

version 0.3.3
+ Python Library version to 0.3.3
+ Updated Revoked function
+ New Function remove_deprecated
+ Updated ATT&CK Navigator Version to 3.0
+ Updated export samples for ATT&CK Navigator layers for each group in ATT&CK
+ fix #14
Cyb3rWard0g committed Aug 21, 2020
1 parent ccde77b commit 710696d
Showing 103 changed files with 127 additions and 99 deletions.
37 changes: 25 additions & 12 deletions attackcti/attack_api.py
Expand Up @@ -239,23 +239,33 @@ def handle_list(list_object, object_type):
def remove_revoked(self, stix_objects, extract=False):
handle_revoked = list()
for obj in stix_objects:
if 'revoked' in obj.keys() and obj['revoked'] == True:
if 'revoked' in obj.keys():
if extract:
handle_revoked.append(obj)
if obj['revoked']:
handle_revoked.append(obj)
else:
continue
else:
continue
handle_revoked.append(obj)
if obj['revoked'] == False:
handle_revoked.append(obj)
else:
handle_revoked.append(obj)
return handle_revoked

def remove_deprecated(self, stix_objects, extract=False):
handle_deprecated = list()
for obj in stix_objects:
if 'x_mitre_deprecated' in obj.keys() and obj['x_mitre_deprecated'] == True:
if 'x_mitre_deprecated' in obj.keys():
if extract:
handle_deprecated.append(obj)
if obj['x_mitre_deprecated']:
handle_deprecated.append(obj)
else:
continue
else:
continue
handle_deprecated.append(obj)
if obj['x_mitre_deprecated'] == False:
handle_deprecated.append(obj)
else:
handle_deprecated.append(obj)
return handle_deprecated

# ******** Enterprise ATT&CK Technology Domain *******
Expand Down Expand Up @@ -667,11 +677,14 @@ def get_techniques_used_by_all_groups(self, stix_format=True):
for gt in group_techniques_ref:
for t in techniques:
if gt['technique_ref'] == t['id']:
if 'revoked' in t.keys():
gt['revoked'] = t['revoked']
tactic_list = list()
for phase in t['kill_chain_phases']:
tactic_list.append(phase['phase_name'])
if 'kill_chain_phases' in t.keys():
tactic_list = t['kill_chain_phases']
gt['technique'] = t['name']
gt['technique_description'] = t['description']
if 'description' in t.keys():
gt['technique_description'] = t['description']
gt['tactic'] = tactic_list
gt['technique_id'] = t['external_references'][0]['external_id']
gt['matrix'] = t['external_references'][0]['source_name']
Expand Down Expand Up @@ -887,7 +900,7 @@ def export_groups_navigator_layers(self):
"description": ("Enterprise techniques used by {0}, ATT&CK group {1} v1.0".format(k,v[0]['group_id'])),
"name": ("{0} ({1})".format(k,v[0]['group_id'])),
"domain": "mitre-enterprise",
"version": "2.2",
"version": "3.0",
"techniques": [
{
"score": 1,
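Review bot: The lines that appear on the new side of the second hunk, `if 'kill_chain_phases' in t.keys():` / `tactic_list = t['kill_chain_phases']`, store the raw phase dicts in `gt['tactic']`, whereas the removed loop collected only each `phase['phase_name']`, so any consumer that reads tactic names from `gt['tactic']` now receives dicts instead of strings. If that shape change is intended it should be stated in the function's docstring; otherwise keep the guard but preserve the names with `tactic_list = [phase['phase_name'] for phase in t['kill_chain_phases']]`. The new guard around `gt['technique_description']` also leaves that key absent when a technique has no description, which a consumer indexing the key will trip over; `gt['technique_description'] = t.get('description')` keeps the key present with `None`. The `'key' in t.keys()` tests here, and the same pattern in the `remove_revoked` / `remove_deprecated` hunk above, read more naturally as `'key' in t`, and both of those filter functions would benefit from a docstring stating that `extract=True` returns only the revoked/deprecated objects while the default returns only the live ones. get_techniques_used_by_all_groups starts and ends outside the hunk.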
1 change: 1 addition & 0 deletions export_examples/navigator/APT-C-36_G0099.json
@@ -0,0 +1 @@
{"description": "Enterprise techniques used by APT-C-36, ATT&CK group G0099 v1.0", "name": "APT-C-36 (G0099)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1105", "techniqueName": "Ingress Tool Transfer", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1059.005", "techniqueName": "Visual Basic", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has embedded a VBScript within a malicious Word document which is executed upon the document opening.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1036.004", "techniqueName": "Masquerade Task or Service", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1571", "techniqueName": "Non-Standard Port", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1204.002", "techniqueName": "Malicious File", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has prompted victims to accept macros in order to execute the subsequent payload.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1053.005", "techniqueName": "Scheduled Task", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used a macro function to set scheduled tasks, disguised as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used ConfuserEx to obfuscate its variant of [Imminent Monitor](https://attack.mitre.org/software/S0434), compressed payload and RAT 
packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1566.001", "techniqueName": "Spearphishing Attachment", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.(Citation: QiAnXin APT-C-36 Feb2019) "}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT-C-36", "color": "#ff6666"}]}
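--- a/export_examples/navigator/APT12_G0005.json
+++ b/export_examples/navigator/APT12_G0005.json
@@ -1 +1 @@
-{"description": "Enterprise techniques used by APT12, ATT&CK group G0005 v1.0", "name": "APT12 (G0005)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1102", "techniqueName": "Web Service", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has used blogs and WordPress for C2 infrastructure."}, {"score": 1, "techniqueID": "T1193", "techniqueName": "Spearphishing Attachment", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has sent emails with malicious Microsoft Office documents and PDFs attached."}, {"score": 1, "techniqueID": "T1203", "techniqueName": "Exploitation for Client Execution", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)."}, {"score": 1, "techniqueID": "T1204", "techniqueName": "User Execution", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT12", "color": "#ff6666"}]}
+{"description": "Enterprise techniques used by APT12, ATT&CK group G0005 v1.0", "name": "APT12 (G0005)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1568.003", "techniqueName": "DNS Calculation", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has used multiple variants of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.(Citation: Meyers Numbered Panda)"}, {"score": 1, "techniqueID": "T1102.002", "techniqueName": "Bidirectional Communication", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has used blogs and WordPress for C2 infrastructure.(Citation: Meyers Numbered Panda)"}, {"score": 1, "techniqueID": "T1566.001", "techniqueName": "Spearphishing Attachment", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has sent emails with malicious Microsoft Office documents and PDFs attached.(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)"}, {"score": 1, "techniqueID": "T1203", "techniqueName": "Exploitation for Client Execution", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)"}, {"score": 1, "techniqueID": "T1204.002", "techniqueName": "Malicious File", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT12", "color": "#ff6666"}]}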
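--- a/export_examples/navigator/APT16_G0023.json
+++ b/export_examples/navigator/APT16_G0023.json
@@ -1 +1 @@
-{"description": "Enterprise techniques used by APT16, ATT&CK group G0023 v1.0", "name": "APT16 (G0023)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1272", "techniqueName": "Identify business relationships", "comment": "[APT16](https://attack.mitre.org/groups/G0023) spearphished journalists, apparently targeting those interested in contact information for DPP members or politicians."}, {"score": 1, "techniqueID": "T1334", "techniqueName": "Compromise 3rd party infrastructure to support delivery", "comment": "[APT16](https://attack.mitre.org/groups/G0023) has compromised otherwise legitimate sites as staging servers for second-stage payloads."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT16", "color": "#ff6666"}]}
+{"description": "Enterprise techniques used by APT16, ATT&CK group G0023 v1.0", "name": "APT16 (G0023)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1334", "techniqueName": "Compromise 3rd party infrastructure to support delivery", "comment": "[APT16](https://attack.mitre.org/groups/G0023) has compromised otherwise legitimate sites as staging servers for second-stage payloads.(Citation: FireEye EPS Awakens Part 2)"}, {"score": 1, "techniqueID": "T1272", "techniqueName": "Identify business relationships", "comment": "[APT16](https://attack.mitre.org/groups/G0023) spearphished journalists, apparently targeting those interested in contact information for DPP members or politicians.(Citation: FireEye EPS Awakens Part 2)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT16", "color": "#ff6666"}]}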
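--- a/export_examples/navigator/APT17_G0025.json
+++ b/export_examples/navigator/APT17_G0025.json
@@ -1 +1 @@
-{"description": "Enterprise techniques used by APT17, ATT&CK group G0025 v1.0", "name": "APT17 (G0025)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1342", "techniqueName": "Develop social network persona digital footprint", "comment": "[APT17](https://attack.mitre.org/groups/G0025) created biographical sections on TechNet profile pages to appear more legitimate."}, {"score": 1, "techniqueID": "T1341", "techniqueName": "Build social network persona", "comment": "[APT17](https://attack.mitre.org/groups/G0025) posted in forum threads and created profile pages in Microsoft TechNet."}, {"score": 1, "techniqueID": "T1331", "techniqueName": "Obfuscate infrastructure", "comment": "[APT17](https://attack.mitre.org/groups/G0025) obfuscated infrastructure using a multi-layered malware beaconing approach."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT17", "color": "#ff6666"}]}
+{"description": "Enterprise techniques used by APT17, ATT&CK group G0025 v1.0", "name": "APT17 (G0025)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1342", "techniqueName": "Develop social network persona digital footprint", "comment": "[APT17](https://attack.mitre.org/groups/G0025) created biographical sections on TechNet profile pages to appear more legitimate.(Citation: FireEye APT17)"}, {"score": 1, "techniqueID": "T1331", "techniqueName": "Obfuscate infrastructure", "comment": "[APT17](https://attack.mitre.org/groups/G0025) obfuscated infrastructure using a multi-layered malware beaconing approach. (Citation: FireEye APT17)"}, {"score": 1, "techniqueID": "T1341", "techniqueName": "Build social network persona", "comment": "[APT17](https://attack.mitre.org/groups/G0025) posted in forum threads and created profile pages in Microsoft TechNet.(Citation: FireEye APT17)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT17", "color": "#ff6666"}]}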
2 changes: 1 addition & 1 deletion export_examples/navigator/APT18_G0026.json
@@ -1 +1 @@
{"description": "Enterprise techniques used by APT18, ATT&CK group G0026 v1.0", "name": "APT18 (G0026)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1060", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[APT18](https://attack.mitre.org/groups/G0026) establishes persistence via the <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> key."}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT18](https://attack.mitre.org/groups/G0026) obfuscates strings in the payload."}, {"score": 1, "techniqueID": "T1059", "techniqueName": "Command-Line Interface", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses cmd.exe to execute commands on the victim\u2019s machine."}, {"score": 1, "techniqueID": "T1105", "techniqueName": "Remote File Copy", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can upload a file to the victim\u2019s machine."}, {"score": 1, "techniqueID": "T1083", "techniqueName": "File and Directory Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can list files information for specific directories."}, {"score": 1, "techniqueID": "T1071", "techniqueName": "Standard Application Layer Protocol", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses HTTP and DNS for C2 communications."}, {"score": 1, "techniqueID": "T1082", "techniqueName": "System Information Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can collect system information from the victim\u2019s machine."}, {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses port 80 for C2 communications."}, {"score": 1, "techniqueID": "T1133", "techniqueName": "External Remote Services", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote 
services."}, {"score": 1, "techniqueID": "T1053", "techniqueName": "Scheduled Task", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors used the native [at](https://attack.mitre.org/software/S0110) Windows task scheduler tool to use scheduled tasks for execution on a victim network."}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote services."}, {"score": 1, "techniqueID": "T1107", "techniqueName": "File Deletion", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors deleted tools and batch files from victim systems."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT18", "color": "#ff6666"}]}
{"description": "Enterprise techniques used by APT18, ATT&CK group G0026 v1.0", "name": "APT18 (G0026)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1071.004", "techniqueName": "DNS", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses DNS for C2 communications.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1547.001", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[APT18](https://attack.mitre.org/groups/G0026) establishes persistence via the <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> key.(Citation: Anomali Evasive Maneuvers July 2015)(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT18](https://attack.mitre.org/groups/G0026) obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1059.003", "techniqueName": "Windows Command Shell", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses cmd.exe to execute commands on the victim\u2019s machine.(Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)"}, {"score": 1, "techniqueID": "T1105", "techniqueName": "Ingress Tool Transfer", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can upload a file to the victim\u2019s machine.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1083", "techniqueName": "File and Directory Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can list files information for specific directories.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1071.001", "techniqueName": "Web Protocols", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses HTTP for C2 communications.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1082", "techniqueName": "System 
Information Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can collect system information from the victim\u2019s machine.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses port 80 for C2 communications.(Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)"}, {"score": 1, "techniqueID": "T1133", "techniqueName": "External Remote Services", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect and Respond Adair)"}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect and Respond Adair)"}, {"score": 1, "techniqueID": "T1053.002", "techniqueName": "At (Windows)", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors used the native [at](https://attack.mitre.org/software/S0110) Windows task scheduler tool to use scheduled tasks for execution on a victim network.(Citation: Dell Lateral Movement)"}, {"score": 1, "techniqueID": "T1070.004", "techniqueName": "File Deletion", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors deleted tools and batch files from victim systems.(Citation: Dell Lateral Movement)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT18", "color": "#ff6666"}]}
