# Working with MITRE's ATT&CK Framework


# Background

* ATT&CK on Github
    * https://github.com/mitre/cti
    * https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json 
* STIX JSON Format
* ATT&CK API Clients
    * `cti-python-stix2` and `cti-taxii-client`
    * `attack-cti`
    * `pyattck`
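
All three clients listed above read the same STIX 2.0 bundle (`enterprise-attack.json`). As an added example, not code from this notebook or from pyattck, here is a plain-Python reader for that bundle that recovers the fields the later parts take from pyattck (`technique.id`, `.name`, `.data_source`, `.actors`) and the Part 2 grouping by data source, skipping revoked and deprecated objects, which pyattck-style listings can otherwise carry along. The bundle inline is a constructed miniature of the real file; `T1999`, the short STIX ids and the group-to-technique links are made up for the example.

```python
from collections import defaultdict

# Constructed miniature of the enterprise-attack.json STIX 2.0 bundle. The real
# file has the same object types and fields, just far more objects and UUID ids.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Access Token Manipulation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1134"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
     "x_mitre_data_sources": ["API monitoring", "Access tokens"]},
    {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "Pass the Hash",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1075"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
     "x_mitre_data_sources": ["Authentication logs"]},
    {"type": "attack-pattern", "id": "attack-pattern--a3", "name": "Retired", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1999"}],
     "x_mitre_data_sources": ["Process monitoring"]},   # T1999 is a constructed id
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "APT1"},
    {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "APT28"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a2"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--a1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--a2"},
]}

def load_techniques(bundle):
    """ATT&CK id -> name, tactics, data sources and groups using it; revoked/deprecated skipped."""
    objs = bundle["objects"]
    groups = {o["id"]: o["name"] for o in objs if o.get("type") == "intrusion-set"}
    users = defaultdict(set)  # attack-pattern STIX id -> names of groups that use it
    for rel in objs:
        if (rel.get("type") == "relationship" and rel.get("relationship_type") == "uses"
                and rel["source_ref"] in groups):
            users[rel["target_ref"]].add(groups[rel["source_ref"]])
    techniques = {}
    for o in objs:
        if o.get("type") != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        # The ATT&CK id (T1134) lives in the external reference whose source is mitre-attack
        tid = next((r["external_id"] for r in o.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        techniques[tid] = {
            "name": o["name"],
            "tactics": [p["phase_name"] for p in o.get("kill_chain_phases", [])
                        if p["kill_chain_name"] == "mitre-attack"],
            "data_sources": o.get("x_mitre_data_sources", []),
            "actors": sorted(users.get(o["id"], ())),
        }
    return techniques

def group_by_data_source(techniques, actor_name=None):
    """Data source -> sorted technique ids, optionally only those a named group uses (Part 2)."""
    grouped = defaultdict(list)
    for tid, info in techniques.items():
        if actor_name and actor_name not in info["actors"]:
            continue
        for ds in info["data_sources"]:
            grouped[ds].append(tid)
    return {ds: sorted(tids) for ds, tids in grouped.items()}
```

With the real file, `load_techniques(json.load(open('enterprise-attack.json')))` gives the full map, and `group_by_data_source(techs, 'APT1')` matches the Part 2 per-actor grouping.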
    
<hr>

# Part 1 - `pyattck`

## Installation

* https://pyattck.readthedocs.io/en/latest/
* https://swimlane.com/blog/swimlane-pyattack-works-with-mitre-att-ck-framework/


    pip install pyattck

In [4]:
from pyattck import Attck


attack = Attck()

If you're connecting through a web proxy, you should set the `HTTP_PROXY` and `HTTPS_PROXY` environment variables.

## Exploring Tactics

In [6]:
for tactic in attack.tactics:
    print(tactic.name)

Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation


The power of tab-complete in Jupyter:

In [4]:
example_tactic = attack.tactics[0]

In [5]:
example_tactic.name

'Collection'

In [6]:
print(example_tactic.description)

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.


In [7]:
for technique in example_tactic.techniques:
    print(technique.id, technique.name)

T1123 Audio Capture
T1119 Automated Collection
T1115 Clipboard Data
T1074 Data Staged
T1530 Data from Cloud Storage Object
T1213 Data from Information Repositories
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1114 Email Collection
T1056 Input Capture
T1185 Man in the Browser
T1113 Screen Capture
T1125 Video Capture


## Exploring Techniques

In [52]:
example_technique = attack.techniques[1]

In [53]:
example_technique.name

'Access Token Manipulation'

In [54]:
example_technique.id

'T1134'

In [55]:
example_technique.description

"Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>.(Citation: Microsoft runas)\n  \nAdversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries common

In [56]:
example_technique.wiki

'https://attack.mitre.org/techniques/T1134'

In [59]:
for actor in example_technique.actors:
    print(actor.name)

Lazarus Group
APT28
Turla


In [93]:
for mitigation in example_technique.mitigations:
    print(mitigation.name)

Access Token Manipulation Mitigation
Privileged Account Management
User Account Management


## Exploring Actors

In [7]:
for actor in attack.actors:
    print(actor.name)

APT1
APT12
APT16
APT17
APT18
APT19
APT28
APT29
APT3
APT30
APT32
APT33
APT34
APT37
APT38
APT39
APT41
Axiom
BRONZE BUTLER
BlackOasis
Carbanak
Charming Kitten
Cleaver
Cobalt Group
CopyKittens
Dark Caracal
DarkHydrus
Darkhotel
Deep Panda
DragonOK
Dragonfly
Dragonfly 2.0
Dust Storm
Elderwood
Equation
FIN10
FIN4
FIN5
FIN6
FIN7
FIN8
GCMAN
Gallmaker
Gamaredon Group
Gorgon Group
Group5
Honeybee
Ke3chang
Kimsuky
Lazarus Group
Leafminer
Leviathan
Lotus Blossom
MONSOON
Machete
Magic Hound
Moafee
Molerats
MuddyWater
NEODYMIUM
Naikon
Night Dragon
OilRig
Orangeworm
PLATINUM
PROMETHIUM
Patchwork
PittyTiger
Poseidon Group
Putter Panda
RTM
Rancor
Sandworm Team
Scarlet Mimic
Silence
SilverTerrier
Soft Cell
Sowbug
Stealth Falcon
Stolen Pencil
Strider
Suckfly
TA459
TA505
TEMP.Veles
Taidoor
The White Company
Threat Group-1314
Threat Group-3390
Thrip
Tropic Trooper
Turla
WIRTE
Winnti Group
admin@338
menuPass


In [8]:
for actor in attack.actors:
    print(actor.name)
    for technique in actor.techniques:
        print('-', technique.id, technique.name)

APT1
- T1003 Credential Dumping
- T1059 Command-Line Interface
- T1076 Remote Desktop Protocol
- T1005 Data from Local System
- T1002 Data Compressed
- T1064 Scripting
- T1057 Process Discovery
- T1114 Email Collection
- T1036 Masquerading
- T1049 System Network Connections Discovery
- T1087 Account Discovery
- T1119 Automated Collection
- T1075 Pass the Hash
- T1135 Network Share Discovery
- T1007 System Service Discovery
- T1016 System Network Configuration Discovery
APT12
- T1204 User Execution
- T1203 Exploitation for Client Execution
- T1193 Spearphishing Attachment
- T1102 Web Service
APT16
APT17
APT18
- T1133 External Remote Services
- T1083 File and Directory Discovery
- T1027 Obfuscated Files or Information
- T1071 Standard Application Layer Protocol
- T1078 Valid Accounts
- T1043 Commonly Used Port
- T1060 Registry Run Keys / Startup Folder
- T1105 Remote File Copy
- T1059 Command-Line Interface
- T1053 Scheduled Task
- T1107 File Deletion
- T1082 System Information Discovery

- T1071 Standard Application Layer Protocol
- T1056 Input Capture
- T1057 Process Discovery
- T1112 Modify Registry
- T1189 Drive-by Compromise
- T1115 Clipboard Data
- T1045 Software Packing
- T1059 Command-Line Interface
- T1105 Remote File Copy
- T1107 File Deletion
- T1070 Indicator Removal on Host
- T1494 Runtime Data Manipulation
- T1493 Transmitted Data Manipulation
- T1492 Stored Data Manipulation
- T1487 Disk Structure Wipe
- T1486 Data Encrypted for Impact
- T1485 Data Destruction
- T1049 System Network Connections Discovery
- T1529 System Shutdown/Reboot
APT39
- T1193 Spearphishing Attachment
- T1192 Spearphishing Link
- T1076 Remote Desktop Protocol
- T1060 Registry Run Keys / Startup Folder
- T1053 Scheduled Task
- T1023 Shortcut Modification
- T1016 System Network Configuration Discovery
- T1002 Data Compressed
- T1090 Connection Proxy
- T1003 Credential Dumping
- T1064 Scripting
- T1078 Valid Accounts
- T1046 Network Service Scanning
- T1021 Remote Services
- T1100 Web S

- T1108 Redundant Access
- T1107 File Deletion
- T1018 Remote System Discovery
- T1070 Indicator Removal on Host
- T1078 Valid Accounts
- T1003 Credential Dumping
- T1074 Data Staged
- T1064 Scripting
- T1133 External Remote Services
- T1119 Automated Collection
FIN6
- T1087 Account Discovery
- T1018 Remote System Discovery
- T1053 Scheduled Task
- T1022 Data Encrypted
- T1076 Remote Desktop Protocol
- T1119 Automated Collection
- T1002 Data Compressed
- T1068 Exploitation for Privilege Escalation
- T1086 PowerShell
- T1046 Network Service Scanning
- T1064 Scripting
- T1060 Registry Run Keys / Startup Folder
- T1074 Data Staged
- T1078 Valid Accounts
- T1003 Credential Dumping
- T1071 Standard Application Layer Protocol
- T1032 Standard Cryptographic Protocol
- T1036 Masquerading
- T1102 Web Service
- T1069 Permission Groups Discovery
- T1035 Service Execution
- T1116 Code Signing
- T1047 Windows Management Instrumentation
- T1194 Spearphishing via Service
FIN7
- T1125 Video Capture
- 

- T1193 Spearphishing Attachment
- T1192 Spearphishing Link
- T1064 Scripting
- T1043 Commonly Used Port
- T1027 Obfuscated Files or Information
- T1071 Standard Application Layer Protocol
- T1060 Registry Run Keys / Startup Folder
- T1074 Data Staged
- T1025 Data from Removable Media
- T1053 Scheduled Task
- T1032 Standard Cryptographic Protocol
- T1204 User Execution
Magic Hound
- T1043 Commonly Used Port
- T1083 File and Directory Discovery
- T1105 Remote File Copy
- T1064 Scripting
- T1114 Email Collection
- T1059 Command-Line Interface
- T1033 System Owner/User Discovery
- T1016 System Network Configuration Discovery
- T1027 Obfuscated Files or Information
- T1193 Spearphishing Attachment
- T1082 System Information Discovery
- T1065 Uncommonly Used Port
- T1002 Data Compressed
- T1194 Spearphishing via Service
- T1060 Registry Run Keys / Startup Folder
- T1086 PowerShell
- T1107 File Deletion
- T1204 User Execution
- T1057 Process Discovery
- T1192 Spearphishing Link
- T1102 Web S

- T1018 Remote System Discovery
- T1087 Account Discovery
- T1105 Remote File Copy
- T1022 Data Encrypted
- T1108 Redundant Access
- T1038 DLL Search Order Hijacking
- T1071 Standard Application Layer Protocol
- T1086 PowerShell
- T1073 DLL Side-Loading
- T1055 Process Injection
- T1049 System Network Connections Discovery
- T1133 External Remote Services
- T1027 Obfuscated Files or Information
- T1088 Bypass User Account Control
- T1028 Windows Remote Management
- T1068 Exploitation for Privilege Escalation
- T1030 Data Transfer Size Limits
- T1047 Windows Management Instrumentation
- T1002 Data Compressed
- T1107 File Deletion
- T1003 Credential Dumping
- T1126 Network Share Connection Removal
- T1016 System Network Configuration Discovery
- T1043 Commonly Used Port
- T1059 Command-Line Interface
- T1112 Modify Registry
- T1189 Drive-by Compromise
- T1078 Valid Accounts
- T1005 Data from Local System
- T1074 Data Staged
- T1056 Input Capture
- T1119 Automated Collection
- T1089 Disab

In [6]:
for actor in attack.actors:
    if actor.name == 'APT28':
        print('Techniques\n====')
        for technique in actor.techniques:
            print('-', technique.id, technique.name)
        print('Tools\n=====')
        for tool in actor.tools:
            print(tool.name, '-', tool.description.replace('\n', ' '))
        print('\nMalware\n=====')
        for malware in actor.malwares:
            print(malware.name, '-', malware.description)

Techniques
====
- T1001 Data Obfuscation
- T1091 Replication Through Removable Media
- T1114 Email Collection
- T1105 Remote File Copy
- T1173 Dynamic Data Exchange
- T1158 Hidden Files and Directories
- T1099 Timestomp
- T1192 Spearphishing Link
- T1120 Peripheral Device Discovery
- T1113 Screen Capture
- T1083 File and Directory Discovery
- T1070 Indicator Removal on Host
- T1204 User Execution
- T1122 Component Object Model Hijacking
- T1193 Spearphishing Attachment
- T1213 Data from Information Repositories
- T1037 Logon Scripts
- T1059 Command-Line Interface
- T1040 Network Sniffing
- T1067 Bootkit
- T1068 Exploitation for Privilege Escalation
- T1211 Exploitation for Defense Evasion
- T1119 Automated Collection
- T1134 Access Token Manipulation
- T1025 Data from Removable Media
- T1074 Data Staged
- T1075 Pass the Hash
- T1078 Valid Accounts
- T1199 Trusted Relationship
- T1085 Rundll32
- T1071 Standard Application Layer Protocol
- T1086 PowerShell
- T1092 Communication Through R

In [3]:
from collections import Counter

mitigations_counter = Counter([
    mitigation.name
    for technique in attack.techniques
    for mitigation in technique.mitigations])

In [4]:
mitigations_counter.most_common()

[('Privileged Account Management', 37),
 ('User Account Management', 37),
 ('Execution Prevention', 32),
 ('Restrict File and Directory Permissions', 29),
 ('Network Intrusion Prevention', 28),
 ('Disable or Remove Feature or Program', 24),
 ('Audit', 23),
 ('Network Segmentation', 22),
 ('Operating System Configuration', 18),
 ('Update Software', 17),
 ('User Training', 17),
 ('Password Policies', 17),
 ('Filter Network Traffic', 15),
 ('Multi-factor Authentication', 13),
 ('Code Signing', 10),
 ('Restrict Web-Based Content', 10),
 ('Encrypt Sensitive Information', 10),
 ('Application Isolation and Sandboxing', 10),
 ('Exploit Protection', 10),
 ('Software Configuration', 8),
 ('User Account Control', 6),
 ('Data Backup', 6),
 ('Antivirus/Antimalware', 6),
 ('Limit Access to Resource Over Network', 5),
 ('Active Directory Configuration', 5),
 ('Restrict Registry Permissions', 5),
 ('Remote Data Storage', 4),
 ('Threat Intelligence Program', 4),
 ('Privileged Process Integrity', 3),
 (

<hr>

# Part 2 - Generate Coverage Spreadsheet

This part groups every technique by the data sources ATT&CK lists for it (optionally only the techniques a given group is known to use) and writes a spreadsheet with one row per data source, so each can be marked as available in the organization; Part 3 reads those marks back to score detection coverage.

## Group Techniques by Data Source

In [9]:
from collections import defaultdict

def group_techniques_by_data_source(attack, actor_name=None):
    data_sources = defaultdict(list)
    for technique in attack.techniques:
        if actor_name:
            related_actors = [actor.name for actor in technique.actors]
            if actor_name not in related_actors:
                continue
        if technique.data_source:
            for data_source in technique.data_source:
                data_sources[data_source].append(technique.id)
    return data_sources

In [10]:
data_source_map = group_techniques_by_data_source(attack)

In [11]:
data_source_map.keys()

dict_keys(['File monitoring', 'Process monitoring', 'Process command-line parameters', 'Process use of network', 'API monitoring', 'Access tokens', 'Windows Registry', 'Windows event logs', 'Azure activity logs', 'Office 365 account logs', 'Authentication logs', 'Packet capture', 'Loaded DLLs', 'System calls', 'OAuth audit logs', 'DLL monitoring', 'Data loss prevention', 'Binary file metadata', 'Malware reverse engineering', 'MBR', 'VBR', 'Network protocol analysis', 'Browser extensions', 'AWS CloudTrail logs', 'Office 365 audit logs', 'Stackdriver logs', 'Netflow/Enclave netflow', 'Disk forensics', 'Component firmware', 'PowerShell logs', 'Host network interface', 'Network intrusion detection system', 'Kernel drivers', 'Application logs', 'Third-party application logs', 'Web application firewall logs', 'Web logs', 'Services', 'Anti-virus', 'SSL/TLS inspection', 'Network device logs', 'DNS records', 'Web proxy', 'Office 365 trace logs', 'Mail server', 'Email gateway', 'User interface',

In [71]:
data_source_map['Authentication logs']

['T1098',
 'T1110',
 'T1088',
 'T1146',
 'T1522',
 'T1175',
 'T1136',
 'T1207',
 'T1213',
 'T1114',
 'T1212',
 'T1133',
 'T1148',
 'T1147',
 'T1185',
 'T1126',
 'T1075',
 'T1097',
 'T1108',
 'T1076',
 'T1021',
 'T1178',
 'T1184',
 'T1199',
 'T1078',
 'T1506',
 'T1100',
 'T1077',
 'T1047',
 'T1028']

In [12]:
apt1_data_source_map = group_techniques_by_data_source(attack, actor_name='APT1')
apt1_data_source_map.keys()

dict_keys(['Azure activity logs', 'Office 365 account logs', 'API monitoring', 'Process monitoring', 'Process command-line parameters', 'File monitoring', 'Data loss prevention', 'PowerShell logs', 'Binary file metadata', 'Office 365 trace logs', 'Mail server', 'Email gateway', 'Authentication logs', 'Process use of network', 'Network protocol analysis', 'Netflow/Enclave netflow'])

In [13]:
apt1_data_source_map['Authentication logs']

['T1114', 'T1075', 'T1076']

## Generate the spreadsheet

In [14]:
import pandas as pd

def create_data_source_spreadsheet(data_source_map, fp='Data Source Coverage Spreadsheet.xlsx'):
    (pd.DataFrame([
        {'Data Source': data_source, 'Techniques': techniques}
         for data_source, techniques in data_source_map.items()])
     .assign(**{'Num of Techniques': lambda df: df.Techniques.str.len(),
                'Data Source Available?': '',
                'Comments': ''})
     .drop(columns=['Techniques'])
     .set_index('Data Source')
     .sort_index()
     .to_excel(fp))
    
    print(f'Wrote data source coverage spreadsheet to {fp}')

In [15]:
create_data_source_spreadsheet(data_source_map)

Wrote data source coverage spreadsheet to Data Source Coverage Spreadsheet.xlsx


In [73]:
create_data_source_spreadsheet(apt1_data_source_map, fp='APT1 Data Source Coverage Spreadsheet.xlsx')

Wrote data source coverage spreadsheet to APT1 Data Source Coverage Spreadsheet.xlsx


<hr>

# Part 3 - Generate Layer File

> ref: https://github.com/mitre-attack/attack-navigator/blob/master/layers/LAYERFORMATv2_2.md

In [16]:
from pathlib import Path
from collections import defaultdict
import json


class NavigatorLayer(object):
    def __init__(self, version='2.2', name='Default Layer Name',
                 description='Default Description', domain='mitre-enterprise',
                 colors=['#ffffff', '#b3d9ff'], min_value=0, max_value=100,
                 sorting=0, view_mode=0, hide_disabled=False, stages=['act'], metadata=None,
                 platforms=['Windows', 'SaaS', 'Azure AD', 'Azure', 'GCP',
                            'Office 365', 'AWS', 'macOS', 'Linux']):
        self.content = {
            'name': name,
            'version': version,
            'domain': domain,
            'description': description,
            'filters': {
                'stages': stages,
                'platforms': platforms
            },
            'gradient': {
                'colors': colors,
                'maxValue': max_value,
                'minValue': min_value
            },
            'sorting': sorting,
            'viewMode': view_mode,
            'hideDisabled': hide_disabled,
            'metadata': [],
            'techniques': []}

        if metadata:
            self.content['metadata'].extend(metadata)

    def to_json(self, fp):
        data = json.dumps(self.content, indent=4)
        Path(fp).write_text(data)

In [17]:
import pandas as pd


def populate_layer_from_spreadsheet(attack, actor_name=None, 
                                    spreadsheet_fp='Data Source Coverage Spreadsheet.xlsx'):
    layer_content = []
    spreadsheet = pd.read_excel(spreadsheet_fp)
    # Blank cells come back as NaN and the .str accessor raises on an all-NaN
    # column, so normalise to strings first; only rows marked "yes" count.
    availability = spreadsheet['Data Source Available?'].fillna('').astype(str)
    available_data_sources = spreadsheet[availability.str.strip().str.lower() == 'yes']

    covered_techniques = defaultdict(list)
    for technique in attack.techniques:
        
        # When scoping to one group, techniques it is not known to use are
        # written as disabled so they can be hidden in the Navigator.
        if actor_name:
            related_actors = [actor.name for actor in technique.actors]
            if actor_name not in related_actors:
                layer_content.append({
                    'techniqueID': technique.id,
                    'enabled': False})
                continue
            
        for data_source in available_data_sources['Data Source'].unique():
            if technique.data_source and data_source in technique.data_source:
                covered_techniques[technique.id].append(data_source)

    # Score = number of available data sources that can observe the technique.
    for technique in covered_techniques:
        layer_content.append({
            'techniqueID': technique,
            'score': len(covered_techniques[technique]),
            'metadata': [{
                'name': 'Data Sources',
                'value': ', '.join(covered_techniques[technique])}]})

    return layer_content

In [21]:
layer = NavigatorLayer(
    name='Data Source Coverage Map',
    description='Shows techniques where the organization has a relevant data source',
    max_value=1)

In [22]:
layer.content['techniques'] = populate_layer_from_spreadsheet(
    attack, spreadsheet_fp='Data Source Coverage Spreadsheet.xlsx')

In [23]:
layer.content

{'name': 'Data Source Coverage Map',
 'version': '2.2',
 'domain': 'mitre-enterprise',
 'description': 'Shows techniques where the organization has a relevant data source',
 'filters': {'stages': ['act'],
  'platforms': ['Windows',
   'SaaS',
   'Azure AD',
   'Azure',
   'GCP',
   'Office 365',
   'AWS',
   'macOS',
   'Linux']},
 'gradient': {'colors': ['#ffffff', '#b3d9ff'], 'maxValue': 1, 'minValue': 0},
 'sorting': 0,
 'viewMode': 0,
 'hideDisabled': False,
 'metadata': [],
 'techniques': [{'techniqueID': 'T1134',
   'score': 1,
   'metadata': [{'name': 'Data Sources', 'value': 'API monitoring'}]},
  {'techniqueID': 'T1531',
   'score': 1,
   'metadata': [{'name': 'Data Sources', 'value': 'Windows event logs'}]},
  {'techniqueID': 'T1087',
   'score': 1,
   'metadata': [{'name': 'Data Sources', 'value': 'API monitoring'}]},
  {'techniqueID': 'T1098',
   'score': 3,
   'metadata': [{'name': 'Data Sources',
     'value': 'API monitoring, Packet capture, Windows event logs'}]},
  {'t

In [24]:
layer.to_json('data_source_layer.json')

In [84]:
apt1_layer = NavigatorLayer(
    name='APT1 Data Source Coverage Map',
    description='Shows techniques where the organization has a relevant data source to detect APT1',
    hide_disabled=True,
    max_value=1)

apt1_layer.content['techniques'] = populate_layer_from_spreadsheet(
    attack, actor_name='APT1', spreadsheet_fp='APT1 Data Source Coverage Spreadsheet.xlsx')

apt1_layer.to_json('APT1_layer.json')
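
The layer dict above is assembled by hand and never checked against the format it references, and it is created with `max_value=1` while the output in `In [23]` shows T1098 scoring 3: scores above `maxValue` all get the top gradient colour, so a technique observed by three data sources is drawn exactly like one observed by a single source. As an added example (not part of the notebook), here is a validator for the v2.2 layer shape used in Part 3 together with a helper that stretches the gradient to the highest score; the layer inline is a constructed copy of the Part 3 output with a duplicate and a malformed entry added on purpose.

```python
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1134 or sub-technique T1134.001
REQUIRED = ("name", "version", "domain", "techniques")

# Constructed layer shaped like the Part 3 output: maxValue is 1 although T1098 is
# observed by three data sources; a duplicate and a malformed entry are added on purpose.
SAMPLE_LAYER = {
    "name": "Data Source Coverage Map", "version": "2.2", "domain": "mitre-enterprise",
    "gradient": {"colors": ["#ffffff", "#b3d9ff"], "maxValue": 1, "minValue": 0},
    "techniques": [
        {"techniqueID": "T1134", "score": 1,
         "metadata": [{"name": "Data Sources", "value": "API monitoring"}]},
        {"techniqueID": "T1098", "score": 3,
         "metadata": [{"name": "Data Sources",
                       "value": "API monitoring, Packet capture, Windows event logs"}]},
        {"techniqueID": "T1134", "score": 1, "metadata": []},
        {"techniqueID": "1134", "enabled": False},
    ],
}

def validate_layer(content):
    """Return the problems found in a Navigator layer dict (empty list means it passes)."""
    problems = [f"missing top-level key {k!r}" for k in REQUIRED if k not in content]
    gradient = content.get("gradient", {})
    lo, hi = gradient.get("minValue", 0), gradient.get("maxValue", 100)
    seen = set()
    for entry in content.get("techniques", []):
        tid = entry.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed techniqueID {tid!r}")
        if tid in seen:
            problems.append(f"duplicate techniqueID {tid}")
        seen.add(tid)
        score = entry.get("score")
        if score is not None and not lo <= score <= hi:
            # Scores outside the gradient range all get the end colour, hiding differences
            problems.append(f"{tid}: score {score} outside gradient range [{lo}, {hi}]")
        for md in entry.get("metadata", []):
            if not {"name", "value"} <= set(md):
                problems.append(f"{tid}: metadata entries need both name and value")
    return problems

def fit_gradient(content):
    """Set gradient maxValue to the highest score so the colour scale is not clamped."""
    scores = [e["score"] for e in content.get("techniques", []) if "score" in e]
    if scores:
        content.setdefault("gradient", {})["maxValue"] = max(scores)
    return content

if __name__ == "__main__":
    for problem in validate_layer(SAMPLE_LAYER):
        print("-", problem)
    print(fit_gradient(SAMPLE_LAYER)["gradient"])
```

Run `validate_layer(layer.content)` before `layer.to_json(...)`; if it reports scores above the gradient, call `fit_gradient(layer.content)` or pass a larger `max_value` to `NavigatorLayer`.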