Collect Matrix Specific Functions#
This project also comes with functions that collect several STIX objects from a specific ATT&CK matrix. These functions let you collect more data with fewer API requests, one matrix at a time.
Import ATTACK API Client#
from attackcti import attack_client
Import Extra Libraries#
import pandas
import json
import logging
logging.getLogger('taxii2client').setLevel(logging.CRITICAL)
pandas.__version__
'1.3.5'
Initialize ATT&CK Client Variable#
lift = attack_client()
Collect Enterprise ATT&CK#
We can start by collecting everything from Enterprise ATT&CK: 'techniques', 'data-component', 'mitigations', 'groups', 'malware', 'tools', 'data-source', 'relationships', 'tactics', 'matrix', 'identity' and 'marking-definition'. This function returns a dictionary whose keys correspond to each type of object available in the matrix.
%time enterprise = lift.get_enterprise()
Wall time: 9.6 s
enterprise.keys()
dict_keys(['techniques', 'data-component', 'mitigations', 'groups', 'malware', 'tools', 'data-source', 'relationships', 'tactics', 'matrix', 'identity', 'marking-definition'])
Access All Enterprise Techniques#
We can then access specific information, such as techniques, from all the data collected from Enterprise ATT&CK:
print("Number of Techniques in Enterprise ATT&CK")
len(enterprise['techniques'])
Number of Techniques in Enterprise ATT&CK
566
By default, the data returned by the functions in the attackcti library is of type stix2. However, to work with libraries such as pandas, each object needs to be converted to type dict (here by serializing it to JSON and loading it back):
techniques = []
for t in enterprise['techniques']:
techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]
 | created | name | x_mitre_data_sources | x_mitre_platforms
---|---|---|---|---
0 | 2021-10-12T20:02:31.866Z | Resource Forking | [File: File Creation, Process: Process Creatio... | [macOS]
1 | 2021-10-08T14:06:28.212Z | Downgrade Attack | [Command: Command Execution, Process: Process ... | [Windows, Linux, macOS]
2 | 2021-10-05T21:26:15.081Z | Login Items | [Process: Process Creation, File: File Modific... | [macOS]
3 | 2021-10-05T01:15:06.293Z | Reflective Code Loading | [Script: Script Execution, Process: OS API Exe... | [macOS, Linux, Windows]
4 | 2021-10-01T17:58:26.445Z | Cloud Storage Object Discovery | [Cloud Storage: Cloud Storage Enumeration, Clo... | [IaaS]
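The conversion above works because every technique is a stix2 object with a serialize() method, but the tactics and data sources shown later on this page already come back as plain dicts, so calling serialize() unconditionally fails on them. The following helper is an added example (not code from the attackcti project) that generalizes the conversion to both shapes, drops revoked or deprecated techniques before counting, and maps technique names to their ATT&CK ids. FakeStixObject, the SAMPLE list and the ids other than T1564.009 are constructed stand-ins; to_dataframe imports pandas lazily so the rest runs without it.

```python
import json


# Constructed stand-in for a stix2 object: it only provides the serialize()
# method the conversion relies on. Real objects come from attackcti / stix2.
class FakeStixObject:
    def __init__(self, **props):
        self._props = props

    def serialize(self):
        return json.dumps(self._props)


def to_records(objects):
    """Turn a list of stix2 objects *or* plain dicts into JSON-compatible dicts.

    attackcti returns stix2 objects for most types, but tactics and data
    sources already come back as dicts, so .serialize() is only called on
    objects that are not dicts.
    """
    records = []
    for obj in objects:
        if isinstance(obj, dict):
            records.append(dict(obj))
        else:
            records.append(json.loads(obj.serialize()))
    return records


def active_techniques(records, platform=None):
    """Drop revoked or deprecated techniques and optionally filter by platform.

    ATT&CK keeps revoked/deprecated objects in the bundle, so raw counts such
    as len(enterprise['techniques']) include them.
    """
    out = []
    for r in records:
        if r.get("revoked") or r.get("x_mitre_deprecated"):
            continue
        if platform is not None and platform not in r.get("x_mitre_platforms", []):
            continue
        out.append(r)
    return out


def technique_ids(records):
    """Map each technique name to its ATT&CK external id (e.g. T1564.009)."""
    ids = {}
    for r in records:
        for ref in r.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                ids[r["name"]] = ref["external_id"]
                break
    return ids


def to_dataframe(records, columns):
    """Flatten records with pandas.json_normalize, keeping only `columns`.

    pandas is imported lazily so the helpers above work without it installed."""
    import pandas
    return pandas.json_normalize(records).reindex(columns, axis=1)


# Constructed sample: shapes follow the technique object printed above. Only
# "Resource Forking" / T1564.009 is taken from the page; T0000 and T9999 are
# placeholder ids, not real ATT&CK techniques.
SAMPLE = [
    FakeStixObject(type="attack-pattern", name="Resource Forking", revoked=False,
                   x_mitre_platforms=["macOS"],
                   external_references=[{"source_name": "mitre-attack",
                                         "external_id": "T1564.009"}]),
    FakeStixObject(type="attack-pattern", name="Old Technique", revoked=True,
                   x_mitre_platforms=["Windows"],
                   external_references=[{"source_name": "mitre-attack",
                                         "external_id": "T9999"}]),
    {"type": "attack-pattern", "name": "Deprecated One", "x_mitre_deprecated": True,
     "x_mitre_platforms": ["Linux"], "external_references": []},
    {"type": "attack-pattern", "name": "Cross Platform", "revoked": False,
     "x_mitre_platforms": ["Windows", "Linux", "macOS"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
]

if __name__ == "__main__":
    records = to_records(SAMPLE)
    macos = active_techniques(records, platform="macOS")
    print(len(records), "records,", len(macos), "active on macOS")
    print(technique_ids(macos))
```

On real data, pass enterprise['techniques'] (or enterprise_techniques) to to_records and then to active_techniques; the difference between len(records) and len(active_techniques(records)) is the number of revoked or deprecated entries hidden in the raw count.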
Collect Enterprise Techniques#
Rather than collecting all STIX objects from Enterprise ATT&CK and filtering on only techniques, we can use the following function to retrieve only techniques from the ATT&CK TAXII server.
enterprise_techniques = lift.get_enterprise_techniques()
print("Number of Techniques in Enterprise ATT&CK")
len(enterprise_techniques)
Number of Techniques in Enterprise ATT&CK
566
enterprise_techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-12T20:02:31.866Z', modified='2021-10-16T01:50:40.276Z', name='Resource Forking', description='Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1564/009', external_id='T1564.009'), ExternalReference(source_name='macOS Hierarchical File System Overview', description='Tenon. (n.d.). 
Retrieved October 12, 2021.', url='http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553'), ExternalReference(source_name='Resource and Data Forks', description='Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.', url='https://flylib.com/books/en/4.395.1.192/1/'), ExternalReference(source_name='ELC Extended Attributes', description="Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.", url='https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/'), ExternalReference(source_name='sentinellabs resource named fork 2020', description='Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.', url='https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/'), ExternalReference(source_name='tau bundlore erika noerenberg 2020', description='Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.', url='https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Jaron Bradley @jbradley89', 'Ivan Sinyakov'], x_mitre_data_sources=['File: File Creation', 'Process: Process Creation', 'File: File Metadata', 'Command: Command Execution'], x_mitre_defense_bypassed=['Notarization; Gatekeeper'], x_mitre_detection='Identify files with the <code>com.apple.ResourceFork</code> extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['macOS'], x_mitre_version='1.0')
techniques = []
for t in enterprise_techniques:
techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]
 | created | name | x_mitre_data_sources | x_mitre_platforms
---|---|---|---|---
0 | 2021-10-12T20:02:31.866Z | Resource Forking | [File: File Creation, Process: Process Creatio... | [macOS]
1 | 2021-10-08T14:06:28.212Z | Downgrade Attack | [Command: Command Execution, Process: Process ... | [Windows, Linux, macOS]
2 | 2021-10-05T21:26:15.081Z | Login Items | [Process: Process Creation, File: File Modific... | [macOS]
3 | 2021-10-05T01:15:06.293Z | Reflective Code Loading | [Script: Script Execution, Process: OS API Exe... | [macOS, Linux, Windows]
4 | 2021-10-01T17:58:26.445Z | Cloud Storage Object Discovery | [Cloud Storage: Cloud Storage Enumeration, Clo... | [IaaS]
Collect Enterprise Mitigations#
enterprise_mitigations = lift.get_enterprise_mitigations()
print("Number of Mitigations in Enterprise ATT&CK")
len(enterprise_mitigations)
Number of Mitigations in Enterprise ATT&CK
267
enterprise_mitigations[0]
CourseOfAction(type='course-of-action', id='course-of-action--65401701-019d-44ff-b223-08d520bb0e7b', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-08-04T21:22:11.612Z', modified='2021-08-30T15:00:10.680Z', name='Data Loss Prevention', description='Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)', revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/mitigations/M1057', external_id='M1057'), ExternalReference(source_name='PurpleSec Data Loss Prevention', description='Michael Swanagan. (2020, October 24). 7 Data Loss Prevention Best Practices & Strategies. Retrieved August 30, 2021.', url='https://purplesec.us/data-loss-prevention/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_version='1.0')
Collect Enterprise Groups#
enterprise_groups = lift.get_enterprise_groups()
print("Number of Groups in Enterprise ATT&CK")
len(enterprise_groups)
Number of Groups in Enterprise ATT&CK
128
enterprise_groups[0]
IntrusionSet(type='intrusion-set', id='intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-01T01:57:31.229Z', modified='2021-10-15T18:47:18.824Z', name='TeamTNT', description='[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. (Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)', aliases=['TeamTNT'], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0139', external_id='G0139'), ExternalReference(source_name='Palo Alto Black-T October 2020', description='Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.', url='https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/'), ExternalReference(source_name='Lacework TeamTNT May 2021', description="Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.", url='https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/'), ExternalReference(source_name='Intezer TeamTNT September 2020', description='Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. 
Retrieved September 22, 2021.', url='https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/'), ExternalReference(source_name='Cado Security TeamTNT Worm August 2020', description='Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.', url='https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/'), ExternalReference(source_name='Unit 42 Hildegard Malware', description='Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.', url='https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/'), ExternalReference(source_name='Trend Micro TeamTNT', description='Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.', url='https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf'), ExternalReference(source_name='ATT TeamTNT Chimaera September 2020', description='AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.', url='https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera'), ExternalReference(source_name='Aqua TeamTNT August 2020', description='Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.', url='https://blog.aquasec.com/container-security-tnt-container-attack'), ExternalReference(source_name='Intezer TeamTNT Explosion September 2021', description='Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. 
Retrieved October 15, 2021.', url='https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Will Thomas, Cyjax'], x_mitre_version='1.0')
Collect Enterprise Malware#
enterprise_malware = lift.get_enterprise_malware()
print("Number of Malware in Enterprise ATT&CK")
len(enterprise_malware)
Number of Malware in Enterprise ATT&CK
474
enterprise_malware[0]
Malware(type='malware', id='malware--e14085cb-0e8d-4be6-92ba-e3b93ee5978f', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-05T21:58:51.161Z', modified='2021-10-19T00:43:30.036Z', name='XCSSET', description='[XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)', revoked=False, labels=['malware'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0658', external_id='S0658'), ExternalReference(source_name='XCSSET', description='(Citation: trendmicro xcsset xcode project 2020)'), ExternalReference(source_name='OSX.DubRobber', description='(Citation: malwarebyteslabs xcsset dubrobber)'), ExternalReference(source_name='trendmicro xcsset xcode project 2020', description='Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.', url='https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf'), ExternalReference(source_name='malwarebyteslabs xcsset dubrobber', description='Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021.', url='https://blog.malwarebytes.com/detections/osx-dubrobber/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['XCSSET', 'OSX.DubRobber'], x_mitre_platforms=['macOS'], x_mitre_version='1.0')
Collect Enterprise Tools#
enterprise_tools = lift.get_enterprise_tools()
print("Number of Tools in Enterprise ATT&CK")
len(enterprise_tools)
Number of Tools in Enterprise ATT&CK
72
enterprise_tools[0]
Tool(type='tool', id='tool--f91162cc-1686-4ff8-8115-bf3f61a4cc7a', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-09-14T21:45:30.280Z', modified='2021-09-21T18:03:13.205Z', name='Wevtutil', description='[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)', revoked=False, labels=['tool'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0645', external_id='S0645'), ExternalReference(source_name='Wevtutil Microsoft Documentation', description='Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.', url='https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['Wevtutil'], x_mitre_contributors=['Viren Chaudhari, Qualys', 'Harshal Tupsamudre, Qualys'], x_mitre_platforms=['Windows'], x_mitre_version='1.0')
Collect Enterprise Relationships#
enterprise_relationships = lift.get_enterprise_relationships()
print("Number of Relationships in Enterprise ATT&CK")
len(enterprise_relationships)
Number of Relationships in Enterprise ATT&CK
14069
enterprise_relationships[0]
Relationship(type='relationship', id='relationship--9567076b-2a77-43e4-befd-19556def9d47', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-11-10T09:30:48.753Z', modified='2021-11-10T09:30:48.753Z', relationship_type='detects', source_ref='x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', target_ref='attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58', revoked=False, object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])
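Relationship objects only carry source_ref and target_ref ids, so they are most useful when joined back to the objects collected from the same matrix. The block below is an added example (not attackcti code) that resolves 'detects' relationships (data component to technique, the shape shown above) and 'uses' relationships (group to technique) against an id index, skips revoked relationships and references that do not resolve, and lists techniques with no documented detection at all. OBJECTS and RELATIONSHIPS are a constructed sample bundle whose ids and names are placeholders, not real ATT&CK identifiers.

```python
from collections import defaultdict

# Constructed sample bundle. Object and relationship shapes follow the
# attackcti outputs on this page (type, id, name, relationship_type,
# source_ref, target_ref); the ids and names are made-up placeholders.
OBJECTS = [
    {"type": "attack-pattern", "id": "attack-pattern--tech-1", "name": "Technique One",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--tech-2", "name": "Technique Two",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000.002"}]},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc-1",
     "name": "Process: Process Creation"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc-2",
     "name": "File: File Creation"},
    {"type": "intrusion-set", "id": "intrusion-set--grp-1", "name": "Example Group"},
]

RELATIONSHIPS = [
    {"type": "relationship", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc-1", "target_ref": "attack-pattern--tech-1"},
    {"type": "relationship", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc-2", "target_ref": "attack-pattern--tech-1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--grp-1", "target_ref": "attack-pattern--tech-1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--grp-1", "target_ref": "attack-pattern--tech-2"},
    # Revoked relationships stay in the bundle and must be skipped.
    {"type": "relationship", "relationship_type": "detects", "revoked": True,
     "source_ref": "x-mitre-data-component--dc-1", "target_ref": "attack-pattern--tech-2"},
    # Dangling reference: the target object was never collected.
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--grp-1", "target_ref": "attack-pattern--missing"},
]


def index_by_id(objects):
    """Build the STIX id -> object lookup that every join below relies on."""
    return {o["id"]: o for o in objects}


def join_relationships(objects, relationships, relationship_type, source_type, target_type):
    """Resolve source_ref/target_ref and group source names by target name.

    Revoked relationships, unresolvable refs and refs pointing at an object of
    the wrong type are skipped rather than raising KeyError.
    """
    by_id = index_by_id(objects)
    result = defaultdict(list)
    for rel in relationships:
        if rel.get("relationship_type") != relationship_type or rel.get("revoked"):
            continue
        src = by_id.get(rel.get("source_ref"))
        dst = by_id.get(rel.get("target_ref"))
        if src is None or dst is None:
            continue
        if src["type"] != source_type or dst["type"] != target_type:
            continue
        result[dst["name"]].append(src["name"])
    return dict(result)


def detection_coverage(objects, relationships):
    """Technique name -> data components ATT&CK lists as able to detect it."""
    return join_relationships(objects, relationships, "detects",
                              "x-mitre-data-component", "attack-pattern")


def group_techniques(objects, relationships):
    """Technique name -> groups ATT&CK documents as using it."""
    return join_relationships(objects, relationships, "uses",
                              "intrusion-set", "attack-pattern")


def uncovered_techniques(objects, relationships):
    """Techniques with no 'detects' relationship at all: detection gaps to review."""
    covered = detection_coverage(objects, relationships)
    return sorted(o["name"] for o in objects
                  if o["type"] == "attack-pattern" and o["name"] not in covered)


if __name__ == "__main__":
    print(detection_coverage(OBJECTS, RELATIONSHIPS))
    print(group_techniques(OBJECTS, RELATIONSHIPS))
    print("no detection:", uncovered_techniques(OBJECTS, RELATIONSHIPS))
```

With real data, the objects list is the concatenation of enterprise['techniques'], enterprise['data-component'] and enterprise['groups'] converted to dicts, and the relationships list is enterprise['relationships']; collecting the whole matrix once with get_enterprise() is what makes this local join possible without further API calls.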
Collect Enterprise Tactics#
enterprise_tactics = lift.get_enterprise_tactics()
print("Number of Tactics in Enterprise ATT&CK")
len(enterprise_tactics)
Number of Tactics in Enterprise ATT&CK
14
enterprise_tactics[0]
{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'type': 'x-mitre-tactic',
'name': 'Reconnaissance',
'description': 'The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.',
'modified': '2020-10-18T02:04:50.842Z',
'id': 'x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592',
'created': '2020-10-02T14:48:41.809Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'external_references': [{'url': 'https://attack.mitre.org/tactics/TA0043',
'external_id': 'TA0043',
'source_name': 'mitre-attack'}],
'x_mitre_shortname': 'reconnaissance'}
Collect Enterprise Data Sources#
enterprise_data_sources = lift.get_enterprise_data_sources()
print("Number of Data Sources in Enterprise ATT&CK")
len(enterprise_data_sources)
Number of Data Sources in Enterprise ATT&CK
38
enterprise_data_sources[0]
{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'modified': '2021-10-20T15:05:19.275Z',
'name': 'Internet Scan',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'type': 'x-mitre-data-source',
'id': 'x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17',
'description': 'Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet',
'created': '2021-10-20T15:05:19.275Z',
'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0035',
'external_id': 'DS0035',
'source_name': 'mitre-attack'}],
'x_mitre_version': '1.0',
'x_mitre_platforms': ['PRE'],
'x_mitre_collection_layers': ['OSINT'],
'x_mitre_contributors': []}
You can do the same with the other matrices, such as Mobile and ICS.
Collect Mobile ATT&CK#
%time all_mobile = lift.get_mobile()
Wall time: 1.55 s
all_mobile.keys()
dict_keys(['techniques', 'mitigations', 'groups', 'malware', 'tools', 'relationships', 'tactics', 'matrix', 'identity', 'marking-definition'])
Collect Mobile Techniques#
mobile_techniques = lift.get_mobile_techniques()
print("Number of Techniques in Mobile ATT&CK")
len(mobile_techniques)
Number of Techniques in Mobile ATT&CK
92
techniques = []
for t in mobile_techniques:
techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df.reindex(['created','name', 'x_mitre_platforms'], axis=1)[0:5]
 | created | name | x_mitre_platforms
---|---|---|---
0 | 2021-09-30T18:18:52.285Z | User Evasion | [Android]
1 | 2021-09-24T14:47:34.182Z | Hooking | [Android]
2 | 2021-09-20T13:42:20.824Z | Call Control | [Android]
3 | 2020-12-16T20:16:07.673Z | Command-Line Interface | [Android, iOS]
4 | 2020-11-30T14:26:07.728Z | Proxy Through Victim | [Android]
Collect Mobile Mitigations#
mobile_mitigations = lift.get_mobile_mitigations()
print("Number of Mitigations in Mobile ATT&CK")
len(mobile_mitigations)
Number of Mitigations in Mobile ATT&CK
13
mobile_mitigations[0]
CourseOfAction(type='course-of-action', id='course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-10-18T12:53:03.508Z', modified='2019-10-18T15:51:48.318Z', name='User Guidance', description='Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.', revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/mitigations/M1011', external_id='M1011')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_version='1.0')
Collect Mobile Groups#
mobile_groups = lift.get_mobile_groups()
print("Number of Groups in Mobile ATT&CK")
len(mobile_groups)
Number of Groups in Mobile ATT&CK
5
mobile_groups[0]
IntrusionSet(type='intrusion-set', id='intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-06-25T17:16:39.168Z', modified='2021-04-26T14:37:33.234Z', name='Windshift', description='[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)', aliases=['Windshift', 'Bahamut'], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0112', external_id='G0112'), ExternalReference(source_name='Bahamut', description='(Citation: SANS Windshift August 2018)'), ExternalReference(source_name='SANS Windshift August 2018', description='Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.', url='https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf'), ExternalReference(source_name='objective-see windtail1 dec 2018', description="Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.", url='https://objective-see.com/blog/blog_0x3B.html'), ExternalReference(source_name='objective-see windtail2 jan 2019', description="Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.", url='https://objective-see.com/blog/blog_0x3D.html')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_version='1.1')
Collect Mobile Malware#
mobile_malware = lift.get_mobile_malware()
print("Number of Malware in Mobile ATT&CK")
len(mobile_malware)
Number of Malware in Mobile ATT&CK
92
mobile_malware[0]
Malware(type='malware', id='malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-01T14:42:48.234Z', modified='2021-10-14T15:38:53.014Z', name='BusyGasper', description='[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)', revoked=False, labels=['malware'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0655', external_id='S0655'), ExternalReference(source_name='SecureList BusyGasper', description='Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.', url='https://securelist.com/busygasper-the-unfriendly-spy/87627/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['BusyGasper'], x_mitre_platforms=['Android'], x_mitre_version='1.0')
Collect Mobile Tools#
mobile_tools = lift.get_mobile_tools()
print("Number of Tools in Mobile ATT&CK")
len(mobile_tools)
Number of Tools in Mobile ATT&CK
2
mobile_tools[0]
Tool(type='tool', id='tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-09-04T15:38:56.070Z', modified='2019-10-14T18:08:28.349Z', name='FlexiSpy', description='[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)', revoked=False, labels=['tool'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0408', external_id='S0408'), ExternalReference(source_name='FortiGuard-FlexiSpy', description='K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.', url='https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf'), ExternalReference(source_name='CyberMerchants-FlexiSpy', description='Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.', url='http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html'), ExternalReference(source_name='FlexiSpy-Website', description='FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019.', url='https://www.flexispy.com/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['FlexiSpy'], x_mitre_contributors=['Emily Ratliff, IBM'], x_mitre_platforms=['Android'], x_mitre_version='1.0')
Collect Mobile Relationships#
mobile_relationships = lift.get_mobile_relationships()
print("Number of Relationships in Mobile ATT&CK")
len(mobile_relationships)
Number of Relationships in Mobile ATT&CK
1079
mobile_relationships[0]
Relationship(type='relationship', id='relationship--fcc42341-ec3a-4e24-a374-46bed72d061f', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-01T14:42:49.191Z', modified='2021-10-01T14:42:49.191Z', relationship_type='uses', description='[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)', source_ref='malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4', target_ref='attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160', revoked=False, external_references=[ExternalReference(source_name='SecureList BusyGasper', description='Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.', url='https://securelist.com/busygasper-the-unfriendly-spy/87627/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])
Collect Mobile Tactics#
mobile_tactics = lift.get_mobile_tactics()
print("Number of Tactics in Mobile ATT&CK")
len(mobile_tactics)
Number of Tactics in Mobile ATT&CK
14
mobile_tactics[0]
{'name': 'Execution',
'id': 'x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'description': 'The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.',
'external_references': [{'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/tactics/TA0041',
'external_id': 'TA0041'}],
'modified': '2020-01-27T14:00:49.089Z',
'type': 'x-mitre-tactic',
'created': '2020-01-27T14:00:49.089Z',
'x_mitre_shortname': 'execution'}
Collect ICS ATT&CK#
%time all_ics = lift.get_ics()
Wall time: 996 ms
all_ics.keys()
dict_keys(['techniques', 'mitigations', 'groups', 'malware', 'relationships', 'tactics', 'matrix'])
Collect ICS Techniques#
ics_techniques = lift.get_ics_techniques()
print("Number of Techniques in ICS ATT&CK")
len(ics_techniques)
Number of Techniques in ICS ATT&CK
92
techniques = []
for t in ics_techniques:
techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df.reindex(['created','name', 'x_mitre_platforms'], axis=1)[0:5]
 | created | name | x_mitre_platforms
---|---|---|---
0 | 2021-10-14T15:25:32.143Z | Transient Cyber Asset | [Engineering Workstation]
1 | 2021-04-13T12:45:26.506Z | Remote System Information Discovery | [Safety Instrumented System/Protection Relay, ...
2 | 2021-04-13T12:36:26.506Z | Native API | [Control Server, Data Historian, Field Control...
3 | 2021-04-13T12:08:26.506Z | Exploitation for Privilege Escalation | [Human-Machine Interface, Safety Instrumented ...
4 | 2021-04-13T11:15:26.506Z | Modify Program | [Field Controller/RTU/PLC/IED]
Collect ICS Mitigations#
ics_mitigations = lift.get_ics_mitigations()
print("Number of Mitigations in ICS ATT&CK")
len(ics_mitigations)
Number of Mitigations in ICS ATT&CK
51
ics_mitigations[0]
CourseOfAction(type='course-of-action', id='course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-12T17:00:21.233Z', modified='2021-04-12T17:00:21.233Z', name='Supply Chain Management', description='Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.', revoked=False, external_references=[ExternalReference(source_name='mitre-ics-attack', url='https://collaborate.mitre.org/attackics/index.php/Mitigation/M0817', external_id='M0817')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_version='1.0')
Collect ICS Groups#
ics_groups = lift.get_ics_groups()
print("Number of Groups in ICS ATT&CK")
len(ics_groups)
Number of Groups in ICS ATT&CK
9
ics_groups[0]
IntrusionSet(type='intrusion-set', id='intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-04-16T15:14:38.533Z', modified='2021-10-17T14:49:09.631Z', name='TEMP.Veles', description='[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)', aliases=['TEMP.Veles', 'XENOTIME'], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0088', external_id='G0088'), ExternalReference(source_name='TEMP.Veles', description='(Citation: FireEye TRITON 2019)'), ExternalReference(source_name='XENOTIME', description='The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )'), ExternalReference(source_name='FireEye TRITON 2019', description='Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.', url='https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html'), ExternalReference(source_name='FireEye TEMP.Veles 2018', description='FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.', url='https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html '), ExternalReference(source_name='FireEye TEMP.Veles JSON April 2019', description='Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.', url='https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html'), ExternalReference(source_name='Dragos Xenotime 2018', description='Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.', url='https://dragos.com/resource/xenotime/'), ExternalReference(source_name='Pylos Xenotime 2019', description='Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.', url='https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/'), ExternalReference(source_name='FireEye TEMP.Veles 2018 ', description='FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.', url='https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_version='1.3')
Collect ICS Malware#
ics_malware = lift.get_ics_malware()
print("Number of Malware in ICS ATT&CK")
len(ics_malware)
Number of Malware in ICS ATT&CK
19
ics_malware[0]
Malware(type='malware', id='malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-02-23T20:50:32.845Z', modified='2021-10-14T19:41:44.167Z', name='Conficker', description='[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)', revoked=False, labels=['malware'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0608', external_id='S0608'), ExternalReference(source_name='Kido', description='(Citation: SANS Conficker) '), ExternalReference(source_name='Downadup', description='(Citation: SANS Conficker) '), ExternalReference(source_name='SANS Conficker', description='Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.', url='https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm'), ExternalReference(source_name='Conficker Nuclear Power Plant', description="Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.", url='https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['Conficker', 'Kido', 'Downadup'], x_mitre_platforms=['Windows'], x_mitre_version='1.0')
Collect ICS Relationships#
ics_relationships = lift.get_ics_relationships()
print("Number of Relationships in ICS ATT&CK")
len(ics_relationships)
Number of Relationships in ICS ATT&CK
536
ics_relationships[0]
Relationship(type='relationship', id='relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-14T21:33:27.046Z', modified='2021-10-14T22:06:54.109Z', relationship_type='uses', description='[Sandworm Team](https://collaborate.mitre.org/attackics/index.php/Group/G0007) used valid accounts to laterally move through VPN connections and dual-homed systems.(Citation: Dragos Electrum)(Citation: Dragos CRASHOVERRIDE) In the Ukraine 2015 Incident, Sandworm Team blocked command messages by using malicious firmware to render communication devices inoperable.(Citation: ICS SANS Ukraine March 2018)', source_ref='intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192', target_ref='attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101', revoked=False, external_references=[ExternalReference(source_name='Dragos Electrum', description='Dragos. (n.d.). Electrum. Retrieved October 27, 2019.', url='https://dragos.com/resource/electrum/'), ExternalReference(source_name='Dragos CRASHOVERRIDE', description='Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.', url='https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf'), ExternalReference(source_name='ICS SANS Ukraine March 2018', description='Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.', url='https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])
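The relationship objects above are what tie the other collections together: a `uses` relationship points from a group (`source_ref`) to a technique (`target_ref`) by STIX id only, so to answer "which ICS techniques has each group been observed using" you have to join relationships against the group and technique lists yourself. The following is an added example, not code from the attackcti project or the notebook: it joins the three lists the way the earlier `json.loads(t.serialize())` pattern prepared them for Pandas, skips revoked or deprecated objects (the `revoked` flag is visible in the output above; `x_mitre_deprecated` is the other ATT&CK field used for retired objects), and ignores relationship types other than `uses` so that, for example, the `mitigates` edges from course-of-action objects do not show up as group activity. The sample input is constructed inline so it runs offline; the Sandworm Team and TEMP.Veles group ids, G0007/G0088, and the attack-pattern id come from the output on this page, while the technique names and the `TXXX1`/`TXXX2` ids are placeholders.

```python
import json

def to_dicts(stix_objects):
    """Convert stix2 objects returned by attackcti into plain dicts
    (same approach as json.loads(obj.serialize()) used earlier); dicts pass through."""
    return [json.loads(o.serialize()) if hasattr(o, "serialize") else dict(o)
            for o in stix_objects]

def attack_id(obj):
    """Return the ATT&CK external id (e.g. G0088, M0817) of an object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ("mitre-attack", "mitre-ics-attack") and "external_id" in ref:
            return ref["external_id"]
    return None

def is_active(obj, include_revoked=False):
    """False for objects ATT&CK has revoked or deprecated, unless the caller opts in."""
    if include_revoked:
        return True
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))

def group_technique_map(groups, techniques, relationships, include_revoked=False):
    """Join 'uses' relationships whose source is a group and whose target is a
    technique; returns {group name: sorted list of technique ATT&CK ids}."""
    group_by_id = {g["id"]: g for g in groups if is_active(g, include_revoked)}
    tech_by_id = {t["id"]: t for t in techniques if is_active(t, include_revoked)}
    result = {}
    for rel in relationships:
        # Only group -> technique 'uses' edges; mitigations, software and
        # revoked relationships are skipped.
        if rel.get("relationship_type") != "uses" or not is_active(rel, include_revoked):
            continue
        grp = group_by_id.get(rel.get("source_ref"))
        tech = tech_by_id.get(rel.get("target_ref"))
        if grp is None or tech is None:
            continue
        result.setdefault(grp["name"], set()).add(attack_id(tech) or tech["id"])
    return {name: sorted(ids) for name, ids in result.items()}

# --- Constructed sample data (ids for the two groups and the first attack-pattern
# are the ones printed on this page; technique ids/names are placeholders) ---
SANDWORM_ID = "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192"
TEMP_VELES_ID = "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4"
TECH_A_ID = "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101"
TECH_B_ID = "attack-pattern--00000000-0000-0000-0000-000000000002"  # placeholder
MITIGATION_ID = "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c"

SAMPLE_GROUPS = [
    {"type": "intrusion-set", "id": SANDWORM_ID, "name": "Sandworm Team", "revoked": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0007"}]},
    {"type": "intrusion-set", "id": TEMP_VELES_ID, "name": "TEMP.Veles", "revoked": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0088"}]},
]
SAMPLE_TECHNIQUES = [
    {"type": "attack-pattern", "id": TECH_A_ID, "name": "Placeholder Technique A",
     "revoked": False,
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "TXXX1"}]},
    {"type": "attack-pattern", "id": TECH_B_ID, "name": "Placeholder Technique B (revoked)",
     "revoked": True,
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "TXXX2"}]},
]
SAMPLE_RELATIONSHIPS = [
    {"type": "relationship", "relationship_type": "uses", "revoked": False,
     "source_ref": SANDWORM_ID, "target_ref": TECH_A_ID},
    {"type": "relationship", "relationship_type": "uses", "revoked": False,
     "source_ref": SANDWORM_ID, "target_ref": TECH_B_ID},       # target is revoked
    {"type": "relationship", "relationship_type": "uses", "revoked": False,
     "source_ref": TEMP_VELES_ID, "target_ref": TECH_A_ID},
    {"type": "relationship", "relationship_type": "mitigates", "revoked": False,
     "source_ref": MITIGATION_ID, "target_ref": TECH_A_ID},     # not a group edge
]

if __name__ == "__main__":
    print(group_technique_map(SAMPLE_GROUPS, SAMPLE_TECHNIQUES, SAMPLE_RELATIONSHIPS))
    print(group_technique_map(SAMPLE_GROUPS, SAMPLE_TECHNIQUES, SAMPLE_RELATIONSHIPS,
                              include_revoked=True))
```

Against the live collections you would call it as `group_technique_map(to_dicts(ics_groups), to_dicts(ics_techniques), to_dicts(ics_relationships))`, where `ics_techniques` is assumed to come from a `get_ics_techniques()` call following the naming pattern of the functions on this page. Dropping revoked and deprecated objects by default matters for coverage reporting: a revoked technique still has relationships pointing at it in the data, and counting it would inflate a group's apparent technique set.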
Collect ICS Tactics#
ics_tactics = lift.get_ics_tactics()
print("Number of Tactics in ICS ATT&CK")
len(ics_tactics)
Number of Tactics in ICS ATT&CK
12
ics_tactics[0]
{'type': 'x-mitre-tactic',
'name': 'Privilege Escalation',
'description': 'The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'created': '2021-04-10T17:32:33.899Z',
'id': 'x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046',
'modified': '2021-04-10T17:32:33.899Z',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'external_references': [{'source_name': 'mitre-ics-attack',
'url': 'https://collaborate.mitre.org/attackics/index.php/Privilege_Escalation',
'external_id': 'TA0111'}],
'x_mitre_shortname': 'privilege-escalation-ics'}