ATT&CK matrix: order of techniques match official matrix

This commit is contained in:
VakarisZ 2019-11-20 12:00:25 +02:00
parent d10be52c2d
commit 2811bb29d5
6 changed files with 4681 additions and 4436 deletions


@ -1,6 +1,5 @@
import flask_restful
import json
from flask import jsonify, request
from flask import jsonify, request, json, current_app
from monkey_island.cc.auth import jwt_required
from monkey_island.cc.services.attack.attack_config import AttackConfig
@ -11,7 +10,11 @@ __author__ = "VakarisZ"
class AttackConfiguration(flask_restful.Resource):
@jwt_required()
def get(self):
return jsonify(configuration=AttackConfig.get_config()['properties'])
return current_app.response_class(json.dumps({"configuration": AttackConfig.get_config()},
indent=None,
separators=(",", ":"),
sort_keys=False) + "\n",
mimetype=current_app.config['JSONIFY_MIMETYPE'])
@jwt_required()
def post(self):
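Review bot: The `current_app.response_class(json.dumps(...))` return in `get` replaces `jsonify` without saying why, so the next reader will "simplify" it back and lose the ordering the commit is about. Add a comment above the `return`: `# Not jsonify(): Flask's JSON_SORT_KEYS would reorder the technique keys, and the order must follow the ATT&CK matrix, so serialize with sort_keys=False and the same mimetype/newline jsonify uses.` (The explicit `sort_keys=False` is what suggests that reason; confirm it.) If the stdlib `import json` shown at the top of the hunk survives on the new side, the later `from flask import ..., json, ...` rebinds the name to `flask.json`, so drop the stdlib import or alias it to make clear which `dumps` runs. `post` at the end of the hunk continues outside it.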


@ -15,7 +15,7 @@ class AttackConfig(object):
@staticmethod
def get_config():
config = mongo.db.attack.find_one({'name': 'newconfig'})
config = mongo.db.attack.find_one({'name': 'newconfig'})['properties']
return config
@staticmethod
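Review bot: Indexing `['properties']` directly on the `find_one` result makes `get_config` raise a bare `TypeError` when no document named `newconfig` exists, where the old line returned `None` and left that decision to the caller. Guard it so the failure names its cause: `config = mongo.db.attack.find_one({'name': 'newconfig'})`, then `if config is None: raise LookupError("ATT&CK config 'newconfig' not found")`, then `return config['properties']`. A one-line docstring stating that only the `properties` sub-document is returned would also stop callers from re-indexing it, as the resource did before this commit. The enclosing `AttackConfig` class continues past the hunk.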


@ -2,43 +2,90 @@ SCHEMA = {
"title": "ATT&CK configuration",
"type": "object",
"properties": {
"lateral_movement": {
"title": "Lateral movement",
"execution": {
"title": "Execution",
"type": "object",
"properties": {
"T1210": {
"title": "T1210 Exploitation of Remote services",
"type": "bool",
"value": True,
"necessary": False,
"description": "Exploitation of a software vulnerability occurs when an adversary "
"takes advantage of a programming error in a program, service, or within the "
"operating system software or kernel itself to execute adversary-controlled code."
},
"T1075": {
"title": "T1075 Pass the hash",
"type": "bool",
"value": True,
"necessary": False,
"description": "Pass the hash (PtH) is a method of authenticating as a user without "
"having access to the user's cleartext password."
},
"T1105": {
"title": "T1105 Remote file copy",
"T1059": {
"title": "T1059 Command line interface",
"type": "bool",
"value": True,
"necessary": True,
"description": "Files may be copied from one system to another to stage "
"adversary tools or other files over the course of an operation."
"description": "Adversaries may use command-line interfaces to interact with systems "
"and execute other software during the course of an operation.",
},
"T1021": {
"title": "T1021 Remote services",
"T1129": {
"title": "T1129 Execution through module load",
"type": "bool",
"value": True,
"necessary": False,
"depends_on": ["T1110"],
"description": "An adversary may use Valid Accounts to log into a service"
" specifically designed to accept remote connections."
"description": "The Windows module loader can be instructed to load DLLs from arbitrary "
"local paths and arbitrary Universal Naming Convention (UNC) network paths.",
"depends_on": ["T1078", "T1003"]
},
"T1106": {
"title": "T1106 Execution through API",
"type": "bool",
"value": True,
"necessary": False,
"description": "Adversary tools may directly use the Windows application "
"programming interface (API) to execute binaries.",
"depends_on": ["T1210"]
},
"T1086": {
"title": "T1086 Powershell",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries can use PowerShell to perform a number of actions,"
" including discovery of information and execution of code.",
},
"T1064": {
"title": "T1064 Scripting",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may use scripts to aid in operations and "
"perform multiple actions that would otherwise be manual.",
},
"T1035": {
"title": "T1035 Service execution",
"type": "bool",
"value": True,
"necessary": False,
"description": "Adversaries may execute a binary, command, or script via a method "
"that interacts with Windows services, such as the Service Control Manager.",
"depends_on": ["T1210"]
}
}
},
"defence_evasion": {
"title": "Defence evasion",
"type": "object",
"properties": {
"T1197": {
"title": "T1197 BITS jobs",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may abuse BITS to download, execute, "
"and even clean up after running malicious code."
},
"T1107": {
"title": "T1107 File Deletion",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may remove files over the course of an intrusion "
"to keep their footprint low or remove them at the end as part "
"of the post-intrusion cleanup process."
},
"T1222": {
"title": "T1222 File permissions modification",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
}
}
},
@ -79,97 +126,18 @@ SCHEMA = {
}
}
},
"defence_evasion": {
"title": "Defence evasion",
"type": "object",
"properties": {
"T1197": {
"title": "T1197 BITS jobs",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may abuse BITS to download, execute, "
"and even clean up after running malicious code."
},
"T1107": {
"title": "T1107 File Deletion",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may remove files over the course of an intrusion "
"to keep their footprint low or remove them at the end as part "
"of the post-intrusion cleanup process."
},
"T1222": {
"title": "T1222 File permissions modification",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
}
}
},
"execution": {
"title": "Execution",
"type": "object",
"properties": {
"T1035": {
"title": "T1035 Service execution",
"type": "bool",
"value": True,
"necessary": False,
"description": "Adversaries may execute a binary, command, or script via a method "
"that interacts with Windows services, such as the Service Control Manager.",
"depends_on": ["T1210"]
},
"T1129": {
"title": "T1129 Execution through module load",
"type": "bool",
"value": True,
"necessary": False,
"description": "The Windows module loader can be instructed to load DLLs from arbitrary "
"local paths and arbitrary Universal Naming Convention (UNC) network paths.",
"depends_on": ["T1078", "T1003"]
},
"T1106": {
"title": "T1106 Execution through API",
"type": "bool",
"value": True,
"necessary": False,
"description": "Adversary tools may directly use the Windows application "
"programming interface (API) to execute binaries.",
"depends_on": ["T1210"]
},
"T1059": {
"title": "T1059 Command line interface",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may use command-line interfaces to interact with systems "
"and execute other software during the course of an operation.",
},
"T1086": {
"title": "T1086 Powershell",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries can use PowerShell to perform a number of actions,"
" including discovery of information and execution of code.",
},
"T1064": {
"title": "T1064 Scripting",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may use scripts to aid in operations and "
"perform multiple actions that would otherwise be manual.",
}
}
},
"discovery": {
"title": "Discovery",
"type": "object",
"properties": {
"T1018": {
"title": "T1018 Remote System Discovery",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries will likely attempt to get a listing of other systems by IP address, "
"hostname, or other logical identifier on a network for lateral movement."
},
"T1082": {
"title": "T1082 System information discovery",
"type": "bool",
@ -180,14 +148,6 @@ SCHEMA = {
"operating system and hardware, including version, patches, hotfixes, "
"service packs, and architecture."
},
"T1018": {
"title": "T1018 Remote System Discovery",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries will likely attempt to get a listing of other systems by IP address, "
"hostname, or other logical identifier on a network for lateral movement."
},
"T1016": {
"title": "T1016 System network configuration discovery",
"type": "bool",
@ -200,6 +160,46 @@ SCHEMA = {
}
}
},
"lateral_movement": {
"title": "Lateral movement",
"type": "object",
"properties": {
"T1210": {
"title": "T1210 Exploitation of Remote services",
"type": "bool",
"value": True,
"necessary": False,
"description": "Exploitation of a software vulnerability occurs when an adversary "
"takes advantage of a programming error in a program, service, or within the "
"operating system software or kernel itself to execute adversary-controlled code."
},
"T1075": {
"title": "T1075 Pass the hash",
"type": "bool",
"value": True,
"necessary": False,
"description": "Pass the hash (PtH) is a method of authenticating as a user without "
"having access to the user's cleartext password."
},
"T1105": {
"title": "T1105 Remote file copy",
"type": "bool",
"value": True,
"necessary": True,
"description": "Files may be copied from one system to another to stage "
"adversary tools or other files over the course of an operation."
},
"T1021": {
"title": "T1021 Remote services",
"type": "bool",
"value": True,
"necessary": False,
"depends_on": ["T1110"],
"description": "An adversary may use Valid Accounts to log into a service"
" specifically designed to accept remote connections."
}
}
},
"collection": {
"title": "Collection",
"type": "object",
@ -219,14 +219,6 @@ SCHEMA = {
"title": "Command and Control",
"type": "object",
"properties": {
"T1065": {
"title": "T1065 Uncommonly used port",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may conduct C2 communications over a non-standard "
"port to bypass proxies and firewalls that have been improperly configured."
},
"T1090": {
"title": "T1090 Connection proxy",
"type": "bool",
@ -235,6 +227,14 @@ SCHEMA = {
"description": "A connection proxy is used to direct network traffic between systems "
"or act as an intermediary for network communications."
},
"T1065": {
"title": "T1065 Uncommonly used port",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may conduct C2 communications over a non-standard "
"port to bypass proxies and firewalls that have been improperly configured."
},
"T1188": {
"title": "T1188 Multi-hop proxy",
"type": "bool",
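Review bot: The key order of `SCHEMA` is now load-bearing (the reordering of the tactic and technique entries is the whole change), but nothing in the file states that, so a future alphabetical tidy-up or a `sort_keys=True` encoder would silently undo it. Add a comment at the top of the literal: `# Ordering matters: tactics and techniques are listed in the order of the official ATT&CK matrix and the UI renders them in dict order. Python 3.7+ preserves insertion order; do not sort this dict or let a JSON encoder sort its keys.` The order also has to survive the Mongo round trip in `AttackConfig.get_config`; whether the document class used by the driver keeps field order is not visible here, so confirm it before relying on it. The `SCHEMA` literal extends beyond the hunks shown.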



@ -37,9 +37,9 @@
"css-loader": "^1.0.1",
"eslint": "^5.16.0",
"eslint-loader": "^2.2.1",
"eslint-plugin-react": "^7.15.1",
"eslint-plugin-react": "^7.16.0",
"file-loader": "^1.1.11",
"glob": "^7.1.4",
"glob": "^7.1.6",
"html-loader": "^0.5.5",
"html-webpack-plugin": "^3.2.0",
"karma": "^3.1.4",
@ -56,21 +56,21 @@
"phantomjs-prebuilt": "^2.1.16",
"react-addons-test-utils": "^15.6.2",
"react-event-timeline": "^1.6.3",
"react-hot-loader": "^4.12.14",
"react-hot-loader": "^4.12.18",
"rimraf": "^2.7.1",
"style-loader": "^0.22.1",
"url-loader": "^1.1.2",
"webpack": "^4.41.0",
"webpack-cli": "^3.3.9",
"webpack-dev-server": "^3.8.1"
"webpack": "^4.41.2",
"webpack-cli": "^3.3.10",
"webpack-dev-server": "^3.9.0"
},
"dependencies": {
"@emotion/core": "^10.0.17",
"@emotion/core": "^10.0.22",
"@kunukn/react-collapse": "^1.2.7",
"bootstrap": "3.4.1",
"classnames": "^2.2.6",
"core-js": "^2.6.9",
"d3": "^5.11.0",
"core-js": "^2.6.10",
"d3": "^5.14.1",
"downloadjs": "^1.4.7",
"fetch": "^1.1.0",
"file-saver": "^2.0.2",
@ -80,24 +80,24 @@
"moment": "^2.24.0",
"node-sass": "^4.13.0",
"normalize.css": "^8.0.0",
"npm": "^6.11.3",
"npm": "^6.13.1",
"pluralize": "^7.0.0",
"prop-types": "^15.7.2",
"rainge": "^1.0.1",
"rc-progress": "^2.5.2",
"react": "^16.10.1",
"react": "^16.12.0",
"react-bootstrap": "^0.32.4",
"react-copy-to-clipboard": "^5.0.1",
"react-copy-to-clipboard": "^5.0.2",
"react-data-components": "^1.2.0",
"react-desktop-notification": "^1.0.9",
"react-dimensions": "^1.3.0",
"react-dom": "^16.10.1",
"react-dom": "^16.12.0",
"react-fa": "^5.0.0",
"react-filepond": "^7.0.1",
"react-graph-vis": "^1.0.2",
"react-graph-vis": "^1.0.5",
"react-json-tree": "^0.11.2",
"react-jsonschema-form": "^1.8.0",
"react-redux": "^5.1.1",
"react-redux": "^5.1.2",
"react-router-dom": "^4.3.1",
"react-spinners": "^0.5.13",
"react-table": "^6.10.3",


@ -37,12 +37,12 @@ class MatrixComponent extends AuthComponent {
if (i <= Object.keys(techType.properties).length) {
rowColumn.technique = Object.values(techType.properties)[i];
if (rowColumn.technique) {
rowColumn.technique.name = Object.keys(techType.properties)[i]
rowColumn.technique.name = Object.keys(techType.properties)[i];
}
} else {
rowColumn.technique = null
rowColumn.technique = null;
}
row[rowColumn.techName] = rowColumn
row[rowColumn.techName] = rowColumn;
});
techniques.push(row)
}
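Review bot: The guard `if (i <= Object.keys(techType.properties).length)` admits `i === length`, where `Object.values(techType.properties)[i]` is `undefined`; that iteration leaves `rowColumn.technique` as `undefined` rather than the `null` the `else` branch assigns, so consumers that test `=== null` see two different empty states. Changing the comparison to `<` makes the `else` branch the only empty path: `if (i < Object.keys(techType.properties).length) {`. Hoisting `Object.keys(techType.properties)` and `Object.values(techType.properties)` into locals before the loop would also avoid recomputing both arrays for every column. `techniques.push(row)` on the last line still lacks the semicolon the commit adds elsewhere in this loop; the enclosing method of `MatrixComponent` starts before the hunk.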