Merge pull request #1503 from guardicore/629/ship-db-with-attack-mitigations

Ship database with attack mitigations

.gitmodules

@@ -1,6 +1,3 @@
-[submodule "monkey/monkey_island/cc/services/attack/attack_data"]
-	path = monkey/monkey_island/cc/services/attack/attack_data
-	url = https://github.com/guardicore/cti
 [submodule "docs/themes/learn"]
 	path = docs/themes/learn
 	url = https://github.com/guardicode/hugo-theme-learn.git

deployment_scripts/dump_attack_mitigations/attack_mitigations.py

@@ -0,0 +1,65 @@
+from typing import Dict
+
+from mongoengine import Document, EmbeddedDocument, EmbeddedDocumentField, ListField, StringField
+from stix2 import AttackPattern, CourseOfAction
+
+
+class Mitigation(EmbeddedDocument):
+    name = StringField(required=True)
+    description = StringField(required=True)
+    url = StringField()
+
+    @staticmethod
+    def get_from_stix2_data(mitigation: CourseOfAction):
+        name = mitigation["name"]
+        description = mitigation["description"]
+        url = get_stix2_external_reference_url(mitigation)
+        return Mitigation(name=name, description=description, url=url)
+
+
+class AttackMitigations(Document):
+    technique_id = StringField(required=True, primary_key=True)
+    mitigations = ListField(EmbeddedDocumentField("Mitigation"))
+
+    def add_mitigation(self, mitigation: CourseOfAction):
+        mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
+        if mitigation_external_ref_id.startswith("M"):
+            self.mitigations.append(Mitigation.get_from_stix2_data(mitigation))
+
+    def add_no_mitigations_info(self, mitigation: CourseOfAction):
+        mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
+        if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0:
+            mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation)
+            mitigation_mongo_object["description"] = mitigation_mongo_object[
+                "description"
+            ].splitlines()[0]
+            mitigation_mongo_object["url"] = ""
+            self.mitigations.append(mitigation_mongo_object)
+
+    @staticmethod
+    def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]):
+        return {
+            key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern)
+            for key, attack_pattern in stix2_dict.items()
+        }
+
+    @staticmethod
+    def mitigations_from_attack_pattern(attack_pattern: AttackPattern):
+        return AttackMitigations(
+            technique_id=get_stix2_external_reference_id(attack_pattern),
+            mitigations=[],
+        )
+
+
+def get_stix2_external_reference_url(stix2_data) -> str:
+    for reference in stix2_data["external_references"]:
+        if "url" in reference:
+            return reference["url"]
+    return ""
+
+
+def get_stix2_external_reference_id(stix2_data) -> str:
+    for reference in stix2_data["external_references"]:
+        if reference["source_name"] == "mitre-attack" and "external_id" in reference:
+            return reference["external_id"]
+    return ""

deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py

@@ -0,0 +1,184 @@
+import argparse
+import json
+import subprocess
+import time
+from pathlib import Path
+from typing import Dict, List
+
+import mongoengine
+import pymongo
+from attack_mitigations import AttackMitigations
+from bson import json_util
+from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter
+
+COLLECTION_NAME = "attack_mitigations"
+
+
+def main():
+    args = parse_args()
+
+    set_default_mongo_connection(args.database_name, args.mongo_host, args.mongo_port)
+
+    mongo_client = pymongo.MongoClient(host=args.mongo_host, port=args.mongo_port)
+    database = mongo_client.get_database(args.database_name)
+
+    clean_collection(database)
+    populate_attack_mitigations(database, Path(args.cti_repo))
+    dump_attack_mitigations(database, Path(args.cti_repo), Path(args.dump_file_path))
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(
+        description="Export attack mitigations from a database",
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+    )
+    parser.add_argument(
+        "--mongo_host", default="localhost", help="URL for mongo database.", required=False
+    )
+    parser.add_argument(
+        "--mongo-port",
+        action="store",
+        default=27017,
+        type=int,
+        help="Port for mongo database.",
+        required=False,
+    )
+    parser.add_argument(
+        "--database-name",
+        action="store",
+        default="monkeyisland",
+        help="Database name inside of mongo.",
+        required=False,
+    )
+    parser.add_argument(
+        "--cti-repo",
+        action="store",
+        default="attack_mitigations",
+        help="The path to the Cyber Threat Intelligence Repository.",
+        required=True,
+    )
+    parser.add_argument(
+        "--dump-file-path",
+        action="store",
+        default="./attack_mitigations.json",
+        help="A file path where the database dump will be saved.",
+        required=False,
+    )
+
+    return parser.parse_args()
+
+
+def set_default_mongo_connection(database_name: str, host: str, port: int):
+    mongoengine.connect(db=database_name, host=host, port=port)
+
+
+def clean_collection(database: pymongo.database.Database):
+    if collection_exists(database, COLLECTION_NAME):
+        database.drop_collection(COLLECTION_NAME)
+
+
+def collection_exists(database: pymongo.database.Database, collection_name: str) -> bool:
+    return collection_name in database.list_collection_names()
+
+
+def populate_attack_mitigations(database: pymongo.database.Database, cti_repo: Path):
+    database.create_collection(COLLECTION_NAME)
+    attack_data_path = cti_repo / "enterprise-attack"
+
+    stix2_mitigations = get_all_mitigations(attack_data_path)
+    mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns(
+        get_all_attack_techniques(attack_data_path)
+    )
+    mitigation_technique_relationships = get_technique_and_mitigation_relationships(
+        attack_data_path
+    )
+    for relationship in mitigation_technique_relationships:
+        mongo_mitigations[relationship["target_ref"]].add_mitigation(
+            stix2_mitigations[relationship["source_ref"]]
+        )
+    for relationship in mitigation_technique_relationships:
+        mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info(
+            stix2_mitigations[relationship["source_ref"]]
+        )
+    for key, mongo_object in mongo_mitigations.items():
+        mongo_object.save()
+
+
+def get_all_mitigations(attack_data_path: Path) -> Dict[str, CourseOfAction]:
+    file_system = FileSystemSource(attack_data_path)
+    mitigation_filter = [Filter("type", "=", "course-of-action")]
+    all_mitigations = file_system.query(mitigation_filter)
+    all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations}
+    return all_mitigations
+
+
+def get_all_attack_techniques(attack_data_path: Path) -> Dict[str, AttackPattern]:
+    file_system = FileSystemSource(attack_data_path)
+    technique_filter = [Filter("type", "=", "attack-pattern")]
+    all_techniques = file_system.query(technique_filter)
+    all_techniques = {technique["id"]: technique for technique in all_techniques}
+    return all_techniques
+
+
+def get_technique_and_mitigation_relationships(attack_data_path: Path) -> List[CourseOfAction]:
+    file_system = FileSystemSource(attack_data_path)
+    technique_filter = [
+        Filter("type", "=", "relationship"),
+        Filter("relationship_type", "=", "mitigates"),
+    ]
+    all_techniques = file_system.query(technique_filter)
+    return all_techniques
+
+
+def dump_attack_mitigations(
+    database: pymongo.database.Database, cti_repo: Path, dump_file_path: Path
+):
+    if not collection_exists(database, COLLECTION_NAME):
+        raise Exception(f"Could not find collection: {COLLECTION_NAME}")
+
+    metadata = get_metadata(cti_repo)
+    data = get_data_from_database(database)
+
+    json_output = f'{{"metadata":{json.dumps(metadata)},"data":{json_util.dumps(data)}}}'
+
+    with open(dump_file_path, "wb") as jsonfile:
+        jsonfile.write(json_output.encode())
+
+
+def get_metadata(cti_repo: Path) -> dict:
+    timestamp = str(time.time())
+    commit_hash = get_commit_hash(cti_repo)
+    origin_url = get_origin_url(cti_repo)
+
+    return {"timestamp": timestamp, "commit_hash": commit_hash, "origin_url": origin_url}
+
+
+def get_commit_hash(cti_repo: Path) -> str:
+    return run_command(["git", "rev-parse", "--short", "HEAD"], cti_repo).strip()
+
+
+def get_origin_url(cti_repo: Path) -> str:
+    return run_command(["git", "remote", "get-url", "origin"], cti_repo).strip()
+
+
+def run_command(cmd: List, cwd: Path = None) -> str:
+    cp = subprocess.run(cmd, capture_output=True, cwd=cwd, encoding="utf-8")
+
+    if cp.returncode != 0:
+        raise Exception(
+            f"Error running command -- Command: {cmd} -- Return Code: {cp.returncode} -- stderr: "
+            f"{cp.stderr}"
+        )
+
+    return cp.stdout
+
+
+def get_data_from_database(database: pymongo.database.Database) -> pymongo.cursor.Cursor:
+    collection = database.get_collection(COLLECTION_NAME)
+    collection_contents = collection.find()
+
+    return collection_contents
+
+
+if __name__ == "__main__":
+    main()

