mbrownnycnyc/generate-att&ckjson.ps1

## generate-att&ckjson.ps1
#baseline_layer.json is exported layer from the navigator... there certainly is a way to create the json from scratch reviewing specs, but it was very fsat to just do this.
$sourcefile = ".attack nav layers\baseline_layer.json"

$offtechoutfile = ".\attack nav layers\offensive_techs.json"
$deftechoutfile = ".\attack nav layers\defensive_techs.json"


#goal here is to:
# define two att&ck navigator layer json files
#  one is for offensive techniques
#   score of offensive techniques will be 1
#   comment will be the source
#  one if for defenseive techniques
#   score of defensive techniques will be 2
#   comment will be the source
# as a result, you can add the two layers, then combine the layers with an arithmetic operation, then color code by score to understand your gaps. (score of 1 versus 2 versus 3)

#i purposefully write code so that it's easily understood.  I realize I could be more DRY, but top notch performance and low memory footprint isn't necessary for this purpose.


#step 1: build the technique data

$offensivetechniques = @"
T1003;top 43 d3fend (by offensive blast radius count)
T1005;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1012;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1016;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1018;top 43 d3fend (by offensive blast radius count)
T1027;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1027.002;top 43 d3fend (by offensive blast radius count)
T1033;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1036;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1036.004;top 43 d3fend (by offensive blast radius count)
T1036.005;top 43 d3fend (by offensive blast radius count)
T1039;ransomware actors (att&ck v11)
T1041;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1047;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1049;top 43 d3fend (by offensive blast radius count)
T1053.005;top 43 d3fend (by offensive blast radius count)
T1055;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1056.001;top 43 d3fend (by offensive blast radius count)
T1057;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1059.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1059.003;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1059.005;top 43 d3fend (by offensive blast radius count)
T1068;ransomware actors (att&ck v11)
T1069;ransomware actors (att&ck v11)
T1070;top 43 d3fend (by offensive blast radius count)
T1070.004;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1071;top 43 d3fend (by offensive blast radius count)
T1071.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1074.001;top 43 d3fend (by offensive blast radius count)
T1078;top 43 d3fend (by offensive blast radius count)
T1080;ransomware actors (att&ck v11)
T1082;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1083;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1087;ransomware actors (att&ck v11)
T1090;ransomware actors (att&ck v11)
T1095;ransomware actors (att&ck v11)
T1098;top 43 d3fend (by offensive blast radius count)
T1102;ransomware actors (att&ck v11)
T1105;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1106;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1112;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1113;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1124;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1132.001;top 43 d3fend (by offensive blast radius count)
T1133;ransomware actors (att&ck v11)
T1134;ransomware actors (att&ck v11)
T1135;ransomware actors (att&ck v11)
T1136;ransomware actors (att&ck v11)
T1137;top 43 d3fend (by offensive blast radius count)
T1140;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1190;ransomware actors (att&ck v11)
T1197;ransomware actors (att&ck v11)
T1199;ransomware actors (att&ck v11)
T1204.002;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1210;ransomware actors (att&ck v11)
T1213;ransomware actors (att&ck v11)
T1217;ransomware actors (att&ck v11)
T1218;top 43 d3fend (by offensive blast radius count)
T1218.011;top 43 d3fend (by offensive blast radius count)
T1480;ransomware actors (att&ck v11)
T1485;ransomware actors (att&ck v11)
T1489;ransomware actors (att&ck v11)
T1497;ransomware actors (att&ck v11)
T1499;ransomware actors (att&ck v11)
T1505;top 43 d3fend (by offensive blast radius count)
T1518;ransomware actors (att&ck v11)
T1518.001;top 43 d3fend (by offensive blast radius count)
T1530;ransomware actors (att&ck v11)
T1539;ransomware actors (att&ck v11)
T1543.003;top 43 d3fend (by offensive blast radius count)
T1546;top 43 d3fend (by offensive blast radius count)
T1547;top 43 d3fend (by offensive blast radius count)
T1547.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1548;top 43 d3fend (by offensive blast radius count)
T1550;top 43 d3fend (by offensive blast radius count)
T1552;top 43 d3fend (by offensive blast radius count)
T1554;ransomware actors (att&ck v11)
T1555;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1555.003;top 43 d3fend (by offensive blast radius count)
T1560;ransomware actors (att&ck v11)
T1562;top 43 d3fend (by offensive blast radius count)
T1562.001;top 43 d3fend (by offensive blast radius count)
T1564;top 43 d3fend (by offensive blast radius count)
T1566;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
T1566.001;top 43 d3fend (by offensive blast radius count)
T1568;ransomware actors (att&ck v11)
T1571;ransomware actors (att&ck v11)
T1572;ransomware actors (att&ck v11)
T1573.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
T1574;top 43 d3fend (by offensive blast radius count)
T1585;ransomware actors (att&ck v11)
T1588.002;top 43 d3fend (by offensive blast radius count)
T1593;ransomware actors (att&ck v11)
T1594;ransomware actors (att&ck v11)
T1614;ransomware actors (att&ck v11)
T1620;ransomware actors (att&ck v11)
"@

