@wietze
Last active July 26, 2021 08:56
import requests
##########
### MITRE ATT&CK ONELINERS
### for constructing Python objects
### with all ATT&CK techniques in them
### using the latest MITRE ATT&CK data
##########
# Get MITRE ATT&CK technique objects as list
mitre_attack = [technique for technique in (requests.get('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').json())['objects'] if technique.get('type') == 'attack-pattern']
# e.g. mitre_attack[0] => {'id': 'attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', 'name': '.bash_profile and .bashrc', 'external_references': [{'source_name': 'mitre-attack', 'external_id': 'T1156', 'url': 'https://attack.mitre.org/techniques/T1156'}, {'url': 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/', 'description': 'Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.', 'source_name': 'amnesia malware'}], 'revoked': True, 'type': 'attack-pattern', 'modified': '2020-01-24T14:14:05.452Z', 'created': '2017-12-14T16:46:06.044Z'}
# Get MITRE ATT&CK TIDs and objects as dictionary
# (assumes the 'mitre-attack' entry is the first external reference, which holds for the official bundle)
mitre_attack_mapping = {technique['external_references'][0]['external_id']:technique for technique in (requests.get('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').json())['objects'] if technique.get('type') == 'attack-pattern'}
# e.g. mitre_attack_mapping['T1218'] => {'id': 'attack-pattern--457c7820-d331-465a-915e-42f85500ccc4', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'name': 'Signed Binary Proxy Execution', 'description': 'Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.', 'external_references': [{'source_name': 'mitre-attack', 'external_id': 'T1218', 'url': 'https://attack.mitre.org/techniques/T1218'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'attack-pattern', 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}], 'modified': '2020-10-21T18:37:15.275Z', 'created': '2018-04-18T17:59:24.739Z', 'x_mitre_is_subtechnique': False, 'x_mitre_platforms': ['Windows'], 'x_mitre_permissions_required': ['User', 'Administrator'], 'x_mitre_detection': 'Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. \nCorrelate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.', 'x_mitre_defense_bypassed': ['Anti-virus', 'Application control', 'Digital Certificate Validation'], 'x_mitre_contributors': ['Nishan Maharjan, @loki248', 'Hans Christoffer Gaardløs', 'Praetorian'], 'x_mitre_data_sources': ['API monitoring', 'File monitoring', 'Binary file metadata', 'Process use of network', 'Windows Registry', 'Loaded DLLs', 'DLL monitoring', 'Process monitoring', 'Process command-line parameters'], 'x_mitre_version': '2.1'}
# Get MITRE ATT&CK TIDs and names as dictionary
mitre_attack_name_mapping = {technique['external_references'][0]['external_id']:technique['name'] for technique in (requests.get('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').json())['objects'] if technique.get('type') == 'attack-pattern'}
# e.g. mitre_attack_name_mapping['T1218'] => 'Signed Binary Proxy Execution'
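The one-liners above fetch the bundle three times, rely on the 'mitre-attack' reference being at index 0, and include revoked entries (the first example object above is itself revoked). The following is an added example, not part of the gist, showing a longer-form version that fetches once, picks the reference by source_name, skips revoked and deprecated techniques, and records sub-technique parents and tactics. The STIX field names used (revoked, x_mitre_deprecated, x_mitre_is_subtechnique, kill_chain_phases, x_mitre_platforms) are real ATT&CK bundle fields; SAMPLE_BUNDLE is a constructed miniature bundle so the code runs offline, and load_live_mapping is the only function that touches the network.

```python
import re

ATTACK_URL = 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json'
TID_PATTERN = re.compile(r'^T\d{4}(\.\d{3})?$')  # T1218 or T1218.001


def attack_tid(technique):
    """Return the technique ID from the 'mitre-attack' external reference, or None.
    Looks the reference up by source_name instead of assuming it sits at index 0."""
    for ref in technique.get('external_references', []):
        if ref.get('source_name') == 'mitre-attack' and TID_PATTERN.match(ref.get('external_id', '')):
            return ref['external_id']
    return None


def active_techniques(bundle):
    """Yield attack-pattern objects that are neither revoked nor deprecated."""
    for obj in bundle.get('objects', []):
        if obj.get('type') != 'attack-pattern':
            continue
        if obj.get('revoked') or obj.get('x_mitre_deprecated'):
            continue
        yield obj


def build_mapping(bundle):
    """Return {TID: {'name', 'is_subtechnique', 'parent', 'tactics', 'platforms'}}."""
    mapping = {}
    for tech in active_techniques(bundle):
        tid = attack_tid(tech)
        if tid is None:
            continue
        mapping[tid] = {
            'name': tech['name'],
            'is_subtechnique': bool(tech.get('x_mitre_is_subtechnique', False)),
            'parent': tid.split('.')[0] if '.' in tid else None,
            'tactics': sorted(p['phase_name'] for p in tech.get('kill_chain_phases', [])
                              if p.get('kill_chain_name') == 'mitre-attack'),
            'platforms': list(tech.get('x_mitre_platforms', [])),
        }
    return mapping


def load_live_mapping(url=ATTACK_URL, timeout=30):
    """Fetch the current bundle once (network access) and build the mapping."""
    import requests  # imported here so the rest of the module works without it
    response = requests.get(url, timeout=timeout)
    response.raise_for_status()
    return build_mapping(response.json())


# Constructed sample bundle (not real ATT&CK data; shapes follow the STIX objects shown above).
SAMPLE_BUNDLE = {
    'type': 'bundle',
    'id': 'bundle--00000000-0000-0000-0000-000000000000',  # placeholder id
    'objects': [
        {   # active technique; the 'mitre-attack' reference is deliberately not first
            'type': 'attack-pattern',
            'id': 'attack-pattern--457c7820-d331-465a-915e-42f85500ccc4',
            'name': 'Signed Binary Proxy Execution',
            'external_references': [
                {'source_name': 'capec', 'external_id': 'CAPEC-000'},  # placeholder reference
                {'source_name': 'mitre-attack', 'external_id': 'T1218',
                 'url': 'https://attack.mitre.org/techniques/T1218'},
            ],
            'kill_chain_phases': [{'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}],
            'x_mitre_is_subtechnique': False,
            'x_mitre_platforms': ['Windows'],
        },
        {   # constructed sub-technique of T1218
            'type': 'attack-pattern',
            'id': 'attack-pattern--constructed-subtechnique',
            'name': 'Constructed Sub-technique',
            'external_references': [{'source_name': 'mitre-attack', 'external_id': 'T1218.001'}],
            'kill_chain_phases': [{'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}],
            'x_mitre_is_subtechnique': True,
            'x_mitre_platforms': ['Windows'],
        },
        {   # revoked technique, mirroring the revoked T1156 object shown above; must be skipped
            'type': 'attack-pattern',
            'id': 'attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8',
            'name': '.bash_profile and .bashrc',
            'revoked': True,
            'external_references': [{'source_name': 'mitre-attack', 'external_id': 'T1156'}],
        },
        {   # not an attack-pattern; must be ignored
            'type': 'x-mitre-tactic',
            'id': 'x-mitre-tactic--constructed',
            'name': 'Defense Evasion',
            'external_references': [{'source_name': 'mitre-attack', 'external_id': 'TA0005'}],
        },
    ],
}

if __name__ == '__main__':
    for tid, info in sorted(build_mapping(SAMPLE_BUNDLE).items()):
        print(tid, info['name'], info['tactics'], 'parent=%s' % info['parent'])
```

Against the sample bundle this yields only T1218 and T1218.001; the revoked T1156 entry and the tactic object are dropped, and T1218.001 is recorded with parent T1218. Replace SAMPLE_BUNDLE with load_live_mapping() to run it against the current ATT&CK data.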