@jorritfolmer
Last active January 23, 2022 11:31
Gist: jorritfolmer/98250b6abb14fd320d93cf17201d5eaf
Onboarding MITRE EDR evaluations round 3 (Carbanak+FIN7) into Splunk

MITRE EDR evaluations round 3

For easier Splunking, use the steps and the Python script below.

Download the MITRE EDR evaluation JSON files

wget https://attackevals.mitre-engenuity.org/downloadable_JSON/AhnLab_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Bitdefender_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CheckPoint_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cisco_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CrowdStrike_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cybereason_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CyCraft_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cylance_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cynet_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Elastic_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/ESET_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Fidelis_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/FireEye_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Fortinet_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/F-Secure_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/GoSecure_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Malwarebytes_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/McAfee_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/MicroFocus_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Microsoft_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/OpenText_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/PaloAltoNetworks_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/ReaQta_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/SentinelOne_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Sophos_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Symantec_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/TrendMicro_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Uptycs_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/VMware_Results.json

Python script

Usage:

$ for i in *.json; do python transpose_mitre_edr_evals.py "$i" carbanak_fin7 >> r3.log; done
$ /opt/splunk/bin/splunk add oneshot r3.log -index main -sourcetype attackeval:json

Script:

# Copyright 2021-2022 Jorrit Folmer
# This script is MIT licensed: free to use and provided "as is" without warranty of any kind.

# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/AhnLab_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Bitdefender_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CheckPoint_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cisco_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CrowdStrike_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cybereason_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CyCraft_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cylance_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cynet_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Elastic_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/ESET_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Fidelis_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/FireEye_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Fortinet_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/F-Secure_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/GoSecure_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Malwarebytes_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/McAfee_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/MicroFocus_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Microsoft_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/OpenText_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/PaloAltoNetworks_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/ReaQta_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/SentinelOne_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Sophos_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Symantec_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/TrendMicro_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Uptycs_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/VMware_Results.json


from __future__ import print_function
from builtins import str
import json
import os
import sys

# First argument: one vendor results file as downloaded above.
try:
    filename = sys.argv[1]
    with open(filename) as f:
        contents = json.load(f)
except Exception as e:
    print("Usage: %s <file.json> <adversary_name>" % sys.argv[0])
    print("")
    print("%s" % str(e))
    exit(1)
# Second argument: the adversary to transpose (e.g. carbanak_fin7).
try:
    adv = sys.argv[2]
except Exception as e:
    print("Usage: %s <file.json> <adversary_name>" % sys.argv[0])
    print("")
    print("%s" % str(e))
    exit(2)

# The flattened events carry no vendor name, so derive it from the filename
# (AhnLab_Results.json -> AhnLab); otherwise vendors are indistinguishable
# once every file is appended to the same r3.log.
vendor = os.path.basename(filename).replace('_Results.json', '')

for adversary in contents.get('Adversaries', []):
    detadv = adversary.get('Adversary_Name', '')
    if adv != detadv:
        continue
    # Detections_By_Step maps scenario -> {key: [steps]}; every substep of
    # every step becomes one flat JSON event for Splunk.
    for scenario in adversary.get('Detections_By_Step', {}).values():
        for k, steps in scenario.items():
            if not isinstance(steps, list):
                continue
            for s in steps:
                for ss in s.get('Substeps', []):
                    newdict = dict()
                    newdict['Step'] = ss.get('Substep', '')
                    newdict['Technique'] = ss.get('Technique', {}).get('Technique_Id')
                    newdict['Technique_Name'] = ss.get('Technique', {}).get('Technique_Name')
                    # Tactic is an object, so the default must be a dict, not a list.
                    newdict['TacticGroup'] = ss.get('Tactic', {}).get('Tactic_Name', '')
                    newdict['Capability_Requirements'] = ss.get('Capability_Requirements', '')
                    det = []
                    dettxt = []
                    detmod = []
                    detds = []
                    # Collect every detection type, note, modifier and data
                    # source reported for this substep.
                    for d in ss.get('Detections', []):
                        det.append(d.get('Detection_Type', ''))
                        if d.get('Detection_Note', '') != '':
                            dettxt.append(d.get('Detection_Note', ''))
                        detmod.extend(d.get('Modifiers', []))
                        detds.extend(d.get('Datasources', []))
                    newdict['Detection'] = det
                    newdict['Adversary'] = detadv
                    newdict['Vendor'] = vendor
                    newdict['DetectionText'] = dettxt
                    newdict['DetectionModifiers'] = detmod
                    newdict['Datasources'] = detds
                    newdict['Procedure'] = ss.get('Criteria', '')
                    # One pretty-printed JSON object per substep; r3.log is
                    # the concatenation of these objects.
                    print(json.dumps(newdict, indent=2, sort_keys=True))
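As an added example (not part of the gist), a sanity check of the r3.log produced by the script above before it is loaded into Splunk: the file is a concatenation of pretty-printed JSON objects rather than a JSON array, so it is parsed object by object with raw_decode and summarised into detection types per tactic. The sample log, its step names and its detection type values are constructed for illustration and only use a subset of the fields the script emits.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of r3.log: one pretty-printed object per substep,
# concatenated, with only the Detection/Step/TacticGroup fields kept.
# "None" stands for a substep the vendor did not detect.
SAMPLE_R3_LOG = """{
  "Detection": ["Technique"],
  "Step": "1.A.1",
  "TacticGroup": "Initial Access"
}
{
  "Detection": ["Telemetry", "General"],
  "Step": "1.A.2",
  "TacticGroup": "Execution"
}
{
  "Detection": ["None"],
  "Step": "1.A.3",
  "TacticGroup": "Execution"
}
"""

def iter_events(text):
    """Yield each JSON object from concatenated (pretty-printed) JSON text."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        # raw_decode does not skip whitespace between objects, so do it here.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def summarize(text):
    """Return (event count, {tactic: Counter of detection types}, undetected steps)."""
    by_tactic = defaultdict(Counter)
    missed = []
    count = 0
    for ev in iter_events(text):
        count += 1
        types = ev.get("Detection", [])
        by_tactic[ev.get("TacticGroup", "")].update(types)
        if not types or types == ["None"]:
            missed.append(ev.get("Step", ""))
    return count, dict(by_tactic), missed
```

Running summarize over the real r3.log gives the event count Splunk should end up with, which is a quick way to spot a truncated or malformed file before the oneshot.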