(ns ctim.schemas.tool
(:require #?(:clj [flanders.core :as f :refer [def-entity-type def-map-type def-eq]]
:cljs [flanders.core :as f :refer-macros [def-entity-type def-map-type def-eq]])
[ctim.schemas.common :as c]
[ctim.schemas.vocabularies :as v]))
;; The CTIM type discriminator for this entity; every Tool carries :type "tool".
(def type-identifier "tool")

;; flanders equality type: accepts only the exact value of `type-identifier`,
;; so :type cannot be anything other than "tool" once validated.
(def-eq ToolTypeIdentifier type-identifier)
;; Human-readable description of the Tool entity, used as the :description
;; of the Tool schema below (defender-facing: the entity models dual-use,
;; legitimate software observed in campaigns, as distinct from Malware).
(def tool-desc
  (str "Tools are legitimate software that can be used by threat actors to "
       "perform attacks. Knowing how and when threat actors use such tools can "
       "be important for understanding how campaigns are executed. Unlike "
       "malware, these tools or software packages are often found on a system "
       "and have legitimate purposes for power users, system administrators, "
       "network administrators, or even normal users. Remote access tools "
       "(e.g., RDP) and network scanning tools (e.g., Nmap) are examples of "
       "Tools that may be used by a Threat Actor during an attack."))
;; Markdown link to the external specification of the Tool entity; used as the
;; :reference of the Tool schema below.
(def tool-desc-link
  "[Tool](https://docs.google.com/document/d/1IvkLxg_tCnICsatu2lyxKmWmh1gY2h8HUNssKIE-UIA/pub#h.z4voa9ndw8v)")
;; Schema for a stored Tool entity.
;;
;; Composition: the shared entry groups from ctim.schemas.common (base entity
;; fields, source attribution, description fields), followed by the Tool-specific
;; required and optional entries declared inline below.
;;
;; Required:
;;   :type    - fixed to "tool" via ToolTypeIdentifier.
;;   :labels  - one or more values from the v/ToolLabel vocabulary; this is the
;;              only field that says what kind of tool is being described.
;; Optional:
;;   :kill_chain_phases - vector of c/KillChainPhase.
;;   :tool_version      - c/ShortString (presumably length-bounded; confirm in
;;                        ctim.schemas.common).
;;   :x_mitre_aliases   - vector of c/ShortString mirroring ATT&CK
;;                        Software.aliases; free-form text, not a vocabulary.
(def-entity-type Tool
  {:description tool-desc
   :reference tool-desc-link}
  c/base-entity-entries
  c/sourcable-object-entries
  c/described-entity-entries
  (f/required-entries
   (f/entry :type ToolTypeIdentifier)
   (f/entry :labels [v/ToolLabel]
            :description "The kind(s) of tool(s) being described."))
  (f/optional-entries
   (f/entry :kill_chain_phases [c/KillChainPhase]
            :description (str "The list of kill chain phases for which this "
                              "Tool can be used."))
   (f/entry :tool_version c/ShortString
            :description (str "The version identifier associated with the Tool."))
   (f/entry :x_mitre_aliases [c/ShortString]
            :description "ATT&CK Software.aliases")))
;; Schema for a Tool as submitted by a client, before it is stored.
;;
;; Reuses every entry of Tool via (:entries Tool), adds the shared
;; c/base-new-entity-entries, and then relaxes :type from required to optional.
;; A submission may therefore omit :type; it is still constrained to "tool" when
;; present. NOTE(review): the missing :type is presumably filled in by the
;; receiving service — confirm there, since this schema does not default it.
(def-entity-type NewTool
  "For submitting a new Tool"
  (:entries Tool)
  c/base-new-entity-entries
  (f/optional-entries
   (f/entry :type ToolTypeIdentifier)))
;; Reference schema for pointing at a Tool from other entities, built by the
;; shared c/ref-for-type helper from this entity's type identifier ("tool").
(def ToolRef
  (c/ref-for-type type-identifier))