversion: Technique merged with other technique: + # # T1017 is also merged to T1072, unfortunatly the explanation doesn't tell this + elif sub_tech['explanation'] in ["Merged with and name change from Standard Non-Application Layer Protocol"] \ + or 'Name change from Application Deployment Software' in sub_tech['explanation']: + manual_update_techniques.append(tech) + + # Remove deprecated items: + elif sub_tech['id'] == 'N/A': + auto_updatable_techniques.append(tech) + + # Technique ID's that are changed: + # T1070 changed to T1551 + elif sub_tech['explanation'] == "Remains Technique": + auto_updatable_techniques.append(tech) + + # Conversion from technique to sub-technique: + elif 'Existing technique that became a sub-technique' in sub_tech['explanation'] \ + or 'Broken out from pre-defined behavior within Input Capture' in sub_tech['explanation'] \ + or 'Broken out from pre-defined behavior within Process Injection' in sub_tech['explanation'] \ + or 'Added due to manipulation of token information' in sub_tech['explanation'] \ + or 'Added due to manipulation of tokens' in sub_tech['explanation']: + auto_updatable_techniques.append(tech) + + if len(auto_updatable_techniques) > 0: + print('[!] File: \'' + filename + '\' needs to be updated to ATT&CK with sub-techniques. 
Use option --update-to-sub-techniques to perform the update.') + return False + elif len(auto_updatable_techniques) == 0 and len(manual_update_techniques) > 0: + print('[!] File: \'' + filename + + '\' needs some manual work to upgrade to ATT&CK with sub-techniques. See the list below what needs to be changed.') + print('') + upgrade_to_sub_techniques(filename, notify_only=True) + return False + elif len(auto_updatable_techniques) == 0 and len(manual_update_techniques) == 0: + return True + else: + return False + + +def upgrade_to_sub_techniques(filename, notify_only=False): + """ + Upgrade the YAML technique administration file to ATT&CK with sub-techniques + :param filename: YAML administration file + :return: + """ + from generic import init_yaml, backup_file, fix_date_and_remove_null, load_attack_data, get_technique, get_technique_from_yaml, remove_technique_from_yaml, ask_yes_no, local_stix_path + + if not notify_only and not ask_yes_no('DeTT&CT is going to update \'' + filename + '\' to ATT&CK with sub-techniques. A backup of this file will be generated. Do you want to continue:'): + quit() + + # Open the crosswalk file from MITRE: + conversion_table = None + with open(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'mitre-data/subtechniques-crosswalk.json'), 'r') as f: + conversion_table = simplejson.load(f) + + # Open the techniques YAML file: + _yaml = init_yaml() + with open(filename, 'r') as yaml_file: + yaml_content = _yaml.load(yaml_file) + + # Get the MITRE ATT&CK techniques (e.g. to get the new name for renamed techniques): + techniques = load_attack_data(DATA_TYPE_STIX_ALL_TECH_ENTERPRISE) + + # Check if STIX object collection (TAXII server or local STIX objects) contain sub-techniques, by checking the existence of the first sub-technique (T1001.001) + stix_sub_tech_check = get_technique(techniques, 'T1001.001') + if stix_sub_tech_check is None: + if local_stix_path: + print('[!] 
The local STIX repository \'' + local_stix_path + + '\' doesn\'t contain ATT&CK sub-techniques. This is necessary to perform the update.') + else: + print('[!] The TAXII server doesn\'t contain ATT&CK sub-techniques. This is necessary to perform the update.') + quit() + + # Keep an ignore list for techniques that are already been taken care of: + ignore_list = [] + + # Collect messages and show them at the end grouped by comparable messages: + become_subtech_msgs = [] + deprecated_msgs = [] + renamed_msgs = [] + subtech_added_msgs = [] + new_id_msgs = [] + warning_msgs = [] + for item in conversion_table: + for tech in item: + for sub_tech in item[tech]: + # Check if technique is in YAML file: + yaml_technique = get_technique_from_yaml(yaml_content, tech) + + # Only apply changes to techniques that are in the YAML file: + if yaml_technique is not None and tech not in ignore_list: + # First check the source techniques that are equal to the destination techniques: + if sub_tech['id'] == tech: + # Do nothing for the items with "Remains Technique" because nothing changes. + if 'Remains Technique' in sub_tech['explanation'] \ + or 'Remove from lateral-movement, Renamed, Name change from Logon Scripts and new sub-techniques added' in sub_tech['explanation'] \ + or 'Remove from credential-access, New sub-techniques added' in sub_tech['explanation']: + pass + + # Explanations we've missed: + else: + warning_msgs.append('[!] Explanation \'' + sub_tech['explanation'] + + '\' in the subtechniques-crosswalk.json provided by MITRE not handled by DeTT&CT. Please check manually. 
