,
╓╗╗, ,╓▄▄▄Φ▓▓██▌╫D
║▌ `▓L ,,, ╓▄▄▄Φ▓▓▀▀▀╫╫╫╫╫╫╫▀▀╫▓▓▄
▓▄▓▓▓ ,▄▄B░▀╫Ñ╬░░╫╫▓▓▓▓╫╫╫╫▓▓▓╫╫╫╫╣▓▓▓▄
║████L ,╓#▀▀▀╨╫ÑÑ╦▄▒▀╣▓▄▄▀╣▌╫▀ ██╫╫╫╫▓▓╫▓▓φ
▓╫╫╫▀]Ñ░░░░ÑÑÑÑ░░░░░╠▀W▄╠▀▓▒░╫Ñ╖ ╙└"╜▀▓▓▓▓▓█▓▓
║░░░╦╬╫╫╫╫╫╫╫╫╫╫╫╫╫ÑÑ░░░╠Ñ░╨╫Ñ░╫╫╫╫N ▀▓▓▓╫██▓╕
,]░╦╬╫╫╫╫╫╫╫▓▓▓▓▓▓╫╫╫╫╫╫╫Ñ░░╠░░╫M░╠╫╫╫╫╦, ▀▓▓▓▓▓▓⌐
╗▄╦ ]░░╬╫╫╫╫╫▓▓██████████▓▓▒╫╫╫╫Ñ░░╟▒╟▓▒ñ▓▓▓▓░N ╙▓▓▓▓▓▓
║███╫█╫ ]░░╫╫╫╫╫▓███▓▓▓▓▓▓▓▓▓▓███▓╫╫╫╫╫░░╟▒╟▓Ü╟▓▓▓▓░H ╟▓▓▓▓▓L
║███╫█╫ ]░░╫╫╫╫▓██▓╫▓▓▓▀▀╠╠╬▀▓▓▓╫▓██▓╫╫╫╫░░ÑÑ╠▄░╠▓▓▓▄▄▄▄▄▓▓▓╫╫╫╫
╓▄▄╫█╫╖╖╖╦░╫╫╫╫╫██▓▓▓▓▀░╬Ñ╣╬╫Ñ░╟▓▓▓▓██╫╫╫╫Ñ░╦]░░░║████▀▀╫╫╫▓╩╨╟╫
╟▓▓╫█╫▀▀▀╩╬╩╫╫▓██▓▓▓▓▌░╫░╟▓▓K╫Ñ░▓▓▓▓╫██▓▒╩╩╩╩ ╙╩╨▀▓M╨╩╨╙╝╣N╦╗Φ╝
╫█╫ ▀███▀╣▓▓▓▓▓░╫Ñ░╠▀░╫Ü░▓▓▓▓▓▀▀███╕ ▐▓▌╖
▄▄▄▄▓█▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄╛
▀╩╫╫╫╠╣▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀░╫╫╫╫▌
╗▄╫╫Ñ░╠▀▓▓▓▓▓▓▓▓▓▓▓▓▀░╦╬╫╫∩
`⌠╫╫╫Ñ░░Å╣▀▀▀▀▀▒░╦╬╫╫╫`█
╙╙""╫╫╫½╫╫╫╬╫╫╫╫╫M"▓╛
└╙└ ▄▓╩`║▓╩ Å▀
Cut through the MITRE ATT&CK framework and extract relevant identifiers for searching and hunting.
At its core, MITRESaw creates a CSV-formatted version of the MITRE ATT&CK Framework and outputs individual Threat Actor ATT&CK Navigator JSON files, depending on keywords provided.
MITRESaw has evolved to also produce search queries based on extracted indicators (aligned with Threat Group TTPs). Searches currently provided are compatible with Splunk, Azure Sentinel and Elastic/Kibana. SIGMA will be included soon.
```
python3 -m pip install -r requirements.txt
python3 MITRESaw.py framework platforms searchterms threatgroups [-a] [-n] [-o] [-q] [-s] [-t]
```
To display usage, simply run: python3 MITRESaw.py -h
```
usage: MITRESaw.py [-h] [-a] [-n] [-o] [-q] [-t] framework platforms searchterms threatgroups

positional arguments:
  framework             Specify which framework to collect from - Enterprise, ICS or Mobile
  platforms             Filter results based on provided platforms e.g. Windows,Linux,IaaS,Azure_AD (use _ instead of spaces)
                        Use . to not filter i.e. obtain all Platforms
                        Valid options are: 'Azure_AD', 'Containers', 'Google_Workspace', 'IaaS', 'Linux', 'Network', 'Office_365', 'PRE', 'SaaS', 'Windows', 'macOS'
  searchterms           Filter Threat Actor results based on specific industries e.g. mining,technology,defense,law (use _ instead of spaces)
                        Use . to not filter i.e. obtain all Threat Actors
  threatgroups          Filter Threat Actor results based on specific group names and/or Software e.g. APT29,HAFNIUM,Lazarus_Group,Turla,AppleJeus,Brute_Ratel_C4 (use _ instead of spaces)
                        Use . to not filter i.e. obtain all Threat Actors

optional arguments:
  -h, --help            show this help message and exit
  -a, --asciiart        Don't show ASCII Art of the saw.
  -n, --navlayers       Obtain ATT&CK Navigator layers for Groups and Software identified during extraction of identifiable evidence
  -o, --showotherlogsources
                        Show log sources which can detect identified techniques where the coverage is less than 1%
  -q, --queries         Build search queries based on results - to be imported into Splunk; Azure Sentinel; Elastic/Kibana
  -t, --truncate        Truncate printing of indicators for a cleaner output (they are still written to output file)
```
```
python3 MITRESaw.py Windows,Linux,macOS mining,technology,defense,_uk_,law . -q
```
Because MITRE ATT&CK has been built and is managed in the United States, the keywords provided need to be in US English rather than UK English. An example where results would not reflect the search terms provided is the word defense (US) / defence (UK).
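To make the filtering described above concrete, here is an added example (my own code, not MITRESaw's) that runs the same three positional filters over a small constructed dataset shaped like the ATT&CK spreadsheets, writes the framework rows out as CSV, and emits a minimal ATT&CK Navigator layer per matching group. The technique IDs and APT41's ID are real ATT&CK identifiers; `ExampleGroup` (G0000), its description and the group-to-technique mapping are constructed for illustration. Keyword matching is a plain substring test, which is exactly why the US/UK spelling caveat matters: `defense` finds nothing in a description that says `defence`.

```python
"""Added example, not MITRESaw's own code: filter a constructed, ATT&CK-shaped
dataset by platform and industry keyword, write it out as CSV, and build an
ATT&CK Navigator layer per matching group."""
import csv
import io
import json

# Constructed sample rows in the shape MITRESaw reads from the ATT&CK
# spreadsheets (real sheets carry many more columns). Technique IDs and G0096
# are real ATT&CK identifiers; G0000/ExampleGroup and the group->technique
# mapping below are constructed for illustration and are NOT MITRE's data.
TECHNIQUES = [
    {"ID": "T1543.003", "name": "Create or Modify System Process: Windows Service",
     "platforms": "Windows"},
    {"ID": "T1053.003", "name": "Scheduled Task/Job: Cron", "platforms": "Linux, macOS"},
    {"ID": "T1078.004", "name": "Valid Accounts: Cloud Accounts",
     "platforms": "Azure AD, IaaS, SaaS"},
]
GROUPS = [
    {"ID": "G0096", "name": "APT41",
     "description": "APT41 has been observed targeting healthcare, telecom, "
                    "technology, and video game industries in 14 countries."},
    {"ID": "G0000", "name": "ExampleGroup",  # placeholder, not a real ATT&CK entry
     "description": "ExampleGroup targets defence contractors in the UK and Ireland."},
]
GROUP_TECHNIQUES = {"G0096": ["T1543.003", "T1078.004"], "G0000": ["T1053.003"]}


def split_arg(arg):
    """Expand a comma-separated CLI argument; '_' stands for a space, as in MITRESaw."""
    return [item.replace("_", " ") for item in arg.split(",")]


def platform_filter(techniques, platforms):
    """Keep techniques that list at least one requested platform ('.' keeps all)."""
    if platforms == ".":
        return list(techniques)
    wanted = set(split_arg(platforms))
    return [t for t in techniques
            if wanted & {p.strip() for p in t["platforms"].split(",")}]


def keyword_filter(groups, searchterms):
    """Return (group, matched_terms) for groups whose description contains a term.

    Matching is a case-insensitive substring test, so spelling matters:
    'defense' will not match a description that says 'defence'."""
    if searchterms == ".":
        return [(g, []) for g in groups]
    terms = [t.lower() for t in split_arg(searchterms)]
    hits = []
    for g in groups:
        matched = [t for t in terms if t in g["description"].lower()]
        if matched:
            hits.append((g, matched))
    return hits


def to_csv(rows):
    """Serialise rows to CSV text (the CSV copy of the framework MITRESaw produces)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def navigator_layer(group, technique_ids, matched_terms, domain="enterprise-attack"):
    """Minimal ATT&CK Navigator layer: only the keys Navigator needs to render it."""
    return {
        "name": f"{group['name']} ({group['ID']})",
        "versions": {"layer": "4.4"},  # Navigator layer-format version
        "domain": domain,
        "description": "Matched search terms: " + ", ".join(t.strip() for t in matched_terms),
        "techniques": [{"techniqueID": tid, "score": 1} for tid in technique_ids],
    }


def build(platforms, searchterms, threatgroups):
    """Mirror the CLI positionals: platforms, searchterms, threatgroups -> {group name: layer}."""
    kept = {t["ID"] for t in platform_filter(TECHNIQUES, platforms)}
    names = None if threatgroups == "." else set(split_arg(threatgroups))
    layers = {}
    for group, matched in keyword_filter(GROUPS, searchterms):
        if names is not None and group["name"] not in names:
            continue
        tids = [tid for tid in GROUP_TECHNIQUES.get(group["ID"], []) if tid in kept]
        layers[group["name"]] = navigator_layer(group, tids, matched)
    return layers


if __name__ == "__main__":
    print(to_csv(TECHNIQUES))
    for name, layer in build("Windows,Linux,macOS", "mining,technology,defense,_uk_,law", ".").items():
        print(name, json.dumps(layer, indent=2))
```

Run with the README's own argument values and APT41 is selected by `technology`, while `ExampleGroup` is selected only by ` uk ` (the `_uk_` term), not by `defense`; the cloud-only technique T1078.004 is dropped by the `Windows,Linux,macOS` platform filter before any layer is written.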
I have also had discussions with peers about how to leverage the ATT&CK STIX data compiled by MITRE instead of the Excel spreadsheets, but the data provided in the STIX dataset doesn't contain the same Group/Software information as the spreadsheets. Although the STIX data does detail the procedure examples of how each Group/Software(/Campaign) leverages each respective technique, nowhere in the STIX dataset is there a description for each of the Groups/Software/Campaigns, and without this MITRESaw cannot ascertain which Threat Actors target certain industries using the STIX dataset.
For example, for APT41:
- Description
APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.
- Procedure example: Create or Modify System Process: Windows Service
APT41 modified legitimate Windows services to install malware backdoors. APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.
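The `-q` option described earlier turns indicators extracted from procedure text like the example above into SIEM searches. As an added illustration (my own code, not MITRESaw's), the block below pulls candidate indicators out of that procedure sentence with a CamelCase heuristic (an assumption on my part, not the tool's rule), quotes and escapes them so an indicator can never break out of the query string, and renders a free-text query for each of the three supported dialects. The query shapes are generic assumptions; index names and fields would need to be adapted to a real deployment.

```python
"""Added example, not MITRESaw's own code: pull candidate indicators out of an
ATT&CK procedure-example sentence and render them as Splunk, Azure Sentinel
and Elastic/Kibana search queries."""
import re

# Constructed input: the APT41 procedure example quoted in this README.
PROCEDURE_TEXT = (
    "APT41 modified legitimate Windows services to install malware backdoors. "
    "APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike."
)

# Heuristic used here (an assumption, not MITRESaw's rule): CamelCase tokens of
# two or more words (service names, tool names, file stems) are worth searching
# for, while ordinary prose words and group IDs such as APT41 are not.
CAMEL = re.compile(r"\b(?:[A-Z][a-z0-9]+){2,}\b")


def extract_indicators(text):
    """Return CamelCase indicators in order of first appearance, de-duplicated."""
    found = []
    for token in CAMEL.findall(text):
        if token not in found:
            found.append(token)
    return found


def _quote(value):
    """Double-quote a value, escaping backslashes and quotes so an indicator
    taken from free text cannot terminate the string literal in the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_queries(indicators, technique_id):
    """One free-text query per SIEM dialect, tagged with the ATT&CK technique
    it hunts for. Returns {} when there is nothing to search for, rather than
    emitting a syntactically broken query."""
    if not indicators:
        return {}
    quoted = [_quote(i) for i in indicators]
    return {
        "technique": technique_id,
        "splunk": "index=* (" + " OR ".join(quoted) + ")",   # SPL, all indexes
        "sentinel": "search " + " or ".join(quoted),         # KQL search operator
        "elastic": " or ".join(quoted),                      # Kibana KQL free text
    }


def queries_for_procedure(text, technique_id):
    """End to end: procedure sentence -> indicators -> per-dialect queries."""
    return build_queries(extract_indicators(text), technique_id)


if __name__ == "__main__":
    # T1543.003 is the real ATT&CK ID of "Create or Modify System Process: Windows Service"
    for name, query in queries_for_procedure(PROCEDURE_TEXT, "T1543.003").items():
        print(f"{name:9} {query}")
```

On the sentence above only `StorSyncSvc` survives the heuristic; `APT41`, `Windows` and `Cobalt Strike` are dropped because they are not multi-word CamelCase tokens, which keeps the generated searches from matching on generic prose.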