deployment_scripts/dump_attack_mitigations/requirements.txt

@@ -0,0 +1,13 @@
+antlr4-python3-runtime==4.8
+certifi==2021.5.30
+charset-normalizer==2.0.6
+idna==3.2
+mongoengine==0.23.1
+pymongo==3.12.0
+pytz==2021.1
+requests==2.26.0
+simplejson==3.17.5
+six==1.16.0
+stix2==3.0.1
+stix2-patterns==1.3.2
+urllib3==1.26.7

docs/content/development/attack_mitigations.md

@@ -0,0 +1,39 @@
+---
+title: "MITRE ATT&CK Mitigations"
+date: 2021-09-30T08:18:37+03:00
+draft: true
+weight: 10
+---
+
+{{% notice info %}}
+Check out [the documentation for the MITRE ATT&CK techniques as well]({{< ref "/reports/mitre" >}}).
+{{% /notice %}}
+
+## Summary
+
+Attack Mitigations are presented in MITRE ATT&CK report. They appear next to
+descriptions of attack techniques and suggest steps that can be taken to reduce
+the risk of that particular technique being successful in a network. They also
+provide links for further reading on https://attack.mitre.org/
+
+The Infection Monkey is shipped with pre-processed information about MITRE
+ATT&CK mitigations located at
+`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. This may need to
+be periodically updated as the MITRE ATT&CK framework evolves.
+
+
+## Updating the MITRE ATT&CK mitigations data
+1. Clone the [MITRE Cyber Threat Intelligence
+   Repository](https://github.com/mitre/cti) or the [Guardicore
+   fork](https://github.com/guardicore/cti):
+   ```
+   $ CTI_REPO=$PWD/cti
+   $ git clone <REPO> $CTI_REPO
+   ```
+2. Start a MongoDB v4.2 server.
+3. Run the script to generate the `attack_mitigations.json` file:
+   ```
+   $ cd monkey/deployment_scripts/dump_attack_mitigations
+   $ pip install -r requirements.txt
+   $ python dump_attack_mitigations.py --cti-repo $CTI_REPO --dump-file-path ../../monkey/monkey_island/cc/setup/mongo/attack_mitigations.json
+   ```

monkey/monkey_island/Pipfile

@@ -20,7 +20,6 @@ pycryptodome = "==3.9.8"
 python-dateutil = "<3.0.0,>=2.1"
 requests = ">=2.24"
 ring = ">=0.7.3"
-stix2 = ">=2.0.2"
 six = ">=1.13.0"
 tqdm = ">=4.47"
 Flask-JWT-Extended = "==4.*"

