forked from p15670423/monkey
ATT&CK matrix: order of techniques match official matrix
This commit is contained in:
parent
d10be52c2d
commit
2811bb29d5
|
@ -1,6 +1,5 @@
|
||||||
import flask_restful
|
import flask_restful
|
||||||
import json
|
from flask import jsonify, request, json, current_app
|
||||||
from flask import jsonify, request
|
|
||||||
|
|
||||||
from monkey_island.cc.auth import jwt_required
|
from monkey_island.cc.auth import jwt_required
|
||||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||||
|
@ -11,7 +10,11 @@ __author__ = "VakarisZ"
|
||||||
class AttackConfiguration(flask_restful.Resource):
|
class AttackConfiguration(flask_restful.Resource):
|
||||||
@jwt_required()
|
@jwt_required()
|
||||||
def get(self):
|
def get(self):
|
||||||
return jsonify(configuration=AttackConfig.get_config()['properties'])
|
return current_app.response_class(json.dumps({"configuration": AttackConfig.get_config()},
|
||||||
|
indent=None,
|
||||||
|
separators=(",", ":"),
|
||||||
|
sort_keys=False) + "\n",
|
||||||
|
mimetype=current_app.config['JSONIFY_MIMETYPE'])
|
||||||
|
|
||||||
@jwt_required()
|
@jwt_required()
|
||||||
def post(self):
|
def post(self):
|
||||||
|
|
|
@ -15,7 +15,7 @@ class AttackConfig(object):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_config():
|
def get_config():
|
||||||
config = mongo.db.attack.find_one({'name': 'newconfig'})
|
config = mongo.db.attack.find_one({'name': 'newconfig'})['properties']
|
||||||
return config
|
return config
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
@ -2,43 +2,90 @@ SCHEMA = {
|
||||||
"title": "ATT&CK configuration",
|
"title": "ATT&CK configuration",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
"lateral_movement": {
|
"execution": {
|
||||||
"title": "Lateral movement",
|
"title": "Execution",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
"T1210": {
|
"T1059": {
|
||||||
"title": "T1210 Exploitation of Remote services",
|
"title": "T1059 Command line interface",
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"description": "Exploitation of a software vulnerability occurs when an adversary "
|
|
||||||
"takes advantage of a programming error in a program, service, or within the "
|
|
||||||
"operating system software or kernel itself to execute adversary-controlled code."
|
|
||||||
},
|
|
||||||
"T1075": {
|
|
||||||
"title": "T1075 Pass the hash",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"description": "Pass the hash (PtH) is a method of authenticating as a user without "
|
|
||||||
"having access to the user's cleartext password."
|
|
||||||
},
|
|
||||||
"T1105": {
|
|
||||||
"title": "T1105 Remote file copy",
|
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
"value": True,
|
||||||
"necessary": True,
|
"necessary": True,
|
||||||
"description": "Files may be copied from one system to another to stage "
|
"description": "Adversaries may use command-line interfaces to interact with systems "
|
||||||
"adversary tools or other files over the course of an operation."
|
"and execute other software during the course of an operation.",
|
||||||
},
|
},
|
||||||
"T1021": {
|
"T1129": {
|
||||||
"title": "T1021 Remote services",
|
"title": "T1129 Execution through module load",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
"value": True,
|
||||||
"necessary": False,
|
"necessary": False,
|
||||||
"depends_on": ["T1110"],
|
"description": "The Windows module loader can be instructed to load DLLs from arbitrary "
|
||||||
"description": "An adversary may use Valid Accounts to log into a service"
|
"local paths and arbitrary Universal Naming Convention (UNC) network paths.",
|
||||||
" specifically designed to accept remote connections."
|
"depends_on": ["T1078", "T1003"]
|
||||||
|
},
|
||||||
|
"T1106": {
|
||||||
|
"title": "T1106 Execution through API",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": False,
|
||||||
|
"description": "Adversary tools may directly use the Windows application "
|
||||||
|
"programming interface (API) to execute binaries.",
|
||||||
|
"depends_on": ["T1210"]
|
||||||
|
},
|
||||||
|
"T1086": {
|
||||||
|
"title": "T1086 Powershell",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Adversaries can use PowerShell to perform a number of actions,"
|
||||||
|
" including discovery of information and execution of code.",
|
||||||
|
},
|
||||||
|
"T1064": {
|
||||||
|
"title": "T1064 Scripting",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Adversaries may use scripts to aid in operations and "
|
||||||
|
"perform multiple actions that would otherwise be manual.",
|
||||||
|
},
|
||||||
|
"T1035": {
|
||||||
|
"title": "T1035 Service execution",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": False,
|
||||||
|
"description": "Adversaries may execute a binary, command, or script via a method "
|
||||||
|
"that interacts with Windows services, such as the Service Control Manager.",
|
||||||
|
"depends_on": ["T1210"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"defence_evasion": {
|
||||||
|
"title": "Defence evasion",
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"T1197": {
|
||||||
|
"title": "T1197 BITS jobs",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Adversaries may abuse BITS to download, execute, "
|
||||||
|
"and even clean up after running malicious code."
