Automate The Creation of ATT&CK Navigator Group Layer Files With Python - by Roberto Rodriguez
https://attack.mitre.org/groups/G0005/
What is attackcti?
It is a Python library developed as part of the ATTACK-Python-Client project that I started last year (2018) and that I use to access up-to-date ATT&CK content, available in STIX format, via a public TAXII server. This project leverages Python classes and functions from the cti-python-stix2 and cti-taxii-client libraries developed by MITRE.
I had never heard of the STIX/TAXII 2.0 APIs before, so I decided to start the ATTACK-Python-Client project to learn more about them. After writing a few scripts to interact with ATT&CK's public TAXII server, I decided to write my own Python library. For more information about the development of the library, I highly recommend reading the attackcti library documentation.
Install attackcti
You can install the library from PyPI via pip (the package is published as attackcti).
Relationship object
relationship--5a49400c-2003-463c-8e6e-97b79f560675
[APT12](https://attack.mitre.org/groups/G0005) has u
Intrusion-set object
intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb
Attack-pattern object
attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
https://github.com/mitre/cti/blob/master/USAGE.md#mapping-concepts
ATTCK_STIX_COLLECTIONS = "https://cti-taxii.mitre.or
PRE_ATTCK = "062767bd-02d2-4b72-84ba-56caef0f8658"
MOBILE_ATTCK = "2f669986-b40b-4423-b720-4396ca6a462b
COMPOSITE_DS = CompositeDataSource()
COMPOSITE_DS.add_data_sources([TC_ENTERPRISE_SOURCE,
filter_objects = [
    Filter('type', '=', 'attack-pattern'),
    Filter('id', '=', [r.target_ref for r in group_rel
]
techniques_used = TC_ENTERPRISE_SOURCE.query(filter
You can simply run the following lines of code and you will
be able to retrieve all the attack-patterns used by one
specific intrusion-set:
def get_techniques_used_by_all_groups():
    techniques_used = []
    for group in groups:
        %time techniques_used.append(lift.get_techni
    return techniques_used
With an average of 3-4 seconds per get_techniques_used_by_group() call, multiplied across more than 90 groups, it makes sense that the function as a whole takes around 4–5 minutes. Once again, that is fine when it is done for one group, but not as fast when it is applied to more than 90 groups.
all_relationships = lift.get_relationships_by_object()
filter_objects = [
    Filter('type', '=', 'attack-pattern'),
    Filter('id', '=', [r.target_ref for r in all_relat
]
TC_ENTERPRISE_SOURCE.query(filter_objects)
groups_use_techniques = []
for gt in group_techniques_ref:
    for t in techniques:
        if gt['technique_ref'] == t['id']:
            tactic_list = list()
            for phase in t['kill_chain_phases']:
                tactic_list.append(phase['phase_name
            gt['technique'] = t['name']
            gt['technique_description'] = t['des
            gt['tactic'] = tactic_list
            gt['technique_id'] = t['external_ref
            gt['matrix'] = t['external_referenc
            if 'x_mitre_platforms' in t.keys():
                gt['platform'] = t['x_mitre_plat
            if 'x_mitre_data_sources' in t.keys(
                gt['data_sources'] = t['x_mitre_
            if 'x_mitre_permissions_required' in
                gt['permissions_required'] = t['
            if 'x_mitre_effective_permissions' i
                gt['effective_permissions'] = t[
            groups_use_techniques.append(gt)
groups_use_techniques[0]
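The join above, as an added example that is not the article's or the attackcti project's code, done offline over a handful of constructed STIX-like dictionaries (every ID, name and technique number below is made up). It folds the page's field-by-field copying into one function, keys both lookups by STIX ID so the whole data set is joined in a single pass instead of one TAXII query per group, and skips 'uses' relationships whose target is not an attack-pattern:

```python
"""Join intrusion-set -> attack-pattern 'uses' relationships to technique
metadata in one local pass.

Added example, not the article's code. The lists below are constructed to
mimic the STIX 2.0 dictionaries the article pulls from the ATT&CK TAXII server
(intrusion-set, attack-pattern, relationship); only the fields the join needs
are present, and every ID, name and technique number is made up.
"""

# Constructed intrusion-set objects (made-up STIX IDs).
GROUPS = [
    {"type": "intrusion-set",
     "id": "intrusion-set--00000000-0000-4000-8000-000000000001",
     "name": "Example Group A"},
]

# Constructed attack-pattern objects. Optional x_mitre_* fields are present on
# some techniques and absent on others, as in the real data set.
TECHNIQUES = [
    {"type": "attack-pattern",
     "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
     "name": "Example Technique One",
     "description": "constructed description",
     "kill_chain_phases": [
         {"kill_chain_name": "mitre-attack", "phase_name": "execution"},
         {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T9001",
          "url": "https://attack.mitre.org/techniques/T9001"}],
     "x_mitre_platforms": ["Windows"],
     "x_mitre_data_sources": ["Process monitoring"]},
    {"type": "attack-pattern",
     "id": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
     "name": "Example Technique Two",
     "description": "constructed description",
     "kill_chain_phases": [
         {"kill_chain_name": "mitre-attack", "phase_name": "discovery"}],
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T9002",
          "url": "https://attack.mitre.org/techniques/T9002"}],
     "x_mitre_permissions_required": ["User"]},
]

# Constructed relationship objects. The third one points at a non-technique
# object (malware), which a group->technique join must skip.
RELATIONSHIPS = [
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": GROUPS[0]["id"], "target_ref": TECHNIQUES[0]["id"]},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": GROUPS[0]["id"], "target_ref": TECHNIQUES[1]["id"]},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": GROUPS[0]["id"],
     "target_ref": "malware--00000000-0000-4000-8000-0000000000ff"},
]


def attack_reference(technique):
    """Return the external reference carrying the ATT&CK ID (T....), or None."""
    for ref in technique.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref
    return None


def join_groups_to_techniques(groups, techniques, relationships):
    """Build one enriched row per (group, technique) 'uses' relationship.

    Both lookups are dictionaries keyed by STIX ID, so the join is linear in
    the number of relationships instead of one query per group.
    """
    groups_by_id = {g["id"]: g["name"] for g in groups}
    techniques_by_id = {t["id"]: t for t in techniques}
    joined = []
    for rel in relationships:
        if rel.get("relationship_type") != "uses":
            continue
        group_name = groups_by_id.get(rel["source_ref"])
        t = techniques_by_id.get(rel["target_ref"])
        if group_name is None or t is None:
            continue  # not a group -> attack-pattern edge
        ref = attack_reference(t)
        row = {
            "group": group_name,
            "technique_ref": t["id"],
            "technique": t["name"],
            "technique_description": t.get("description", ""),
            "tactic": [p["phase_name"] for p in t.get("kill_chain_phases", [])],
            "technique_id": ref["external_id"] if ref else None,
            "matrix": ref["source_name"] if ref else None,
        }
        # Copy the optional ATT&CK extension fields only when present.
        for src, dst in (("x_mitre_platforms", "platform"),
                         ("x_mitre_data_sources", "data_sources"),
                         ("x_mitre_permissions_required", "permissions_required"),
                         ("x_mitre_effective_permissions", "effective_permissions")):
            if src in t:
                row[dst] = t[src]
        joined.append(row)
    return joined


if __name__ == "__main__":
    for row in join_groups_to_techniques(GROUPS, TECHNIQUES, RELATIONSHIPS):
        print(row["group"], row["technique_id"], row["tactic"])
```

With the real data set, the three lists would be the output of the group, technique and relationship queries shown earlier; the join itself does not care where they came from, which is what makes the one-query-then-join approach cheap.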
We need a template!
You can take the Navigator group layer file from above and use it as a template to loop through every single intrusion-set:
groups = lift.get_groups()
groups = lift.remove_revoked(groups)
groups_list = []
for g in groups:
    group_dict = dict()
    group_dict[g['name']] = []
    groups_list.append(group_dict)
groups_list[89]
Group techniques by groups
We can then use the output of the
get_techniques_used_by_all_groups() function and start
appending techniques to the dictionaries with the key
name that matches the group name. If there is a match, I
create a new dictionary with specific information that I
could use for my Navigator files.
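Building the per-group layer files described above, as an added example that is not the article's code. The input rows are constructed and shaped like the dictionaries assembled in the previous section (group, technique_id, technique, tactic). The article's own layer template is not reproduced on this page, so the layer keys used here (name, version, domain, description, and a techniques list of techniqueID/tactic/score/color/comment/enabled entries) are assumed from the Navigator layer format; adjust them to match the template you export from Navigator.

```python
"""Write one ATT&CK Navigator layer file per group from enriched technique rows.

Added example, not the article's code. ROWS is constructed; the layer field
names are assumed from the Navigator layer format, since the article's template
is not on the page.
"""
import json
from pathlib import Path

# Constructed rows (group names and technique IDs are made up).
ROWS = [
    {"group": "Example Group A", "technique_id": "T9001",
     "technique": "Technique One", "tactic": ["execution", "persistence"]},
    {"group": "Example Group A", "technique_id": "T9002",
     "technique": "Technique Two", "tactic": ["discovery"]},
    # Same technique reported through a second relationship: must not double count.
    {"group": "Example Group A", "technique_id": "T9002",
     "technique": "Technique Two", "tactic": ["discovery"]},
    {"group": "Example Group B", "technique_id": "T9001",
     "technique": "Technique One", "tactic": ["execution", "persistence"]},
]

LAYER_VERSION = "2.2"            # assumed Navigator layer format version
LAYER_DOMAIN = "mitre-enterprise"  # assumed domain value for Enterprise ATT&CK


def build_layer(group_name, rows):
    """Return a layer dict with one entry per (technique, tactic) pair.

    Navigator addresses a cell by technique AND tactic, so a technique that
    maps to two tactics needs two entries; repeated rows are collapsed.
    """
    seen = set()
    techniques = []
    for row in rows:
        if row["group"] != group_name:
            continue
        for tactic in row["tactic"]:
            key = (row["technique_id"], tactic)
            if key in seen:
                continue
            seen.add(key)
            techniques.append({
                "techniqueID": row["technique_id"],
                "tactic": tactic,
                "score": 1,
                "color": "",
                "comment": row.get("technique", ""),
                "enabled": True,
            })
    techniques.sort(key=lambda t: (t["techniqueID"], t["tactic"]))
    return {
        "name": group_name,
        "version": LAYER_VERSION,
        "domain": LAYER_DOMAIN,
        "description": f"Techniques used by {group_name} (generated layer)",
        "techniques": techniques,
    }


def build_all_layers(rows):
    """Map every group name found in rows to its layer dict."""
    return {name: build_layer(name, rows) for name in sorted({r["group"] for r in rows})}


def safe_filename(group_name):
    """Group names can contain characters that are not valid in file names."""
    keep = "".join(c if c.isalnum() or c in "-_" else "_" for c in group_name)
    return f"{keep}.json"


def write_layers(rows, out_dir):
    """Write one JSON file per group and return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, layer in build_all_layers(rows).items():
        path = out / safe_filename(name)
        path.write_text(json.dumps(layer, indent=2))
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_layers(ROWS, "navigator_layers"):
        print("wrote", p)
```

Each file produced by write_layers() is what you upload through Navigator's Open Existing Layer dialog; sorting the technique entries keeps the generated files stable across runs, which makes diffing two exports (for example before and after an ATT&CK release) straightforward.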
Dynamic Template:
Click on the (+) icon to the right of the default “layer” tab
and select Open Existing Layer > upload from local
Once you select the group layer file, you should get the following view:
APT12 Automatic Generated Navigator Layer File
References
https://pypi.org/project/attackcti/
https://attackcti.readthedocs.io/en/latest/
https://mitre-attack.github.io/attack-navigator/enterprise/
https://github.com/oasis-open/cti-python-stix2
https://github.com/oasis-open/cti-taxii-client
https://github.com/mitre/cti/blob/master/USAGE.md#mapping-concepts
https://attack.mitre.org/groups/G0005/