monkey/monkey_island/Pipfile.lock

@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "9857728597cb9daa816ac6e5cf7a86ae1c86c8e56c68d8d0551f57845124a562"
+            "sha256": "8d64d81ac872383366db0e261649783cc60ee03cbaf7d41ae27239bdc4300a91"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -30,13 +30,6 @@
             ],
             "version": "==9.0.1"
         },
-        "antlr4-python3-runtime": {
-            "hashes": [
-                "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33"
-            ],
-            "markers": "python_version >= '3'",
-            "version": "==4.8"
-        },
         "asyncio-throttle": {
             "hashes": [
                 "sha256:a01a56f3671e961253cf262918f3e0741e222fc50d57d981ba5c801f284eccfe"
@@ -192,7 +185,7 @@
                 "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
                 "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+            "markers": "platform_system == 'Windows' and sys_platform == 'win32' and platform_system == 'Windows'",
             "version": "==0.4.3"
         },
         "coloredlogs": {
@@ -204,28 +197,29 @@
         },
         "cryptography": {
             "hashes": [
-                "sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e",
-                "sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b",
-                "sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7",
-                "sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085",
-                "sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc",
-                "sha256:3c4129fc3fdc0fa8e40861b5ac0c673315b3c902bbdc05fc176764815b43dd1d",
-                "sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a",
-                "sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498",
-                "sha256:695104a9223a7239d155d7627ad912953b540929ef97ae0c34c7b8bf30857e89",
-                "sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9",
-                "sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c",
-                "sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7",
-                "sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb",
-                "sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14",
-                "sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af",
-                "sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e",
-                "sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5",
-                "sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06",
-                "sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7"
+                "sha256:07bb7fbfb5de0980590ddfc7f13081520def06dc9ed214000ad4372fb4e3c7f6",
+                "sha256:18d90f4711bf63e2fb21e8c8e51ed8189438e6b35a6d996201ebd98a26abbbe6",
+                "sha256:1ed82abf16df40a60942a8c211251ae72858b25b7421ce2497c2eb7a1cee817c",
+                "sha256:22a38e96118a4ce3b97509443feace1d1011d0571fae81fc3ad35f25ba3ea999",
+                "sha256:2d69645f535f4b2c722cfb07a8eab916265545b3475fdb34e0be2f4ee8b0b15e",
+                "sha256:4a2d0e0acc20ede0f06ef7aa58546eee96d2592c00f450c9acb89c5879b61992",
+                "sha256:54b2605e5475944e2213258e0ab8696f4f357a31371e538ef21e8d61c843c28d",
+                "sha256:7075b304cd567694dc692ffc9747f3e9cb393cc4aa4fb7b9f3abd6f5c4e43588",
+                "sha256:7b7ceeff114c31f285528ba8b390d3e9cfa2da17b56f11d366769a807f17cbaa",
+                "sha256:7eba2cebca600a7806b893cb1d541a6e910afa87e97acf2021a22b32da1df52d",
+                "sha256:928185a6d1ccdb816e883f56ebe92e975a262d31cc536429041921f8cb5a62fd",
+                "sha256:9933f28f70d0517686bd7de36166dda42094eac49415459d9bdf5e7df3e0086d",
+                "sha256:a688ebcd08250eab5bb5bca318cc05a8c66de5e4171a65ca51db6bd753ff8953",
+                "sha256:abb5a361d2585bb95012a19ed9b2c8f412c5d723a9836418fab7aaa0243e67d2",
+                "sha256:c10c797ac89c746e488d2ee92bd4abd593615694ee17b2500578b63cad6b93a8",
+                "sha256:ced40344e811d6abba00295ced98c01aecf0c2de39481792d87af4fa58b7b4d6",
+                "sha256:d57e0cdc1b44b6cdf8af1d01807db06886f10177469312fbde8f44ccbb284bc9",
+                "sha256:d99915d6ab265c22873f1b4d6ea5ef462ef797b4140be4c9d8b179915e0985c6",
+                "sha256:eb80e8a1f91e4b7ef8b33041591e6d89b2b8e122d787e87eeb2b08da71bb16ad",
+                "sha256:ebeddd119f526bcf323a89f853afb12e225902a24d29b55fe18dd6fcb2838a76"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==3.4.8"
+            "version": "==35.0.0"
         },
         "docutils": {
             "hashes": [
@@ -276,6 +270,13 @@
             "index": "pypi",
             "version": "==0.3.9"
         },
+        "future": {
+            "hashes": [
+                "sha256:b1bead90b70cf6ec3f0710ae53a525360fa360d306a86583adc6bf83a4db537d"
+            ],
+            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "version": "==0.18.2"
+        },
         "gevent": {
             "hashes": [
                 "sha256:02d1e8ca227d0ab0b7917fd7e411f9a534475e0a41fb6f434e9264b20155201a",
@@ -310,59 +311,59 @@
         },
         "greenlet": {
             "hashes": [
-                "sha256:04e1849c88aa56584d4a0a6e36af5ec7cc37993fdc1fda72b56aa1394a92ded3",
-                "sha256:05e72db813c28906cdc59bd0da7c325d9b82aa0b0543014059c34c8c4ad20e16",
-                "sha256:07e6d88242e09b399682b39f8dfa1e7e6eca66b305de1ff74ed9eb1a7d8e539c",
-                "sha256:090126004c8ab9cd0787e2acf63d79e80ab41a18f57d6448225bbfcba475034f",
-                "sha256:1796f2c283faab2b71c67e9b9aefb3f201fdfbee5cb55001f5ffce9125f63a45",
-                "sha256:2f89d74b4f423e756a018832cd7a0a571e0a31b9ca59323b77ce5f15a437629b",
-                "sha256:34e6675167a238bede724ee60fe0550709e95adaff6a36bcc97006c365290384",
-                "sha256:3e594015a2349ec6dcceda9aca29da8dc89e85b56825b7d1f138a3f6bb79dd4c",
-                "sha256:3f8fc59bc5d64fa41f58b0029794f474223693fd00016b29f4e176b3ee2cfd9f",
-                "sha256:3fc6a447735749d651d8919da49aab03c434a300e9f0af1c886d560405840fd1",
-                "sha256:40abb7fec4f6294225d2b5464bb6d9552050ded14a7516588d6f010e7e366dcc",
-                "sha256:44556302c0ab376e37939fd0058e1f0db2e769580d340fb03b01678d1ff25f68",
-                "sha256:476ba9435afaead4382fbab8f1882f75e3fb2285c35c9285abb3dd30237f9142",
-                "sha256:4870b018ca685ff573edd56b93f00a122f279640732bb52ce3a62b73ee5c4a92",
-                "sha256:4adaf53ace289ced90797d92d767d37e7cdc29f13bd3830c3f0a561277a4ae83",
-                "sha256:4eae94de9924bbb4d24960185363e614b1b62ff797c23dc3c8a7c75bbb8d187e",
-                "sha256:5317701c7ce167205c0569c10abc4bd01c7f4cf93f642c39f2ce975fa9b78a3c",
-                "sha256:5c3b735ccf8fc8048664ee415f8af5a3a018cc92010a0d7195395059b4b39b7d",
-                "sha256:5cde7ee190196cbdc078511f4df0be367af85636b84d8be32230f4871b960687",
-                "sha256:655ab836324a473d4cd8cf231a2d6f283ed71ed77037679da554e38e606a7117",
-                "sha256:6ce9d0784c3c79f3e5c5c9c9517bbb6c7e8aa12372a5ea95197b8a99402aa0e6",
-                "sha256:6e0696525500bc8aa12eae654095d2260db4dc95d5c35af2b486eae1bf914ccd",
-                "sha256:75ff270fd05125dce3303e9216ccddc541a9e072d4fc764a9276d44dee87242b",
-                "sha256:8039f5fe8030c43cd1732d9a234fdcbf4916fcc32e21745ca62e75023e4d4649",
-                "sha256:84488516639c3c5e5c0e52f311fff94ebc45b56788c2a3bfe9cf8e75670f4de3",
-                "sha256:84782c80a433d87530ae3f4b9ed58d4a57317d9918dfcc6a59115fa2d8731f2c",
-                "sha256:8ddb38fb6ad96c2ef7468ff73ba5c6876b63b664eebb2c919c224261ae5e8378",
-                "sha256:98b491976ed656be9445b79bc57ed21decf08a01aaaf5fdabf07c98c108111f6",
-                "sha256:990e0f5e64bcbc6bdbd03774ecb72496224d13b664aa03afd1f9b171a3269272",
-                "sha256:9b02e6039eafd75e029d8c58b7b1f3e450ca563ef1fe21c7e3e40b9936c8d03e",
-                "sha256:a11b6199a0b9dc868990456a2667167d0ba096c5224f6258e452bfbe5a9742c5",
-                "sha256:a414f8e14aa7bacfe1578f17c11d977e637d25383b6210587c29210af995ef04",
-                "sha256:a91ee268f059583176c2c8b012a9fce7e49ca6b333a12bbc2dd01fc1a9783885",
-                "sha256:ac991947ca6533ada4ce7095f0e28fe25d5b2f3266ad5b983ed4201e61596acf",
-                "sha256:b050dbb96216db273b56f0e5960959c2b4cb679fe1e58a0c3906fa0a60c00662",
-                "sha256:b97a807437b81f90f85022a9dcfd527deea38368a3979ccb49d93c9198b2c722",
-                "sha256:bad269e442f1b7ffa3fa8820b3c3aa66f02a9f9455b5ba2db5a6f9eea96f56de",
-                "sha256:bf3725d79b1ceb19e83fb1aed44095518c0fcff88fba06a76c0891cfd1f36837",
-                "sha256:c0f22774cd8294078bdf7392ac73cf00bfa1e5e0ed644bd064fdabc5f2a2f481",
-                "sha256:c1862f9f1031b1dee3ff00f1027fcd098ffc82120f43041fe67804b464bbd8a7",
-                "sha256:c8d4ed48eed7414ccb2aaaecbc733ed2a84c299714eae3f0f48db085342d5629",