|
||||||
|
},
|
||||||
|
"T1107": {
|
||||||
|
"title": "T1107 File Deletion",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Adversaries may remove files over the course of an intrusion "
|
||||||
|
"to keep their footprint low or remove them at the end as part "
|
||||||
|
"of the post-intrusion cleanup process."
|
||||||
|
},
|
||||||
|
"T1222": {
|
||||||
|
"title": "T1222 File permissions modification",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -79,97 +126,18 @@ SCHEMA = {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"defence_evasion": {
|
|
||||||
"title": "Defence evasion",
|
|
||||||
"type": "object",
|
|
||||||
"properties": {
|
|
||||||
"T1197": {
|
|
||||||
"title": "T1197 BITS jobs",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries may abuse BITS to download, execute, "
|
|
||||||
"and even clean up after running malicious code."
|
|
||||||
},
|
|
||||||
"T1107": {
|
|
||||||
"title": "T1107 File Deletion",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries may remove files over the course of an intrusion "
|
|
||||||
"to keep their footprint low or remove them at the end as part "
|
|
||||||
"of the post-intrusion cleanup process."
|
|
||||||
},
|
|
||||||
"T1222": {
|
|
||||||
"title": "T1222 File permissions modification",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"execution": {
|
|
||||||
"title": "Execution",
|
|
||||||
"type": "object",
|
|
||||||
"properties": {
|
|
||||||
"T1035": {
|
|
||||||
"title": "T1035 Service execution",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"description": "Adversaries may execute a binary, command, or script via a method "
|
|
||||||
"that interacts with Windows services, such as the Service Control Manager.",
|
|
||||||
"depends_on": ["T1210"]
|
|
||||||
},
|
|
||||||
"T1129": {
|
|
||||||
"title": "T1129 Execution through module load",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"description": "The Windows module loader can be instructed to load DLLs from arbitrary "
|
|
||||||
"local paths and arbitrary Universal Naming Convention (UNC) network paths.",
|
|
||||||
"depends_on": ["T1078", "T1003"]
|
|
||||||
},
|
|
||||||
"T1106": {
|
|
||||||
"title": "T1106 Execution through API",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"description": "Adversary tools may directly use the Windows application "
|
|
||||||
"programming interface (API) to execute binaries.",
|
|
||||||
"depends_on": ["T1210"]
|
|
||||||
},
|
|
||||||
"T1059": {
|
|
||||||
"title": "T1059 Command line interface",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries may use command-line interfaces to interact with systems "
|
|
||||||
"and execute other software during the course of an operation.",
|
|
||||||
},
|
|
||||||
"T1086": {
|
|
||||||
"title": "T1086 Powershell",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries can use PowerShell to perform a number of actions,"
|
|
||||||
" including discovery of information and execution of code.",
|
|
||||||
},
|
|
||||||
"T1064": {
|
|
||||||
"title": "T1064 Scripting",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries may use scripts to aid in operations and "
|
|
||||||
"perform multiple actions that would otherwise be manual.",
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"discovery": {
|
"discovery": {
|
||||||
"title": "Discovery",
|
"title": "Discovery",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
|
"T1018": {
|
||||||
|
"title": "T1018 Remote System Discovery",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Adversaries will likely attempt to get a listing of other systems by IP address, "
|
||||||
|
"hostname, or other logical identifier on a network for lateral movement."
|
||||||
|
},
|
||||||
"T1082": {
|
"T1082": {
|
||||||
"title": "T1082 System information discovery",
|
"title": "T1082 System information discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
|
@ -180,14 +148,6 @@ SCHEMA = {
|
||||||
"operating system and hardware, including version, patches, hotfixes, "
|
"operating system and hardware, including version, patches, hotfixes, "
|
||||||
"service packs, and architecture."
|
"service packs, and architecture."
|
||||||
},
|
},
|
||||||
"T1018": {
|
|
||||||
"title": "T1018 Remote System Discovery",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries will likely attempt to get a listing of other systems by IP address, "
|
|
||||||
"hostname, or other logical identifier on a network for lateral movement."
