Commit
+ Python Library version to 0.3.3 + Updated Revoked function + New Function remove_deprecated + Updated ATT&CK Navigator Version to 3.0 + updated export samples for attack navigator layers for each GROUP in ATT&CK + fix #14
1 parent ccde77b, commit 710696d
Showing 103 changed files with 127 additions and 99 deletions.
@@ -0,0 +1 @@ | ||
{"description": "Enterprise techniques used by APT-C-36, ATT&CK group G0099 v1.0", "name": "APT-C-36 (G0099)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1105", "techniqueName": "Ingress Tool Transfer", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1059.005", "techniqueName": "Visual Basic", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has embedded a VBScript within a malicious Word document which is executed upon the document opening.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1036.004", "techniqueName": "Masquerade Task or Service", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1571", "techniqueName": "Non-Standard Port", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1204.002", "techniqueName": "Malicious File", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has prompted victims to accept macros in order to execute the subsequent payload.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1053.005", "techniqueName": "Scheduled Task", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used a macro function to set scheduled tasks, disguised as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used ConfuserEx to obfuscate its variant of [Imminent Monitor](https://attack.mitre.org/software/S0434), compressed payload and RAT 
packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019)"}, {"score": 1, "techniqueID": "T1566.001", "techniqueName": "Spearphishing Attachment", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.(Citation: QiAnXin APT-C-36 Feb2019) "}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT-C-36", "color": "#ff6666"}]} |
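Review bot: the comment strings carry the raw STIX citation markers verbatim, e.g. `(Citation: QiAnXin APT-C-36 Feb2019)`, and the last technique's comment ends with a trailing space before the closing quote (`...email gateway.(Citation: QiAnXin APT-C-36 Feb2019) "`). Navigator displays the comment as-is in the technique tooltip, so the marker is visible noise and the unresolved reference tells the reader nothing; either resolve the marker against the relationship's external references to a source name and URL, or strip it, and `.strip()` each comment before serialising so whitespace from the source description does not leak into the layer.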
@@ -1 +1 @@ | ||
{"description": "Enterprise techniques used by APT12, ATT&CK group G0005 v1.0", "name": "APT12 (G0005)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1102", "techniqueName": "Web Service", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has used blogs and WordPress for C2 infrastructure."}, {"score": 1, "techniqueID": "T1193", "techniqueName": "Spearphishing Attachment", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has sent emails with malicious Microsoft Office documents and PDFs attached."}, {"score": 1, "techniqueID": "T1203", "techniqueName": "Exploitation for Client Execution", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)."}, {"score": 1, "techniqueID": "T1204", "techniqueName": "User Execution", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT12", "color": "#ff6666"}]} | ||
{"description": "Enterprise techniques used by APT12, ATT&CK group G0005 v1.0", "name": "APT12 (G0005)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1568.003", "techniqueName": "DNS Calculation", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has used multiple variants of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.(Citation: Meyers Numbered Panda)"}, {"score": 1, "techniqueID": "T1102.002", "techniqueName": "Bidirectional Communication", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has used blogs and WordPress for C2 infrastructure.(Citation: Meyers Numbered Panda)"}, {"score": 1, "techniqueID": "T1566.001", "techniqueName": "Spearphishing Attachment", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has sent emails with malicious Microsoft Office documents and PDFs attached.(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)"}, {"score": 1, "techniqueID": "T1203", "techniqueName": "Exploitation for Client Execution", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)"}, {"score": 1, "techniqueID": "T1204.002", "techniqueName": "Malicious File", "comment": "[APT12](https://attack.mitre.org/groups/G0005) has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT12", "color": "#ff6666"}]} |
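Review bot: the `description` still reads `ATT&CK group G0005 v1.0` while `version` moves from `2.2` to `3.0`, and nothing in the layer says which number is which. Since `version` is the Navigator layer-format version and `v1.0` is apparently the version of the group object, label the description explicitly (for example `ATT&CK group G0005 (object version 1.0)`) or document the distinction in the exporter, otherwise a reader will take the layer to be pinned to some ATT&CK content version 1.0. The content update itself is sound: the old T1193, T1204 and T1102 entries now use the sub-technique IDs T1566.001, T1204.002 and T1102.002, and the new T1568.003 entry carries its citation.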
@@ -1 +1 @@ | ||
{"description": "Enterprise techniques used by APT16, ATT&CK group G0023 v1.0", "name": "APT16 (G0023)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1272", "techniqueName": "Identify business relationships", "comment": "[APT16](https://attack.mitre.org/groups/G0023) spearphished journalists, apparently targeting those interested in contact information for DPP members or politicians."}, {"score": 1, "techniqueID": "T1334", "techniqueName": "Compromise 3rd party infrastructure to support delivery", "comment": "[APT16](https://attack.mitre.org/groups/G0023) has compromised otherwise legitimate sites as staging servers for second-stage payloads."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT16", "color": "#ff6666"}]} | ||
{"description": "Enterprise techniques used by APT16, ATT&CK group G0023 v1.0", "name": "APT16 (G0023)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1334", "techniqueName": "Compromise 3rd party infrastructure to support delivery", "comment": "[APT16](https://attack.mitre.org/groups/G0023) has compromised otherwise legitimate sites as staging servers for second-stage payloads.(Citation: FireEye EPS Awakens Part 2)"}, {"score": 1, "techniqueID": "T1272", "techniqueName": "Identify business relationships", "comment": "[APT16](https://attack.mitre.org/groups/G0023) spearphished journalists, apparently targeting those interested in contact information for DPP members or politicians.(Citation: FireEye EPS Awakens Part 2)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT16", "color": "#ff6666"}]} |
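Review bot: both techniques in this layer, T1272 (Identify business relationships) and T1334 (Compromise 3rd party infrastructure to support delivery), are PRE-ATT&CK technique IDs, yet the layer declares `"domain": "mitre-enterprise"`; the enterprise Navigator matrix has no cells for these IDs, so the layer renders as empty. The export should filter the group's techniques by each technique's own domain rather than by the requested domain, and either drop the PRE-ATT&CK entries from the enterprise sample or emit them in a separate PRE-ATT&CK layer. As written, the only effective change in this hunk is the `version` bump and the added citation markers.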
@@ -1 +1 @@ | ||
{"description": "Enterprise techniques used by APT17, ATT&CK group G0025 v1.0", "name": "APT17 (G0025)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1342", "techniqueName": "Develop social network persona digital footprint", "comment": "[APT17](https://attack.mitre.org/groups/G0025) created biographical sections on TechNet profile pages to appear more legitimate."}, {"score": 1, "techniqueID": "T1341", "techniqueName": "Build social network persona", "comment": "[APT17](https://attack.mitre.org/groups/G0025) posted in forum threads and created profile pages in Microsoft TechNet."}, {"score": 1, "techniqueID": "T1331", "techniqueName": "Obfuscate infrastructure", "comment": "[APT17](https://attack.mitre.org/groups/G0025) obfuscated infrastructure using a multi-layered malware beaconing approach."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT17", "color": "#ff6666"}]} | ||
{"description": "Enterprise techniques used by APT17, ATT&CK group G0025 v1.0", "name": "APT17 (G0025)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1342", "techniqueName": "Develop social network persona digital footprint", "comment": "[APT17](https://attack.mitre.org/groups/G0025) created biographical sections on TechNet profile pages to appear more legitimate.(Citation: FireEye APT17)"}, {"score": 1, "techniqueID": "T1331", "techniqueName": "Obfuscate infrastructure", "comment": "[APT17](https://attack.mitre.org/groups/G0025) obfuscated infrastructure using a multi-layered malware beaconing approach. (Citation: FireEye APT17)"}, {"score": 1, "techniqueID": "T1341", "techniqueName": "Build social network persona", "comment": "[APT17](https://attack.mitre.org/groups/G0025) posted in forum threads and created profile pages in Microsoft TechNet.(Citation: FireEye APT17)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT17", "color": "#ff6666"}]} |
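Review bot: the technique order differs between the old and new line (T1342, T1341, T1331 became T1342, T1331, T1341) although the set is identical, so the entire line shows as changed and the real edits (the `version` bump and the added `(Citation: FireEye APT17)` markers) are hard to pick out of the diff. Sort `techniques` by `techniqueID` before `json.dump` so regenerated samples yield minimal diffs. The T1331 comment also has a space before its citation marker (`approach. (Citation: FireEye APT17)`) where the other two do not; normalising comment whitespace in the exporter would keep the samples consistent.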
@@ -1 +1 @@ | ||
{"description": "Enterprise techniques used by APT18, ATT&CK group G0026 v1.0", "name": "APT18 (G0026)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1060", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[APT18](https://attack.mitre.org/groups/G0026) establishes persistence via the <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> key."}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT18](https://attack.mitre.org/groups/G0026) obfuscates strings in the payload."}, {"score": 1, "techniqueID": "T1059", "techniqueName": "Command-Line Interface", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses cmd.exe to execute commands on the victim\u2019s machine."}, {"score": 1, "techniqueID": "T1105", "techniqueName": "Remote File Copy", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can upload a file to the victim\u2019s machine."}, {"score": 1, "techniqueID": "T1083", "techniqueName": "File and Directory Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can list files information for specific directories."}, {"score": 1, "techniqueID": "T1071", "techniqueName": "Standard Application Layer Protocol", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses HTTP and DNS for C2 communications."}, {"score": 1, "techniqueID": "T1082", "techniqueName": "System Information Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can collect system information from the victim\u2019s machine."}, {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses port 80 for C2 communications."}, {"score": 1, "techniqueID": "T1133", "techniqueName": "External Remote Services", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote 
services."}, {"score": 1, "techniqueID": "T1053", "techniqueName": "Scheduled Task", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors used the native [at](https://attack.mitre.org/software/S0110) Windows task scheduler tool to use scheduled tasks for execution on a victim network."}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote services."}, {"score": 1, "techniqueID": "T1107", "techniqueName": "File Deletion", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors deleted tools and batch files from victim systems."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT18", "color": "#ff6666"}]} | ||
{"description": "Enterprise techniques used by APT18, ATT&CK group G0026 v1.0", "name": "APT18 (G0026)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1071.004", "techniqueName": "DNS", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses DNS for C2 communications.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1547.001", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[APT18](https://attack.mitre.org/groups/G0026) establishes persistence via the <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> key.(Citation: Anomali Evasive Maneuvers July 2015)(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT18](https://attack.mitre.org/groups/G0026) obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1059.003", "techniqueName": "Windows Command Shell", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses cmd.exe to execute commands on the victim\u2019s machine.(Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)"}, {"score": 1, "techniqueID": "T1105", "techniqueName": "Ingress Tool Transfer", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can upload a file to the victim\u2019s machine.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1083", "techniqueName": "File and Directory Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can list files information for specific directories.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1071.001", "techniqueName": "Web Protocols", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses HTTP for C2 communications.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1082", "techniqueName": "System 
Information Discovery", "comment": "[APT18](https://attack.mitre.org/groups/G0026) can collect system information from the victim\u2019s machine.(Citation: PaloAlto DNS Requests May 2016)"}, {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port", "comment": "[APT18](https://attack.mitre.org/groups/G0026) uses port 80 for C2 communications.(Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)"}, {"score": 1, "techniqueID": "T1133", "techniqueName": "External Remote Services", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect and Respond Adair)"}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect and Respond Adair)"}, {"score": 1, "techniqueID": "T1053.002", "techniqueName": "At (Windows)", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors used the native [at](https://attack.mitre.org/software/S0110) Windows task scheduler tool to use scheduled tasks for execution on a victim network.(Citation: Dell Lateral Movement)"}, {"score": 1, "techniqueID": "T1070.004", "techniqueName": "File Deletion", "comment": "[APT18](https://attack.mitre.org/groups/G0026) actors deleted tools and batch files from victim systems.(Citation: Dell Lateral Movement)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT18", "color": "#ff6666"}]} |
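Review bot: T1043 (Commonly Used Port) is still emitted in this v3.0 layer even though it was deprecated in the same ATT&CK release that introduced the sub-technique IDs the layer now uses (T1071.001, T1071.004, T1547.001, T1059.003, T1053.002, T1070.004); the commit message adds a `remove_deprecated` function, but the exported sample evidently did not pass through it. Run the group's technique list through `remove_deprecated` and the updated revoked filter before building the layer, and have the sample-regeneration script fail on any deprecated or revoked ID rather than writing it into the JSON. The split of the old T1071 "HTTP and DNS" entry into separate T1071.001 and T1071.004 entries with their own comments and citations is correct.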