ATT&CK users can use the taxii2client Server class to instantiate a server object pointing to the framework's public TAXII server URL, https://cti-taxii.mitre.org/taxii/:

```python
from taxii2client.v20 import Server

server = Server("https://cti-taxii.mitre.org/taxii/")
```
Available API Roots can be referenced from the server object. API Roots are logical groupings of TAXII Channels and Collections and can be thought of as instances of the TAXII API available at different URLs, where each API Root is the "root" URL of that particular instance of the TAXII API:

```python
server.api_roots
```

```
[<taxii2client.v20.ApiRoot at 0x10d8980a0>]
```

```python
api_root = server.api_roots[0]
```
The collections attribute of the API Root lists the available collections; each Collection object exposes properties such as title, description and id:

```python
api_root.collections
```

```
[<taxii2client.v20.Collection at 0x10d887d90>, <taxii2client.v20.Collection at 0x10d8b88b0>, <taxii2client.v20.Collection at 0x10d8b81f0>, <taxii2client.v20.Collection at 0x10d8b8970>]
```

```python
for collection in api_root.collections:
    print(collection.title, "->", collection.description)
```

```
Enterprise ATT&CK -> This data collection holds STIX objects from Enterprise ATT&CK
PRE-ATT&CK -> This data collection holds STIX objects from PRE-ATT&CK
Mobile ATT&CK -> This data collection holds STIX objects from Mobile ATT&CK
ICS ATT&CK -> This data collection holds STIX objects from ICS ATT&CK
```

```python
api_root.collections[3].title
```

```
'ICS ATT&CK'
```

```python
api_root.collections[3].id
```

```
'02c3ef24-9cd4-48f3-a99f-b74ce24f1d34'
```

```python
ICS_ATTACK = "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"
```
According to the STIX2 docs, the TAXIICollectionSource API provides an interface for searching and retrieving STIX objects from a local or remote TAXII Collection endpoint. In our case, we point it at the ATT&CK TAXII collection endpoint (https://cti-taxii.mitre.org/stix/collections/) followed by the ICS collection ID recorded above:

```python
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection

ATTACK_STIX_COLLECTIONS = "https://cti-taxii.mitre.org/stix/collections/"
ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + "/")
TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)
```
Now we can query the ICS ATT&CK TAXII collection. The query method takes one or more Filter objects; filtering on objects of type "attack-pattern" returns the ICS techniques:

```python
ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter("type", "=", "attack-pattern"))
print(ICS_TECHNIQUES[0])
```

```json
{
    "type": "attack-pattern",
    "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2020-05-21T17:43:26.506Z",
    "modified": "2020-05-21T17:43:26.506Z",
    "name": "Alarm Suppression",
    "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. \n\nIn the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. (Citation: Maroochy - MITRE - 200808)\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: References - Secura - 2019) The method of suppression may greatly depend on the type of alarm in question:\n\n* An alarm raised by a protocol message\n* An alarm signaled with I/O\n* An alarm bit set in a flag (and read)\n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: References - Secura - 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-ics-attack",
            "phase_name": "inhibit-response-function"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-ics-attack",
            "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T878",
            "external_id": "T0878"
        },
        {
            "source_name": "Maroochy - MITRE - 200808",
            "description": "Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study\u2013 Maroochy Water Services, Australia. Retrieved March 27, 2018.",
            "url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf"
        },
        {
            "source_name": "References - Secura - 2019",
            "description": "Jos Wetzels, Marina Krotofil. (2019). A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices. Retrieved November 1, 2019.",
            "url": "https://troopers.de/downloads/troopers19/TROOPERS19%20NGI%20IoT%20diet%20poisoned%20fruit.pdf"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "x_mitre_contributors": [
        "Marina Krotofil",
        "Jos Wetzels - Midnight Blue"
    ],
    "x_mitre_data_sources": [
        "Alarm history",
        "Alarm thresholds",
        "Network protocol analysis",
        "Packet capture"
    ],
    "x_mitre_platforms": [
        "Field Controller/RTU/PLC/IED",
        "Safety Instrumented System/Protection Relay"
    ]
}
```
```python
for TECHNIQUE in ICS_TECHNIQUES:
    print(TECHNIQUE['external_references'][0]['external_id'], "--", TECHNIQUE['name'])
```

```
T0878 -- Alarm Suppression
T0806 -- Brute Force I/O
T0808 -- Control Device Identification
T0812 -- Default Credentials
T0870 -- Detect Program State
T0819 -- Exploit Public-Facing Application
T0874 -- Hooking
T0825 -- Location Identification
T0829 -- Loss of View
T0849 -- Masquerading
T0801 -- Monitor Process State
T0843 -- Program Download
T0846 -- Remote System Discovery
T0852 -- Screen Capture
T0856 -- Spoof Reporting Message
T0855 -- Unauthorized Command Message
T0803 -- Block Command Message
T0807 -- Command-Line Interface
T0809 -- Data Destruction
T0814 -- Denial of Service
T0817 -- Drive-by Compromise
T0866 -- Exploitation of Remote Services
T0824 -- I/O Module Discovery
T0827 -- Loss of Control
T0835 -- Manipulate I/O Image
T0833 -- Modify Control Logic
T0841 -- Network Service Scanning
T0845 -- Program Upload
T0848 -- Rogue Master Device
T0854 -- Serial Connection Enumeration
T0862 -- Supply Chain Compromise
T0858 -- Utilize/Change Operating Mode
T0804 -- Block Reporting Message
T0885 -- Commonly Used Port
T0810 -- Data Historian Compromise
T0815 -- Denial of View
T0818 -- Engineering Workstation Compromise
T0822 -- External Remote Services
T0872 -- Indicator Removal on Host
T0828 -- Loss of Productivity and Revenue
T0831 -- Manipulation of Control
T0836 -- Modify Parameter
T0842 -- Network Sniffing
T0873 -- Project File Infection
T0850 -- Role Identification
T0881 -- Service Stop
T0857 -- System Firmware
T0859 -- Valid Accounts
T0802 -- Automated Collection
T0875 -- Change Program State
T0879 -- Damage to Property
T0813 -- Denial of Control
T0816 -- Device Restart/Shutdown
T0820 -- Exploitation for Evasion
T0877 -- I/O Image
T0826 -- Loss of Availability
T0830 -- Man in the Middle
T0838 -- Modify Alarm Settings
T0840 -- Network Connection Enumeration
T0844 -- Program Organization Units
T0847 -- Replication Through Removable Media
T0853 -- Scripting
T0869 -- Standard Application Layer Protocol
T0863 -- User Execution
T0800 -- Activate Firmware Update Mode
T0805 -- Block Serial COM
T0884 -- Connection Proxy
T0811 -- Data from Information Repositories
T0868 -- Detect Operating Mode
T0871 -- Execution through API
T0823 -- Graphical User Interface
T0883 -- Internet Accessible Device
T0880 -- Loss of Safety
T0832 -- Manipulation of View
T0839 -- Module Firmware
T0861 -- Point & Tag Identification
T0867 -- Remote File Copy
T0851 -- Rootkit
T0865 -- Spearphishing Attachment
T0882 -- Theft of Operational Information
T0860 -- Wireless Compromise
```
The attackcti Python library (reference: https://pypi.org/project/attackcti/) wraps the same TAXII and STIX2 calls shown above; its attack_client exposes helpers for the ICS techniques, groups and malware used below:

```python
from attackcti import attack_client

lift = attack_client()
ICS_TECHNIQUES = lift.get_ics_techniques()
print("Techniques Count:", len(ICS_TECHNIQUES))
```

```
Techniques Count: 81
```

```python
print(ICS_TECHNIQUES[0])
```

```json
{
    "type": "attack-pattern",
    "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2020-05-21T17:43:26.506Z",
    "modified": "2020-05-21T17:43:26.506Z",
    "name": "Alarm Suppression",
    "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. \n\nIn the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. (Citation: Maroochy - MITRE - 200808)\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: References - Secura - 2019) The method of suppression may greatly depend on the type of alarm in question:\n\n* An alarm raised by a protocol message\n* An alarm signaled with I/O\n* An alarm bit set in a flag (and read)\n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: References - Secura - 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-ics-attack",
            "phase_name": "inhibit-response-function"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-ics-attack",
            "url": "https://collaborate.mitre.org/attackics/index.php/Technique/T878",
            "external_id": "T0878"
        },
        {
            "source_name": "Maroochy - MITRE - 200808",
            "description": "Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study\u2013 Maroochy Water Services, Australia. Retrieved March 27, 2018.",
            "url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf"
        },
        {
            "source_name": "References - Secura - 2019",
            "description": "Jos Wetzels, Marina Krotofil. (2019). A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices. Retrieved November 1, 2019.",
            "url": "https://troopers.de/downloads/troopers19/TROOPERS19%20NGI%20IoT%20diet%20poisoned%20fruit.pdf"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "x_mitre_contributors": [
        "Marina Krotofil",
        "Jos Wetzels - Midnight Blue"
    ],
    "x_mitre_data_sources": [
        "Alarm history",
        "Alarm thresholds",
        "Network protocol analysis",
        "Packet capture"
    ],
    "x_mitre_platforms": [
        "Field Controller/RTU/PLC/IED",
        "Safety Instrumented System/Protection Relay"
    ]
}
```
```python
ICS_DATA_SOURCES = []
for TECHNIQUE in ICS_TECHNIQUES:
    if 'x_mitre_data_sources' in TECHNIQUE.keys():
        for DS in TECHNIQUE['x_mitre_data_sources']:
            if DS not in ICS_DATA_SOURCES:
                ICS_DATA_SOURCES.append(DS)
ICS_DATA_SOURCES
```

```
['Alarm history', 'Alarm thresholds', 'Network protocol analysis', 'Packet capture', 'Sequential event recorder', 'Data historian', 'Netflow/Enclave netflow', 'Authentication logs', 'Windows event logs', 'Web logs', 'Web application firewall logs', 'Application logs', 'File monitoring', 'Windows registry', 'API monitoring', 'File Monitoring', 'Process monitoring', 'Binary file metadata', 'Controller program', 'Network device logs', 'Host network interfaces', 'Process use of network', 'Process command-line parameters', 'Alarm History', 'Sequential Event Recorder', 'process use of network', 'Web proxy', 'SSl/TLS inspection', 'Network intrusion detection system', 'Windows error reporting', 'Asset management', 'Detonation chamber', 'Digital signatures', 'Windows Registry', 'Data loss prevention', 'Malware reverse engineering', 'Controller parameters', 'Anti-virus', 'Third-party application logs', 'Email gateway', 'Mail server']
```
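Two caveats show up in the outputs above: the technique listing assumes the ATT&CK ID is always external_references[0] (true here, but the STIX spec does not order references), and the data-source list keeps 'Alarm history' and 'Alarm History' as separate entries because the dedupe is case-sensitive. The following added example (not code from the original notebook or from attackcti) handles both on a constructed sample shaped like the real objects; the ID T0000, the "Some Report" reference and the revoked flag are placeholders.

```python
from collections import defaultdict

# Constructed sample shaped like the real attack-pattern objects; T0000, the
# "Some Report" reference and the revoked flag are placeholders, not ATT&CK data.
SAMPLE_TECHNIQUES = [
    {"name": "Alarm Suppression",
     "external_references": [
         {"source_name": "mitre-ics-attack", "external_id": "T0878"},
         {"source_name": "Maroochy - MITRE - 200808", "url": "https://example.invalid/"}],
     "x_mitre_data_sources": ["Alarm history", "Network protocol analysis"]},
    {"name": "Modify Alarm Settings",
     "external_references": [  # ATT&CK reference deliberately not at index 0
         {"source_name": "Some Report", "url": "https://example.invalid/"},
         {"source_name": "mitre-ics-attack", "external_id": "T0838"}],
     "x_mitre_data_sources": ["Alarm History", "Controller parameters"]},
    {"name": "Retired Technique", "revoked": True,  # placeholder, constructed
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0000"}],
     "x_mitre_data_sources": ["alarm  history"]},
]


def attack_id(technique):
    """ATT&CK ID taken from the reference whose source_name is the ATT&CK
    catalogue, rather than assuming it sits at external_references[0]."""
    for ref in technique.get("external_references", []):
        if ref.get("source_name") == "mitre-ics-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def normalize_ds(name):
    """Collapse whitespace and case so 'Alarm history'/'Alarm History' merge."""
    return " ".join(name.split()).lower()


def data_source_coverage(techniques, include_revoked=False):
    """Map normalised data source -> sorted ATT&CK IDs it can help detect,
    skipping revoked or deprecated techniques unless asked to keep them."""
    coverage = defaultdict(set)
    for t in techniques:
        if not include_revoked and (t.get("revoked") or t.get("x_mitre_deprecated")):
            continue
        tid = attack_id(t)
        if tid is None:  # no ATT&CK ID: cannot be placed on the matrix
            continue
        for ds in t.get("x_mitre_data_sources", []):
            coverage[normalize_ds(ds)].add(tid)
    return {ds: sorted(ids) for ds, ids in coverage.items()}
```

Running data_source_coverage(ICS_TECHNIQUES) over the real list merges the duplicate names seen above and shows how many techniques each data source can contribute detections for; the stix2 objects support the same .get() access as the sample dicts.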
```python
ICS_GROUPS = lift.get_ics_groups()
for GROUP in ICS_GROUPS:
    print(GROUP['name'])
```

```
TEMP.Veles
Dragonfly 2.0
HEXANE
Leafminer
APT33
OilRig
Dragonfly
Sandworm Team
Lazarus Group
ALLANITE
```

```python
ICS_MALWARE = lift.get_ics_malware()
for MALWARE in ICS_MALWARE:
    print(MALWARE['name'])
```

```
Ryuk
LockerGoga
Stuxnet
VPNFilter
NotPetya
Triton
PLC-Blaster
WannaCry
Flame
Industroyer
Killdisk
Backdoor.Oldrea
BlackEnergy 3
ACAD/Medre.A
Conficker
Bad Rabbit
Duqu
```