|
|
||||||
},
|
|
||||||
"T1016": {
|
"T1016": {
|
||||||
"title": "T1016 System network configuration discovery",
|
"title": "T1016 System network configuration discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
|
@ -200,6 +160,46 @@ SCHEMA = {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"lateral_movement": {
|
||||||
|
"title": "Lateral movement",
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"T1210": {
|
||||||
|
"title": "T1210 Exploitation of Remote services",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": False,
|
||||||
|
"description": "Exploitation of a software vulnerability occurs when an adversary "
|
||||||
|
"takes advantage of a programming error in a program, service, or within the "
|
||||||
|
"operating system software or kernel itself to execute adversary-controlled code."
|
||||||
|
},
|
||||||
|
"T1075": {
|
||||||
|
"title": "T1075 Pass the hash",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": False,
|
||||||
|
"description": "Pass the hash (PtH) is a method of authenticating as a user without "
|
||||||
|
"having access to the user's cleartext password."
|
||||||
|
},
|
||||||
|
"T1105": {
|
||||||
|
"title": "T1105 Remote file copy",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Files may be copied from one system to another to stage "
|
||||||
|
"adversary tools or other files over the course of an operation."
|
||||||
|
},
|
||||||
|
"T1021": {
|
||||||
|
"title": "T1021 Remote services",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": False,
|
||||||
|
"depends_on": ["T1110"],
|
||||||
|
"description": "An adversary may use Valid Accounts to log into a service"
|
||||||
|
" specifically designed to accept remote connections."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
"collection": {
|
"collection": {
|
||||||
"title": "Collection",
|
"title": "Collection",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
@ -219,14 +219,6 @@ SCHEMA = {
|
||||||
"title": "Command and Control",
|
"title": "Command and Control",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
"T1065": {
|
|
||||||
"title": "T1065 Uncommonly used port",
|
|
||||||
"type": "bool",
|
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"description": "Adversaries may conduct C2 communications over a non-standard "
|
|
||||||
"port to bypass proxies and firewalls that have been improperly configured."
|
|
||||||
},
|
|
||||||
"T1090": {
|
"T1090": {
|
||||||
"title": "T1090 Connection proxy",
|
"title": "T1090 Connection proxy",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
|
@ -235,6 +227,14 @@ SCHEMA = {
|
||||||
"description": "A connection proxy is used to direct network traffic between systems "
|
"description": "A connection proxy is used to direct network traffic between systems "
|
||||||
"or act as an intermediary for network communications."
|
"or act as an intermediary for network communications."
|
||||||
},
|
},
|
||||||
|
"T1065": {
|
||||||
|
"title": "T1065 Uncommonly used port",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": True,
|
||||||
|
"description": "Adversaries may conduct C2 communications over a non-standard "
|
||||||
|
"port to bypass proxies and firewalls that have been improperly configured."
|
||||||
|
},
|
||||||
"T1188": {
|
"T1188": {
|
||||||
"title": "T1188 Multi-hop proxy",
|
"title": "T1188 Multi-hop proxy",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -37,9 +37,9 @@
|
||||||
"css-loader": "^1.0.1",
|
"css-loader": "^1.0.1",
|
||||||
"eslint": "^5.16.0",
|
"eslint": "^5.16.0",
|
||||||
"eslint-loader": "^2.2.1",
|
"eslint-loader": "^2.2.1",
|
||||||
"eslint-plugin-react": "^7.15.1",
|
"eslint-plugin-react": "^7.16.0",
|
||||||
"file-loader": "^1.1.11",
|
"file-loader": "^1.1.11",
|
||||||
"glob": "^7.1.4",
|
"glob": "^7.1.6",
|
||||||
"html-loader": "^0.5.5",
|
"html-loader": "^0.5.5",
|
||||||
