

@cutler-scott-newrelic
Created July 22, 2021 15:32
Generate a Google Sheet from Elastic SIEM data

About

This Python file is an example of some of the Google Sheets API programming I've been doing.

It takes the following inputs:

  1. Kibana URL and authentication
  2. MITRE ATT&CK navigator save file (JSON)
  3. MITRE ATT&CK data (automatically downloaded by the library)
  4. Existing Google SpreadSheet ID

It then writes to (modifies) two existing sheets in the Google spreadsheet (MITRE Mapping, Rule List). The goal of the script is to track our coverage of various MITRE ATT&CK techniques and threat groups by mapping/correlating them to Kibana detection rules. This is a work in progress and still has some major issues — mainly, it does not CREATE the spreadsheet, the embedded sheets, or their headers.

{
"description": "Enterprise techniques used by APT29, ATT&CK group G0016 v2.0",
"name": "APT29 (G0016)",
"domain": "enterprise-attack",
"versions": {
"layer": "4.2",
"attack": "9",
"navigator": "4.3"
},
"techniques": [
{
"techniqueID": "T1548",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1548.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has bypassed UAC.(Citation: Mandiant No Easy Breach)"
},
{
"score": 1,
"techniqueID": "T1087",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.(Citation: Volexity SolarWinds)"
},
{
"techniqueID": "T1098",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1098.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has added credentials to OAuth Applications and Service Principals.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) "
},
{
"score": 1,
"techniqueID": "T1098.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.(Citation: Volexity SolarWinds)(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)"
},
{
"techniqueID": "T1583",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1583.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has acquired C2 domains through resellers.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)"
},
{
"score": 1,
"techniqueID": "T1583.006",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has registered algorithmically generated Twitter handles that are used for C2 by malware, such as [HAMMERTOSS](https://attack.mitre.org/software/S0037).(Citation: FireEye APT29)"
},
{
"techniqueID": "T1071",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1071.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds)"
},
{
"techniqueID": "T1560",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1560.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"techniqueID": "T1547",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1547.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach)"
},
{
"score": 1,
"techniqueID": "T1547.009",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) drops a Windows shortcut file for execution.(Citation: FireEye APT29 Nov 2018)"
},
{
"techniqueID": "T1059",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1059.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used encoded PowerShell scripts uploaded to [CozyCar](https://attack.mitre.org/software/S0046) installations to download and install [SeaDuke](https://attack.mitre.org/software/S0053). [APT29](https://attack.mitre.org/groups/G0016) also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and to execute other commands.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020).(Citation: Symantec Seaduke 2015)(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Nov 2018)"
},
{
"score": 1,
"techniqueID": "T1059.003",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used cmd.exe to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)"
},
{
"score": 1,
"techniqueID": "T1059.006",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has developed malware variants written in Python.(Citation: ESET Dukes October 2019)"
},
{
"techniqueID": "T1584",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1584.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has compromised domains to use for C2.(Citation: MSTIC NOBELIUM Mar 2021)"
},
{
"score": 1,
"techniqueID": "T1555",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1005",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has extracted files from compromised networks.(Citation: Volexity SolarWinds) "
},
{
"techniqueID": "T1001",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1001.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used steganography to hide C2 communications in images.(Citation: ESET Dukes October 2019)"
},
{
"techniqueID": "T1074",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1074.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) staged data and files in password-protected archives on a victim's OWA server.(Citation: Volexity SolarWinds)"
},
{
"score": 1,
"techniqueID": "T1140",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used 7-Zip to decode its [Raindrop](https://attack.mitre.org/software/S0565) malware.(Citation: Symantec RAINDROP January 2021)"
},
{
"techniqueID": "T1587",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1587.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) developed [SUNSPOT](https://attack.mitre.org/software/S0562), [SUNBURST](https://attack.mitre.org/software/S0559), [TEARDROP](https://attack.mitre.org/software/S0560), and [Raindrop](https://attack.mitre.org/software/S0565); [SUNSPOT](https://attack.mitre.org/software/S0562) and [SUNBURST](https://attack.mitre.org/software/S0559) were tailored to be incorporated into SolarWind's Orion software library.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1587.003",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has created self-signed digital certificates to enable mutual TLS authentication for malware.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)"
},
{
"techniqueID": "T1484",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1484.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.(Citation: Microsoft 365 Defender Solorigate)"
},
{
"score": 1,
"techniqueID": "T1482",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.(Citation: Volexity SolarWinds) They also used [AdFind](https://attack.mitre.org/software/S0552) to enumerate domains and to discover trust between federated domains.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1568",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.(Citation: Volexity SolarWinds)"
},
{
"techniqueID": "T1114",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1114.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.(Citation: Volexity SolarWinds)"
},
{
"techniqueID": "T1546",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1546.003",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used WMI event subscriptions for persistence.(Citation: Mandiant No Easy Breach)(Citation: ESET Dukes October 2019)(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1546.008",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used sticky-keys to obtain unauthenticated, privileged console access.(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Domain Fronting)"
},
{
"techniqueID": "T1048",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1048.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.(Citation: Volexity SolarWinds)"
},
{
"score": 1,
"techniqueID": "T1190",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.(Citation: NCSC APT29 July 2020)(Citation: Volexity SolarWinds)"
},
{
"score": 1,
"techniqueID": "T1203",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.(Citation: F-Secure The Dukes)"
},
{
"score": 1,
"techniqueID": "T1133",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used compromised identities to access VPNs and remote access tools.(Citation: MSTIC NOBELIUM Mar 2021)"
},
{
"score": 1,
"techniqueID": "T1083",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.(Citation: Volexity SolarWinds)"
},
{
"techniqueID": "T1606",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1606.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.(Citation: Volexity SolarWinds)"
},
{
"score": 1,
"techniqueID": "T1606.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) created tokens using compromised SAML signing certificates.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)"
},
{
"techniqueID": "T1562",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1562.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1562.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used AUDITPOL to prevent the collection of audit logs.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1562.004",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used netsh to configure firewall rules that limited certain UDP outbound packets.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1070",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) removed evidence of email export requests using Remove-MailboxExportRequest.(Citation: Volexity SolarWinds) They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.(Citation: FireEye SUNBURST Backdoor December 2020)"
},
{
"score": 1,
"techniqueID": "T1070.004",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) routinely removed their tools, including custom backdoors, once remote access was achieved. [APT29](https://attack.mitre.org/groups/G0016) has also used [SDelete](https://attack.mitre.org/software/S0195) to remove artifacts from victims.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Mandiant No Easy Breach)"
},
{
"score": 1,
"techniqueID": "T1070.006",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) modified timestamps of backdoors to match legitimate Windows files.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1105",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has downloaded additional tools, such as [TEARDROP](https://attack.mitre.org/software/S0560) malware and [Cobalt Strike](https://attack.mitre.org/software/S0154), to a compromised host following initial access.(Citation: FireEye SUNBURST Backdoor December 2020)"
},
{
"score": 1,
"techniqueID": "T1036",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure.(Citation: FireEye SUNBURST Backdoor December 2020)"
},
{
"score": 1,
"techniqueID": "T1036.004",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) named tasks \\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager in order to appear legitimate.(Citation: Volexity SolarWinds)"
},
{
"score": 1,
"techniqueID": "T1036.005",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) renamed a version of [AdFind](https://attack.mitre.org/software/S0552) to sqlceip.exe or csrss.exe in an attempt to appear as the SQL Server Telemetry Client or Client Service Runtime Process, respectively.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)"
},
{
"score": 1,
"techniqueID": "T1095",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used TCP for C2 communications.(Citation: FireEye APT29 Nov 2018)"
},
{
"score": 1,
"techniqueID": "T1027",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used encoded PowerShell commands.(Citation: FireEye APT29 Nov 2018)"
},
{
"score": 1,
"techniqueID": "T1027.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used UPX to pack files.(Citation: Mandiant No Easy Breach)"
},
{
"techniqueID": "T1003",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1003.006",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) leveraged privileged accounts to replicate directory service data with domain controllers.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"score": 1,
"techniqueID": "T1069",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.(Citation: Volexity SolarWinds)"
},
{
"techniqueID": "T1566",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1566.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)"
},
{
"score": 1,
"techniqueID": "T1566.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.(Citation: Mandiant No Easy Breach)"
},
{
"score": 1,
"techniqueID": "T1057",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used multiple command-line utilities to enumerate running processes.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"techniqueID": "T1090",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1090.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) configured at least one instance of [Cobalt Strike](https://attack.mitre.org/software/S0154) to use a network pipe over SMB during the 2020 SolarWinds intrusion.(Citation: Symantec RAINDROP January 2021)"
},
{
"score": 1,
"techniqueID": "T1090.003",
"showSubtechniques": true,
"comment": "A backdoor used by [APT29](https://attack.mitre.org/groups/G0016) created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.(Citation: Mandiant No Easy Breach)"
},
{
"score": 1,
"techniqueID": "T1090.004",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.(Citation: Mandiant No Easy Breach)"
},
{
"techniqueID": "T1021",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1021.006",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used WinRM via PowerShell to execute command and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021)"
},
{
"score": 1,
"techniqueID": "T1018",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used [AdFind](https://attack.mitre.org/software/S0552) to enumerate remote systems.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"techniqueID": "T1053",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1053.005",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement.(Citation: Volexity SolarWinds) They have manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.(Citation: FireEye SUNBURST Backdoor December 2020) [APT29](https://attack.mitre.org/groups/G0016) also created a scheduled task to maintain [SUNSPOT](https://attack.mitre.org/software/S0562) persistence when the host booted during the 2020 SolarWinds intrusion.(Citation: CrowdStrike SUNSPOT Implant January 2021) They previously used named and hijacked scheduled tasks to also establish persistence.(Citation: Mandiant No Easy Breach)"
},
{
"techniqueID": "T1218",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1218.011",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used Rundll32.exe to execute payloads.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: FireEye APT29 Nov 2018)"
},
{
"techniqueID": "T1558",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1558.003",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"techniqueID": "T1553",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1553.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) was able to get [SUNBURST](https://attack.mitre.org/software/S0559) signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.(Citation: FireEye SUNBURST Backdoor December 2020)"
},
{
"techniqueID": "T1195",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1195.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) gained initial network access to some victims via a trojanized update of SolarWinds Orion software.(Citation: FireEye SUNBURST Backdoor December 2020)"
},
{
"score": 1,
"techniqueID": "T1082",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used fsutil to check available free space before executing actions that might create large files on disk.(Citation: Microsoft Deep Dive Solorigate January 2021)"
},
{
"techniqueID": "T1016",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1016.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used [GoldFinder](https://attack.mitre.org/software/S0597) to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)"
},
{
"techniqueID": "T1552",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1552.004",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.(Citation: Microsoft 365 Defender Solorigate)"
},
{
"score": 1,
"techniqueID": "T1550",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling [APT29](https://attack.mitre.org/groups/G0016) to access enterprise cloud applications and services.(Citation: Microsoft 365 Defender Solorigate)"
},
{
"score": 1,
"techniqueID": "T1550.003",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used Kerberos ticket attacks for lateral movement.(Citation: Mandiant No Easy Breach)"
},
{
"score": 1,
"techniqueID": "T1550.004",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used a forged duo-sid cookie to bypass MFA set on an email account.(Citation: Volexity SolarWinds)"
},
{
"techniqueID": "T1204",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1204.001",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to click on a malicous link.(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)"
},
{
"score": 1,
"techniqueID": "T1204.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. (Citation: F-Secure The Dukes) (Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)"
},
{
"score": 1,
"techniqueID": "T1078",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used different compromised credentials for remote access and to move laterally.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)"
},
{
"score": 1,
"techniqueID": "T1078.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)"
},
{
"techniqueID": "T1102",
"showSubtechniques": true
},
{
"score": 1,
"techniqueID": "T1102.002",
"showSubtechniques": true,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) has used social media platforms to hide communications to C2 servers.(Citation: ESET Dukes October 2019)"
},
{
"score": 1,
"techniqueID": "T1047",
"showSubtechniques": false,
"comment": "[APT29](https://attack.mitre.org/groups/G0016) used WMI to steal credentials and execute backdoors at a future time.(Citation: Mandiant No Easy Breach) They have also used WMI for the remote execution of files for lateral movement.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)"
}
],
"gradient": {
"colors": [
"#ffffff",
"#66b1ff"
],
"minValue": 0,
"maxValue": 1
},
"legendItems": [
{
"label": "used by APT29",
"color": "#66b1ff"
}
]
}
#!/usr/bin/env python3
import argparse
import getpass
import json
import logging
import os.path
import sys
import urllib
import urllib.parse
from collections import defaultdict
from functools import reduce

import requests
from dateutil.parser import isoparse
# conda install -c conda-forge google-auth-oauthlib
# conda install -c conda-forge google-api-python-client
from google_auth_oauthlib.flow import InstalledAppFlow
from googleapiclient.discovery import build
from google.oauth2.credentials import Credentials
# pip install mitreattack-python
import mitreattack.attackToExcel.attackToExcel as attackToExcel
import mitreattack.attackToExcel.stixToDf as stixToDf
# Module-level state; all three stay None until main() fills them in.
LOGGER = None        # logger built by initialize_logger()
AUTH = None          # (username, password) tuple handed to requests as basic auth
URL_OBJECT = None    # urllib.parse.SplitResult for the Kibana base URL

# Sent on every Kibana API call (see kibana_api_call); the header name
# suggests Kibana's request-forgery check, though this file does not say so.
KIBANA_POST_HEADERS = dict(
    [('kbn-xsrf', 'true')]
)

# Placeholder — replace with the ID of the target Google spreadsheet.
SPREADSHEET_ID = '<GDRIVE ID OF SHEET>'

# Technique ids flagged TRUE in the "top technique" column of the MITRE Mapping sheet.
TOP_TECHNIQUES = [
    'T1036',
    'T1049',
    'T1082',
    'T1087',
    'T1059',
]
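def main():
    """Entry point: pull tagged Kibana detection rules and push them to Google Sheets.

    Fills the module globals LOGGER, AUTH and URL_OBJECT that the helper
    functions read, fetches the rules tagged 'priv_esc_tests' and 'AWS',
    then rewrites the "Rule List" and "MITRE Mapping" sheets.
    """
    global LOGGER
    global AUTH
    global URL_OBJECT
    args = get_args()
    LOGGER = initialize_logger(args)
    AUTH = (args.username, args.password)
    # urlsplit() only applies the default scheme when the input has none, and
    # an input like "host:5601" is parsed with "host" as the scheme (hostname
    # then comes back None), so normalise scheme-less input first.
    url = args.url if '://' in args.url else f'http://{args.url}'
    URL_OBJECT = urllib.parse.urlsplit(url, 'http')
    if not URL_OBJECT.port:
        # No explicit port: fall back to 5601, the port Kibana listens on by default.
        URL_OBJECT = URL_OBJECT._replace(netloc=f"{URL_OBJECT.hostname}:5601")
    rules = kibana_get_rules_by_tag('priv_esc_tests')
    rules.extend(kibana_get_rules_by_tag('AWS'))
    service = get_gsheet_service()
    write_rulelist(service, rules)
    write_mitre_list(service, rules)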
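def write_mitre_list(service, rules):
    """Write one row per enterprise ATT&CK technique to the "MITRE Mapping" sheet.

    Rows start at sheet row 2 and carry: technique id, name, tactics, URL,
    the threat groups (from the navigator layer files listed below) that
    use the technique, whether it is in TOP_TECHNIQUES, a blank column,
    whether any of ``rules`` maps to it, the names of those rules, and
    whether any of them is enabled. Only techniques whose ``platforms``
    text mentions one of the platforms in ``platform_filter_list`` are kept.

    Args:
        service: Google Sheets API service returned by get_gsheet_service().
        rules: Kibana detection rule dicts as returned by kibana_get_rules_by_tag().
    """
    # download and parse ATT&CK STIX data
    attackdata = attackToExcel.get_stix_data("enterprise-attack")
    # get Pandas DataFrames for techniques, associated relationships, and citations
    techniques_data = stixToDf.techniquesToDf(attackdata, "enterprise-attack")
    techniques_df = techniques_data["techniques"]
    attack_navigator_json_fn = 'attack_navigator_layer.json'
    platform_filter_list = ["SaaS", "IaaS", "Network", "Containers"]
    threat_group_json_fns = ['threat_groups/G0016.json']
    # The navigator layer is read but not used yet (work in progress); the
    # read is kept so a missing file still fails early as before.
    with open(attack_navigator_json_fn) as anjf:
        attack_navigator_json = json.load(anjf)  # noqa: F841
    threat_group_json = []
    for tgj_fn in threat_group_json_fns:
        with open(tgj_fn) as tgj:
            threat_group_json.append(json.load(tgj))
    # technique id -> names of every threat-group layer that lists it
    technique_to_tg_dict = defaultdict(list)
    for tgj in threat_group_json:
        for t in tgj['techniques']:
            technique_to_tg_dict[t['techniqueID']].append(tgj['name'])
    # Parse each rule's technique ids once, instead of once per technique row
    # (the original re-walked every rule for every technique).
    rule_technique_ids = [(rule, set(get_mitre_techniques_from_rule(rule))) for rule in rules]

    def is_in_platform(t_nt):
        # Case-insensitive substring match on the platforms text, as the
        # original did; assumes t_nt.platforms is a str — TODO confirm.
        supported_platforms = t_nt.platforms.lower()
        return any(pf.lower() in supported_platforms for pf in platform_filter_list)

    def get_rules_for_technique(t_nt):
        # Rules that declare this technique (or one of its sub-techniques), in input order.
        return [rule for rule, ids in rule_technique_ids if t_nt.ID in ids]

    def transform_technique(t_nt):
        matching = get_rules_for_technique(t_nt)
        return [
            t_nt.ID,
            t_nt.name,
            t_nt.tactics,
            t_nt.url,
            ','.join(technique_to_tg_dict[t_nt.ID]),
            'TRUE' if t_nt.ID in TOP_TECHNIQUES else 'FALSE',
            '',
            'TRUE' if matching else 'FALSE',
            ','.join(r['name'] for r in matching),
            'TRUE' if any(r['enabled'] for r in matching) else 'FALSE',
        ]

    values = [
        transform_technique(t_nt)
        for t_nt in techniques_df.itertuples(index=False)
        if is_in_platform(t_nt)
    ]
    # De-duplicate identical rows, then order by the tactics column (index 2).
    values = sorted({tuple(row) for row in values}, key=lambda row: row[2])
    range_name = f"MITRE Mapping!2:{len(values) + 1}"
    body = {'values': values}
    result = service.spreadsheets().values().update(
        spreadsheetId=SPREADSHEET_ID, range=range_name,
        valueInputOption='USER_ENTERED', body=body).execute()
    LOGGER.info(result)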
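def get_mitre_techniques_from_rule(rule):
    """Return every ATT&CK technique and sub-technique id a Kibana rule declares.

    Walks ``rule['threat']`` (a list of threat entries, each holding a
    ``technique`` list). For each technique, any ``subtechnique`` ids are
    emitted before the parent technique id, preserving the rule's order.
    A missing ``threat``, ``technique`` or ``subtechnique`` key is treated
    as empty, so a rule with no mapping yields ``[]`` instead of raising.

    Args:
        rule: a Kibana detection rule dict.

    Returns:
        list[str] of technique ids (duplicates kept if the rule repeats one).
    """
    output = []
    for threat in rule.get('threat') or []:
        for technique in threat.get('technique') or []:
            output.extend(st['id'] for st in technique.get('subtechnique') or [])
            output.append(technique['id'])
    return output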
def write_rulelist(service, rules):
    """Write one row per Kibana rule to the "Rule List" sheet, starting at row 2.

    Columns: name, description, comma-joined tags, comma-joined ATT&CK
    technique ids, a blank column, last editor, last-updated time in
    ctime format, then yes/no for AWS-tagged, enabled and has-actions;
    the final column is always 'no'.

    Args:
        service: Google Sheets API service from get_gsheet_service().
        rules: Kibana detection rule dicts.
    """
    def yes_no(flag):
        return 'yes' if flag else 'no'

    def row_for(rule):
        tags = rule['tags']
        return [
            rule['name'],
            rule['description'],
            ','.join(tags),
            ','.join(get_mitre_techniques_from_rule(rule)),
            '',
            rule['updated_by'],
            isoparse(rule['updated_at']).ctime(),
            yes_no('AWS' in tags),
            yes_no(rule['enabled']),
            yes_no(len(rule['actions']) > 0),
            'no',
        ]

    rows = [row_for(rule) for rule in rules]
    target_range = f"Rule List!2:{len(rules) + 1}"
    result = service.spreadsheets().values().update(
        spreadsheetId=SPREADSHEET_ID, range=target_range,
        valueInputOption='USER_ENTERED', body={'values': rows}).execute()
    LOGGER.info(result)
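def get_gsheet_service():
    """Return an authorised Google Sheets v4 API client.

    On first run this drives the OAuth installed-app flow from
    ``client_secrets.json`` (download it from the Google Developer console)
    and caches the resulting user credentials — which include a refresh
    token — in ``credentials.json``; later runs load that file directly.

    Returns:
        The resource object from googleapiclient's ``build('sheets', 'v4', ...)``.
    """
    # NOTE(review): only the spreadsheets scope is exercised by this script's
    # calls; dropping the other two would be least-privilege, but a cached
    # credentials.json issued with them would then need re-creating.
    scopes = ['https://www.googleapis.com/auth/spreadsheets', 'https://www.googleapis.com/auth/userinfo.email', 'openid']
    # You will need to get the client_secrets.json from your Google Developer console
    credentials_filename = 'credentials.json'
    client_secret_filename = 'client_secrets.json'
    if os.path.isfile(credentials_filename):
        credentials = Credentials.from_authorized_user_file(credentials_filename, scopes=scopes)
    else:
        flow = InstalledAppFlow.from_client_secrets_file(
            client_secret_filename,
            scopes=scopes
        )
        flow.run_local_server()
        credentials = flow.credentials
        # The cached file holds a long-lived refresh token, so create it
        # owner-read/write only instead of with the process umask default.
        fd = os.open(credentials_filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with open(fd, 'w', encoding='utf-8') as f:
            f.write(credentials.to_json())
    return build('sheets', 'v4', credentials=credentials)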
def initialize_logger(args):
    """Build and return the module logger, with verbosity taken from ``args.verbose``.

    One ``-v`` selects INFO, two or more select DEBUG, anything else leaves
    WARNING. A StreamHandler with a "name - level - message" format is
    attached on every call.
    """
    verbosity_levels = {1: logging.INFO, 2: logging.DEBUG}
    # Clamp so that -vvv and beyond map to DEBUG; 0 and negatives miss the table.
    chosen_level = verbosity_levels.get(min(args.verbose, 2), logging.WARNING)
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter('%(name)s - %(levelname)s - %(message)s'))
    logger = logging.getLogger(__name__)
    logger.setLevel(chosen_level)
    logger.addHandler(handler)
    return logger
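def get_args(argv=None):
    """Parse command-line options.

    Args:
        argv: argument list to parse; ``None`` means ``sys.argv[1:]``.

    Returns:
        argparse.Namespace with ``url``, ``username``, ``password`` and
        ``verbose`` (count of -v flags). When ``--username`` is given but
        ``--password`` is not, the password is read from an interactive
        prompt so it need not appear on the command line, where it would
        be visible in process listings and shell history.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('url', help='The URL for the required Kibana instance')
    parser.add_argument('--username', help='The username for authenticating to Kibana')
    parser.add_argument('--password', help='The password for authenticating to Kibana (prompted for if omitted)')
    parser.add_argument('--verbose', '-v', action='count', default=0)
    args = parser.parse_args(argv)
    if args.username and args.password is None:
        args.password = getpass.getpass('Kibana password: ')
    return args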
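def kibana_get_rules_by_tag(tag):
    """Return every Kibana detection rule tagged ``tag``, following pagination.

    Args:
        tag: tag value interpolated into the ``alert.attributes.tags:`` KQL
            filter. Callers in this file pass fixed literals, so no escaping
            is done here; do not pass user-supplied text without adding it.

    Returns:
        list of rule dicts from ``/api/detection_engine/rules/_find``. The
        list is empty or partial if a request fails (kibana_api_call logs
        the failure and returns None) or a page comes back without rows.
    """
    output = []
    total = 1
    page = 1
    while len(output) < total:
        params = {'filter': f"alert.attributes.tags:{tag}",
                  'page': page}
        r = kibana_api_call('get', '/api/detection_engine/rules/_find', params=params)
        # kibana_api_call returns None on a non-2xx response; stop instead
        # of raising TypeError on r['total'].
        if not r or r['total'] <= 0:
            return output
        total = r['total']
        page_data = r['data']
        if not page_data:
            # A page with no rows would otherwise loop forever, since
            # len(output) could never reach ``total``.
            break
        output.extend(page_data)
        page += 1
    return output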
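def kibana_api_call(method, path, params=None, timeout=None):
    """Issue one request against the Kibana API and decode the JSON reply.

    Uses the module globals URL_OBJECT (base URL), AUTH (basic-auth tuple)
    and KIBANA_POST_HEADERS, all set in main(). TLS verification is left at
    the requests default (enabled).

    Args:
        method: name of the requests function to use, e.g. 'get' or 'post'.
        path: API path that replaces the base URL's path.
        params: optional query parameters.
        timeout: optional requests timeout in seconds; ``None`` (the
            default) keeps the original unbounded wait.

    Returns:
        The decoded JSON body when ``r.ok`` is true, otherwise ``None``
        after logging the failure (status code and body at DEBUG level).
    """
    url = urllib.parse.urlunsplit(URL_OBJECT._replace(path=path))
    # requests treats params=None like an omitted params, so one call covers both cases.
    r = getattr(requests, method)(
        url,
        headers=KIBANA_POST_HEADERS,
        auth=AUTH,
        params=params,
        timeout=timeout,
    )
    if r.ok:
        return r.json()
    LOGGER.warning("Something went wrong, export failed!")
    # The status code must be a %s argument: passing it as a bare extra
    # positional with no placeholder makes the logging call itself error.
    LOGGER.debug('Status Code: %s', r.status_code)
    try:
        LOGGER.debug(json.dumps(r.json(), indent=2))
    except ValueError:
        # Error body is not JSON (e.g. an HTML proxy page); log it raw.
        LOGGER.debug(r.text)
    return None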
if __name__ == '__main__':
    # Run only when executed as a script, not when imported; main() returns
    # None, so the exit status stays 0 as before.
    sys.exit(main())