Exploring ICS ATT&CK

Query ATT&CK

Import TAXII Libraries

ATT&CK users can use the initial Server class to instantiate a server object pointing to the framework’s public TAXII server URL https://cti-taxii.mitre.org/taxii/

from taxii2client.v20 import Server
server = Server("https://cti-taxii.mitre.org/taxii/")

Available API Roots can be referenced from the server object. API Roots are logical groupings of TAXII Channels and Collections and can be thought of as instances of the TAXII API available at different URLs, where each API Root is the “root” URL of that particular instance of the TAXII API:

server.api_roots
[<taxii2client.v20.ApiRoot at 0x11085ae80>]
api_root = server.api_roots[0]

Explore ATT&CK TAXII Collections

The collections attribute can then be used and get more information about them via their respective available properties:

api_root.collections
[<taxii2client.v20.Collection at 0x111b26a90>,
 <taxii2client.v20.Collection at 0x111b26220>,
 <taxii2client.v20.Collection at 0x111b262b0>,
 <taxii2client.v20.Collection at 0x111b26b20>]
for collection in api_root.collections:
    print(collection.title, "->", collection.description)
Enterprise ATT&CK -> This data collection holds STIX objects from Enterprise ATT&CK
PRE-ATT&CK -> This data collection holds STIX objects from PRE-ATT&CK
Mobile ATT&CK -> This data collection holds STIX objects from Mobile ATT&CK
ICS ATT&CK -> This data collection holds STIX objects from ICS ATT&CK
api_root.collections[3].title
'ICS ATT&CK'
api_root.collections[3].id
'02c3ef24-9cd4-48f3-a99f-b74ce24f1d34'

Set ICS ATT&CK TAXII Collection ID Variable

ICS_ATTACK = "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"

Initialize TAXII Collection Sources

According to STIX2 docs, the TAXIICollectionSource API provides an interface for searching/retrieving STIX objects from a local/remote TAXII Collection endpoint. In our case, we are pointing to our ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/)

from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection
ATTACK_STIX_COLLECTIONS = "https://cti-taxii.mitre.org/stix/collections/"
ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + "/")
TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)

Retrieve all ICS Techniques

Now that we can query the ICS ATT&CK TAXIICollection. We can use the query method and a set of filter to retrieve STIX objects of type “attack-pattern” -> “Techniques”

ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter("type", "=", "attack-pattern"))
print(ICS_TECHNIQUES[0])
{
    "type": "attack-pattern",
    "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2021-04-13T12:45:26.506Z",
    "modified": "2021-04-13T12:45:26.506Z",
    "name": "Remote System Information Discovery",
    "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system\u2019s operational role and model information can dictate whether it is a relevant target for the adversary\u2019s operational objectives. In addition, the system\u2019s configuration may be used to scope subsequent technique usage. Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system\u2019s API.",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-ics-attack",
            "phase_name": "discovery-ics"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-ics-attack",
            "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0888",
            "external_id": "T0888"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "x_mitre_data_sources": [
        "Network protocol analysis",
        "Packet capture"
    ],
    "x_mitre_platforms": [
        "Safety Instrumented System/Protection Relay",
        "Field Controller/RTU/PLC/IED"
    ]
}
for TECHNIQUE in ICS_TECHNIQUES:
    print(TECHNIQUE['external_references'][0]['external_id'], "--", TECHNIQUE['name'])
T0888 -- Remote System Information Discovery
T0834 -- Native API
T0890 -- Exploitation for Privilege Escalation
T0821 -- Modify Controller Tasking
T0889 -- Modify Program
T0886 -- Remote Services
T0837 -- Loss of Protection
T0878 -- Alarm Suppression
T0806 -- Brute Force I/O
T0884 -- Connection Proxy
T0811 -- Data from Information Repositories
T0868 -- Detect Operating Mode
T0871 -- Execution through API
T0822 -- External Remote Services
T0872 -- Indicator Removal on Host
T0828 -- Loss of Productivity and Revenue
T0835 -- Manipulate I/O Image
T0801 -- Monitor Process State
T0843 -- Program Download
T0867 -- Lateral Tool Transfer
T0854 -- Serial Connection Enumeration
T0862 -- Supply Chain Compromise
T0859 -- Valid Accounts
T0802 -- Automated Collection
T0875 -- Change Program State
T0808 -- Control Device Identification
T0812 -- Default Credentials
T0870 -- Detect Program State
T0819 -- Exploit Public-Facing Application
T0823 -- Graphical User Interface
T0883 -- Internet Accessible Device
T0831 -- Manipulation of Control
T0833 -- Modify Control Logic
T0840 -- Network Connection Enumeration
T0844 -- Program Organization Units
T0848 -- Rogue Master
T0881 -- Service Stop
T0857 -- System Firmware
T0860 -- Wireless Compromise
T0804 -- Block Reporting Message
T0807 -- Command-Line Interface
T0809 -- Data Destruction
T0814 -- Denial of Service
T0817 -- Drive-by Compromise
T0877 -- I/O Image
T0826 -- Loss of Availability
T0829 -- Loss of View
T0849 -- Masquerading
T0839 -- Module Firmware
T0842 -- Network Sniffing
T0873 -- Project File Infection
T0852 -- Screen Capture
T0856 -- Spoof Reporting Message
T0855 -- Unauthorized Command Message
T0800 -- Activate Firmware Update Mode
T0805 -- Block Serial COM
T0885 -- Commonly Used Port
T0810 -- Data Historian Compromise
T0815 -- Denial of View
T0818 -- Engineering Workstation Compromise
T0866 -- Exploitation of Remote Services
T0824 -- I/O Module Discovery
T0827 -- Loss of Control
T0830 -- Man in the Middle
T0838 -- Modify Alarm Settings
T0861 -- Point & Tag Identification
T0850 -- Role Identification
T0847 -- Replication Through Removable Media
T0853 -- Scripting
T0869 -- Standard Application Layer Protocol
T0863 -- User Execution
T0803 -- Block Command Message
T0858 -- Change Operating Mode
T0879 -- Damage to Property
T0813 -- Denial of Control
T0816 -- Device Restart/Shutdown
T0820 -- Exploitation for Evasion
T0874 -- Hooking
T0825 -- Location Identification
T0880 -- Loss of Safety
T0832 -- Manipulation of View
T0836 -- Modify Parameter
T0841 -- Network Service Scanning
T0845 -- Program Upload
T0846 -- Remote System Discovery
T0851 -- Rootkit
T0865 -- Spearphishing Attachment
T0882 -- Theft of Operational Information
T0887 -- Wireless Sniffing

