Quick questions about Json

[SadProcessor]

Hey ATT&CK,

I have a few quick questions.
I am rebuiding a set of powershell cmdlets to explore the awesome data you got there...
Started looking at STIX and TAXII and that python library...
then I saw you had it all exported in json right here.
Perfect for what I have in mind (and less work).

Anyways, was wondering how often this json data will be generated/updated?

Also, looking at attack-pattern/course-of-action can't seem to find the 'detection' info as avail on wiki.
Was wondering if it would be possible to add this (quite valuable piece of info),
maybe as an x_mitre property in the course-of-action objects.

Thanks anyways for awesome stuff.

[jburns12]

Hey @SadProcessor - these are both really great points/questions.

Regarding how often the JSON data will be generated/updated, the TAXII server is actually syncing on this repo, so this repo will always be up to date with the ATT&CK content updates.

About the detection info - right now it's part of the description of the corresponding attack pattern. For example, here's the description for .bash_profile and .bashrc with the detection in bold:

"description": "/.bash_profile and /.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. /.bash_profile is executed for login shells and /.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), /.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, /.bashrc is executed. This allows users more fine grained control over when they want certain commands executed.\n\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling /.bash_profile each time instead of /.bashrc.\n\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\n\nDetection: While users may customize their /.bashrc and /.bash_profile files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\n\nPermissions Required: User, Administrator"

We're discussing whether or not we want to put this into a custom x_mitre_detection property in the attack pattern, so having you bring it up here has been helpful. We will keep you posted on whether or not the current model of having it solely in the description changes. Please let us know if you have any other questions, concerns, or suggestions!

[SadProcessor]

Awesome. Just was I was hoping to hear...
Will go with some regex for now to extract detection as a property.
(Would be cool to have it as an x_mitre in the future)
Thanks.
👍