-                "sha256:cf31e894dabb077a35bbe6963285d4515a387ff657bd25b0530c7168e48f167f",
-                "sha256:d15cb6f8706678dc47fb4e4f8b339937b04eda48a0af1cca95f180db552e7663",
-                "sha256:dfcb5a4056e161307d103bc013478892cfd919f1262c2bb8703220adcb986362",
-                "sha256:e02780da03f84a671bb4205c5968c120f18df081236d7b5462b380fd4f0b497b",
-                "sha256:e2002a59453858c7f3404690ae80f10c924a39f45f6095f18a985a1234c37334",
-                "sha256:e22a82d2b416d9227a500c6860cf13e74060cf10e7daf6695cbf4e6a94e0eee4",
-                "sha256:e41f72f225192d5d4df81dad2974a8943b0f2d664a2a5cfccdf5a01506f5523c",
-                "sha256:f253dad38605486a4590f9368ecbace95865fea0f2b66615d121ac91fd1a1563",
-                "sha256:fddfb31aa2ac550b938d952bca8a87f1db0f8dc930ffa14ce05b5c08d27e7fd1"
+                "sha256:00e44c8afdbe5467e4f7b5851be223be68adb4272f44696ee71fe46b7036a711",
+                "sha256:013d61294b6cd8fe3242932c1c5e36e5d1db2c8afb58606c5a67efce62c1f5fd",
+                "sha256:049fe7579230e44daef03a259faa24511d10ebfa44f69411d99e6a184fe68073",
+                "sha256:14d4f3cd4e8b524ae9b8aa567858beed70c392fdec26dbdb0a8a418392e71708",
+                "sha256:166eac03e48784a6a6e0e5f041cfebb1ab400b394db188c48b3a84737f505b67",
+                "sha256:17ff94e7a83aa8671a25bf5b59326ec26da379ace2ebc4411d690d80a7fbcf23",
+                "sha256:1e12bdc622676ce47ae9abbf455c189e442afdde8818d9da983085df6312e7a1",
+                "sha256:21915eb821a6b3d9d8eefdaf57d6c345b970ad722f856cd71739493ce003ad08",
+                "sha256:288c6a76705dc54fba69fbcb59904ae4ad768b4c768839b8ca5fdadec6dd8cfd",
+                "sha256:32ca72bbc673adbcfecb935bb3fb1b74e663d10a4b241aaa2f5a75fe1d1f90aa",
+                "sha256:356b3576ad078c89a6107caa9c50cc14e98e3a6c4874a37c3e0273e4baf33de8",
+                "sha256:40b951f601af999a8bf2ce8c71e8aaa4e8c6f78ff8afae7b808aae2dc50d4c40",
+                "sha256:572e1787d1460da79590bf44304abbc0a2da944ea64ec549188fa84d89bba7ab",
+                "sha256:58df5c2a0e293bf665a51f8a100d3e9956febfbf1d9aaf8c0677cf70218910c6",
+                "sha256:64e6175c2e53195278d7388c454e0b30997573f3f4bd63697f88d855f7a6a1fc",
+                "sha256:7227b47e73dedaa513cdebb98469705ef0d66eb5a1250144468e9c3097d6b59b",
+                "sha256:7418b6bfc7fe3331541b84bb2141c9baf1ec7132a7ecd9f375912eca810e714e",
+                "sha256:7cbd7574ce8e138bda9df4efc6bf2ab8572c9aff640d8ecfece1b006b68da963",
+                "sha256:7ff61ff178250f9bb3cd89752df0f1dd0e27316a8bd1465351652b1b4a4cdfd3",
+                "sha256:833e1551925ed51e6b44c800e71e77dacd7e49181fdc9ac9a0bf3714d515785d",
+                "sha256:8639cadfda96737427330a094476d4c7a56ac03de7265622fcf4cfe57c8ae18d",
+                "sha256:8c790abda465726cfb8bb08bd4ca9a5d0a7bd77c7ac1ca1b839ad823b948ea28",
+                "sha256:8d2f1fb53a421b410751887eb4ff21386d119ef9cde3797bf5e7ed49fb51a3b3",
+                "sha256:903bbd302a2378f984aef528f76d4c9b1748f318fe1294961c072bdc7f2ffa3e",
+                "sha256:93f81b134a165cc17123626ab8da2e30c0455441d4ab5576eed73a64c025b25c",
+                "sha256:95e69877983ea39b7303570fa6760f81a3eec23d0e3ab2021b7144b94d06202d",
+                "sha256:9633b3034d3d901f0a46b7939f8c4d64427dfba6bbc5a36b1a67364cf148a1b0",
+                "sha256:97e5306482182170ade15c4b0d8386ded995a07d7cc2ca8f27958d34d6736497",
+                "sha256:9f3cba480d3deb69f6ee2c1825060177a22c7826431458c697df88e6aeb3caee",
+                "sha256:aa5b467f15e78b82257319aebc78dd2915e4c1436c3c0d1ad6f53e47ba6e2713",
+                "sha256:abb7a75ed8b968f3061327c433a0fbd17b729947b400747c334a9c29a9af6c58",
+                "sha256:aec52725173bd3a7b56fe91bc56eccb26fbdff1386ef123abb63c84c5b43b63a",
+                "sha256:b11548073a2213d950c3f671aa88e6f83cda6e2fb97a8b6317b1b5b33d850e06",
+                "sha256:b1692f7d6bc45e3200844be0dba153612103db241691088626a33ff1f24a0d88",
+                "sha256:b92e29e58bef6d9cfd340c72b04d74c4b4e9f70c9fa7c78b674d1fec18896dc4",
+                "sha256:be5f425ff1f5f4b3c1e33ad64ab994eed12fc284a6ea71c5243fd564502ecbe5",
+                "sha256:dd0b1e9e891f69e7675ba5c92e28b90eaa045f6ab134ffe70b52e948aa175b3c",
+                "sha256:e30f5ea4ae2346e62cedde8794a56858a67b878dd79f7df76a0767e356b1744a",
+                "sha256:e6a36bb9474218c7a5b27ae476035497a6990e21d04c279884eb10d9b290f1b1",
+                "sha256:e859fcb4cbe93504ea18008d1df98dee4f7766db66c435e4882ab35cf70cac43",
+                "sha256:eb6ea6da4c787111adf40f697b4e58732ee0942b5d3bd8f435277643329ba627",
+                "sha256:ec8c433b3ab0419100bd45b47c9c8551248a5aee30ca5e9d399a0b57ac04651b",
+                "sha256:eff9d20417ff9dcb0d25e2defc2574d10b491bf2e693b4e491914738b7908168",
+                "sha256:f0214eb2a23b85528310dad848ad2ac58e735612929c8072f6093f3585fd342d",
+                "sha256:f276df9830dba7a333544bd41070e8175762a7ac20350786b322b714b0e654f5",
+                "sha256:f3acda1924472472ddd60c29e5b9db0cec629fbe3c5c5accb74d6d6d14773478",
+                "sha256:f70a9e237bb792c7cc7e44c531fd48f5897961701cdaa06cf22fc14965c496cf",
+                "sha256:f9d29ca8a77117315101425ec7ec2a47a22ccf59f5593378fc4077ac5b754fce",
+                "sha256:fa877ca7f6b48054f847b61d6fa7bed5cebb663ebc55e018fda12db09dcc664c",
+                "sha256:fdcec0b8399108577ec290f55551d926d9a1fa6cad45882093a7a07ac5ec147b"
             ],
             "markers": "platform_python_implementation == 'CPython'",
-            "version": "==1.1.1"
+            "version": "==1.1.2"
         },
         "httpagentparser": {
             "hashes": [
@@ -585,6 +586,13 @@
             "index": "pypi",
             "version": "==0.11.0"
         },
+        "pefile": {
+            "hashes": [
+                "sha256:344a49e40a94e10849f0fe34dddc80f773a12b40675bf2f7be4b8be578bdd94a"
+            ],
+            "markers": "python_version >= '3.6'",
+            "version": "==2021.9.3"
+        },
         "policyuniverse": {
             "hashes": [
                 "sha256:184f854fc716754ff07cd9f601923d1ce30a6826617e7c2b252abebe76746b6d",
@@ -793,6 +801,15 @@
             ],
             "version": "==3.12.0"
         },
+        "pyreadline": {
+            "hashes": [
+                "sha256:4530592fc2e85b25b1a9f79664433da09237c1a270e4d78ea5aa3a2c7229e2d1",
+                "sha256:65540c21bfe14405a3a77e4c085ecfce88724743a4ead47c66b84defcf82c32e",
+                "sha256:9ce5fa65b8992dfa373bddc5b6e0864ead8f291c94fbfec05fbd5c836162e67b"
+            ],
+            "markers": "python_version < '3.8' and sys_platform == 'win32'",
+            "version": "==2.1"
+        },
         "pyrsistent": {
             "hashes": [
                 "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2",
@@ -835,6 +852,29 @@
             ],
             "version": "==2021.1"
         },
+        "pywin32": {
+            "hashes": [
+                "sha256:595d397df65f1b2e0beaca63a883ae6d8b6df1cdea85c16ae85f6d2e648133fe",
+                "sha256:87604a4087434cd814ad8973bd47d6524bd1fa9e971ce428e76b62a5e0860fdf",
+                "sha256:88981dd3cfb07432625b180f49bf4e179fb8cbb5704cd512e38dd63636af7a17",
+                "sha256:8c9d33968aa7fcddf44e47750e18f3d034c3e443a707688a008a2e52bbef7e96",
+                "sha256:93367c96e3a76dfe5003d8291ae16454ca7d84bb24d721e0b74a07610b7be4a7",
+                "sha256:9635df6998a70282bd36e7ac2a5cef9ead1627b0a63b17c731312c7a0daebb72",
+                "sha256:98f62a3f60aa64894a290fb7494bfa0bfa0a199e9e052e1ac293b2ad3cd2818b",
+                "sha256:c866f04a182a8cb9b7855de065113bbd2e40524f570db73ef1ee99ff0a5cc2f0",
+                "sha256:dafa18e95bf2a92f298fe9c582b0e205aca45c55f989937c52c454ce65b93c78",
+                "sha256:fb3b4933e0382ba49305cc6cd3fb18525df7fd96aa434de19ce0878133bf8e4a"
+            ],
+            "markers": "python_version < '3.10' and sys_platform == 'win32' and implementation_name == 'cpython'",
+            "version": "==301"
+        },
+        "pywin32-ctypes": {
+            "hashes": [
+                "sha256:24ffc3b341d457d48e8922352130cf2644024a4ff09762a2261fd34c36ee5942",
+                "sha256:9dc2d991b3479cc2df15930958b674a48a227d5361d413827a4cfd0b5876fc98"
+            ],
+            "version": "==0.2.0"
+        },
         "pyyaml": {
             "hashes": [
                 "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
@@ -880,10 +920,10 @@
         },
         "ring": {
             "hashes": [
-                "sha256:f0853e3645a255ecf26291283afd520834ba50d2e0a1d44d930e5bdb944001c4"
+                "sha256:b077ec88c2dc179514a8e1fccd37fb1d5a6d2688891bb6e1ed9c33c4970e5424"
             ],
             "index": "pypi",
-            "version": "==0.9.0"
+            "version": "==0.9.1"
         },
         "rsa": {
             "hashes": [
@@ -905,58 +945,6 @@
             "git": "https://github.com/guardicode/ScoutSuite",
             "ref": "eac33ac5b0a84e4a2e29682cf3568271eb595003"
