SANS CTI Summit 2022 - Explorando ATT&CK Fuentes & Componentes de Datos#


Instalando ATT&CK Python Client#

!pip install --upgrade attackcti

# If attackcti is already installed, you can upgrade it by adding the --upgrade option
# !pip install --upgrade attackcti
Requirement already satisfied: attackcti in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (0.3.5)
Requirement already satisfied: stix2 in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from attackcti) (3.0.1)
Requirement already satisfied: taxii2-client in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from attackcti) (2.3.0)
Requirement already satisfied: simplejson in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from stix2->attackcti) (3.17.2)
Requirement already satisfied: stix2-patterns>=1.2.0 in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from stix2->attackcti) (1.3.2)
Requirement already satisfied: requests in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from stix2->attackcti) (2.25.1)
Requirement already satisfied: pytz in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from stix2->attackcti) (2021.1)
Requirement already satisfied: six in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from taxii2-client->attackcti) (1.16.0)
Requirement already satisfied: antlr4-python3-runtime~=4.8.0 in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from stix2-patterns>=1.2.0->stix2->attackcti) (4.8)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from requests->stix2->attackcti) (1.26.4)
Requirement already satisfied: idna<3,>=2.5 in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from requests->stix2->attackcti) (2.10)
Requirement already satisfied: certifi>=2017.4.17 in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from requests->stix2->attackcti) (2020.12.5)
Requirement already satisfied: chardet<5,>=3.0.2 in c:\users\rorodri\appdata\local\programs\python\python39\lib\site-packages (from requests->stix2->attackcti) (4.0.0)

Importando ATT&CK Api Client#

from attackcti import attack_client

import logging
logging.getLogger('taxii2client').setLevel(logging.CRITICAL)

Inicializando la clase ATT&CK Client#

lift = attack_client()

Obteniendo Objetos: Fuentes de Datos#

La función get_data_sources accesa la metadata de los nuevos objetos x-mitre-data-source.

Actualmente, los objetos x-mitre-data-source agregan contexto en la sección Detección para cada técnica de la matriz Enterprise.

data_sources = lift.get_data_sources()
# Cantidad the objetos x-mitre-data-source
print('Existen',len(data_sources),'fuentes de datos')
Existen 38 fuentes de datos
# Ejemplo de objeto x-mitre-data-source
data_sources[0]
{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'modified': '2021-10-20T15:05:19.275Z',
 'name': 'Internet Scan',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'type': 'x-mitre-data-source',
 'id': 'x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17',
 'description': 'Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet',
 'created': '2021-10-20T15:05:19.275Z',
 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0035',
   'external_id': 'DS0035',
   'source_name': 'mitre-attack'}],
 'x_mitre_version': '1.0',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_collection_layers': ['OSINT'],
 'x_mitre_contributors': []}

Obteniendo Objetos: Componentes de Datos#

La función get_data_components accesa la metadata de los nuevos objetos x-mitre-data-component.

Actualmente, los objetos x-mitre-data-component solo agregan contexto en la sección Detección para cada técnica de la matriz Enterprise.

Por ello, la función get_data_components retorna el mismo resultado que la función get_enterprise_data_components.

En el futuro, cuando se complete el mapeo de data components a técnicas de las matrices ICS y Mobile, existirá una diferencia entre estas funciones.

Además, podremos introducir nuevas funciones como get_ics_data_components y get_mobile_data_components.

data_components = lift.get_data_components()
# Cantidad the objetos x-mitre-data-component
print('Existen',len(data_components),'componentes de datos')
Existen 109 componentes de datos
# Ejemplo de objeto x-mitre-data-component
data_components[0]
{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'modified': '2021-10-20T15:05:19.275Z',
 'id': 'x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4',
 'description': 'Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'name': 'Passive DNS',
 'created': '2021-10-20T15:05:19.275Z',
 'type': 'x-mitre-data-component',
 'x_mitre_version': '1.0',
 'x_mitre_data_source_ref': 'x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866'}

Obteniendo Objetos: Técnicas (enrich_data_sources = False)#

La función get_techniques accesa la metadata de objetos attack-pattern de las matrices Enterprise, ICS, y Mobile.