$offensivetechniques = $offensivetechniques -split "`n"

$offtechs = @()

foreach ( $offensivetechnique in $offensivetechniques ) {

  $out = $offensivetechnique -split ";"
  $tempobj = new-object pscustomobject
  $tempobj | add-member -membertype noteproperty -name techniqueID -value $out[0]
  $tempobj | add-member -membertype noteproperty -name comment -value $out[1]

  #populating score of 1 (for offensive technique)
  $tempobj | add-member -membertype noteproperty -name score -value 1

  $tempobj | add-member -membertype noteproperty -name enabled -value "true"

  $offtechs += , $tempobj

}


$defensivetechniques = @"
T1484;EPP,CSPM compliance framework
T1484.001;EPP
"@

$defensivetechniques = $defensivetechniques -split "`n"

$deftechs = @()

foreach ( $defensivetechnique in $defensivetechniques ) {

  $out = $defensivetechnique -split ";"
  $tempobj = new-object pscustomobject
  $tempobj | add-member -membertype noteproperty -name techniqueID -value $out[0]
  $tempobj | add-member -membertype noteproperty -name comment -value $out[1]

  #populating score of 2 (for defensive technique)
  $tempobj | add-member -membertype noteproperty -name score -value 2

  $tempobj | add-member -membertype noteproperty -name enabled -value "true"

  $deftechs += , $tempobj

}


#step 2: create a copy and mutate that copy

#...for offensive techniques
$navigatorofftechs = (get-content $sourcefile | convertfrom-json)

foreach ($offtech in $offtechs) {

  #find the technique data
  $record = $navigatorofftechs.techniques[$navigatorofftechs.techniques.techniqueid.indexof($($offtech.techniqueid))]

  #modify the technique data in the object
  $record | add-member -membertype noteproperty -name comment -value $offtech.comment -force
  $record | add-member -membertype noteproperty -name score -value $offtech.score -force
  $record | add-member -membertype noteproperty -name enabled -value $offtech.enabled -force
}


#...for defensive techniques
$navigatordeftechs = (get-content $sourcefile | convertfrom-json)


foreach ($deftech in $deftechs) {

  #find the technique data
  $record = $navigatordeftechs.techniques[$navigatordeftechs.techniques.techniqueid.indexof($($deftech.techniqueid))]

  #modify the technique data in the object
  $record | add-member -membertype noteproperty -name comment -value $deftech.comment -force
  $record | add-member -membertype noteproperty -name score -value $deftech.score -force
  $record | add-member -membertype noteproperty -name enabled -value $deftech.enabled -force

}

<#quickly validate score is set to 2
$navigatordeftechs.techniques | select techniqueid, score | ? {$deftechs.techniqueid -contains $_.techniqueid} | select score | sort -unique
#>


#step 4: export the data to a file
$navigatorofftechs | convertto-json -depth 100 | set-content $offtechoutfile
$navigatordeftechs | convertto-json -depth 100 | set-content $deftechoutfile
	#baseline_layer.json is exported layer from the navigator... there certainly is a way to create the json from scratch reviewing specs, but it was very fsat to just do this.
	$sourcefile = ".attack nav layers\baseline_layer.json"