         },
-        "simplejson": {
-            "hashes": [
-                "sha256:065230b9659ac38c8021fa512802562d122afb0cf8d4b89e257014dcddb5730a",
-                "sha256:07707ba69324eaf58f0c6f59d289acc3e0ed9ec528dae5b0d4219c0d6da27dc5",
-                "sha256:10defa88dd10a0a4763f16c1b5504e96ae6dc68953cfe5fc572b4a8fcaf9409b",
-                "sha256:140eb58809f24d843736edb8080b220417e22c82ac07a3dfa473f57e78216b5f",
-                "sha256:188f2c78a8ac1eb7a70a4b2b7b9ad11f52181044957bf981fb3e399c719e30ee",
-                "sha256:1c2688365743b0f190392e674af5e313ebe9d621813d15f9332e874b7c1f2d04",
-                "sha256:24e413bd845bd17d4d72063d64e053898543fb7abc81afeae13e5c43cef9c171",
-                "sha256:2b59acd09b02da97728d0bae8ff48876d7efcbbb08e569c55e2d0c2e018324f5",
-                "sha256:2df15814529a4625ea6f7b354a083609b3944c269b954ece0d0e7455872e1b2a",
-                "sha256:352c11582aa1e49a2f0f7f7d8fd5ec5311da890d1354287e83c63ab6af857cf5",
-                "sha256:36b08b886027eac67e7a0e822e3a5bf419429efad7612e69501669d6252a21f2",
-                "sha256:376023f51edaf7290332dacfb055bc00ce864cb013c0338d0dea48731f37e42f",
-                "sha256:3ba82f8b421886f4a2311c43fb98faaf36c581976192349fef2a89ed0fcdbdef",
-                "sha256:3d72aa9e73134dacd049a2d6f9bd219f7be9c004d03d52395831611d66cedb71",
-                "sha256:40ece8fa730d1a947bff792bcc7824bd02d3ce6105432798e9a04a360c8c07b0",
-                "sha256:417b7e119d66085dc45bdd563dcb2c575ee10a3b1c492dd3502a029448d4be1c",
-                "sha256:42b7c7264229860fe879be961877f7466d9f7173bd6427b3ba98144a031d49fb",
-                "sha256:457d9cfe7ece1571770381edccdad7fc255b12cd7b5b813219441146d4f47595",
-                "sha256:4a6943816e10028eeed512ea03be52b54ea83108b408d1049b999f58a760089b",
-                "sha256:5b94df70bd34a3b946c0eb272022fb0f8a9eb27cad76e7f313fedbee2ebe4317",
-                "sha256:5f5051a13e7d53430a990604b532c9124253c5f348857e2d5106d45fc8533860",
-                "sha256:5f7f53b1edd4b23fb112b89208377480c0bcee45d43a03ffacf30f3290e0ed85",
-                "sha256:5fe8c6dcb9e6f7066bdc07d3c410a2fca78c0d0b4e0e72510ffd20a60a20eb8e",
-                "sha256:71a54815ec0212b0cba23adc1b2a731bdd2df7b9e4432718b2ed20e8aaf7f01a",
-                "sha256:7332f7b06d42153255f7bfeb10266141c08d48cc1a022a35473c95238ff2aebc",
-                "sha256:78c6f0ed72b440ebe1892d273c1e5f91e55e6861bea611d3b904e673152a7a4c",
-                "sha256:7c9b30a2524ae6983b708f12741a31fbc2fb8d6fecd0b6c8584a62fd59f59e09",
-                "sha256:86fcffc06f1125cb443e2bed812805739d64ceb78597ac3c1b2d439471a09717",
-                "sha256:87572213965fd8a4fb7a97f837221e01d8fddcfb558363c671b8aa93477fb6a2",
-                "sha256:8e595de17178dd3bbeb2c5b8ea97536341c63b7278639cb8ee2681a84c0ef037",
-                "sha256:917f01db71d5e720b731effa3ff4a2c702a1b6dacad9bcdc580d86a018dfc3ca",
-                "sha256:91cfb43fb91ff6d1e4258be04eee84b51a4ef40a28d899679b9ea2556322fb50",
-                "sha256:aa86cfdeb118795875855589934013e32895715ec2d9e8eb7a59be3e7e07a7e1",
-                "sha256:ade09aa3c284d11f39640aebdcbb748e1996f0c60504f8c4a0c5a9fec821e67a",
-                "sha256:b2a5688606dffbe95e1347a05b77eb90489fe337edde888e23bbb7fd81b0d93b",
-                "sha256:b92fbc2bc549c5045c8233d954f3260ccf99e0f3ec9edfd2372b74b350917752",
-                "sha256:c2d5334d935af711f6d6dfeec2d34e071cdf73ec0df8e8bd35ac435b26d8da97",
-                "sha256:cb0afc3bad49eb89a579103616574a54b523856d20fc539a4f7a513a0a8ba4b2",
-                "sha256:ce66f730031b9b3683b2fc6ad4160a18db86557c004c3d490a29bf8d450d7ab9",
-                "sha256:e29b9cea4216ec130df85d8c36efb9985fda1c9039e4706fb30e0fb6a67602ff",
-                "sha256:e2cc4b68e59319e3de778325e34fbff487bfdb2225530e89995402989898d681",
-                "sha256:e90d2e219c3dce1500dda95f5b893c293c4d53c4e330c968afbd4e7a90ff4a5b",
-                "sha256:f13c48cc4363829bdfecc0c181b6ddf28008931de54908a492dc8ccd0066cd60",
-                "sha256:f550730d18edec4ff9d4252784b62adfe885d4542946b6d5a54c8a6521b56afd",
-                "sha256:fa843ee0d34c7193f5a816e79df8142faff851549cab31e84b526f04878ac778",
-                "sha256:fe1c33f78d2060719d52ea9459d97d7ae3a5b707ec02548575c4fbed1d1d345b"
-            ],
-            "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==3.17.5"
-        },
         "six": {
             "hashes": [
                 "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
@@ -971,20 +959,6 @@
             ],
             "version": "==1.7.0"
         },
-        "stix2": {
-            "hashes": [
-                "sha256:b9b2200e5c429a0a49d67c8902638d2f97df2ba4321e15dde067c5cb80c9e8e1"
-            ],
-            "index": "pypi",
-            "version": "==3.0.0"
-        },
-        "stix2-patterns": {
-            "hashes": [
-                "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4",
-                "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992"
-            ],
-            "version": "==1.3.2"
-        },
         "tempora": {
             "hashes": [
                 "sha256:c54da0f05405f04eb67abbb1dff4448fd91428b58cb00f0f645ea36f6a927950",
@@ -1012,11 +986,11 @@
         },
         "urllib3": {
             "hashes": [
-                "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
-                "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
+                "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
+                "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"
             ],
             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'",
-            "version": "==1.26.6"
+            "version": "==1.26.7"
         },
         "werkzeug": {
             "hashes": [
@@ -1041,11 +1015,11 @@
         },
         "zipp": {
             "hashes": [
-                "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3",
-                "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4"
+                "sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832",
+                "sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==3.5.0"
+            "version": "==3.6.0"
         },
         "zope.event": {
             "hashes": [
@@ -1120,6 +1094,14 @@
             ],
             "version": "==1.4.4"
         },
+        "atomicwrites": {
+            "hashes": [
+                "sha256:6d1784dea7c0c8d4a5172b6c620f40b6e4cbfdf96d783691f2e1302a7b88e197",
+                "sha256:ae70396ad1a434f9c7046fd2dd196fc04b12f9e91ffb859164193be8b6168a7a"
+            ],
+            "markers": "sys_platform == 'win32'",
+            "version": "==1.4.0"
+        },
         "attrs": {
             "hashes": [
                 "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
@@ -1166,6 +1148,14 @@
             "markers": "python_version >= '3.6'",
             "version": "==8.0.1"
         },
+        "colorama": {
+            "hashes": [
+                "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
+                "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
+            ],
+            "markers": "platform_system == 'Windows' and sys_platform == 'win32' and platform_system == 'Windows'",
+            "version": "==0.4.3"
+        },
         "coverage": {
             "hashes": [
                 "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c",
@@ -1240,10 +1230,11 @@
         },
         "filelock": {
             "hashes": [
-                "sha256:18d82244ee114f543149c66a6e0c14e9c4f8a1044b5cdaadd0f82159d6a6ff59",
-                "sha256:929b7d63ec5b7d6b71b0fa5ac14e030b3f70b75747cef1b10da9b879fef15836"
+                "sha256:61a99e9b12b47b685d1389f4cf969c1eba0efd2348a8471f86e01e8c622267af",
+                "sha256:85ecb30757aa19d06bfcdad29cc332b9a3e4851bf59976aea1e8dadcbd9ef883"
             ],
-            "version": "==3.0.12"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+            "version": "==3.2.0"
         },
         "flake8": {
             "hashes": [
@@ -1323,11 +1314,11 @@
         },
         "platformdirs": {
             "hashes": [
-                "sha256:15b056538719b1c94bdaccb29e5f81879c7f7f0f4a153f46086d155dffcd4f0f",
-                "sha256:8003ac87717ae2c7ee1ea5a84a1a61e87f3fbd16eb5aadba194ea30a9019f648"
+                "sha256:367a5e80b3d04d2428ffa76d33f124cf11e8fff2acdaa9b43d545f5c7d661ef2",
+                "sha256:8868bbe3c3c80d42f20156f22e7131d2fb321f5bc86a2a345375c6481a67021d"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==2.3.0"
+            "version": "==2.4.0"
         },
         "pluggy": {
             "hashes": [
@@ -1387,49 +1378,49 @@
         },
         "regex": {
             "hashes": [
-                "sha256:04f6b9749e335bb0d2f68c707f23bb1773c3fb6ecd10edf0f04df12a8920d468",
-                "sha256:08d74bfaa4c7731b8dac0a992c63673a2782758f7cfad34cf9c1b9184f911354",
-                "sha256:0fc1f8f06977c2d4f5e3d3f0d4a08089be783973fc6b6e278bde01f0544ff308",