ICS ATT&CK Available in attackcti 0.3.4.3

Reference: https://pypi.org/project/attackcti/

from attackcti import attack_client
lift = attack_client()

ICS_TECHNIQUES = lift.get_ics_techniques()
print("Techniques Count:",len(ICS_TECHNIQUES))
Techniques Count: 89
print(ICS_TECHNIQUES[0])
{
    "type": "attack-pattern",
    "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2021-04-13T12:45:26.506Z",
    "modified": "2021-04-13T12:45:26.506Z",
    "name": "Remote System Information Discovery",
    "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system\u2019s operational role and model information can dictate whether it is a relevant target for the adversary\u2019s operational objectives. In addition, the system\u2019s configuration may be used to scope subsequent technique usage. Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system\u2019s API.",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-ics-attack",
            "phase_name": "discovery-ics"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-ics-attack",
            "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0888",
            "external_id": "T0888"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "x_mitre_data_sources": [
        "Network protocol analysis",
        "Packet capture"
    ],
    "x_mitre_platforms": [
        "Safety Instrumented System/Protection Relay",
        "Field Controller/RTU/PLC/IED"
    ]
}

Get All Data Sources Mapped to ICS ATT&CK Techniques

ICS_DATA_SOURCES = []
for TECHNIQUE in ICS_TECHNIQUES:
    if 'x_mitre_data_sources' in TECHNIQUE.keys():
        for DS in TECHNIQUE['x_mitre_data_sources']:
            if DS not in ICS_DATA_SOURCES:
                ICS_DATA_SOURCES.append(DS)
ICS_DATA_SOURCES
['Network protocol analysis',
 'Packet capture',
 'API monitoring',
 'Process monitoring',
 'System calls',
 'Sequential event recorder',
 'Controller program',
 'Windows event logs',
 'Authentication logs',
 'Alarm history',
 'Alarm thresholds',
 'Data historian',
 'Netflow/Enclave netflow',
 'Process use of network',
 'Application logs',
 'Data loss prevention',
 'Third-party application logs',
 'File monitoring',
 'Process command-line parameters',
 'Network device logs',
 'Host network interfaces',
 'Web proxy',
 'Detonation chamber',
 'Digital signatures',
 'Web logs',
 'Web application firewall logs',
 'Binary file metadata',
 'Asset management',
 'Windows Registry',
 'Network intrusion detection system',
 'Alarm History',
 'process use of network',
 'SSl/TLS inspection',
 'File Monitoring',
 'Windows error reporting',
 'Windows registry',
 'Controller parameters',
 'Malware reverse engineering',
 'Anti-virus',
 'Email gateway',
 'Mail server']

Get All Groups from ICS ATT&CK

ICS_GROUPS = lift.get_ics_groups()
for GROUP in ICS_GROUPS:
    print(GROUP['name'])
TEMP.Veles
HEXANE
Dragonfly 2.0
APT33
OilRig
Dragonfly
Sandworm Team
Lazarus Group
ALLANITE

Get All Malware from ICS ATT&CK

ICS_MALWARE = lift.get_ics_malware()
for MALWARE in ICS_MALWARE:
    print(MALWARE['name'])
EKANS
Ryuk
LockerGoga
PLC-Blaster
Stuxnet
VPNFilter
NotPetya
Triton
WannaCry
Flame
Industroyer
Killdisk
Bad Rabbit
Conficker
Backdoor.Oldrea
ACAD/Medre.A
BlackEnergy
Duqu