	$offtechoutfile = ".\attack nav layers\offensive_techs.json"
	$deftechoutfile = ".\attack nav layers\defensive_techs.json"


	#goal here is to:
	# define two att&ck navigator layer json files
	# one is for offensive techniques
	# score of offensive techniques will be 1
	# comment will be the source
	# one if for defenseive techniques
	# score of defensive techniques will be 2
	# comment will be the source
	# as a result, you can add the two layers, then combine the layers with an arithmetic operation, then color code by score to understand your gaps. (score of 1 versus 2 versus 3)

	#i purposefully write code so that it's easily understood. I realize I could be more DRY, but top notch performance and low memory footprint isn't necessary for this purpose.


	#step 1: build the technique data

	$offensivetechniques = @"
	T1003;top 43 d3fend (by offensive blast radius count)
	T1005;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1012;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1016;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1018;top 43 d3fend (by offensive blast radius count)
	T1027;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1027.002;top 43 d3fend (by offensive blast radius count)
	T1033;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1036;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1036.004;top 43 d3fend (by offensive blast radius count)
	T1036.005;top 43 d3fend (by offensive blast radius count)
	T1039;ransomware actors (att&ck v11)
	T1041;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1047;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1049;top 43 d3fend (by offensive blast radius count)
	T1053.005;top 43 d3fend (by offensive blast radius count)
	T1055;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1056.001;top 43 d3fend (by offensive blast radius count)
	T1057;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1059.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1059.003;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1059.005;top 43 d3fend (by offensive blast radius count)
	T1068;ransomware actors (att&ck v11)
	T1069;ransomware actors (att&ck v11)
	T1070;top 43 d3fend (by offensive blast radius count)
	T1070.004;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1071;top 43 d3fend (by offensive blast radius count)
	T1071.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1074.001;top 43 d3fend (by offensive blast radius count)
	T1078;top 43 d3fend (by offensive blast radius count)
	T1080;ransomware actors (att&ck v11)
	T1082;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1083;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1087;ransomware actors (att&ck v11)
	T1090;ransomware actors (att&ck v11)
	T1095;ransomware actors (att&ck v11)
	T1098;top 43 d3fend (by offensive blast radius count)
	T1102;ransomware actors (att&ck v11)
	T1105;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1106;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1112;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1113;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1124;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1132.001;top 43 d3fend (by offensive blast radius count)
	T1133;ransomware actors (att&ck v11)
	T1134;ransomware actors (att&ck v11)
	T1135;ransomware actors (att&ck v11)
	T1136;ransomware actors (att&ck v11)
	T1137;top 43 d3fend (by offensive blast radius count)
	T1140;ransomware actors (att&ck v11),top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1190;ransomware actors (att&ck v11)
	T1197;ransomware actors (att&ck v11)
	T1199;ransomware actors (att&ck v11)
	T1204.002;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1210;ransomware actors (att&ck v11)
	T1213;ransomware actors (att&ck v11)
	T1217;ransomware actors (att&ck v11)
	T1218;top 43 d3fend (by offensive blast radius count)
	T1218.011;top 43 d3fend (by offensive blast radius count)
	T1480;ransomware actors (att&ck v11)
	T1485;ransomware actors (att&ck v11)
	T1489;ransomware actors (att&ck v11)
	T1497;ransomware actors (att&ck v11)
	T1499;ransomware actors (att&ck v11)
	T1505;top 43 d3fend (by offensive blast radius count)
	T1518;ransomware actors (att&ck v11)
	T1518.001;top 43 d3fend (by offensive blast radius count)
	T1530;ransomware actors (att&ck v11)
	T1539;ransomware actors (att&ck v11)
	T1543.003;top 43 d3fend (by offensive blast radius count)
	T1546;top 43 d3fend (by offensive blast radius count)
	T1547;top 43 d3fend (by offensive blast radius count)
	T1547.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1548;top 43 d3fend (by offensive blast radius count)
	T1550;top 43 d3fend (by offensive blast radius count)
	T1552;top 43 d3fend (by offensive blast radius count)
	T1554;ransomware actors (att&ck v11)
	T1555;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1555.003;top 43 d3fend (by offensive blast radius count)
	T1560;ransomware actors (att&ck v11)
	T1562;top 43 d3fend (by offensive blast radius count)
	T1562.001;top 43 d3fend (by offensive blast radius count)
	T1564;top 43 d3fend (by offensive blast radius count)
	T1566;ransomware actors (att&ck v11),top 43 d3fend (by offensive blast radius count)
	T1566.001;top 43 d3fend (by offensive blast radius count)
	T1568;ransomware actors (att&ck v11)
	T1571;ransomware actors (att&ck v11)
	T1572;ransomware actors (att&ck v11)
	T1573.001;top 20 att&ck (by procedure examples count),top 43 d3fend (by offensive blast radius count)
	T1574;top 43 d3fend (by offensive blast radius count)
	T1585;ransomware actors (att&ck v11)
	T1588.002;top 43 d3fend (by offensive blast radius count)
	T1593;ransomware actors (att&ck v11)
	T1594;ransomware actors (att&ck v11)
	T1614;ransomware actors (att&ck v11)
	T1620;ransomware actors (att&ck v11)
	"@

