/ATTACK-Tools

Utilities for MITRE™ ATT&CK

Primary LanguagePLpgSQL

ATT&CK™-Tools

Utilities for MITRE™ ATT&CK™

This repository contains the following:

  • ATT&CK™ Data Model: a relational data model for ATT&CK™ and STIX™.
  • ATT&CK™ View: an adversary emulation planning tool.

Content

  • Release Notes
  • Overview
  • The ATT&CK™ Data Model
  • Accessing ATT&CK™ Data with SQL
  • License

Release Notes

  • There are 32 and 64-bit builds (32.zip and 64.zip)
  • ATT&CK™ View database is bundled within the same archive (32.zip and 64.zip) and must be located at same location as the executable
  • All executables are digitally signed
  • ATT&CK™ View IS FREE

Overview

ATT&CK™ View is a planning tool that help defenders in designing an adversary emulation plans based on MITRE™ ATT&CK™ framework in a structured approach. As a demonstration, ATT&CK™ View comes bundled with a full adversary emulation plan for APT3 developed by MITRE™ (SOURCE : https://attack.mitre.org/wiki/Adversary_Emulation_Plans).

Following is a description to the various UI elements.

Planner View, in this view, plans and tests can be created, edited, copied or deleted, there are also options available to export tests (check “Spreadsheet View” for other export options):

  • Export plan diagram to a bitmap image
  • Export the currently loaded (active) plan techniques to MITRE™ Navigator, this option allows exporting a second plan techniques alongside the currently loaded plan for comparison.

Navigator Export Options

Exported Plan with Comparison

Test Editor, the Test Editor allows for mapping tests to ATT&CK™ Techniques, color-mark and tag tests, select a testing framework (for example, cobalt-strike, metasploit or built-in OS tools/commands, additionally, custom frameworks can be added), lookup ATOMIC™ Red Team Tests (https://atomicredteam.io) in addition to other meta-data (test results, lessons learned, captured IOC's, etc.).

Spreadsheet View, this view lists all tests according to their order, this view can be exported to Excel and HTML formats. The fields to be exported can be specified too.

Plan Exported to Excel

Plan Exported to HTML

Coverage View, this view helps in highlighting the plan coverage in relation to a certain adversary (group) techniques, by showing the techniques that have not been planned for (this is the list labeled “Techniques not in Plan", this list can also be used to quickly add missing techniques to the plan). Additionally, this view highlights techniques used in the plan that do not map to the adversary under emulation (this is the list in the middle, the techniques are highlighted with a different color)

Search View, this view is meant to provide a search functionality through all content (plans, tests, tags, and the rest of the associated meta-data) in addition to ATT&CK™ framework and ATOMIC™ Tests.

The “View...” action depends on the content type, if it is part of a plan or test, it will show up in it’s own editor. If the content is related to ATT&CK™ or ATOMIC™ frameworks, it will point the default web browser to the related external URL.

The search also highlights where the content was found, for example, in a test “implementation” field, or ATT&CK™ Technique “description”, etc., to make it easier to jump quickly to the desired source, the search view can be grouped and re-arranged in the form of a pivot table (the second screen shot)

Organized Search View

The ATT&CK™ Data Model

There are many use cases for ATT&CK™ framework, many of which depend on existing tools being ATT&CK™-enabled, to make this process easier, the database in this repository can help in getting up to speed with integrating existing tools with ATT&CK™, build your own tooling or fuse ATT&CK™ with other existing frameworks.

The database is based on SQLite for simplicity and portability, however, it is better to think of terms of a data model instead of the underlying technology used in implementation, this is very important, as it enables exploring other useful models and applications and then narrow down to technology.

The following is a conceptual model that can be implemented using any database technology (The attack_view_db_structure.sql is a good starting point).

Accessing ATT&CK™ Data with SQL

To have a better understanding about the database structure, following is a list of sample SQL queries used to read ATT&CK™. To run the following SQL queries, you will need a SQLite management tool, there are many free and paid tools available supporting Windows, macOS and Linux (https://www.sqlite.org/cvstrac/wiki?p=ManagementTools)

Some output truncated for brevity

Get the list of ATT&CK™ techniques

SQL

SELECT name FROM sdos_object WHERE type IS "attack-pattern";

OUTPUT

name
.bash_profile and .bashrc
Access Token Manipulation
Accessibility Features
Account Discovery
Account Manipulation
...

Get the list of ATT&CK™ techniques names with their STIX 2.0 identifier

SQL

SELECT id, name FROM sdos_object WHERE type IS "attack-pattern";

OUTPUT

idname
attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8.bash_profile and .bashrc
attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48Access Token Manipulation
attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3Accessibility Features
attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08Account Discovery
attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27Account Manipulation
...