Para obtener los objetos attack-pattern de cada matriz, se puede usar las siguientes funciones:

  • Enterprise –>: get_enterprise_techniques

  • ICS ———>: get_ics_techniques

  • Mobile ——>: get_mobile_techniques

Todos los objetos attack-pattern contienen, como parte de su metadata, el campo x_mitre_data_sources.

El campo x_mitre_data_sources brinda contexto de data sources y data components como una lista de nombres, pero no como objetos. Aquí tenemos un ejemplo:

x_mitre_data_sources=[‘File: File Creation’, ‘Process: Process Creation’, ‘File: File Metadata’, ‘Command: Command Execution’]

techniques = lift.get_techniques()
# Cantidad the objetos attack-pattern
print('Existen',len(techniques),'técnicas (Enterprise, ICS, Mobile)')
Existen 736 técnicas (Enterprise, ICS, Mobile)
# Ejemplo de objeto attack-pattern
techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-12T20:02:31.866Z', modified='2021-10-16T01:50:40.276Z', name='Resource Forking', description='Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1564/009', external_id='T1564.009'), ExternalReference(source_name='macOS Hierarchical File System Overview', description='Tenon. (n.d.). Retrieved October 12, 2021.', url='http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553'), ExternalReference(source_name='Resource and Data Forks', description='Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.', url='https://flylib.com/books/en/4.395.1.192/1/'), ExternalReference(source_name='ELC Extended Attributes', description="Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.", url='https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/'), ExternalReference(source_name='sentinellabs resource named fork 2020', description='Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.', url='https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/'), ExternalReference(source_name='tau bundlore erika noerenberg 2020', description='Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.', url='https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Jaron Bradley @jbradley89', 'Ivan Sinyakov'], x_mitre_data_sources=['File: File Creation', 'Process: Process Creation', 'File: File Metadata', 'Command: Command Execution'], x_mitre_defense_bypassed=['Notarization; Gatekeeper'], x_mitre_detection='Identify files with the <code>com.apple.ResourceFork</code> extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['macOS'], x_mitre_version='1.0')
# Ejemplo de contexto (Data Sources y Data Components) para objeto attack-pattern
techniques[0]['x_mitre_data_sources']
['File: File Creation',
 'Process: Process Creation',
 'File: File Metadata',
 'Command: Command Execution']

Obteniendo Objetos: Técnicas (enrich_data_sources = True)#

Como se mencionó anteriormente, los objetos x-mitre-data-component solo agregan contexto en la sección Detección para cada técnica de la matriz Enterprise.

Por lo tanto, hemos considerado el parámetro enrich_data_sources en las funciones get_enterprise_techniques y get_techniques para agregar el contexto de los objetos x-mitre-data-source and x-mitre-data-component.

En el futuro, cuando se complete el mapeo de data components a técnicas de las matrices ICS y Mobile, agregaremos el parámetro enrich_data_sources a las funciones get_ics_techniques y get_mobile_techniques.