-                "sha256:121f4b3185feaade3f85f70294aef3f777199e9b5c0c0245c774ae884b110a2d",
-                "sha256:1413b5022ed6ac0d504ba425ef02549a57d0f4276de58e3ab7e82437892704fc",
-                "sha256:1743345e30917e8c574f273f51679c294effba6ad372db1967852f12c76759d8",
-                "sha256:28fc475f560d8f67cc8767b94db4c9440210f6958495aeae70fac8faec631797",
-                "sha256:31a99a4796bf5aefc8351e98507b09e1b09115574f7c9dbb9cf2111f7220d2e2",
-                "sha256:328a1fad67445550b982caa2a2a850da5989fd6595e858f02d04636e7f8b0b13",
-                "sha256:473858730ef6d6ff7f7d5f19452184cd0caa062a20047f6d6f3e135a4648865d",
-                "sha256:4cde065ab33bcaab774d84096fae266d9301d1a2f5519d7bd58fc55274afbf7a",
-                "sha256:5f6a808044faae658f546dd5f525e921de9fa409de7a5570865467f03a626fc0",
-                "sha256:610b690b406653c84b7cb6091facb3033500ee81089867ee7d59e675f9ca2b73",
-                "sha256:66256b6391c057305e5ae9209941ef63c33a476b73772ca967d4a2df70520ec1",
-                "sha256:6eebf512aa90751d5ef6a7c2ac9d60113f32e86e5687326a50d7686e309f66ed",
-                "sha256:79aef6b5cd41feff359acaf98e040844613ff5298d0d19c455b3d9ae0bc8c35a",
-                "sha256:808ee5834e06f57978da3e003ad9d6292de69d2bf6263662a1a8ae30788e080b",
-                "sha256:8e44769068d33e0ea6ccdf4b84d80c5afffe5207aa4d1881a629cf0ef3ec398f",
-                "sha256:999ad08220467b6ad4bd3dd34e65329dd5d0df9b31e47106105e407954965256",
-                "sha256:9b006628fe43aa69259ec04ca258d88ed19b64791693df59c422b607b6ece8bb",
-                "sha256:9d05ad5367c90814099000442b2125535e9d77581855b9bee8780f1b41f2b1a2",
-                "sha256:a577a21de2ef8059b58f79ff76a4da81c45a75fe0bfb09bc8b7bb4293fa18983",
-                "sha256:a617593aeacc7a691cc4af4a4410031654f2909053bd8c8e7db837f179a630eb",
-                "sha256:abb48494d88e8a82601af905143e0de838c776c1241d92021e9256d5515b3645",
-                "sha256:ac88856a8cbccfc14f1b2d0b829af354cc1743cb375e7f04251ae73b2af6adf8",
-                "sha256:b4c220a1fe0d2c622493b0a1fd48f8f991998fb447d3cd368033a4b86cf1127a",
-                "sha256:b844fb09bd9936ed158ff9df0ab601e2045b316b17aa8b931857365ea8586906",
-                "sha256:bdc178caebd0f338d57ae445ef8e9b737ddf8fbc3ea187603f65aec5b041248f",
-                "sha256:c206587c83e795d417ed3adc8453a791f6d36b67c81416676cad053b4104152c",
-                "sha256:c61dcc1cf9fd165127a2853e2c31eb4fb961a4f26b394ac9fe5669c7a6592892",
-                "sha256:c7cb4c512d2d3b0870e00fbbac2f291d4b4bf2634d59a31176a87afe2777c6f0",
-                "sha256:d4a332404baa6665b54e5d283b4262f41f2103c255897084ec8f5487ce7b9e8e",
-                "sha256:d5111d4c843d80202e62b4fdbb4920db1dcee4f9366d6b03294f45ed7b18b42e",
-                "sha256:e1e8406b895aba6caa63d9fd1b6b1700d7e4825f78ccb1e5260551d168db38ed",
-                "sha256:e8690ed94481f219a7a967c118abaf71ccc440f69acd583cab721b90eeedb77c",
-                "sha256:ed283ab3a01d8b53de3a05bfdf4473ae24e43caee7dcb5584e86f3f3e5ab4374",
-                "sha256:ed4b50355b066796dacdd1cf538f2ce57275d001838f9b132fab80b75e8c84dd",
-                "sha256:ee329d0387b5b41a5dddbb6243a21cb7896587a651bebb957e2d2bb8b63c0791",
-                "sha256:f3bf1bc02bc421047bfec3343729c4bbbea42605bcfd6d6bfe2c07ade8b12d2a",
-                "sha256:f585cbbeecb35f35609edccb95efd95a3e35824cd7752b586503f7e6087303f1",
-                "sha256:f60667673ff9c249709160529ab39667d1ae9fd38634e006bec95611f632e759"
+                "sha256:0de8ad66b08c3e673b61981b9e3626f8784d5564f8c3928e2ad408c0eb5ac38c",
+                "sha256:1f1125bc5172ab3a049bc6f4b9c0aae95a2a2001a77e6d6e4239fa3653e202b5",
+                "sha256:255791523f80ea8e48e79af7120b4697ef3b74f6886995dcdb08c41f8e516be0",
+                "sha256:28040e89a04b60d579c69095c509a4f6a1a5379cd865258e3a186b7105de72c6",
+                "sha256:37868075eda024470bd0feab872c692ac4ee29db1e14baec103257bf6cc64346",
+                "sha256:3b71213ec3bad9a5a02e049f2ec86b3d7c3e350129ae0f4e2f99c12b5da919ed",
+                "sha256:3be40f720af170a6b20ddd2ad7904c58b13d2b56f6734ee5d09bbdeed2fa4816",
+                "sha256:42952d325439ef223e4e9db7ee6d9087b5c68c5c15b1f9de68e990837682fc7b",
+                "sha256:470f2c882f2672d8eeda8ab27992aec277c067d280b52541357e1acd7e606dae",
+                "sha256:4907fb0f9b9309a5bded72343e675a252c2589a41871874feace9a05a540241e",
+                "sha256:4d87459ad3ab40cd8493774f8a454b2e490d8e729e7e402a0625867a983e4e02",
+                "sha256:4fa7ba9ab2eba7284e0d7d94f61df7af86015b0398e123331362270d71fab0b9",
+                "sha256:5b34d2335d6aedec7dcadd3f8283b9682fadad8b9b008da8788d2fce76125ebe",
+                "sha256:6348a7ab2a502cbdd0b7fd0496d614007489adb7361956b38044d1d588e66e04",
+                "sha256:638e98d069b14113e8afba6a54d1ca123f712c0d105e67c1f9211b2a825ef926",
+                "sha256:66696c8336a1b5d1182464f3af3427cc760118f26d0b09a2ddc16a976a4d2637",
+                "sha256:78cf6a1e023caf5e9a982f5377414e1aeac55198831b852835732cfd0a0ca5ff",
+                "sha256:81e125d9ba54c34579e4539a967e976a3c56150796674aec318b1b2f49251be7",
+                "sha256:81fdc90f999b2147fc62e303440c424c47e5573a9b615ed5d43a5b832efcca9e",
+                "sha256:87e9c489aa98f50f367fb26cc9c8908d668e9228d327644d7aa568d47e456f47",
+                "sha256:8c1ad61fa024195136a6b7b89538030bd00df15f90ac177ca278df9b2386c96f",
+                "sha256:9910869c472e5a6728680ca357b5846546cbbd2ab3ad5bef986ef0bc438d0aa6",
+                "sha256:9925985be05d54b3d25fd6c1ea8e50ff1f7c2744c75bdc4d3b45c790afa2bcb3",
+                "sha256:9a0b0db6b49da7fa37ca8eddf9f40a8dbc599bad43e64f452284f37b6c34d91c",
+                "sha256:9c065d95a514a06b92a5026766d72ac91bfabf581adb5b29bc5c91d4b3ee9b83",
+                "sha256:a6f08187136f11e430638c2c66e1db091105d7c2e9902489f0dbc69b44c222b4",
+                "sha256:ad0517df22a97f1da20d8f1c8cb71a5d1997fa383326b81f9cf22c9dadfbdf34",
+                "sha256:b345ecde37c86dd7084c62954468a4a655fd2d24fd9b237949dd07a4d0dd6f4c",
+                "sha256:b55442650f541d195a535ccec33078c78a9521973fb960923da7515e9ed78fa6",
+                "sha256:c2b180ed30856dfa70cfe927b0fd38e6b68198a03039abdbeb1f2029758d87e7",
+                "sha256:c9e30838df7bfd20db6466fd309d9b580d32855f8e2c2e6d74cf9da27dcd9b63",
+                "sha256:cae4099031d80703954c39680323dabd87a69b21262303160776aa0e55970ca0",
+                "sha256:ce7b1cca6c23f19bee8dc40228d9c314d86d1e51996b86f924aca302fc8f8bf9",
+                "sha256:d0861e7f6325e821d5c40514c551fd538b292f8cc3960086e73491b9c5d8291d",
+                "sha256:d331f238a7accfbbe1c4cd1ba610d4c087b206353539331e32a8f05345c74aec",
+                "sha256:e07049cece3462c626d650e8bf42ddbca3abf4aa08155002c28cb6d9a5a281e2",
+                "sha256:e2cb7d4909ed16ed35729d38af585673f1f0833e73dfdf0c18e5be0061107b99",
+                "sha256:e3770781353a4886b68ef10cec31c1f61e8e3a0be5f213c2bb15a86efd999bc4",
+                "sha256:e502f8d4e5ef714bcc2c94d499684890c94239526d61fdf1096547db91ca6aa6",
+                "sha256:e6f2d2f93001801296fe3ca86515eb04915472b5380d4d8752f09f25f0b9b0ed",
+                "sha256:f588209d3e4797882cd238195c175290dbc501973b10a581086b5c6bcd095ffb"
             ],
-            "version": "==2021.8.28"
+            "version": "==2021.9.30"
         },
         "requests": {
             "hashes": [
@@ -1515,19 +1506,19 @@
         },
         "urllib3": {
             "hashes": [
-                "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
-                "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
+                "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
+                "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"
             ],
             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'",
-            "version": "==1.26.6"
+            "version": "==1.26.7"
         },
         "virtualenv": {
             "hashes": [
-                "sha256:4da4ac43888e97de9cf4fdd870f48ed864bbfd133d2c46cbdec941fed4a25aef",
-                "sha256:a4b987ec31c3c9996cf1bc865332f967fe4a0512c41b39652d6224f696e69da5"
+                "sha256:10062e34c204b5e4ec5f62e6ef2473f8ba76513a9a617e873f1f8fb4a519d300",
+                "sha256:bcc17f0b3a29670dd777d6f0755a4c04f28815395bca279cdcb213b97199a6b8"
             ],
             "index": "pypi",
-            "version": "==20.8.0"
+            "version": "==20.8.1"
         },
         "vulture": {
             "hashes": [
@@ -1539,11 +1530,11 @@
         },
         "zipp": {
             "hashes": [
-                "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3",
-                "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4"
+                "sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832",
+                "sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==3.5.0"
+            "version": "==3.6.0"
         }
     }
 }

