In [1]:
%load_ext autoreload
%autoreload 2
import json
from collections import Counter
from operator import itemgetter

import certifi
import urllib3
from IPython.display import HTML, display

import HTMLx

In [2]:
# Local copy of the ATT&CK Enterprise bundle and the location it is fetched from.
# The URL tracks the repository's master branch, so every count in this notebook
# moves as the dataset is updated; put a commit id in place of "master" when a
# run has to be reproducible.
MITREFILE = "enterprise-attack.json"
MITREURL = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"

In [3]:
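# Fetch the bundle over TLS with certificate verification against the certifi
# store and stream it to disk in chunks rather than holding it in memory.
http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED', ca_certs=certifi.where())
chunk_size = 1024
r = http.request('GET', MITREURL, preload_content=False)
try:
    # Without this check a non-200 body (error page, rate-limit notice) is written
    # over the local dataset and only surfaces later as a confusing JSON error.
    if r.status != 200:
        raise RuntimeError("GET {} returned HTTP {}".format(MITREURL, r.status))
    with open(MITREFILE, 'wb') as out:
        for data in r.stream(chunk_size):
            out.write(data)
finally:
    # Return the connection to the pool even when the download fails part-way.
    r.release_conn()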

In [4]:
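# Parse the downloaded bundle. The encoding is given explicitly because open()'s
# default is locale-dependent (e.g. cp1252 on Windows) and the file is UTF-8 JSON;
# json.load never executes content, so parsing the fetched file is safe.
with open(MITREFILE, encoding="utf-8") as f:
    m = json.load(f)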

In [5]:
print( len(m["objects"]))

4548


# Number of objects of each type

In [6]:
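def _tally_key(o):
    """Return the tally key for one bundle object.

    Plain objects are keyed by their ``type``; relationships are expanded to
    ``relationship:<source type>-><relationship_type>-><target type>`` so each
    kind of edge is counted separately. The source/target type is the part of
    the reference id before the ``--`` separator.
    """
    t = o["type"]
    if t == "relationship":
        # split() keeps the whole id when "--" is absent; the find()-based slice
        # it replaces would silently drop the last character in that case.
        s = o["source_ref"].split("--", 1)[0]
        d = o["target_ref"].split("--", 1)[0]
        t += ":" + s + "->" + o["relationship_type"] + "->" + d
    return t


res = dict()
for o in m["objects"]:
    t = _tally_key(o)
    res[t] = res.get(t, 0) + 1

# Render the table once and reuse it for the inline display and the saved file.
objects_table = HTMLx.html_table(["Object", "Cnt"], [[k, v] for k, v in res.items()])
display(HTML(objects_table))
# Explicit UTF-8 so object names outside the locale's charset cannot break the write.
with open("objects.html", "w", encoding="utf-8") as f:
    f.write(objects_table)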


Object,Cnt
attack-pattern,223
relationship:course-of-action->mitigates->attack-pattern,222
relationship:intrusion-set->uses->attack-pattern,884
relationship:intrusion-set->uses->malware,199
relationship:intrusion-set->uses->tool,144
relationship:malware->uses->attack-pattern,2065
relationship:tool->uses->attack-pattern,208
relationship:intrusion-set->revoked-by->intrusion-set,2
relationship:malware->revoked-by->malware,1
course-of-action,222


In [7]:
# Platform the following cells filter techniques on; change it here to re-run
# the analysis for another OS. (Shadows the stdlib `platform` module name,
# which this notebook does not import.)
platform = "Windows"
heading = "<H1>{}</H1>".format(platform)
display(HTML(heading))

## Techniques used by APT actors

In [8]:
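USAGE_CATEGORIES = ["intrusion-set", "malware", "tool"]  # APT groups, malware, tools


def _mitre_id(o):
    """Return the ATT&CK id (e.g. T1064) from the object's ``mitre-attack`` reference.

    Raises IndexError when the object carries no such reference, as the inline
    lookup it replaces did.
    """
    refs = [x for x in o.get("external_references", []) if x["source_name"] == "mitre-attack"]
    return refs[0]["external_id"]


def _index_uses_by_target(objects):
    """Map target_ref -> list of source object types for every ``uses`` relationship.

    Built once so the per-technique tally is a dictionary lookup instead of a
    full pass over the bundle per technique (the original nested loop was
    O(techniques x objects)).
    """
    index = dict()
    for rel in objects:
        if rel["type"] == "relationship" and rel.get("relationship_type") == "uses":
            src_type = rel["source_ref"].split("--", 1)[0]
            index.setdefault(rel["target_ref"], []).append(src_type)
    return index


def _technique_usage(objects, platform):
    """Count who ``uses`` each attack-pattern that lists ``platform``.

    Returns ``{"<Txxxx>: <name>": {"intrusion-set": n, "malware": n, "tool": n,
    "x_mitre_data_sources": [...]}}``. Objects without ``x_mitre_platforms`` are
    skipped instead of raising. NOTE(review): revoked/deprecated techniques are
    not filtered out, consistent with the object counts above — confirm that is
    intended before comparing numbers with the ATT&CK site.
    """
    uses_by_target = _index_uses_by_target(objects)
    usage = dict()
    for o in objects:
        if o["type"] != "attack-pattern" or platform not in o.get("x_mitre_platforms", []):
            continue
        k = _mitre_id(o) + ": " + o["name"]
        entry = {c: 0 for c in USAGE_CATEGORIES}
        for src_type in uses_by_target.get(o["id"], []):
            if src_type in entry:
                entry[src_type] += 1
        entry["x_mitre_data_sources"] = o.get("x_mitre_data_sources", [])
        usage[k] = entry
    return usage


res = _technique_usage(m["objects"], platform)

# Rank techniques by the number of intrusion sets (APT groups) using them.
rows = sorted(
    ((k, v["intrusion-set"], v["malware"], v["tool"], v["x_mitre_data_sources"]) for k, v in res.items()),
    key=itemgetter(1), reverse=True)
# NOTE(review): the data sources are joined with raw "<BR>" tags, which relies on
# html_table not escaping cell values; every other cell (technique names included)
# is therefore also inserted as raw HTML. The values come from the bundle fetched
# above, so keep this table for that dataset only.
data = [[kk, aa, mm, tt, "<BR>".join(ds)] for kk, aa, mm, tt, ds in rows]

display(HTML(HTMLx.html_table(["technique", "intrusion-set", "malware", "tool", "data_sources"], data)))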

techique,intrusion-set,malware,tool,data_sources
T1064: Scripting,31,19,3,Process monitoring File monitoring Process command-line parameters
T1086: PowerShell,28,15,3,Windows Registry File monitoring Process monitoring Process command-line parameters
T1003: Credential Dumping,27,21,13,API monitoring Process monitoring PowerShell logs Process command-line parameters
T1204: User Execution,26,1,0,Anti-virus Process command-line parameters Process monitoring
T1027: Obfuscated Files or Information,24,62,2,Network protocol analysis Process use of network File monitoring Malware reverse engineering Binary file metadata Process command-line parameters Environment variable Process monitoring Windows event logs Network intrusion detection system Email gateway SSL/TLS inspection
T1059: Command-Line Interface,23,85,4,Process monitoring Process command-line parameters
T1060: Registry Run Keys / Startup Folder,23,68,2,Windows Registry File monitoring
T1105: Remote File Copy,23,97,6,File monitoring Packet capture Process use of network Netflow/Enclave netflow Network protocol analysis Process monitoring
T1193: Spearphishing Attachment,23,0,0,File monitoring Packet capture Network intrusion detection system Detonation chamber Email gateway Mail server
T1071: Standard Application Layer Protocol,21,104,2,Packet capture Netflow/Enclave netflow Process use of network Malware reverse engineering Process monitoring


## Telemetry required for Techniques

In [9]:
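# Count how many platform techniques cite each data source, and collect the
# techniques that cite none.
res = Counter()
no_data_sources = list()
for o in m["objects"]:
    # Objects without x_mitre_platforms are skipped rather than raising KeyError.
    if o["type"] != "attack-pattern" or platform not in o.get("x_mitre_platforms", []):
        continue
    sources = o.get("x_mitre_data_sources")
    # An empty list means "no telemetry specified" just as a missing key does;
    # the previous `is None` test let empty lists fall through uncounted.
    if not sources:
        no_data_sources.append(o["name"])
    else:
        res.update(sources)

# most_common() orders by count descending and keeps first-seen order for ties,
# the same result as sorted(res.items(), key=itemgetter(1), reverse=True).
display(HTML(
    HTMLx.html_table(["data_sources", "attack-pattern"],
                     [[key, value] for key, value in res.most_common()])
))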

data_sources,attack-pattern
Process monitoring,136
Process command-line parameters,76
File monitoring,68
API monitoring,39
Process use of network,36
Windows Registry,34
Packet capture,32
Authentication logs,24
Netflow/Enclave netflow,24
Windows event logs,19


## Windows techniques without required telemetry specified

In [10]:
# One technique name per line; an empty list prints nothing, as before.
if no_data_sources:
    print("\n".join(no_data_sources))

Peripheral Device Discovery