techniques_enriched = lift.get_techniques(enrich_data_sources=True)
# Cantidad the objetos attack-pattern
print('Existen',len(techniques_enriched),'técnicas (Enterprise, ICS, Mobile)')
Existen 736 técnicas (Enterprise, ICS, Mobile)
# Ejemplo de objeto attack-pattern
techniques_enriched[0]
AttackPattern(type='attack-pattern', id='attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-12T20:02:31.866Z', modified='2022-01-20T19:26:43.291Z', name='Resource Forking', description='Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1564/009', external_id='T1564.009'), ExternalReference(source_name='macOS Hierarchical File System Overview', description='Tenon. (n.d.). Retrieved October 12, 2021.', url='http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553'), ExternalReference(source_name='Resource and Data Forks', description='Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.', url='https://flylib.com/books/en/4.395.1.192/1/'), ExternalReference(source_name='ELC Extended Attributes', description="Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.", url='https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/'), ExternalReference(source_name='sentinellabs resource named fork 2020', description='Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.', url='https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/'), ExternalReference(source_name='tau bundlore erika noerenberg 2020', description='Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.', url='https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Jaron Bradley @jbradley89', 'Ivan Sinyakov'], x_mitre_data_sources=[{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2021-11-10T09:30:48.694Z', 'name': 'Command', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089', 'description': 'A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command  Line)(Citation: Audit OSX)', 'created': '2021-10-20T15:05:19.273Z', 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0017', 'external_id': 'DS0017', 'source_name': 'mitre-attack'}, {'url': 'https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html', 'description': 'Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.', 'source_name': 'Confluence Linux Command  Line'}, {'url': 'https://www.scip.ch/en/?labs.20150108', 'description': 'Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.', 'source_name': 'Audit OSX'}], 'x_mitre_version': '1.0', 'x_mitre_platforms': ['Windows', 'Linux', 'macOS', 'Network', 'Containers'], 'x_mitre_collection_layers': ['Host', 'Container'], 'x_mitre_contributors': ['Austin Clark', 'Center for Threat-Informed Defense (CTID)'], 'data_components': [{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2021-10-20T15:05:19.273Z', 'id': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'description': 'Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'name': 'Command Execution', 'created': '2021-10-20T15:05:19.273Z', 'type': 'x-mitre-data-component', 'x_mitre_version': '1.0', 'x_mitre_data_source_ref': 'x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089'}]}, {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2021-11-10T09:30:48.695Z', 'name': 'File', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9', 'description': 'A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)(Citation: Microsoft File Mgmt)', 'created': '2021-10-20T15:05:19.273Z', 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0022', 'external_id': 'DS0022', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/fileio/file-management', 'description': 'Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.', 'source_name': 'Microsoft File Mgmt'}], 'x_mitre_version': '1.0', 'x_mitre_platforms': ['Windows', 'Linux', 'macOS', 'Network'], 'x_mitre_collection_layers': ['Host'], 'x_mitre_contributors': ['Center for Threat-Informed Defense (CTID)'], 'data_components': [{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2021-10-20T15:05:19.273Z', 'id': 'x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5', 'description': 'Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'name': 'File Metadata', 'created': '2021-10-20T15:05:19.273Z', 'type': 'x-mitre-data-component', 'x_mitre_version': '1.0', 'x_mitre_data_source_ref': 'x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9'}, {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2021-10-20T15:05:19.273Z', 'id': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'description': 'Initial construction of a new file (ex: Sysmon EID 11)', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'name': 'File Creation', 'created': '2021-10-20T15:05:19.273Z', 'type': 'x-mitre-data-component', 'x_mitre_version': '1.0', 'x_mitre_data_source_ref': 'x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9'}]}, {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2021-11-10T09:30:48.697Z', 'name': 'Process', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'type': 'x-mitre-data-source', 'id': 'x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22', 'description': 'Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)', 'created': '2021-10-20T15:05:19.272Z', 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0009', 'external_id': 'DS0009', 'source_name': 'mitre-attack'}, {'url': 'https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads', 'description': 'Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.', 'source_name': 'Microsoft Processes and Threads'}], 'x_mitre_version': '1.0', 'x_mitre_platforms': ['Windows', 'Linux', 'macOS'], 'x_mitre_collection_layers': ['Host'], 'x_mitre_contributors': ['Center for Threat-Informed Defense (CTID)'], 'data_components': [{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2021-10-20T15:05:19.272Z', 'id': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'description': 'Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'name': 'Process Creation', 'created': '2021-10-20T15:05:19.272Z', 'type': 'x-mitre-data-component', 'x_mitre_version': '1.0', 'x_mitre_data_source_ref': 'x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22'}]}], x_mitre_defense_bypassed=['Notarization; Gatekeeper'], x_mitre_detection='Identify files with the <code>com.apple.ResourceFork</code> extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['macOS'], x_mitre_version='1.0')
