@mbrownnycnyc
Last active January 12, 2023 00:22
modify an att&ck navigator json
$orcacomplianceframework = @"
Collection - Automated Collection - T1119
Collection - Data from Cloud Storage - T1530
Collection - Data from Information Repositories - T1213
Collection - Data Staged - T1074
Collection - Email Collection - T1114
Credential Access - Brute Force - T1110
Credential Access - Forge Web Credentials - T1606
Credential Access - Modify Authentication Process - T1556
Credential Access - Multi-Factor Authentication Request Generation - T1621
Credential Access - Network Sniffing - T1040
Credential Access - Steal Application Access Token - T1528
Credential Access - Steal Web Session Cookie - T1539
Credential Access - Unsecured Credentials - T1552
Credential Access - Steal or Forge Authentication Certificates - T1649
Defense Evasion - Domain Policy Modification - T1484
Defense Evasion - Hide Artifacts - T1564
Defense Evasion - Impair Defenses - T1562
Defense Evasion - Indicator Removal - T1070
Defense Evasion - Modify Authentication Process - T1556
Defense Evasion - Modify Cloud Compute Infrastructure - T1578
Defense Evasion - Unused/Unsupported Cloud Regions - T1535
Defense Evasion - Use Alternate Authentication Material - T1550
Defense Evasion - Valid Accounts - T1078
Discovery - Account Discovery - T1087
Discovery - Cloud Infrastructure Discovery - T1580
Discovery - Cloud Service Discovery - T1526
Discovery - Cloud Storage Object Discovery - T1619
Discovery - Container and Resource Discovery - T1613
Discovery - Network Service Discovery - T1046
Discovery - Network Sniffing - T1040
Discovery - Password Policy Discovery - T1201
Discovery - Permission Groups Discovery - T1069
Discovery - Software Discovery - T1518
Discovery - System Information Discovery - T1082
Discovery - System Location Discovery - T1614
Discovery - System Network Connections Discovery - T1049
Execution - Serverless Execution - T1648
Execution - User Execution - T1204
Exfiltration - Transfer Data to Cloud Account - T1537
Impact - Account Access Removal - T1531
Impact - Data Destruction - T1485
Impact - Data Encrypted for Impact - T1486
Impact - Defacement - T1491
Impact - Endpoint Denial of Service - T1499
Impact - Network Denial of Service - T1498
Impact - Resource Hijacking - T1496
Initial Access - Drive-by Compromise - T1189
Initial Access - Exploit Public-Facing Application - T1190
Initial Access - Phishing - T1566
Initial Access - Trusted Relationship - T1199
Initial Access - Valid Accounts - T1078
Lateral Movement - Exploitation of Remote Services - T1210
Lateral Movement - Internal Spearphishing - T1534
Lateral Movement - Lateral Tool Transfer - T1570
Lateral Movement - Taint Shared Content - T1080
Lateral Movement - Use Alternate Authentication Material - T1550
Persistence - Account Manipulation - T1098
Persistence - Create Account - T1136
Persistence - Event Triggered Execution - T1546
Persistence - Implant Internal Image - T1525
Persistence - Modify Authentication Process - T1556
Persistence - Office Application Startup - T1137
Persistence - Valid Accounts - T1078
Privilege Escalation - Domain Policy Modification - T1484
Privilege Escalation - Event Triggered Execution - T1546
Privilege Escalation - Valid Accounts - T1078
"@ -split "`n"
$techniquenamesinorcaframework = ($orcacomplianceframework | % {$_ -match "- (?<techname>T\d{4})" | out-null; $matches.techname})
$attacklayerjson = get-content "C:\Users\mattb\Downloads\layer1 (1).json" | convertfrom-json
$techniques = @()
foreach ($technique in $attacklayerjson.techniques | ? {$techniquenamesinorcaframework -contains $_.techniqueid } ) {
#change the color to #0080ff
$technique.color = "#000080ff"
#change the score to 1
$technique.score = 1
$techniques += , $technique
}
$attacklayerjson.techniques = $techniques
$attacklayerjson | convertto-json -depth 100 | set-content "C:\Users\mattb\projects\log gap analysis\attack nav layers\detect__orca_compliance.json"
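The gist script above writes a layer containing only the covered techniques. For a log gap analysis the uncovered techniques are the interesting part, so the following added example (my code, not part of the gist) goes one step further: it keeps every technique in the input layer, scores it 1 or 0 for covered or uncovered, and appends covered IDs that the input layer did not contain at all. The minimal layer JSON, the three-line coverage list, the two colours and the output filename `detect__coverage.json` are constructed assumptions so it runs offline; on a real layer, feed `Get-Content -Raw` of the exported file into `-LayerJson` and the full here-string into `-CoverageText`.

```powershell
# Added example, not the gist author's code. Builds a coverage layer from a
# "Tactic - Technique - TXXXX" list without dropping uncovered techniques.

function New-CoverageLayer {
    param(
        [Parameter(Mandatory)] [string] $LayerJson,     # Navigator layer file contents
        [Parameter(Mandatory)] [string] $CoverageText,  # "Tactic - Technique - TXXXX" lines
        [string] $CoveredColor   = '#0080ff',           # assumed colours, pick your own
        [string] $UncoveredColor = '#ff6666'
    )

    $layer = $LayerJson | ConvertFrom-Json

    # Extract the technique ID from each line. A line without one (blank line,
    # heading) is skipped rather than silently re-using the previous $Matches.
    $covered = @($CoverageText -split '\r?\n' | ForEach-Object {
        if ($_ -match '- (?<id>T\d{4})') { $Matches.id }
    } | Select-Object -Unique)

    # Score what the layer already has. Nothing is removed.
    foreach ($t in $layer.techniques) {
        if ($covered -contains $t.techniqueID) {
            $t.score = 1; $t.color = $CoveredColor
        } else {
            $t.score = 0; $t.color = $UncoveredColor
        }
    }

    # Covered IDs absent from the layer would otherwise be invisible. Append
    # them; "tactic" is omitted on purpose, which the Navigator layer format
    # treats as "apply to every tactic this technique belongs to".
    $present = @($layer.techniques | ForEach-Object { $_.techniqueID })
    foreach ($id in $covered | Where-Object { $present -notcontains $_ }) {
        $layer.techniques += [pscustomobject]@{
            techniqueID = $id
            score       = 1
            color       = $CoveredColor
            enabled     = $true
            comment     = 'covered, but absent from the source layer'
        }
    }
    return $layer
}

# Constructed sample layer (assumption): a real one comes from
# Get-Content -Raw on the file exported by Navigator.
$sampleLayer = @'
{
  "name": "log gap analysis",
  "versions": { "attack": "12", "navigator": "4.8.0", "layer": "4.4" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1078", "tactic": "initial-access",    "score": 0, "color": "", "enabled": true },
    { "techniqueID": "T1110", "tactic": "credential-access", "score": 0, "color": "", "enabled": true },
    { "techniqueID": "T1059", "tactic": "execution",         "score": 0, "color": "", "enabled": true }
  ]
}
'@

# Constructed coverage list in the same shape as the gist's here-string.
$sampleCoverage = @'
Initial Access - Valid Accounts - T1078
Credential Access - Brute Force - T1110
Discovery - Network Sniffing - T1040
'@

$out = New-CoverageLayer -LayerJson $sampleLayer -CoverageText $sampleCoverage

# Print the gap so it is visible without opening Navigator: T1059 stays at
# score 0, T1040 is appended because the sample layer did not list it.
$uncovered = @($out.techniques | Where-Object { $_.score -eq 0 } | ForEach-Object { $_.techniqueID })
Write-Output "uncovered in layer: $($uncovered -join ', ')"
Write-Output "techniques in output layer: $($out.techniques.Count)"

# -Depth matters: ConvertTo-Json defaults to 2 and flattens deeper nesting
# into strings. Output path is an assumption.
$out | ConvertTo-Json -Depth 100 | Set-Content 'detect__coverage.json'
```

Scoring 1/0 rather than only colouring means the layer can be combined with other layers in Navigator's "create layer from other layers" view (for example, summing a detection layer and a log-source layer), which a colour-only layer cannot do.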