	$offensivetechniques = $offensivetechniques -split "`n"

	$offtechs = @()

	foreach ( $offensivetechnique in $offensivetechniques ) {

	$out = $offensivetechnique -split ";"
	$tempobj = new-object pscustomobject
	$tempobj \| add-member -membertype noteproperty -name techniqueID -value $out[0]
	$tempobj \| add-member -membertype noteproperty -name comment -value $out[1]

	#populating score of 1 (for offensive technique)
	$tempobj \| add-member -membertype noteproperty -name score -value 1

	$tempobj \| add-member -membertype noteproperty -name enabled -value "true"

	$offtechs += , $tempobj

	}





	$defensivetechniques = @"
	T1484;EPP,CSPM compliance framework
	T1484.001;EPP
	"@

	$defensivetechniques = $defensivetechniques -split "`n"

	$deftechs = @()

	foreach ( $defensivetechnique in $defensivetechniques ) {

	$out = $defensivetechnique -split ";"
	$tempobj = new-object pscustomobject
	$tempobj \| add-member -membertype noteproperty -name techniqueID -value $out[0]
	$tempobj \| add-member -membertype noteproperty -name comment -value $out[1]

	#populating score of 2 (for defensive technique)
	$tempobj \| add-member -membertype noteproperty -name score -value 2

	$tempobj \| add-member -membertype noteproperty -name enabled -value "true"

	$deftechs += , $tempobj

	}



	#step 2: create a copy and mutate that copy

	#...for offensive techniques
	$navigatorofftechs = (get-content $sourcefile \| convertfrom-json)

	foreach ($offtech in $offtechs) {

	#find the technique data
	$record = $navigatorofftechs.techniques[$navigatorofftechs.techniques.techniqueid.indexof($($offtech.techniqueid))]

	#modify the technique data in the object
	$record \| add-member -membertype noteproperty -name comment -value $offtech.comment -force
	$record \| add-member -membertype noteproperty -name score -value $offtech.score -force
	$record \| add-member -membertype noteproperty -name enabled -value $offtech.enabled -force
	}



	#...for defensive techniques
	$navigatordeftechs = (get-content $sourcefile \| convertfrom-json)


	foreach ($deftech in $deftechs) {

	#find the technique data
	$record = $navigatordeftechs.techniques[$navigatordeftechs.techniques.techniqueid.indexof($($deftech.techniqueid))]

	#modify the technique data in the object
	$record \| add-member -membertype noteproperty -name comment -value $deftech.comment -force
	$record \| add-member -membertype noteproperty -name score -value $deftech.score -force
	$record \| add-member -membertype noteproperty -name enabled -value $deftech.enabled -force

	}

	<#quickly validate score is set to 2
	$navigatordeftechs.techniques \| select techniqueid, score \| ? {$deftechs.techniqueid -contains $_.techniqueid} \| select score \| sort -unique
	#>



	#step 4: export the data to a file
	$navigatorofftechs \| convertto-json -depth 100 \| set-content $offtechoutfile
	$navigatordeftechs \| convertto-json -depth 100 \| set-content $deftechoutfile