Technique ' + tech) + + # Perform the renames + if 'renamed' in sub_tech['explanation'].lower(): + new_name = get_technique(techniques, sub_tech['id'])['name'] + if yaml_technique['technique_name'] != new_name: + renamed_msgs.append('[i] Technique ' + tech + ' is renamed from \'' + yaml_technique['technique_name'] + + '\' to \'' + new_name + '\'.') + yaml_technique['technique_name'] = new_name + + # Then check the source techniques that are not equal to the destination techniques: + elif sub_tech['id'] != tech: + # No conversion possible: Multiple techniques became one technique or one sub-technique: + if sub_tech['explanation'] in ["Created to consolidate behavior around encrypted C2", + "Created to consolidate behavior around encrypting and compressing collected data", + "Created to refine the idea behind Common and Uncommonly Used Port to focus the behavior on use of a non-standard port for C2 based on the protocol used", + "Existing technique that became a sub-technique. Consolidates Modify Existing Service and New Service techniques into one sub-technique"]: + text = 'sub-technique' if '.' in sub_tech['id'] else 'technique' + warning_msgs.append('[!] Technique ' + tech + ' has been consolidated with multiple other techniques into one ' + + text + ': ' + sub_tech['id'] + '. You need to migrate this technique manually.') + + # No conversion: One technique became multiple sub techniques: + elif sub_tech['explanation'] in ["Deprecated and split into separate Bash, VBScript, and Python sub-techniques of Command and Scripting Interpreter.", + "Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques.", + "Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques."]: + sub_ids = [] + for i in item[tech]: + sub_ids.append(i['id']) + warning_msgs.append('[!] 
Technique ' + tech + ' is deprecated and split into multiple sub-techniques: ' + ', '.join(sub_ids) + + '. You need to migrate this technique manually.') + ignore_list.append(tech) + + # No conversion: Technique merged with other technique: + # # T1017 is also merged to T1072, unfortunatly the explanation doesn't tell this + elif sub_tech['explanation'] in ["Merged with and name change from Standard Non-Application Layer Protocol"] \ + or 'Name change from Application Deployment Software' in sub_tech['explanation']: + warning_msgs.append('[!] Technique ' + tech + ' is merged with ' + sub_tech['id'] + + '. You need to migrate this technique manually.') + + # Remove deprecated items: + elif sub_tech['id'] == 'N/A': + remove_technique_from_yaml(yaml_content, tech) + deprecated_msgs.append('[i] Technique ' + tech + ' is deprecated. Technique bas been removed from the YAML file.') + + # Technique ID's that are changed: + # T1070 changed to T1551 + elif sub_tech['explanation'] == "Remains Technique": + yaml_technique['technique_id'] = sub_tech['id'] + new_id_msgs.append('[i] The ID of technique ' + tech + ' is changed to ' + sub_tech['id'] + '.') + + # Conversion from technique to sub-technique: + elif 'Existing technique that became a sub-technique' in sub_tech['explanation'] \ + or 'Broken out from pre-defined behavior within Input Capture' in sub_tech['explanation'] \ + or 'Broken out from pre-defined behavior within Process Injection' in sub_tech['explanation'] \ + or 'Added due to manipulation of token information' in sub_tech['explanation'] \ + or 'Added due to manipulation of tokens' in sub_tech['explanation']: + yaml_technique['technique_id'] = sub_tech['id'] + yaml_technique['technique_name'] = get_technique(techniques, sub_tech['id'])['name'] + become_subtech_msgs.append('[i] Technique ' + tech + ' has become sub-technique: ' + + sub_tech['id'] + '. Change applied in the YAML file.') + + # Explanations we've missed: + else: + warning_msgs.append('[!] 
Explanation \'' + sub_tech['explanation'] + + '\' in the subtechniques-crosswalk.json provided by MITRE not handled by DeTT&CT. Please check manually. Technique ' + tech) + + # Perform the renames + if 'renamed' in sub_tech['explanation'].lower(): + new_name = get_technique(techniques, sub_tech['id'])['name'] + print(tech) + if yaml_technique['technique_name'] != new_name: + renamed_msgs.append('[i] Technique ' + tech + ' is renamed from \'' + yaml_technique['technique_name'] + + '\' to \'' + new_name + '\'.') + yaml_technique['technique_name'] = new_name + + # Print the results: + if len(become_subtech_msgs + deprecated_msgs + renamed_msgs + subtech_added_msgs + new_id_msgs) > 0: + print("Informational messages (no action needed):") + + for item in become_subtech_msgs: + print(item) + for item in deprecated_msgs: + print(item) + for item in renamed_msgs: + print(item) + for item in subtech_added_msgs: + print(item) + for item in new_id_msgs: + print(item) + print('') + + if len(warning_msgs) > 0: + print("Messages that need your attention:") + for item in warning_msgs: + print(item) + print('') + + if len(become_subtech_msgs + deprecated_msgs + renamed_msgs + subtech_added_msgs + new_id_msgs + warning_msgs) == 0: + print('[i] No techniques found that need to be updated to ATT&CK sub-techniques.') + else: + if not notify_only: + # Create backup of the YAML file: + backup_file(filename) + with open(filename, 'w') as fd: + # ruamel does not support output to a variable. Therefore we make use of StringIO. + string_io = StringIO() + _yaml.dump(yaml_content, string_io) + string_io.seek(0) + new_lines = string_io.readlines() + fd.writelines(new_lines) + print('File written: ' + filename) + + # Quit DeTT&CT when manual work needs to be done: + if len(warning_msgs) > 0: + quit()