The id field is a unique key that will be used frequently in many SQL queries

The external references are stored in external_references table, since one ATT&CK™ technique can have one or more references, the link between the two tables is the technique identifier (check previous query), I will list multiple ways to access the external references

Get the list of ATT&CK™ techniques with external names

SQL

SELECT name, external_id
FROM sdos_object INNER JOIN external_references ON 
     sdos_object.id = external_references.fk_object_id
WHERE 
  sdos_object.type IS "attack-pattern"
  AND 
  external_references.source_name IS "mitre-attack";

OUTPUT

nameexternal_id
.bash_profile and .bashrcT1156
Access Token ManipulationT1134
Accessibility FeaturesT1015
Account DiscoveryT1087
Account ManipulationT1098
...

List all ATT&CK™ techniques associated with "Windows" platform

SQL

SELECT name, external_id
FROM sdos_object INNER JOIN external_references ON
     sdos_object.id = external_references.fk_object_id
WHERE 
  sdos_object.type IS "attack-pattern" AND 
  x_mitre_platforms_windows IS "true" AND 
  external_references.source_name IS "mitre-attack";

OUTPUT

nameexternal_id
Access Token ManipulationT1134
Accessibility FeaturesT1015
Account DiscoveryT1087
Account ManipulationT1098
AppCert DLLsT1182
...

List all Malware objects along with their description

SQL

SELECT name, description FROM sdos_object 
WHERE type IS "malware";

OUTPUT

namedescription
3PARA RAT3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. (Citation: CrowdStrike Putter Panda)

Aliases: 3PARA RAT
4H RAT4H RAT is malware that has been used by Putter Panda since at least 2007. (Citation: CrowdStrike Putter Panda)

Aliases: 4H RAT
ADVSTORESHELLADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)

Aliases: ADVSTORESHELL, NETUI, EVILTOSS, AZZY, Sedreco
ASPXSpyASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. (Citation: Dell TG-3390)

Aliases: ASPXSpy, ASPXTool
Agent.btzAgent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)

Aliases: Agent.btz
...

List all Adversaries (intrusion-sets) along with their description

SQL

SELECT name, description FROM sdos_object 
WHERE type IS "intrusion-set";

OUTPUT

namedescription
APT1APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)
APT12APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)
APT16APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)
APT17APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)
APT18APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)
...

List all Tools and Malware used by a certain Adversary

All STIX 2.0 Domain Objects (SDO) relations are stored in "relationship" table. The following query is a nested query used to get the tools/malware used by APT3:

SQL

SELECT name, description
FROM sdos_object
WHERE (type IS "malware" OR type IS "tool") -- Query for tools or malware
  AND id IN (SELECT target_ref -- filter tools/malware associated with APT3
             FROM relationship
             WHERE relationship_type IS "uses" -- Source "uses" Target
               AND source_ref IS -- Source is APT3 identifier
                   "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9");

OUTPUT

namedescription
OSInfoOSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)

Aliases: OSInfo
PlugXPlugX is a remote access tool (RAT) that uses modular plugins. (Citation: Lastline PlugX Analysis) It has been used by multiple threat groups. (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)

Aliases: PlugX, Sogu, Kaba, Korplug
RemoteCMDRemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. (Citation: Symantec Buckeye)

Aliases: RemoteCMD
SHOTPUTSHOTPUT is a custom backdoor used by APT3. (Citation: FireEye Clandestine Wolf)

Aliases: SHOTPUT, Backdoor.APT.CookieCutter, Pirpi
schtasksschtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)

Aliases: schtasks, schtasks.exe
...

Get ATOMIC™ test(s) associated with an ATT&CK™ technique

ATOMIC™ Tests are stored in three tables

  • atomic_test table, this table simply maps ATOMIC™ tests to ATT&CK™ techniques. Each atomic_test record has one or more atomic_attack_test records that contains the actual test details
  • atomic_attack_test, this tables holds the actual ATOMIC™ test details, each test has one or more input arguments represented with an atomic_input_arguments record
  • atomic_input_arguments, holds tests input arguments details

The following SQL statement retrieves the ATOMIC™ test(s) associated with ATT&CK™ technique "T1031"

SQL

SELECT name, description, executor_name, executor_command
FROM atomic_attack_test
  WHERE fk_atomic_attack_id IN 
    (SELECT id FROM atomic_attack 
     WHERE fk_attack_external_id IS "T1031");

OUTPUT

namedescriptionexecutor_nameexecutor_command
Modify Fax service to run PowerShellThis test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
command_promptsc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
sc start Fax
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"

License

Copyright 2018 Nader Shalabi. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met: 
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
   the following disclaimer. 
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
   and the following disclaimer in the documentation and/or other materials provided with the 
   distribution. 

THIS SOFTWARE IS PROVIDED BY NADER SHALABI ''AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NADER SHALABI
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and
should not be interpreted as representing official policies, either expressed or implied, of Nader Shalabi.