monkey/monkey_island/cc/models/attack/__init__.py

@@ -0,0 +1 @@
+from monkey_island.cc.models.attack.mitigation import Mitigation

monkey/monkey_island/cc/models/attack/attack_mitigations.py

@@ -1,12 +1,9 @@
-from typing import Dict
-
 from mongoengine import Document, DoesNotExist, EmbeddedDocumentField, ListField, StringField
-from stix2 import AttackPattern, CourseOfAction
-
-from monkey_island.cc.models.attack.mitigation import Mitigation
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
 
 
+# Note: This model is duplicated in
+# deployment_scripts/dump_attack_mitigations/attack_mitigations.py. If the schema changes here, it
+# will also need to be changed there.
 class AttackMitigations(Document):
     COLLECTION_NAME = "attack_mitigations"
 
@@ -19,32 +16,3 @@ class AttackMitigations(Document):
             return AttackMitigations.objects.get(technique_id=technique_id)
         except DoesNotExist:
             raise Exception("Attack technique with id {} does not exist!".format(technique_id))
-
-    def add_mitigation(self, mitigation: CourseOfAction):
-        mitigation_external_ref_id = MitreApiInterface.get_stix2_external_reference_id(mitigation)
-        if mitigation_external_ref_id.startswith("M"):
-            self.mitigations.append(Mitigation.get_from_stix2_data(mitigation))
-
-    def add_no_mitigations_info(self, mitigation: CourseOfAction):
-        mitigation_external_ref_id = MitreApiInterface.get_stix2_external_reference_id(mitigation)
-        if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0:
-            mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation)
-            mitigation_mongo_object["description"] = mitigation_mongo_object[
-                "description"
-            ].splitlines()[0]
-            mitigation_mongo_object["url"] = ""
-            self.mitigations.append(mitigation_mongo_object)
-
-    @staticmethod
-    def mitigations_from_attack_pattern(attack_pattern: AttackPattern):
-        return AttackMitigations(
-            technique_id=MitreApiInterface.get_stix2_external_reference_id(attack_pattern),
-            mitigations=[],
-        )
-
-    @staticmethod
-    def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]):
-        return {
-            key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern)
-            for key, attack_pattern in stix2_dict.items()
-        }

monkey/monkey_island/cc/models/attack/mitigation.py

@@ -1,17 +1,10 @@
 from mongoengine import EmbeddedDocument, StringField
-from stix2 import CourseOfAction
-
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
 