# Ejemplo de contexto (Data Sources y Data Components) para objeto attack-pattern
techniques_enriched[0]['x_mitre_data_sources']
[{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
  'modified': '2021-11-10T09:30:48.694Z',
  'name': 'Command',
  'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'type': 'x-mitre-data-source',
  'id': 'x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089',
  'description': 'A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command  Line)(Citation: Audit OSX)',
  'created': '2021-10-20T15:05:19.273Z',
  'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0017',
    'external_id': 'DS0017',
    'source_name': 'mitre-attack'},
   {'url': 'https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html',
    'description': 'Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.',
    'source_name': 'Confluence Linux Command  Line'},
   {'url': 'https://www.scip.ch/en/?labs.20150108',
    'description': 'Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.',
    'source_name': 'Audit OSX'}],
  'x_mitre_version': '1.0',
  'x_mitre_platforms': ['Windows', 'Linux', 'macOS', 'Network', 'Containers'],
  'x_mitre_collection_layers': ['Host', 'Container'],
  'x_mitre_contributors': ['Austin Clark',
   'Center for Threat-Informed Defense (CTID)'],
  'data_components': [{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
    'modified': '2021-10-20T15:05:19.273Z',
    'id': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0',
    'description': 'Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)',
    'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
    'name': 'Command Execution',
    'created': '2021-10-20T15:05:19.273Z',
    'type': 'x-mitre-data-component',
    'x_mitre_version': '1.0',
    'x_mitre_data_source_ref': 'x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089'}]},
 {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
  'modified': '2021-11-10T09:30:48.695Z',
  'name': 'File',
  'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'type': 'x-mitre-data-source',
  'id': 'x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9',
  'description': 'A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)(Citation: Microsoft File Mgmt)',
  'created': '2021-10-20T15:05:19.273Z',
  'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0022',
    'external_id': 'DS0022',
    'source_name': 'mitre-attack'},
   {'url': 'https://docs.microsoft.com/en-us/windows/win32/fileio/file-management',
    'description': 'Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.',
    'source_name': 'Microsoft File Mgmt'}],
  'x_mitre_version': '1.0',
  'x_mitre_platforms': ['Windows', 'Linux', 'macOS', 'Network'],
  'x_mitre_collection_layers': ['Host'],
  'x_mitre_contributors': ['Center for Threat-Informed Defense (CTID)'],
  'data_components': [{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
    'modified': '2021-10-20T15:05:19.273Z',
    'id': 'x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5',
    'description': 'Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.',
    'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
    'name': 'File Metadata',
    'created': '2021-10-20T15:05:19.273Z',
    'type': 'x-mitre-data-component',
    'x_mitre_version': '1.0',
    'x_mitre_data_source_ref': 'x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9'},
   {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
    'modified': '2021-10-20T15:05:19.273Z',
    'id': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c',
    'description': 'Initial construction of a new file (ex: Sysmon EID 11)',
    'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
    'name': 'File Creation',
    'created': '2021-10-20T15:05:19.273Z',
    'type': 'x-mitre-data-component',
    'x_mitre_version': '1.0',
    'x_mitre_data_source_ref': 'x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9'}]},
 {'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
  'modified': '2021-11-10T09:30:48.697Z',
  'name': 'Process',
  'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'type': 'x-mitre-data-source',
  'id': 'x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22',
  'description': 'Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)',
  'created': '2021-10-20T15:05:19.272Z',
  'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0009',
    'external_id': 'DS0009',
    'source_name': 'mitre-attack'},
   {'url': 'https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads',
    'description': 'Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.',
    'source_name': 'Microsoft Processes and Threads'}],
  'x_mitre_version': '1.0',
  'x_mitre_platforms': ['Windows', 'Linux', 'macOS'],
  'x_mitre_collection_layers': ['Host'],
  'x_mitre_contributors': ['Center for Threat-Informed Defense (CTID)'],
  'data_components': [{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
    'modified': '2021-10-20T15:05:19.272Z',
    'id': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077',
    'description': 'Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)',
    'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
    'name': 'Process Creation',
    'created': '2021-10-20T15:05:19.272Z',
    'type': 'x-mitre-data-component',
    'x_mitre_version': '1.0',
    'x_mitre_data_source_ref': 'x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22'}]}]