Invoke-ATTACKAPI - A PowerShell Script To Interact With The MITRE ATT&CK Framework Via Its Own API


A PowerShell script to interact with the MITRE ATT&CK Framework via its own API in order to gather information about techniques, tactics, groups, software and references provided by the MITRE ATT&CK Team @MITREattack.

Goals
  • Provide the community with an easy way to interact with the MITRE ATT&CK Framework via its own API and PowerShell.
  • Expedite the acquisition of data from ATT&CK when preparing for a Hunting Campaign.
  • Learn PowerShell Dynamic Parameters :)

Getting Started

Requirements
  • PowerShell version 3+

Installing / Importing
git clone https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI.git
cd Invoke-ATTACKAPI
Import-Module .\Invoke-ATTACKAPI.ps1
 
   /$$$$$$  /$$$$$$$$ /$$$$$$$$ /$$$      /$$$$$$  /$$   /$$        /$$$$$$  /$$$$$$$  /$$$$$$
  /$$__  $$|__  $$__/|__  $$__//$$ $$    /$$__  $$| $$  /$$/       /$$__  $$| $$__  $$|_  $$_/
 | $$  \ $$   | $$      | $$  |  $$$    | $$  \__/| $$ /$$/       | $$  \ $$| $$  \ $$  | $$
 | $$$$$$$$   | $$      | $$   /$$ $$/$$| $$      | $$$$$/        | $$$$$$$$| $$$$$$$/  | $$
 | $$__  $$   | $$      | $$  | $$  $$_/| $$      | $$  $$        | $$__  $$| $$____/   | $$
 | $$  | $$   | $$      | $$  | $$\  $$ | $$    $$| $$\  $$       | $$  | $$| $$        | $$
 | $$  | $$   | $$      | $$  |  $$$$/$$|  $$$$$$/| $$ \  $$      | $$  | $$| $$       /$$$$$$
 |__/  |__/   |__/      |__/   \____/\_/ \______/ |__/  \__/      |__/  |__/|__/      |______/ V.0.9[BETA]
 
             Adversarial Tactics, Techniques & Common Knowledge API
 
 [*] Author: Roberto Rodriguez @Cyb3rWard0g
 
 [++] Pulling MITRE ATT&CK Data
 

Examples

This query matches all techniques
Invoke-ATTACKAPI -Category -Technique
 
 ID                  : {T1001}
 Bypass              : {}
 Contributor         : {}
 Requires System     : {}
 Data Source         : {Packet capture, Process use of network, Process monitoring, Network protocol analysis}
 Description         : {Command and control (C2) communications are hidden (but not necessarily encrypted) in an
                       attempt to make the content more difficult to discover or decipher and to make the
                       communication less conspicuous and hide commands from being seen. This encompasses many
                       methods, such as adding junk data to protocol traffic, using steganography, commingling
                       legitimate traffic with C2 communications traffic, or using a non-standard data encoding
                       system, such as a modified Base64 encoding for the message body of an HTTP request.}
 Mitigation          : {Network intrusion detection and prevention systems that use network signatures to
                       identify traffic for specific adversary malware can be used to mitigate activity at the
                       network level. Signatures are often for unique indicators within protocols and may be
                       based on the specific obfuscation technique used by a particular adversary or tool, and
                       will likely be different across various malware families and versions. Adversaries will
                       likely change tool C2 signatures over time or construct protocols in such a way as to
                       avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]}
 Tactic              : Command and Control
 Analytic Details    : {Analyze network data for uncommon data flows (e.g., a client sending significantly more
                       data than it receives from a server). Processes utilizing the network that do not normally
                       have network communication or have never been seen before are suspicious. Analyze packet
                       contents to detect communications that do not follow the expected protocol behavior for
                       the port that is being used.[[CiteRef::University of Birmingham C2]]}
 TechniqueName       : {Data Obfuscation}
 FullText            : Technique/T1001
 Link Text           : {[[Technique/T1001|Data Obfuscation]]}
 Reference           : {University of Birmingham C2, FireEye APT28, Axiom, FireEye APT30...}
 Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
 Name                : {Data Obfuscation}
 CAPEC ID            : {}
 Requires Permission : {}
 URL                 : https://attack.mitre.org/wiki/Technique/T1001
 .............
 ..................
 
 ID                  : {T1068}
 Bypass              : {Anti-virus, System access controls}
 Contributor         : {John Lambert, Microsoft Threat Intelligence Center}
 Requires System     : {Unpatched software or otherwise vulnerable target. Depending on the target and goal, the
                       system and exploitable service may need to be remotely accessible from the internal
                       network. In the case of privilege escalation, the adversary likely already has user
                       permissions on the target system.}
 Data Source         : {Windows Error Reporting, File monitoring, Process monitoring}
 Description         : {Exploitation of a software vulnerability occurs when an adversary takes advantage of a
                       programming error in a program, service, or within the operating system software or
                       kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities
                       may allow adversaries to run a command or binary on a remote system for lateral movement,
                       escalate a current process to a higher privilege level, or bypass security mechanisms.
                       Exploits may also allow an adversary access to privileged accounts and credentials. One
                       example of this is MS14-068, which can be used to forge Kerberos tickets using domain
                       user permissions.[[CiteRef::Technet MS14-068]][[CiteRef::ADSecurity Detecting Forged
                       Tickets]]}
 Mitigation          : {Update software regularly by employing patch management for internal enterprise
                       endpoints and servers. Develop a robust cyber threat intelligence capability to determine
                       what types and levels of threat may use software exploits and 0-days against a particular
                       organization. Make it difficult for adversaries to advance their operation through
                       exploitation of undiscovered or unpatched vulnerabilities by using sandboxing,
                       virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation
                       Experience Toolkit.[[CiteRef::SRD EMET]]}
 Tactic              : {Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation}
 Analytic Details    : {Software exploits may not always succeed or may cause the exploited process to become
                       unstable or crash. Software and operating system crash reports may contain useful
                       contextual information about attempted exploits that correlate with other malicious
                       activity. Exploited processes may exhibit behavior that is unusual for the specific
                       process, such as spawning additional processes or reading and writing to files.}
 TechniqueName       : {Exploitation of Vulnerability}
 FullText            : Technique/T1068
 Link Text           : {[[Technique/T1068|Exploitation of Vulnerability]]}
 Reference           : {ADSecurity Detecting Forged Tickets, Bitdefender APT28 Dec 2015, ESET Sednit July 2015,
                       ESET Sednit Part 1...}
 Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
 Name                : {Exploitation of Vulnerability}
 CAPEC ID            : {69}
 Requires Permission : {User, Administrator, SYSTEM}
 URL                 : https://attack.mitre.org/wiki/Technique/T1068

This query matches the Technique page with ID T1014
Invoke-ATTACKAPI -Category -Technique -ID T1014
 
 ID                  : {T1014}
 Bypass              : {Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting...}
 Contributor         : {}
 Requires System     : {}
 Data Source         : {BIOS, MBR, System calls}
 Description         : {Rootkits are programs that hide the existence of malware by intercepting and modifying
                       operating system API calls that supply system information. Rootkits or rootkit enabling
                       functionality may reside at the user or kernel level in the operating system or lower, to
                       include a [[Technique/T1062|Hypervisor]], Master Boot Record, or the
                       [[Technique/T1019|System Firmware]].[[CiteRef::Wikipedia Rootkit]]
 
                       Adversaries may use rootkits to hide the presence of programs, files, network
                       connections, services, drivers, and other system components.}
 Mitigation          : {Identify potentially malicious software that may contain rootkit functionality, and
                       audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like
                       AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software
                       Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet
                       Applocker vs SRP]]}
 Tactic              : Defense Evasion
 Analytic Details    : {Some rootkit protections may be built into anti-virus or operating system software.
                       There are dedicated rootkit detection tools that look for specific types of rootkit
                       behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes
                       to the MBR.[[CiteRef::Wikipedia Rootkit]]}
 TechniqueName       : {Rootkit}
 FullText            : Technique/T1014
 Link Text           : {[[Technique/T1014|Rootkit]]}
 Reference           : {Wikipedia Rootkit, Beechey 2010, Windows Commands JPCERT, NSA MS AppLocker...}
 Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
 Name                : {Rootkit}
 CAPEC ID            : {}
 Requires Permission : {Administrator, SYSTEM}
 URL                 : https://attack.mitre.org/wiki/Technique/T1014

This query matches all the groups that use a specific piece of software (in this case Cobalt Strike). SYNTAX: 'Software: <name>'
Invoke-ATTACKAPI -Category -Group -Tool 'Software: Cobalt Strike'
 
 Tool          : {Software: Cobalt Strike, Software: KOMPROGO, Software: WINDSHIELD, Software: SOUNDBITE...}
 Alias         : {APT32, OceanLotus Group}
 ID            : {G0050}
 URL           : https://attack.mitre.org/wiki/Group/G0050
 TechniqueName : {Scheduled Task, Regsvr32, PowerShell, Custom Command and Control Protocol...}
 FullText      : Group/G0050
 Reference     : {FireEye APT32 May 2017, GitHub Malleable C2, GitHub Invoke-Obfuscation}
 Link Text     : {[[Group/G0050|APT32]]}
 Name          : {APT32}
 Description   : {[[Group/G0050|APT32]] is a threat group that has been active since at least 2014. The group
                 has targeted multiple private sector industries as well as with foreign governments,
                 dissidents, and journalists. The group's operations are aligned with Vietnamese state
                 interests.[[CiteRef::FireEye APT32 May 2017]]}
 TechniqueID   : {Technique/T1053, Technique/T1117, Technique/T1086, Technique/T1094...}
 Display Title : Group: APT32, OceanLotus Group

[BETA] Exporting custom results to a CSV
Invoke-ATTACKAPI -Category -Technique | where-object -Property ID -GE "T1134" | 
 select @{Name="Name"; Expression={$_.Name -join ","}}, @{Name="Tactic"; Expression={$_.Tactic -join ","}}, 
 @{Name ="ID"; Expression={$_.ID -join ","}}, @{Name="Description"; Expression={$_.Description -join ","}}, 
 @{Name="Analytic details"; Expression={$_.'Analytic Details' -join ","}}, @{Name="Data Source";
 Expression={$_.'Data Source' -join ","}}  | export-csv F:\wardog\scripts\demo6.csv -NoTypeInformation

Showing an up-to-date ATT&CK Matrix for Enterprise
Invoke-ATTACKAPI -Matrix | select Persistence, 'Privilege Escalation', 'Defense Evasion','Credential Access', Discovery, 'Lateral Movement', Execution, Collection, Exfiltration, 'Command and Control' | ft
 
 Persistence                                           Privilege Escalation                  Defense Evasion                         Credential Access                      Discovery                              Lateral Movement                    Execution
 -----------                                           --------------------                  ---------------                         -----------------                      ---------                              ----------------                    ---------
 .bash_profile and .bashrc                             Access Token Manipulation             Access Token Manipulation               Account Manipulation                   Account Discovery                      AppleScript                         AppleScript
 Accessibility Features                                Accessibility Features                Binary Padding                          Bash History                           Application Window Discovery           Application Deployment Software     Application Shimming
 AppInit DLLs                                          AppInit DLLs                          Bypass User Account Control             Brute Force                            File and Directory Discovery           Exploitation of Vulnerability       Command-Line Interface
 Application Shimming                                  Application Shimming                  Clear Command History                   Create Account                         Network Service Scanning               Logon Scripts                       Execution through API
 Authentication Package                                Bypass User Account Control           Code Signing                            Credential Dumping                     Network Share Discovery                Pass the Hash                       Execution through Mod...
 Bootkit                                               DLL Injection                         Component Firmware                      Credentials in Files                   Peripheral Device Discovery            Pass the Ticket                     Graphical User Interface
 Change Default File Association                       DLL Search Order Hijacking            Component Object Model Hijacking        Exploitation of Vulnerability          Permission Groups Discovery            Remote Desktop Protocol             InstallUtil
 Component Firmware                                    Dylib Hijacking                       Deobfuscate/Decode Files or Information Input Capture                          Process Discovery                      Remote File Copy                    Launchctl
 Component Object Model Hijacking                      Exploitation of Vulnerability         Disabling Security Tools                Input Prompt                           Query Registry                         Remote Services                     PowerShell
 Cron Job                                              File System Permissions Weakness      DLL Injection                           Keychain                               Remote System Discovery                Replication Through Removable Media Process Hollowing
 DLL Search Order Hijacking                            Launch Daemon                         DLL Search Order Hijacking              Network Sniffing                       Security Software Discovery            Shared Webroot                      Regsvcs/Regasm
 Dylib Hijacking                                       Local Port Monitor                    DLL Side-Loading                        Private Keys                           System Information Discovery           Taint Shared Content                Regsvr32
 External Remote Services                              New Service                           Exploitation of Vulnerability           Securityd Memory                       System Network Configuration Discovery Third-party Software                Rundll32
 File System Permissions Weakness                      Path Interception                     File Deletion                           Two-Factor Authentication Interception System Network Connections Discovery   Windows Admin Shares                Scheduled Task
 Hidden Files and Directories                          Plist Modification                    File System Logical Offsets                                                    System Owner/User Discovery            Windows Remote Management           Scripting
 Hypervisor                                            Scheduled Task                        Gatekeeper Bypass                                                              System Service Discovery                                                   Service Execution
 Launch Agent                                          Service Registry Permissions Weakness Hidden Files and Directories                                                   System Time Discovery                                                      Source
 Launch Daemon                                         Setuid and Setgid                     Hidden Users                                                                                                                                              Space after Filename
 Launchctl                                             Startup Items                         Hidden Window                                                                                                                                             Third-party Software
 LC_LOAD_DYLIB Addition                                Sudo                                  HISTCONTROL                                                                                                                                               Trap
 Local Port Monitor                                    Valid Accounts                        Indicator Blocking                                                                                                                                        Trusted Developer Uti...
 Login Item                                            Web Shell                             Indicator Removal from Tools                                                                                                                              Windows Management In...
 Logon Scripts                                                                               Indicator Removal on Host                                                                                                                                 Windows Remote Manage...
 Modify Existing Service                                                                     Install Root Certificate
 Netsh Helper DLL                                                                            InstallUtil
 New Service                                                                                 Launchctl
 Office Application Startup                                                                  LC_MAIN Hijacking
 Path Interception                                                                           Masquerading
 Plist Modification                                                                          Modify Registry
 Rc.common                                                                                   Network Share Connection Removal
 Redundant Access                                                                            NTFS Extended Attributes
 Registry Run Keys / Start Folder                                                            Obfuscated Files or Information
 Re-opened Applications                                                                      Plist Modification
 Scheduled Task                                                                              Process Hollowing
 Security Support Provider                                                                   Redundant Access
 Service Registry Permissions Weakness                                                       Regsvcs/Regasm
 Shortcut Modification                                                                       Regsvr32
 Startup Items                                                                               Rootkit
 System Firmware                                                                             Rundll32
 Trap                                                                                        Scripting
 Valid Accounts                                                                              Software Packing
 Web Shell                                                                                   Space after Filename
 Windows Management Instrumentation Event Subscription                                       Timestomp
 Winlogon Helper DLL                                                                         Trusted Developer Utilities
                                                                                             Valid Accounts

Getting an up-to-date ATT&CK Matrix for Enterprise and exporting it to a CSV file
Invoke-ATTACKAPI -Matrix | select Persistence, 'Privilege Escalation', 'Defense Evasion','Credential Access',
 Discovery, 'Lateral Movement', Execution, Collection, Exfiltration, 'Command and Control' | 
 Export-Csv C:\wardog\scripts\matrix.csv -NoTypeInformation

Showing an up-to-date table of Groups/APTs with the techniques and tools attributed to them
Invoke-ATTACKAPI -Attribution | ft
 
 Group     Group Alias                                        Group ID Tactic                                  TechniqueName                           TechniqueID     Tool
 -----     -----------                                        -------- ------                                  -------------                           -----------     ----
 admin@338 admin@338                                          G0018    Discovery                               System Time Discovery                   Technique/T1124 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Defense Evasion                         Network Share Connection Removal        Technique/T1126 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Command and Control                     Commonly Used Port                      Technique/T1043 Software: LOWBALL
 admin@338 admin@338                                          G0018    {Command and Control, Lateral Movement} Remote File Copy                        Technique/T1105 Software: LOWBALL
 admin@338 admin@338                                          G0018    Discovery                               System Network Connections Discovery    Technique/T1049 Software: netstat, netstat.exe
 admin@338 admin@338                                          G0018    Discovery                               System Information Discovery            Technique/T1082 Software: BUBBLEWRAP, Backdoor.APT...
 admin@338 admin@338                                          G0018    Discovery                               Account Discovery                       Technique/T1087
 admin@338 admin@338                                          G0018    Execution                               Command-Line Interface                  Technique/T1059
 admin@338 admin@338                                          G0018    Discovery                               System Service Discovery                Technique/T1007
 admin@338 admin@338                                          G0018    Defense Evasion                         Masquerading                            Technique/T1036
 admin@338 admin@338                                          G0018    Discovery                               Remote System Discovery                 Technique/T1018 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Discovery                               System Network Connections Discovery    Technique/T1049 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Lateral Movement                        Windows Admin Shares                    Technique/T1077 Software: Net, net.exe
 admin@338 admin@338                                          G0018    {Defense Evasion, Privilege Escalation} DLL Injection                           Technique/T1055 Software: PoisonIvy, Poison Ivy
 admin@338 admin@338                                          G0018    Discovery                               System Service Discovery                Technique/T1007 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Discovery                               Account Discovery                       Technique/T1087 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Command and Control                     Standard Non-Application Layer Protocol Technique/T1095 Software: BUBBLEWRAP, Backdoor.APT...
 admin@338 admin@338                                          G0018    Discovery                               System Information Discovery            Technique/T1082 Software: Systeminfo, systeminfo.exe
 admin@338 admin@338                                          G0018    Credential Access                       Create Account                          Technique/T1136 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Discovery                               Permission Groups Discovery             Technique/T1069
 admin@338 admin@338                                          G0018    Discovery                               Network Share Discovery                 Technique/T1135 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Command and Control                     Web Service                             Technique/T1102 Software: LOWBALL
 admin@338 admin@338                                          G0018    Execution                               Service Execution                       Technique/T1035 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Discovery                               File and Directory Discovery            Technique/T1083
 admin@338 admin@338                                          G0018    Discovery                               Permission Groups Discovery             Technique/T1069 Software: Net, net.exe
 admin@338 admin@338                                          G0018    Discovery                               System Network Connections Discovery    Technique/T1049
 admin@338 admin@338                                          G0018    Discovery                               System Information Discovery            Technique/T1082
 admin@338 admin@338                                          G0018    Command and Control                     Standard Application Layer Protocol     Technique/T1071 Software: LOWBALL
 admin@338 admin@338                                          G0018    Command and Control                     Standard Cryptographic Protocol         Technique/T1032 Software: PoisonIvy, Poison Ivy
 admin@338 admin@338                                          G0018    {Collection, Credential Access}         Input Capture                           Technique/T1056 Software: PoisonIvy, Poison Ivy
 admin@338 admin@338                                          G0018    Command and Control                     Standard Application Layer Protocol     Technique/T1071 Software: BUBBLEWRAP, Backdoor.APT...
 admin@338 admin@338                                          G0018    Discovery                               System Network Configuration Discovery  Technique/T1016 Software: ipconfig, ipconfig.exe
 admin@338 admin@338                                          G0018    Discovery                               System Network Configuration Discovery  Technique/T1016
 APT1      {APT1, Comment Crew, Comment Group, Comment Panda} G0006    Collection                              Data from Local System                  Technique/T1005
 APT1      {APT1, Comment Crew, Comment Group, Comment Panda} G0006    Execution                               Service Execution                       Technique/T1035 Software: xCmd
 APT1      {APT1, Comment Crew, Comment Group, Comment Panda} G0006    Lateral Movement                        Pass the Hash                           Technique/T1075 Software: Pass-The-Hash Toolkit
 APT1      {APT1, Comment Crew, Comment Group, Comment Panda} G0006    Execution                               Service Execution                       Technique/T1035 Software: Net, net.exe
 APT1      {APT1, Comment Crew, Comment Group, Comment Panda} G0006    Discovery                               Remote System Discovery                 Technique/T1018 Software: Net, net.exe
 APT1      {APT1, Comment Crew, Comment Group, Comment Panda} G0006    Collection                              Email Collection                        Technique/T1114
 APT1      {APT1, Comment Crew, Comment Group, Comment Panda} G0006    Lateral Movement                        Pass the Hash                           Technique/T1075

Showing an up-to-date table of the techniques and tools attributed to a Group/APT with Group ID G0046 (FIN7)
Invoke-ATTACKAPI -Attribution | Where-Object -Property 'Group ID' -EQ 'G0046' | ft
 
 Group Group Alias Group ID Tactic                                         TechniqueName                       TechniqueID     Tool                                Description
 ----- ----------- -------- ------                                         -------------                       -----------     ----                                -----------
 FIN7  FIN7        G0046    Discovery                                      Process Discovery                   Technique/T1057 Software: HALFBAKED                 {[[Software/S0151|HALFBAKED]] can obtain information about running processes on the victim.[[CiteRef::Fir...
 FIN7  FIN7        G0046    Persistence                                    Registry Run Keys / Start Folder    Technique/T1060                                     {[[Group/G0046|FIN7]] malware has created a Registry Run key pointing to its malicious LNK file to establ...
 FIN7  FIN7        G0046    Discovery                                      Query Registry                      Technique/T1012 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] queries Registry keys in preparation for setting Run keys to achieve pers...
 FIN7  FIN7        G0046    Persistence                                    Registry Run Keys / Start Folder    Technique/T1060 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] achieves persistence by setting a Registry Run key, with the path dependi...
 FIN7  FIN7        G0046    {Command and Control, Lateral Movement}        Remote File Copy                    Technique/T1105 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] has been observed being used to download [[Software/S0146|TEXTMATE]] and ...
 FIN7  FIN7        G0046    {Execution, Persistence, Privilege Escalation} Application Shimming                Technique/T1138                                     {[[Group/G0046|FIN7]] has used application shim databases for persistence.[[CiteRef::FireEye FIN7 Shim Da...
 FIN7  FIN7        G0046    {Execution, Persistence, Privilege Escalation} Scheduled Task                      Technique/T1053                                     {[[Group/G0046|FIN7]] malware has created scheduled tasks to establish persistence.[[CiteRef::FireEye FIN...
 FIN7  FIN7        G0046    Command and Control                            Standard Application Layer Protocol Technique/T1071 Software: Carbanak, Anunak          {The [[Software/S0030|Carbanak]] malware communicates to its command server using HTTP with an encrypted ...
 FIN7  FIN7        G0046    Collection                                     Screen Capture                      Technique/T1113 Software: HALFBAKED                 {[[Software/S0151|HALFBAKED]] can obtain screenshots from the victim.[[CiteRef::FireEye FIN7 April 2017]]}
 FIN7  FIN7        G0046    Command and Control                            Standard Application Layer Protocol Technique/T1071 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef...
 FIN7  FIN7        G0046    Execution                                      Windows Management Instrumentation  Technique/T1047 Software: HALFBAKED                 {[[Software/S0151|HALFBAKED]] can use WMI queries to gather system information.[[CiteRef::FireEye FIN7 Ap...
 FIN7  FIN7        G0046    Command and Control                            Standard Application Layer Protocol Technique/T1071 Software: TEXTMATE, DNSMessenger    {[[Software/S0146|TEXTMATE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]]}
 FIN7  FIN7        G0046    Discovery                                      System Information Discovery        Technique/T1082 Software: HALFBAKED                 {[[Software/S0151|HALFBAKED]] can obtain information about the OS, processor, and BIOS.[[CiteRef::FireEye...
 FIN7  FIN7        G0046    {Collection, Credential Access}                Input Capture                       Technique/T1056 Software: Carbanak, Anunak          {[[Software/S0030|Carbanak]] contains keylogger functionality.[[CiteRef::Kaspersky Carbanak]]}
 FIN7  FIN7        G0046    Command and Control                            Standard Cryptographic Protocol     Technique/T1032 Software: Carbanak, Anunak          {[[Software/S0030|Carbanak]] encrypts the message body of HTTP traffic with RC2 and Base64 encoding.[[Cit...
 FIN7  FIN7        G0046    Execution                                      PowerShell                          Technique/T1086 Software: HALFBAKED                 {[[Software/S0151|HALFBAKED]] can execute PowerShell scripts.[[CiteRef::FireEye FIN7 April 2017]]}
 FIN7  FIN7        G0046    {Command and Control, Lateral Movement}        Remote File Copy                    Technique/T1105                                     {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[...
 FIN7  FIN7        G0046    Execution                                      PowerShell                          Technique/T1086 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] is a PowerShell backdoor.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef::C...
 FIN7  FIN7        G0046    Execution                                      PowerShell                          Technique/T1086                                     {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[...
 FIN7  FIN7        G0046    Defense Evasion                                Masquerading                        Technique/T1036                                     {[[Group/G0046|FIN7]] has created a scheduled task named “AdobeFlashSync” to establish persistence.[[Cite...
 FIN7  FIN7        G0046    Defense Evasion                                Obfuscated Files or Information     Technique/T1027 Software: POWERSOURCE, DNSMessenger {If the victim is using PowerShell 3.0 or later, [[Software/S0145|POWERSOURCE]] writes its decoded payloa...
 FIN7  FIN7        G0046    Defense Evasion                                File Deletion                       Technique/T1107 Software: HALFBAKED                 {[[Software/S0151|HALFBAKED]] can delete a specified file.[[CiteRef::FireEye FIN7 April 2017]]}
 FIN7  FIN7        G0046    Execution                                      Command-Line Interface              Technique/T1059 Software: TEXTMATE, DNSMessenger    {[[Software/S0146|TEXTMATE]] executes cmd.exe to provide  a reverse shell to attackers.[[CiteRef::FireEye...
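The attribution table above lists each technique once per tool, and the goal stated at the top of the page is to speed up hunting-campaign preparation. A natural next step is to ask which data sources give the widest coverage of a group's techniques. The function below is an added example, not part of Invoke-ATTACKAPI; it assumes the object shape shown above ('Group ID', TechniqueID, TechniqueName and a multi-valued 'Data Source' property) and the sample rows it runs on are constructed, not real API output.

```powershell
# Added example (not Invoke-ATTACKAPI code): rank data sources by how many of a
# group's attributed techniques they cover, as input for hunting-campaign planning.
# Assumed object shape: 'Group ID', TechniqueID, TechniqueName, 'Data Source' (array).

function Get-GroupDataSourceCoverage {
    [CmdletBinding()]
    param(
        # Rows as returned by Invoke-ATTACKAPI -Attribution (or constructed rows for testing)
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Attribution,
        [Parameter(Mandatory)] [string] $GroupId
    )
    begin   { $rows = @() }
    process { $rows += $Attribution }
    end {
        $forGroup = $rows | Where-Object { $_.'Group ID' -eq $GroupId }
        # The same technique appears once per tool; count each TechniqueID only once
        $techniques = $forGroup | Sort-Object -Property TechniqueID -Unique
        $coverage = @{}
        foreach ($t in $techniques) {
            foreach ($ds in @($t.'Data Source')) {
                if (-not $coverage.ContainsKey($ds)) { $coverage[$ds] = @() }
                $coverage[$ds] += $t.TechniqueID
            }
        }
        foreach ($ds in $coverage.Keys) {
            [pscustomobject]@{
                'Group ID'     = $GroupId
                'Data Source'  = $ds
                TechniqueCount = $coverage[$ds].Count
                Techniques     = ($coverage[$ds] | Sort-Object) -join ', '
            }
        }
    }
}

# Constructed sample rows (hypothetical data source mappings, not real API output)
$sample = @(
    [pscustomobject]@{ 'Group ID'='G0046'; TechniqueID='Technique/T1086'; TechniqueName='PowerShell'
                       'Data Source'=@('Process monitoring','Process command-line parameters','Windows event logs') }
    [pscustomobject]@{ 'Group ID'='G0046'; TechniqueID='Technique/T1086'; TechniqueName='PowerShell'
                       'Data Source'=@('Process monitoring','Process command-line parameters','Windows event logs') }
    [pscustomobject]@{ 'Group ID'='G0046'; TechniqueID='Technique/T1053'; TechniqueName='Scheduled Task'
                       'Data Source'=@('File monitoring','Process command-line parameters','Windows event logs') }
    [pscustomobject]@{ 'Group ID'='G0046'; TechniqueID='Technique/T1113'; TechniqueName='Screen Capture'
                       'Data Source'=@('API monitoring','Process monitoring') }
    [pscustomobject]@{ 'Group ID'='G0006'; TechniqueID='Technique/T1075'; TechniqueName='Pass the Hash'
                       'Data Source'=@('Authentication logs') }
)

# The duplicate T1086 row is collapsed, and G0006 rows are ignored for this group
$sample | Get-GroupDataSourceCoverage -GroupId 'G0046' |
    Sort-Object -Property TechniqueCount -Descending | Format-Table -AutoSize

# Against the live data: Invoke-ATTACKAPI -Attribution | Get-GroupDataSourceCoverage -GroupId 'G0046'
```

On the constructed sample the top entries are Process monitoring and Process command-line parameters with three techniques each, which is the kind of prioritisation that tells a hunter which telemetry to collect first.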

Getting an up to date table of Groups/APTs with the techniques and tools attributed to them and exporting it to a CSV file
Invoke-ATTACKAPI -Attribution | select Group, 'Group Alias','Group ID', Tactic, TechniqueName,
 TechniqueID, Tool, @{Name='Description'; Expression={$_.Description}}, 'Data Source'|
  export-csv -NoTypeInformation C:\Documents\ATTACK_Attribution.csv

Showing an up to date table with all the valuable information from the MITRE ATT&CK DB at once
Invoke-ATTACKAPI -All | ft
 
 Tactic      TechniqueName           TechniqueID     Group             Group Alias                                         Group ID Tool
 ------      -------------           -----------     -----             -----------                                         -------- ----
 Collection  Screen Capture          Technique/T1113 APT28             {APT28, Sednit, Sofacy, Pawn Storm...}              G0007
 Collection  Screen Capture          Technique/T1113 APT28             {APT28, Sednit, Sofacy, Pawn Storm...}              G0007    Software: XAgentOSX
 Collection  Data from Local System  Technique/T1005 APT1              {APT1, Comment Crew, Comment Group, Comment Panda}  G0006
 Collection  Screen Capture          Technique/T1113 Cleaver           {Cleaver, TG-2889, Threat Group 2889}               G0003    Software: TinyZBot
 Collection  Screen Capture          Technique/T1113 APT32             {APT32, OceanLotus Group}                           G0050    Software: Cobalt Strike
 Collection  Screen Capture          Technique/T1113 APT29             {APT29, The Dukes, Cozy Bear}                       G0016    Software: CosmicDuke, TinyBaron,...
 Collection  Data Staged             Technique/T1074 APT30             APT30                                               G0013    Software: SPACESHIP
 Collection  Data from Local System  Technique/T1005 Ke3chang          Ke3chang                                            G0004
 Collection  Data from Local System  Technique/T1005 Lazarus Group     {Lazarus Group, HIDDEN COBRA, Guardians of Peace}   G0032
 Collection  Data from Local System  Technique/T1005 APT29             {APT29, The Dukes, Cozy Bear}                       G0016    Software: CosmicDuke, TinyBaron,...
 Collection  Data from Local System  Technique/T1005 APT29             {APT29, The Dukes, Cozy Bear}                       G0016    Software: PinchDuke
 Collection  Data from Local System  Technique/T1005 APT30             APT30                                               G0013    Software: FLASHFLOOD
 Collection  Screen Capture          Technique/T1113 RTM               RTM                                                 G0048    Software: RTM
 Collection  Screen Capture          Technique/T1113 MONSOON           {MONSOON, Operation Hangover}                       G0042    Software: BADNEWS
 Collection  Screen Capture          Technique/T1113 menuPass          {menuPass, Stone Panda, APT10, Red Apollo...}       G0045    Software: RedLeaves, BUGJUICE
 Collection  Email Collection        Technique/T1114 APT29             {APT29, The Dukes, Cozy Bear}                       G0016    Software: SeaDuke, SeaDaddy, Sea...
 Collection  Email Collection        Technique/T1114 APT1              {APT1, Comment Crew, Comment Group, Comment Panda}  G0006
 Collection  Screen Capture          Technique/T1113 Sandworm Team     {Sandworm Team, Quedagh}                            G0034    Software: BlackEnergy, Black Energy
 Collection  Screen Capture          Technique/T1113 FIN7              FIN7                                                G0046    Software: HALFBAKED
 Collection  Screen Capture          Technique/T1113 Dust Storm        Dust Storm                                          G0031    Software: ZLib
 Collection  Screen Capture          Technique/T1113 Dragonfly         {Dragonfly, Energetic Bear}                         G0035    Software: Trojan.Karagany
 Collection  Screen Capture          Technique/T1113 menuPass          {menuPass, Stone Panda, APT10, Red Apollo...}       G0045    Software: EvilGrab
 Collection  Screen Capture          Technique/T1113 Group5            Group5                                              G0043
 Collection  Screen Capture          Technique/T1113 Gamaredon Group   Gamaredon Group                                     G0047    Software: Pteranodon
 Collection  Data Staged             Technique/T1074 APT30             APT30                                               G0013    Software: FLASHFLOOD

Getting an up to date table with all the valuable information from the MITRE ATT&CK DB at once and exporting it to a CSV file (each multi-valued property is joined with -join so Export-Csv writes the values instead of "System.Object[]")
Invoke-ATTACKAPI -All | select @{Name='Tactic'; Expression={$_.tactic -join ','}}, @{Name='TechniqueName';
 Expression={$_.techniquename -join ','}}, techniqueID, group, @{Name='Group Alias'; Expression={$_.'Group alias'
 -join ','}}, 'Group ID', @{Name='Tool'; Expression={$_.Tool -join ','}}, @{Name='Description';
 Expression={$_.Description -join ','}}, @{Name='Data Source'; Expression={$_.'Data Source' -join ','}},
 @{Name='Bypass'; Expression={$_.Bypass -join ','}}, @{Name='Analytic Details'; Expression={$_.'Analytic Details'
 -join ','}}, @{Name='Mitigation'; Expression={$_.Mitigation -join ','}}, @{Name='Platform';
 Expression={$_.Platform -join ','}}, @{Name='Requires Permission'; Expression={$_.'Requires Permission' -join
 ','}}, @{Name='Requires System'; Expression={$_.'Requires System' -join ','}}, @{Name='CAPEC ID';
 Expression={$_.'CAPEC ID' -join ','}}, @{Name='Contributor'; Expression={$_.Contributor -join ','}},
 @{Name='URL'; Expression={$_.URL -join ','}} | Export-Csv -NoTypeInformation C:\Downloads\ATTACK_ALL.csv
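The long select above exists because Export-Csv renders an array-valued property (Tactic, Tool, 'Data Source', ...) as the literal string "System.Object[]", so every such column has to be joined by hand. The functions below are an added example, not part of Invoke-ATTACKAPI, that do the same flattening generically for whatever properties an object carries, so the export keeps working if the script adds or renames a field. The sample objects are constructed to mimic the -All output shown above; they are not real API data, and the output path is a temp file chosen here for illustration.

```powershell
# Added example (not Invoke-ATTACKAPI code): flatten every multi-valued property
# before Export-Csv, instead of enumerating each column in a calculated 'select'.

function ConvertTo-FlatRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $InputObject,
        [string] $Separator = ','
    )
    process {
        $flat = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $v = $p.Value
            if ($null -eq $v) {
                $flat[$p.Name] = ''
            } elseif ($v -is [System.Collections.IEnumerable] -and $v -isnot [string]) {
                # Arrays (Tactic, Tool, 'Data Source', ...) become one joined cell;
                # wiki-style links such as [[Group/G0046|FIN7]] are kept as-is
                $flat[$p.Name] = (@($v) | ForEach-Object { "$_" }) -join $Separator
            } else {
                $flat[$p.Name] = "$v"
            }
        }
        [pscustomobject]$flat
    }
}

function Export-ATTACKFlatCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $InputObject,
        [Parameter(Mandatory)] [string] $Path
    )
    begin   { $buffer = New-Object System.Collections.Generic.List[object] }
    process { $buffer.Add(($InputObject | ConvertTo-FlatRecord)) }
    end {
        # Export-Csv takes its column set from the first object; -All rows share one schema
        $buffer | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $Path
        # Read the file back so the caller can confirm no column became "System.Object[]"
        Import-Csv -Path $Path
    }
}

# Constructed sample (hypothetical values, not real API output) standing in for Invoke-ATTACKAPI -All
$sample = @(
    [pscustomobject]@{ Tactic=@('Execution','Persistence','Privilege Escalation'); TechniqueName='Scheduled Task'
                       TechniqueID='Technique/T1053'; Group='FIN7'; 'Group Alias'=@('FIN7'); 'Group ID'='G0046'
                       Tool=$null; 'Data Source'=@('File monitoring','Process monitoring','Windows event logs') }
    [pscustomobject]@{ Tactic='Collection'; TechniqueName='Screen Capture'; TechniqueID='Technique/T1113'
                       Group='FIN7'; 'Group Alias'=@('FIN7'); 'Group ID'='G0046'; Tool='Software: HALFBAKED'
                       'Data Source'=@('API monitoring','Process monitoring') }
)

$out = Join-Path ([System.IO.Path]::GetTempPath()) 'ATTACK_ALL_flat.csv'
$sample | Export-ATTACKFlatCsv -Path $out | Format-Table -AutoSize

# Against the live data: Invoke-ATTACKAPI -All | Export-ATTACKFlatCsv -Path C:\Downloads\ATTACK_ALL.csv
```

The Tactic cell of the first row comes back as "Execution,Persistence,Privilege Escalation" and the empty Tool becomes an empty cell rather than a null, which is what downstream tools (spreadsheets, SIEM lookups) expect.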