"html-webpack-plugin": "^3.2.0",
|
"html-webpack-plugin": "^3.2.0",
|
||||||
"karma": "^3.1.4",
|
"karma": "^3.1.4",
|
||||||
|
@ -56,21 +56,21 @@
|
||||||
"phantomjs-prebuilt": "^2.1.16",
|
"phantomjs-prebuilt": "^2.1.16",
|
||||||
"react-addons-test-utils": "^15.6.2",
|
"react-addons-test-utils": "^15.6.2",
|
||||||
"react-event-timeline": "^1.6.3",
|
"react-event-timeline": "^1.6.3",
|
||||||
"react-hot-loader": "^4.12.14",
|
"react-hot-loader": "^4.12.18",
|
||||||
"rimraf": "^2.7.1",
|
"rimraf": "^2.7.1",
|
||||||
"style-loader": "^0.22.1",
|
"style-loader": "^0.22.1",
|
||||||
"url-loader": "^1.1.2",
|
"url-loader": "^1.1.2",
|
||||||
"webpack": "^4.41.0",
|
"webpack": "^4.41.2",
|
||||||
"webpack-cli": "^3.3.9",
|
"webpack-cli": "^3.3.10",
|
||||||
"webpack-dev-server": "^3.8.1"
|
"webpack-dev-server": "^3.9.0"
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@emotion/core": "^10.0.17",
|
"@emotion/core": "^10.0.22",
|
||||||
"@kunukn/react-collapse": "^1.2.7",
|
"@kunukn/react-collapse": "^1.2.7",
|
||||||
"bootstrap": "3.4.1",
|
"bootstrap": "3.4.1",
|
||||||
"classnames": "^2.2.6",
|
"classnames": "^2.2.6",
|
||||||
"core-js": "^2.6.9",
|
"core-js": "^2.6.10",
|
||||||
"d3": "^5.11.0",
|
"d3": "^5.14.1",
|
||||||
"downloadjs": "^1.4.7",
|
"downloadjs": "^1.4.7",
|
||||||
"fetch": "^1.1.0",
|
"fetch": "^1.1.0",
|
||||||
"file-saver": "^2.0.2",
|
"file-saver": "^2.0.2",
|
||||||
|
@ -80,24 +80,24 @@
|
||||||
"moment": "^2.24.0",
|
"moment": "^2.24.0",
|
||||||
"node-sass": "^4.13.0",
|
"node-sass": "^4.13.0",
|
||||||
"normalize.css": "^8.0.0",
|
"normalize.css": "^8.0.0",
|
||||||
"npm": "^6.11.3",
|
"npm": "^6.13.1",
|
||||||
"pluralize": "^7.0.0",
|
"pluralize": "^7.0.0",
|
||||||
"prop-types": "^15.7.2",
|
"prop-types": "^15.7.2",
|
||||||
"rainge": "^1.0.1",
|
"rainge": "^1.0.1",
|
||||||
"rc-progress": "^2.5.2",
|
"rc-progress": "^2.5.2",
|
||||||
"react": "^16.10.1",
|
"react": "^16.12.0",
|
||||||
"react-bootstrap": "^0.32.4",
|
"react-bootstrap": "^0.32.4",
|
||||||
"react-copy-to-clipboard": "^5.0.1",
|
"react-copy-to-clipboard": "^5.0.2",
|
||||||
"react-data-components": "^1.2.0",
|
"react-data-components": "^1.2.0",
|
||||||
"react-desktop-notification": "^1.0.9",
|
"react-desktop-notification": "^1.0.9",
|
||||||
"react-dimensions": "^1.3.0",
|
"react-dimensions": "^1.3.0",
|
||||||
"react-dom": "^16.10.1",
|
"react-dom": "^16.12.0",
|
||||||
"react-fa": "^5.0.0",
|
"react-fa": "^5.0.0",
|
||||||
"react-filepond": "^7.0.1",
|
"react-filepond": "^7.0.1",
|
||||||
"react-graph-vis": "^1.0.2",
|
"react-graph-vis": "^1.0.5",
|
||||||
"react-json-tree": "^0.11.2",
|
"react-json-tree": "^0.11.2",
|
||||||
"react-jsonschema-form": "^1.8.0",
|
"react-jsonschema-form": "^1.8.0",
|
||||||
"react-redux": "^5.1.1",
|
"react-redux": "^5.1.2",
|
||||||
"react-router-dom": "^4.3.1",
|
"react-router-dom": "^4.3.1",
|
||||||
"react-spinners": "^0.5.13",
|
"react-spinners": "^0.5.13",
|
||||||
"react-table": "^6.10.3",
|
"react-table": "^6.10.3",
|
||||||
|
|
|
@ -37,12 +37,12 @@ class MatrixComponent extends AuthComponent {
|
||||||
if (i <= Object.keys(techType.properties).length) {
|
if (i <= Object.keys(techType.properties).length) {
|
||||||
rowColumn.technique = Object.values(techType.properties)[i];
|
rowColumn.technique = Object.values(techType.properties)[i];
|
||||||
if (rowColumn.technique) {
|
if (rowColumn.technique) {
|
||||||
rowColumn.technique.name = Object.keys(techType.properties)[i]
|
rowColumn.technique.name = Object.keys(techType.properties)[i];
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
rowColumn.technique = null
|
rowColumn.technique = null;
|
||||||
}
|
}
|
||||||
row[rowColumn.techName] = rowColumn
|
row[rowColumn.techName] = rowColumn;
|
||||||
});
|
});
|
||||||
techniques.push(row)
|
techniques.push(row)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue