import sys, os, json, csv
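class StatsRef:
    """Static reference tables used when computing ATT&CK-evaluation statistics.

    Every accessor below rebuilds its table from a literal on each call, so the
    returned containers are never shared between callers and may be mutated
    freely.  ``get_references`` bundles the tables most consumers need into one
    tuple in a fixed order.

    The ``__name__``-style method names are kept as they are because other code
    calls them directly; note that Python does not mangle names that end in two
    underscores, so ``self.__attacks__()`` resolves normally.
    """

    def __init__(self):
        # No instance state: every accessor returns a fresh literal.
        pass

    def __attacks__(self):
        """Return ``{tactic: {technique: [sub_technique, ...]}}``.

        Keys are ATT&CK tactic names, values map technique names to the list of
        sub-technique names covered.  An empty-string entry in a sub-technique
        list appears to stand for the parent technique used without a
        sub-technique -- NOTE(review): confirm that convention against the
        consumer that indexes these lists.
        """
        return {
            "Privilege Escalation": {
                "Abuse Elevation Control Mechanism": ["Bypass User Account Control"],
                "Access Token Manipulation": ["Create Process with Token", "Token Impersonation/Theft"],
                "Boot or Logon Autostart Execution": ["Registry Run Keys / Startup Folder"],
                "Create or Modify System Process": ["Windows Service"],
                "Event Triggered Execution": [
                    "Application Shimming",
                    "Component Object Model Hijacking",
                    "Accessibility Features",
                    "Management Instrumentation Event Subscription",
                ],
                "Hijack Execution Flow": ["DLL Search Order Hijacking"],
                "Process Injection": ["", "Process Hollowing"],
                "Scheduled Task/Job": ["Scheduled Task"],
                "Valid Accounts": ["Domain Accounts"],
            },
            "Discovery": {
                "Application Window Discovery": [""],
                "Account Discovery": ["Domain Account", "Local Account"],
                "File and Directory Discovery": [""],
                "Network Share Discovery": [""],
                "Password Policy Discovery": [""],
                "Peripheral Device Discovery": [""],
                "Permission Groups Discovery": ["Domain Groups", "Local Groups"],
                "Process Discovery": [""],
                "Query Registry": [""],
                "Remote System Discovery": [""],
                "Software Discovery": ["Security Software Discovery"],
                "System Information Discovery": [""],
                "System Network Configuration Discovery": [""],
                "System Network Connections Discovery": [""],
                "System Owner/User Discovery": [""],
                "System Service Discovery": [""],
                "Virtualization/Sandbox Evasion": ["System Checks"],
            },
            "Credential Access": {
                "Brute Force": ["Password Spraying"],
                "Credentials from Password Stores": ["Credentials from Web Browsers"],
                "Input Capture": ["Keylogging"],
                "OS Credential Dumping": ["LSASS Memory", "Security Account Manager"],
                "Unsecured Credentials": ["Credentials in Files", "Private Keys"],
            },
            "Command and Control": {
                "Application Layer Protocol": ["", "DNS", "Web Protocols"],
                "Data Encoding": ["Standard Encoding"],
                "Encrypted Channel": ["Asymmetric Cryptography", "Symmetric Cryptography"],
                "Ingress Tool Transfer": [""],
                "Non-Application Layer Protocol": [""],
                "Proxy": [""],
                "Remote Access Software": [""],
                "Commonly Used Port": [""],
                "Web Service": [""],
            },
            "Collection": {
                "Archive Collected Data": ["Archive via Utility"],
                "Automated Collection": [""],
                "Clipboard Data": [""],
                "Data from Local System": [""],
                "Data from Network Shared Drive": [""],
                "Email Collection": ["Local Email Collection"],
                "Data Staged": ["Local Data Staging", "Remote Data Staging"],
                "Screen Capture": [""],
            },
            "Execution": {
                "Command and Scripting Interpreter": [
                    "",
                    "JavaScript/Jscript",
                    "PowerShell",
                    "Visual Basic",
                    "Windows Command Shell",
                ],
                "Inter-Process Communication": ["Component Object Model"],
                "Native API": [""],
                "System Services": ["Service Execution"],
                "User Execution": ["Malicious File"],
                "Windows Management Instrumentation": [""],
            },
            "Defense Evasion": {
                "Deobfuscate/Decode Files or Information": [""],
                "File and Directory Permissions Modification": ["Windows File and Directory Permissions Modification"],
                "Hide Artifacts": ["NTFS File Attributes"],
                "Indicator Removal on Host": ["File Deletion", "Network Share Connection Removal", "Timestomp"],
                "Impair Defenses": ["Disable or Modify System Firewall"],
                "Masquerading": [
                    "",
                    "Masquerade Task or Service",
                    "Match Legitimate Name or Location",
                    "Rename System Utilities",
                    "Right to Left Override",
                ],
                "Modify Registry": [""],
                "Obfuscated Files or Information": ["", "Software Packing", "Steganography"],
                "Signed Binary Proxy Execution": ["Mshta", "Rundll32"],
                "Use Alternate Authentication Material": ["Pass the Hash", "Pass the Ticket"],
            },
            "Lateral Movement": {
                "Remote Services": ["Remote Desktop Protocol", "SMB/Windows Admin Shares", "SSH", "Windows Remote Management"],
                "Lateral Tool Transfer": [""],
            },
            "Persistence": {
                "Create Account": ["Local Account"],
            },
            "Exfiltration": {
                "Exfiltration Over Alternative Protocol": ["", "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"],
                "Exfiltration Over Command and Control Channel": [""],
                "Exfiltration Over Web Service": ["Exfiltration to Cloud Storage"],
            },
        }

    def __colormap__(self):
        """Return ``{tactic: colour_name}``; the key set matches ``__attacks__``."""
        return {
            "Privilege Escalation": "cyan",
            "Discovery": "blue",
            "Credential Access": "yellow",
            "Command and Control": "orange",
            "Collection": "green",
            "Execution": "pink",
            "Defense Evasion": "purple",
            "Lateral Movement": "fuchsia",
            "Persistence": "maroon",
            "Exfiltration": "olivedrab",
        }

    def __data_sources__(self):
        """Return the list of data-source labels (not part of ``get_references``).

        Strings are kept verbatim, including 'Network connection , ETW', because
        they are presumably matched textually against the evaluation data.
        """
        return [
            'Process Monitoring', 'DLL Monitoring', 'File Monitoring', 'Network Monitoring',
            'Script Logs', 'Windows Registry', 'Windows Event Logs', 'Authentication Logs',
            'System Calls/API Monitoring', 'Sandbox', 'Named Pipes', 'WMI Objects',
            'Machine Learning', 'ETW', 'SONAR / Endpoint Detection', 'Command-Line Parameters / AMSI',
            'Networking / AMSI', 'Network connection , ETW', 'RPC', 'Memory Analysis', 'Cynet AV',
            'Memory Scanning/Signatures', 'Signatures in memory', 'Behavior rules',
        ]

    def __evaluations__(self):
        """Return the evaluation-round identifiers used as keys elsewhere."""
        return ['apt3', 'apt29', 'carbanak_fin7']

    def __participants__(self):
        """Return every vendor name that appears in any evaluation round."""
        return [
            "AhnLab", "Cybereason", "Fidelis", "Malwarebytes", "RSA", "TrendMicro", "Bitdefender",
            "Cylance", "FireEye", "McAfee", "ReaQta", "Uptycs", "CheckPoint", "Cynet", "Fortinet",
            "MicroFocus", "Secureworks", "VMware", "Cisco", "ESET", "GoSecure", "Microsoft", "SentinelOne",
            "CrowdStrike", "Elastic", "HanSight", "OpenText", "Sophos", "CyCraft", "F-Secure", "Kaspersky",
            "PaloAltoNetworks", "Symantec",
        ]

    def __countries__(self):
        """Return ``{country: [vendor, ...]}`` covering every name in ``__participants__``.

        Two data defects are fixed here: a missing comma that silently
        concatenated "McAfee" and "Uptycs" into one bogus vendor, and the
        spelling "VMWare", which did not match the "VMware" used everywhere else.
        """
        return {
            "South Korea": ["AhnLab"],
            "United States": [
                "Cybereason", "Fidelis", "Malwarebytes", "RSA", "Cylance", "FireEye", "McAfee",
                "Uptycs", "Fortinet", "Secureworks", "VMware", "Cisco", "Microsoft", "SentinelOne",
                "CrowdStrike", "PaloAltoNetworks", "Symantec",
            ],
            "Japan": ["TrendMicro"],
            "Taiwan": ["CyCraft"],
            "Romania": ["Bitdefender"],
            "Netherlands": ["ReaQta", "Elastic"],
            "Israel": ["CheckPoint", "Cynet"],
            "United Kingdom": ["MicroFocus", "Sophos"],
            "Slovakia": ["ESET"],
            "Canada": ["GoSecure", "OpenText"],
            "China": ["HanSight"],
            "Finland": ["F-Secure"],
            "Russia": ["Kaspersky"],
        }

    def __scoring__(self):
        """Return ``{detection_label: points}``.

        Every key is a plain string of the form ``"<Detection>"`` or
        ``"<Detection>, <Modifier>"``.  The original source wrote the keys in
        parentheses, which does not make a tuple, except for the two MSSP
        modifier entries that accidentally were tuples and therefore could
        never be found by a string lookup; they now follow the same string form.
        """
        return {
            'SpecificBehavior': 5,
            'SpecificBehavior, Tainted': 5,
            'Technique': 5,
            'Technique, Tainted': 5,
            'GeneralBehavior': 4,
            'GeneralBehavior, Tainted': 4,
            'Tactic': 4,
            'Tactic, Tainted': 4,
            'General': 4,
            'General, Tainted': 4,
            'SpecificBehavior, Delayed': 3,
            'GeneralBehavior, Delayed': 2,
            'Tactic, Delayed': 2,
            'Technique, Delayed': 3,
            'Enrichment': 3,
            'Enrichment, Tainted': 3,
            'Enrichment, Delayed': 1,
            'Telemetry': 1,
            'Telemetry, Tainted': 1,
            'Telemetry, Delayed': 0,
            'IndicatorofCompromise': 0,
            'IndicatorofCompromise, Tainted': 0,
            'IndicatorofCompromise, Delayed': 0,
            'None': 0,
            'MSSP': 0,
            'MSSP, Tainted': 0,
            'MSSP, Delayed': 0,
        }

    def __grading__(self):
        """Return ``{grade: (low, high)}`` score bands.

        Adjacent bands share their boundary value (e.g. 85 ends "Very Good" and
        starts "Excellent"); which side is inclusive is decided by the consumer.
        """
        return {
            "Excellent": (85, 100),
            "Very Good": (70, 85),
            "Good": (55, 70),
            "Fair": (40, 55),
            "Poor": (0, 40),
        }

    def __detections__(self):
        """Return ``{evaluation: "<space-separated detection categories>"}``.

        The tokens are the ``<Detection>`` parts of the ``__scoring__`` keys
        ('N/A' excepted) and are kept as one string because callers presumably
        split it themselves.
        """
        return {
            'apt3': 'N/A None Telemetry IndicatorofCompromise Enrichment GeneralBehavior SpecificBehavior',
            'apt29': 'N/A None MSSP Telemetry General Tactic Technique',
            'carbanak_fin7': 'N/A None Telemetry General Tactic Technique',
        }

    def __participants_by_eval__(self):
        """Return ``{evaluation: [vendor, ...]}``; every vendor is in ``__participants__``."""
        return {
            'apt3': [
                'Elastic', 'McAfee', 'F-Secure', 'CrowdStrike', 'FireEye', 'RSA', 'Cybereason',
                'Microsoft', 'PaloAltoNetworks', 'GoSecure', 'SentinelOne',
            ],
            'apt29': [
                'Elastic', 'McAfee', 'Kaspersky', 'VMware', 'F-Secure', 'CrowdStrike', 'FireEye',
                'TrendMicro', 'Symantec', 'Cybereason', 'Malwarebytes', 'HanSight', 'Microsoft',
                'PaloAltoNetworks', 'Secureworks', 'Bitdefender', 'Cylance', 'GoSecure', 'SentinelOne',
                'CyCraft', 'ReaQta',
            ],
            'carbanak_fin7': [
                'Elastic', 'McAfee', 'VMware', 'F-Secure', 'CrowdStrike', 'FireEye', 'TrendMicro',
                'Symantec', 'Cybereason', 'Uptycs', 'Malwarebytes', 'MicroFocus', 'Cisco', 'Cynet',
                'Sophos', 'CheckPoint', 'AhnLab', 'Microsoft', 'OpenText', 'PaloAltoNetworks',
                'Bitdefender', 'Cylance', 'GoSecure', 'SentinelOne', 'ESET', 'Fidelis', 'CyCraft',
                'Fortinet', 'ReaQta',
            ],
        }

    def __modifiers__(self):
        """Return ``{evaluation: [modifier, ...]}`` of detection modifiers per round."""
        return {
            'apt3': ['Tainted'],
            'apt29': ['Correlated', 'Innovative'],
            'carbanak_fin7': [],
        }

    def get_references(self):
        """Return the reference tables as one ten-element tuple.

        Order: attacks, colormap, evaluations, participants, countries, scoring,
        grading, detections, modifiers, participants_by_eval.  ``__data_sources__``
        is deliberately not included.  Callers must unpack all ten values.
        """
        return (
            self.__attacks__(),
            self.__colormap__(),
            self.__evaluations__(),
            self.__participants__(),
            self.__countries__(),
            self.__scoring__(),
            self.__grading__(),
            self.__detections__(),
            self.__modifiers__(),
            self.__participants_by_eval__(),
        )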
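if __name__ == '__main__':
    # Smoke run.  get_references() returns ten tables; unpacking into seven
    # names (as the original did) raises ValueError on every run.
    r = StatsRef()
    a, c, e, p, cs, s, g, d, m, pe = r.get_references()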