 
+# Note: This model is duplicated in
+# deployment_scripts/dump_attack_mitigations/attack_mitigations.py. If the schema changes here, it
+# will also need to be changed there.
 class Mitigation(EmbeddedDocument):
     name = StringField(required=True)
     description = StringField(required=True)
     url = StringField()
-
-    @staticmethod
-    def get_from_stix2_data(mitigation: CourseOfAction):
-        name = mitigation["name"]
-        description = mitigation["description"]
-        url = MitreApiInterface.get_stix2_external_reference_url(mitigation)
-        return Mitigation(name=name, description=description, url=url)

monkey/monkey_island/cc/services/attack/attack_data

@@ -1 +0,0 @@
-Subproject commit fb8942b1a10f4e734ed75542f2ccae7cbd72c46d

monkey/monkey_island/cc/services/attack/mitre_api_interface.py

@@ -1,52 +0,0 @@
-import os
-from typing import Dict, List
-
-from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter
-
-from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
-
-
-class MitreApiInterface:
-    ATTACK_DATA_PATH = os.path.join(
-        MONKEY_ISLAND_ABS_PATH, "cc", "services", "attack", "attack_data", "enterprise-attack"
-    )
-
-    @staticmethod
-    def get_all_mitigations() -> Dict[str, CourseOfAction]:
-        file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
-        mitigation_filter = [Filter("type", "=", "course-of-action")]
-        all_mitigations = file_system.query(mitigation_filter)
-        all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations}
-        return all_mitigations
-
-    @staticmethod
-    def get_all_attack_techniques() -> Dict[str, AttackPattern]:
-        file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
-        technique_filter = [Filter("type", "=", "attack-pattern")]
-        all_techniques = file_system.query(technique_filter)
-        all_techniques = {technique["id"]: technique for technique in all_techniques}
-        return all_techniques
-
-    @staticmethod
-    def get_technique_and_mitigation_relationships() -> List[CourseOfAction]:
-        file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
-        technique_filter = [
-            Filter("type", "=", "relationship"),
-            Filter("relationship_type", "=", "mitigates"),
-        ]
-        all_techniques = file_system.query(technique_filter)
-        return all_techniques
-
-    @staticmethod
-    def get_stix2_external_reference_id(stix2_data) -> str:
-        for reference in stix2_data["external_references"]:
-            if reference["source_name"] == "mitre-attack" and "external_id" in reference:
-                return reference["external_id"]
-        return ""
-
-    @staticmethod
-    def get_stix2_external_reference_url(stix2_data) -> str:
-        for reference in stix2_data["external_references"]:
-            if "url" in reference:
-                return reference["url"]
-        return ""

monkey/monkey_island/cc/setup/mongo/database_initializer.py

@@ -1,14 +1,25 @@
+import json
 import logging
+from pathlib import Path
+from pprint import pformat
 
 from pymongo import errors
 
 from monkey_island.cc.database import mongo
 from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
+from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
 from monkey_island.cc.services.database import Database
 
 logger = logging.getLogger(__name__)
 
+ATTACK_MITIGATION_PATH = (
+    Path(MONKEY_ISLAND_ABS_PATH)
+    / "cc"
+    / "setup"
+    / "mongo"
+    / f"{AttackMitigations.COLLECTION_NAME}.json"
+)
+
 
 def reset_database():
     Database.reset_db()
@@ -35,20 +46,13 @@ def _try_store_mitigations_on_mongo():
 
 
 def _store_mitigations_on_mongo():
-    stix2_mitigations = MitreApiInterface.get_all_mitigations()
-    mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns(
-        MitreApiInterface.get_all_attack_techniques()
-    )
-    mitigation_technique_relationships = (
-        MitreApiInterface.get_technique_and_mitigation_relationships()
-    )
-    for relationship in mitigation_technique_relationships:
-        mongo_mitigations[relationship["target_ref"]].add_mitigation(
-            stix2_mitigations[relationship["source_ref"]]
-        )
-    for relationship in mitigation_technique_relationships:
-        mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info(
-            stix2_mitigations[relationship["source_ref"]]
-        )
-    for key, mongo_object in mongo_mitigations.items():
-        mongo_object.save()
+    try:
+        with open(ATTACK_MITIGATION_PATH) as f:
+            attack_mitigations = json.load(f)
+
+        logger.debug(f'Loading attack mitigations data:\n{pformat(attack_mitigations["metadata"])}')
+
+        mongodb_collection = mongo.db[AttackMitigations.COLLECTION_NAME]
+        mongodb_collection.insert_many(attack_mitigations["data"])
+    except json.decoder.JSONDecodeError as e:
+        raise Exception(f"Invalid attack mitigations {ATTACK_MITIGATION_PATH} file: {e}")

monkey/monkey_island/monkey_island.spec

@@ -13,7 +13,7 @@ def main():
     # The format of the tuples is (src, dest_dir). See https://pythonhosted.org/PyInstaller/spec-files.html#adding-data-files
     added_datas = [
         ("../common/BUILD", "/common"),
-        ("../monkey_island/cc/services/attack/attack_data", "/monkey_island/cc/services/attack/attack_data")
+        ("../monkey_island/cc/setup/mongo/attack_mitigations.json", "/monkey_island/cc/setup/mongo/attack_mitigations.json")
     ]
 
     a = Analysis(['main.py'],

monkey/monkey_island/pyinstaller_hooks/hook-stix2.py

@@ -1,9 +0,0 @@
-# Workaround for packaging Monkey Island using PyInstaller. See
-# https://github.com/oasis-open/cti-python-stix2/issues/218
-
-import os
-
-from PyInstaller.utils.hooks import get_module_file_attribute
-
-stix2_dir = os.path.dirname(get_module_file_attribute("stix2"))
-datas = [(stix2_dir, "stix2")]

monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json

@@ -0,0 +1 @@
+{"metadata":{"timestamp": "1632959947.9542503", "commit_hash": "fb8942b1a", "origin_url": "https://github.com/guardicore/cti.git"},"data":[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}]}

monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation

@@ -0,0 +1 @@
+[{"_id": "T1066", "mitigations": [}

monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py

@@ -1,14 +0,0 @@
-import pytest
-
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
-
-
-@pytest.mark.slow
-def test_get_all_mitigations():
-    mitigations = MitreApiInterface.get_all_mitigations()
-    assert len(mitigations.items()) >= 282
-    mitigation = next(iter(mitigations.values()))
-    assert mitigation["type"] == "course-of-action"
-    assert mitigation["name"] is not None
-    assert mitigation["description"] is not None
-    assert mitigation["external_references"] is not None

monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py

@@ -0,0 +1,69 @@
+from unittest.mock import MagicMock
+
+import mongomock
+import pytest
+
+from monkey_island.cc.setup.mongo.database_initializer import reset_database
+
+
+@pytest.fixture
+def patch_attack_mitigations_path(monkeypatch, data_for_tests_dir):
+    def inner(file_name):
+        path = data_for_tests_dir / "mongo_mitigations" / file_name
+        monkeypatch.setattr(
+            "monkey_island.cc.setup.mongo.database_initializer.ATTACK_MITIGATION_PATH", path
+        )
+
+    return inner
+
+
+@pytest.fixture(scope="module", autouse=True)
+def patch_dependencies(monkeypatch_session):
+    monkeypatch_session.setattr(
+        "monkey_island.cc.services.config.ConfigService.init_config", lambda: None
+    )
+    monkeypatch_session.setattr(
+        "monkey_island.cc.services.attack.attack_config.AttackConfig.reset_config", lambda: None
+    )
+    monkeypatch_session.setattr(
+        "monkey_island.cc.services.database.jsonify", MagicMock(return_value=True)
+    )
+
+
+@pytest.fixture
+def mock_mongo_client(monkeypatch):
+    mongo = mongomock.MongoClient()
+    mongo.db.validate_collection = MagicMock(return_value=True)
+
+    monkeypatch.setattr("monkey_island.cc.setup.mongo.database_initializer.mongo", mongo)
+    monkeypatch.setattr("monkey_island.cc.services.database.mongo", mongo)
+
+    return mongo
+
+
+def test_store_mitigations_on_mongo(patch_attack_mitigations_path, mock_mongo_client):
+    patch_attack_mitigations_path("attack_mitigations.json")
+
+    reset_database()
+
+    assert len(list(mock_mongo_client.db.attack_mitigations.find({}))) == 3
+
+
+def test_store_mitigations_on_mongo__invalid_mitigation(patch_attack_mitigations_path):
+    patch_attack_mitigations_path("invalid_mitigation")
+
+    with pytest.raises(Exception):
+        reset_database()
+
+
+def test_get_all_mitigations(mock_mongo_client):
+    reset_database()
+
+    mitigations = list(mock_mongo_client.db.attack_mitigations.find({}))
+
+    assert len(mitigations) >= 266
+
+    mitigation = mitigations[0]["mitigations"][0]
+    assert mitigation["name"] is not None
+    assert mitigation["description"] is not None
+    assert mitigation["url"] is not None