
import csv
import re
import textwrap

from prettytable import PrettyTable

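def create_table_data():
    """Return the static column data behind every table printed by ``main``.

    The data is column-oriented: each list below is one column, and index
    ``i`` across all columns is one row. Rows are aligned to the 14 MITRE
    ATT&CK tactics in ``mitre_attack``; the Cyber Kill Chain column is
    sparser, so several of its cells are empty strings.

    Returns:
        A list of 19 columns, in this order: cyber_kill_chain, mitre_attack,
        sast, dast, executable_bin, file_system, network_traffic, kali, flare,
        obfuscation, anti_virus_edr_evasion, sandbox_detection,
        domain_generation_algorithm, open_directory, online_sandbox,
        local_sandbox, offense_example, defense_example,
        representative_malware_family. ``main`` selects columns by these
        positions.

    Raises:
        ValueError: if the hard-coded columns ever drift to different
            lengths, which would otherwise surface as a confusing IndexError
            (or silent truncation) when the rows are assembled downstream.
    """
    cyber_kill_chain = ["Reconnaissance", "Weaponization", "", "", "Delivery", "", "", "Exploitation", "", "Installation", "", "Command and Control (C2)", "Action on Objectives", ""]
    # MITRE ATT&CK spells the fifth tactic "Persistence".
    mitre_attack = ["Reconnaissance", "Resource Development", "Initial Access", "Execution", "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement", "Collection", "Command and Control (C2)", "Exfiltration", "Impact"]
    sast = ["ipconfig, nslookup, CyberChef", "Ghidra (or IDA Pro), strings", "", "", "", "", "CFF Explorer, PEiD, DIE, PE Explorer, UPX, strings", "", "", "", "", "CyberChef", "CyberChef", ""]
    dast = ["wireshark", "", "wireshark", "ProcMon, Process Explorer", "ProcMon, Process Explorer", "ProcMon, Process Explorer", "ProcMon, Process Explorer", "ProcMon, Process Explorer", "ProcMon, Process Explorer", "ProcMon, Process Explorer", "ProcMon, Process Explorer", "wireshark", "wireshark", "ProcMon, Process Explorer"]
    executable_bin = ["", "ELF/PE", "", "ELF/PE", "ELF/PE", "ELF/PE", "ELF/PE", "", "", "ELF/PE", "", "", "", "ELF/PE"]
    file_system = ["", "X", "", "", "X", "X", "X", "X", "X", "X", "X", "", "X", "X"]
    network_traffic = ["X", "", "X", "", "", "", "", "X", "X", "X", "X", "X", "X", "X"]
    kali = ["X", "", "X", "X", "X", "X", "", "X", "X", "X", "X", "X", "X", "X"]
    flare = ["", "X", "", "X", "X", "X", "X", "X", "X", "X", "X", "X", "X", "X"]
    obfuscation = ["", "X", "", "", "", "", "X", "", "", "", "", "X", "X", ""]
    anti_virus_edr_evasion = ["", "X", "", "X", "", "X", "X", "", "X", "", "", "X", "X", ""]
    sandbox_detection = ["", "", "", "X", "", "", "X", "", "", "", "", "", "", ""]
    domain_generation_algorithm = ["", "", "", "", "", "", "", "", "", "", "", "X", "X", ""]
    open_directory = ["X", "", "", "", "", "", "", "", "X", "", "X", "X", "X", ""]
    online_sandbox = ["", "X", "", "", "", "", "", "", "", "", "", "", "", ""]
    local_sandbox = ["", "", "", "QEMU", "", "QEMU", "QEMU", "", "QEMU", "QEMU", "", "", "", "QEMU"]
    offense_example = [
        "Scanning target networks and systems for vulnerabilities",
        "Developing custom malware or exploits tailored to target systems",
        "Exploiting vulnerabilities to gain initial access to target systems",
        "Executing malicious code or commands on compromised systems",
        "Establishing persistent access through backdoors or malware",
        "Exploiting vulnerabilities to gain higher privileges on compromised systems",
        "Using obfuscation, encryption, or anti-analysis techniques to evade detection",
        "Stealing user credentials through techniques like keylogging or credential dumping",
        "Exploring compromised systems to gather information and identify valuable targets",
        "Moving laterally across the compromised network to access additional systems",
        "Collecting sensitive data from compromised systems",
        "Establishing communication channels between compromised systems and attacker-controlled servers",
        "Exfiltrating stolen data from compromised systems to attacker-controlled servers",
        "Disrupting or destroying compromised systems, or encrypting data for ransom"
    ]
    defense_example = [
        "Implementing firewalls, IDS/IPS, and network segmentation",
        "Conducting secure coding practices and regular security assessments",
        "Applying security patches and maintaining strong access controls",
        "Implementing application whitelisting and endpoint detection and response (EDR)",
        "Regularly monitoring systems for suspicious activities and unauthorized changes",
        "Implementing least privilege principles and regularly auditing user permissions",
        "Employing multi-layered defenses and behavioral analysis tools",
        "Implementing strong authentication mechanisms and regularly monitoring for suspicious login attempts",
        "Implementing network segmentation and regularly monitoring for unauthorized network discovery attempts",
        "Implementing network segmentation and monitoring for unusual network traffic patterns",
        "Implementing data loss prevention (DLP) solutions and monitoring for unauthorized data access",
        "Implementing network monitoring and filtering to detect and block malicious C2 traffic",
        "Implementing data loss prevention (DLP) solutions and monitoring for unauthorized data transfers",
        "Implementing incident response plans and regularly conducting backup and restore tests"
    ]
    # NOTE(review): several entries here (Metasploit, Cobalt Strike, Mimikatz,
    # PsExec) are dual-use red-team / administration tooling rather than
    # malware families proper; the column label is kept as the author gave it.
    representative_malware_family = [
        "",
        "Metasploit, Cobalt Strike",
        "Emotet, Trickbot",
        "Mimikatz, PsExec",
        "Carbanak, Zeus",
        "Stuxnet, Duqu",
        "ZeroAccess, Dridex, Ranbyus",
        "Lokibot, AgentTesla",
        "Sality, Ramnit",
        "Nitol, Conficker",
        "Flame, Duqu 2.0",
        "Pterodo, Pushdo",
        "Carbanak, Equationdrug",
        "WannaCry, NotPetya"
    ]

    columns = [
        cyber_kill_chain,
        mitre_attack,
        sast,
        dast,
        executable_bin,
        file_system,
        network_traffic,
        kali,
        flare,
        obfuscation,
        anti_virus_edr_evasion,
        sandbox_detection,
        domain_generation_algorithm,
        open_directory,
        online_sandbox,
        local_sandbox,
        offense_example,
        defense_example,
        representative_malware_family
    ]

    # Guard against a hand-edited column gaining or losing a cell: every
    # consumer transposes these lists into rows and assumes equal lengths.
    lengths = {len(column) for column in columns}
    if len(lengths) != 1:
        raise ValueError(f"table columns have inconsistent lengths: {sorted(lengths)}")

    return columns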

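def create_pretty_table(table_data, headers):
    """Build a PrettyTable from column-oriented data.

    Args:
        table_data: list of columns, each a sequence of cell strings. All
            columns must have the same length and the list must not be empty.
        headers: one field name per column in ``table_data``.

    Returns:
        A left-aligned PrettyTable with a rule after every row and between
        every column (matching the rendered output in the notebook), holding
        one row per index across the columns.

    Raises:
        ValueError: if ``table_data`` is empty or its columns differ in
            length. (The original indexed ``table_data[0]`` and would have
            raised IndexError, or silently mis-assembled rows.)
    """
    if not table_data:
        raise ValueError("table_data must contain at least one column")
    lengths = {len(column) for column in table_data}
    if len(lengths) != 1:
        raise ValueError(f"all columns must have the same length, got {sorted(lengths)}")

    table = PrettyTable()
    table.field_names = headers
    table.align = "l"
    # Same rule settings as the original: separators after every row and column.
    table.hrules = True
    table.vrules = True

    # zip(*columns) transposes the column-oriented data into rows.
    for row in zip(*table_data):
        table.add_row(list(row))

    return table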

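def save_to_csv(table_data, headers, file_name):
    """Write column-oriented table data to a CSV file.

    Args:
        table_data: list of columns, each a sequence of cell strings. All
            columns must have the same length and the list must not be empty.
        headers: header row, one entry per column.
        file_name: path of the CSV file to create; an existing file is
            overwritten.

    Raises:
        ValueError: if ``table_data`` is empty or its columns differ in
            length. Checked before the file is opened so no empty/partial
            file is left behind.
        OSError: if the file cannot be opened for writing.
    """
    if not table_data:
        raise ValueError("table_data must contain at least one column")
    lengths = {len(column) for column in table_data}
    if len(lengths) != 1:
        raise ValueError(f"all columns must have the same length, got {sorted(lengths)}")

    # newline="" lets the csv module own line endings; a fixed encoding keeps
    # the output byte-identical across platforms instead of following the
    # locale default (the original omitted it).
    with open(file_name, "w", newline="", encoding="utf-8") as handle:
        writer = csv.writer(handle)
        writer.writerow(headers)
        # zip(*columns) transposes the column-oriented data into rows.
        writer.writerows(zip(*table_data))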

def wrap_summary(summary, width=80):
    """Re-flow ``summary`` into lines no longer than ``width`` characters.

    ``textwrap.fill`` is the standard-library shorthand for joining the
    output of ``textwrap.wrap`` with newlines, so the result is identical to
    the join-based form.
    """
    return textwrap.fill(summary, width=width)

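def _safe_file_name(label, extension=".csv"):
    """Turn a human-readable table label into a portable file name.

    Every run of characters outside ``[A-Za-z0-9]`` collapses into a single
    underscore and leading/trailing underscores are trimmed, so
    ``"Table 1: Analysis Techniques"`` becomes
    ``"Table_1_Analysis_Techniques.csv"``. The original kept the ``:`` from
    the label, which is not a legal file-name character on Windows.
    """
    stem = re.sub(r"[^A-Za-z0-9]+", "_", label).strip("_")
    return f"{stem or 'table'}{extension}"


def main():
    """Print each of the seven reference tables and save each one as a CSV.

    For every table: prints its label, the PrettyTable rendering, the wrapped
    summary paragraph, then writes the same data to a CSV file named after
    the label (see ``_safe_file_name``) in the current working directory.
    """
    data = create_table_data()

    # Positions follow the column order documented on create_table_data.
    tables = [
        {
            "label": "Table 1: Analysis Techniques",
            "headers": ["Cyber Kill Chain", "MITRE ATT&CK", "SAST", "DAST"],
            "data": [data[0], data[1], data[2], data[3]],
            "summary": "This table provides an overview of the static and dynamic analysis techniques used at each stage of the Cyber Kill Chain and MITRE ATT&CK frameworks. It helps in understanding which techniques are applicable for reverse engineering, malware analysis, and software exploitation analysis at different stages of an attack. By identifying the appropriate analysis techniques for each stage, security professionals can effectively investigate and mitigate threats. The inclusion of CyberChef as a static analysis tool enhances the capabilities for analyzing and decoding various data formats, while ipconfig and nslookup provide network configuration and DNS lookup functionality.",
        },
        {
            "label": "Table 2: Artifacts and Network Activity",
            "headers": ["Cyber Kill Chain", "MITRE ATT&CK", "Executable (BIN)", "File System", "Network Traffic"],
            "data": [data[0], data[1], data[4], data[5], data[6]],
            "summary": "This table highlights the artifacts (executables and file system changes) and network activity associated with each stage of the Cyber Kill Chain and MITRE ATT&CK frameworks. It assists in identifying and analyzing relevant artifacts and network traffic during reverse engineering, malware analysis, and software exploitation analysis. By understanding the expected artifacts and network activity at each stage, analysts can focus their efforts on the most relevant data points and efficiently investigate malicious activities.",
        },
        {
            "label": "Table 3: Analysis Platforms",
            "headers": ["Cyber Kill Chain", "MITRE ATT&CK", "Kali", "FLARE"],
            "data": [data[0], data[1], data[7], data[8]],
            "summary": "This table indicates the platforms (Kali Linux and FLARE VM) commonly used for analyzing malware and performing reverse engineering and software exploitation analysis at each stage of the Cyber Kill Chain and MITRE ATT&CK frameworks. It helps in selecting the appropriate platform based on the stage and type of analysis being conducted. By leveraging the specialized tools and environments provided by these platforms, analysts can efficiently analyze malware, identify vulnerabilities, and develop exploits.",
        },
        {
            "label": "Table 4: Anti-Analysis Techniques",
            "headers": ["Cyber Kill Chain", "MITRE ATT&CK", "Obfuscation", "Anti-Virus and EDR evasion", "Sandbox Detection", "Domain Generation Algorithm (DGA)", "Open Directory"],
            "data": [data[0], data[1], data[9], data[10], data[11], data[12], data[13]],
            "summary": "This table focuses on the anti-analysis techniques employed by malware at different stages of the Cyber Kill Chain and MITRE ATT&CK frameworks. It includes obfuscation, evasion techniques, sandbox detection, domain generation algorithms (DGA), and the use of open directories. Understanding these techniques is crucial for effectively analyzing malware and developing countermeasures. By recognizing the signs of anti-analysis techniques, analysts can adapt their approaches and employ advanced methods to overcome these obstacles and gain insights into the malware's behavior and functionality.",
        },
        {
            "label": "Table 5: Sandbox Analysis",
            "headers": ["Cyber Kill Chain", "MITRE ATT&CK", "Online Sandbox", "Local Sandbox"],
            "data": [data[0], data[1], data[14], data[15]],
            "summary": "This table indicates the usage of online and local sandboxes for analyzing malware at different stages of the Cyber Kill Chain and MITRE ATT&CK frameworks. Sandboxes provide a controlled environment to safely execute and observe the behavior of malware, aiding in reverse engineering and malware analysis efforts. Online sandboxes offer quick and automated analysis, while local sandboxes allow for more in-depth and customized analysis. The inclusion of QEMU as a local sandbox tool enables the emulation of various hardware and software environments, providing flexibility in analyzing malware targeting different platforms.",
        },
        {
            "label": "Table 6: Offense and Defense Examples",
            "headers": ["Cyber Kill Chain", "MITRE ATT&CK", "Offense Example", "Defense Example"],
            "data": [data[0], data[1], data[16], data[17]],
            "summary": "This table provides examples of offensive techniques used by attackers and corresponding defensive measures at each stage of the Cyber Kill Chain and MITRE ATT&CK frameworks. It offers practical insights into real-world scenarios and helps in understanding the attacker's perspective and developing effective defense strategies. By studying the offensive techniques and their associated defense examples, security professionals can proactively identify potential attack vectors, implement appropriate security controls, and enhance their overall security posture.",
        },
        {
            "label": "Table 7: Representative Malware Families",
            "headers": ["Cyber Kill Chain", "MITRE ATT&CK", "Representative Malware Family"],
            "data": [data[0], data[1], data[18]],
            "summary": "This table lists representative malware families associated with each stage of the Cyber Kill Chain and MITRE ATT&CK frameworks. It helps in identifying and studying specific malware samples that exhibit behaviors and characteristics relevant to each stage, enhancing the understanding of real-world threats and supporting targeted analysis efforts. The inclusion of Ranbyus malware in the 'Defense Evasion' stage highlights its use of advanced evasion techniques. By familiarizing themselves with these representative malware families, analysts can recognize common patterns, techniques, and indicators, enabling them to more effectively detect, analyze, and respond to similar threats in the future.",
        }
    ]

    for table in tables:
        pretty_table = create_pretty_table(table["data"], table["headers"])
        print(table["label"])
        print(pretty_table)
        print(wrap_summary(table["summary"]))
        print()

        # Labels are fixed strings defined above, so the name is not derived
        # from untrusted input; sanitising only makes it portable.
        file_name = _safe_file_name(table["label"])
        save_to_csv(table["data"], table["headers"], file_name)
        print(f"Table saved to {file_name}")
        print()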

# Run the report only when executed as a script, not when the module is imported.
if __name__ == "__main__":
    main()

Table 1: Analysis Techniques
+--------------------------+--------------------------+----------------------------------------------------+---------------------------+
| Cyber Kill Chain         | MITRE ATT&CK             | SAST                                               | DAST                      |
+--------------------------+--------------------------+----------------------------------------------------+---------------------------+
| Reconnaissance           | Reconnaissance           | ipconfig, nslookup, CyberChef                      | wireshark                 |
+--------------------------+--------------------------+----------------------------------------------------+---------------------------+
| Weaponization            | Resource Development     | Ghidra (or IDA Pro), strings                       |                           |
+--------------------------+--------------------------+----------------------------------------------------+---------------------------+
|           