Merge pull request #1012 from cvandeplas/main

chg; [mitre] Deprecating entries in ATT&CK
2024-08-17 12:56:09 +02:00 · 2024-08-17 12:56:09 +02:00 · 8b29b49593
parent fdee22293c 552d80dd9e
commit 8b29b49593
8 changed files with 534 additions and 11 deletions
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -28,6 +28,15 @@
            "args": "",
            "cwd": "${workspaceFolder}/tools"
        },
+        {
+            "name": "gen_mitre_fight",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "args": "",
+            "cwd": "${fileDirname}"
+        },
        {
            "name": "gen_mitre",
            "type": "debugpy",
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
@ -551,6 +551,7 @@
          "type": "revoked-by"
        }
      ],
+      "revoked": true,
      "uuid": "76d59913-1d24-4992-a8ac-05a3eb093f71",
      "value": "Dragonfly 2.0 - G0074"
    },
@ -4045,6 +4046,7 @@
          "type": "revoked-by"
        }
      ],
+      "revoked": true,
      "uuid": "92d5b3fd-3b39-438e-af68-770e447beada",
      "value": "Charming Kitten - G0058"
    },
@ -4515,6 +4517,7 @@
          "type": "revoked-by"
        }
      ],
+      "revoked": true,
      "uuid": "7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70",
      "value": "Stolen Pencil - G0086"
    },
@ -13761,6 +13764,7 @@
          "type": "similar"
        }
      ],
+      "revoked": true,
      "uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
      "value": "MONSOON - G0042"
    },
@ -14083,6 +14087,7 @@
          "type": "revoked-by"
        }
      ],
+      "revoked": true,
      "uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
      "value": "APT34 - G0057"
    },
@ -19098,6 +19103,7 @@
          "type": "revoked-by"
        }
      ],
+      "revoked": true,
      "uuid": "dc5e2999-ca1a-47d4-8d12-a6984b138a1b",
      "value": "UNC2452 - G0118"
    },
@ -21731,5 +21737,5 @@
      "value": "TeamTNT - G0139"
    }
  ],
-  "version": 34
+  "version": 35
 }
--- a/clusters/mitre-malware.json
+++ b/clusters/mitre-malware.json
@ -1027,8 +1027,8 @@
          "Windows"
        ],
        "refs": [
-          "http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/",
-          "https://attack.mitre.org/software/S0016"
+          "https://attack.mitre.org/software/S0016",
+          "https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS"
        ],
        "synonyms": [
          "P2P ZeuS",
@ -6661,6 +6661,7 @@
          "type": "revoked-by"
        }
      ],
+      "revoked": true,
      "uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b",
      "value": "Ngrok - S9000"
    },
@ -11971,6 +11972,7 @@
          "type": "revoked-by"
        }
      ],
+      "revoked": true,
      "uuid": "310f437b-29e7-4844-848c-7220868d074a",
      "value": "Darkmoon - S0209"
    },
@ -53303,5 +53305,5 @@
      "value": "Akira - S1129"
    }
  ],
-  "version": 33
+  "version": 34
 }
--- a/schema_clusters.json
+++ b/schema_clusters.json
@ -42,6 +42,9 @@
          "uuid": {
            "type": "string"
          },
+          "revoked": {
+            "type": "boolean"
+          },
          "related": {
            "type": "array",
            "additionalProperties": false,
--- a/tools/gen_mitre.py
+++ b/tools/gen_mitre.py
@ -175,8 +175,8 @@ for domain in domains:
            # handle deprecated and/or revoked
            # if 'x_mitre_deprecated' in item and item['x_mitre_deprecated']:
            #     value['deprecated'] = True
-            # if 'revoked' in item and item['revoked']:
-            #     value['revoked'] = True
+            if 'revoked' in item and item['revoked']:
+                value['revoked'] = True

            if 'external_references' in item:
                for reference in item['external_references']:
--- a/tools/gen_mitre_fight.py
+++ b/tools/gen_mitre_fight.py
@ -0,0 +1,317 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#    A simple convertor of the MITRE FiGHT to a MISP Galaxy datastructure.
+#    Copyright (C) 2024 Christophe Vandeplas
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from bs4 import BeautifulSoup
+from markdown import markdown
+import json
+import os
+import re
+import requests
+import uuid
+import yaml
+from pymispgalaxies import Cluster, Galaxy
+
+uuid_seed = '8666d04b-977a-434b-82b4-f36271ec1cfb'
+
+fight_url = 'https://fight.mitre.org/fight.yaml'
+
+galaxy_type = "mitre-fight"
+galaxy_description = 'MITRE Five-G Hierarchy of Threats (FiGHT™) is a globally accessible knowledge base of adversary tactics and techniques that are used or could be used against 5G networks.'
+galaxy_source = 'https://fight.mitre.org/'
+
+
+r = requests.get(fight_url)
+fight = yaml.safe_load(r.text)
+
+# with open('fight.yaml', 'w') as f:
+#     f.write(r.text)
+# with open('fight.yaml', 'r') as f:
+#     fight = yaml.safe_load(f)
+
+
+mitre_attack_pattern = Cluster('mitre-attack-pattern')
+
+
+def find_mitre_uuid_from_technique_id(technique_id):
+    try:
+        return mitre_attack_pattern.get_by_external_id(technique_id).uuid
+    except KeyError:
+        print("No MITRE UUID found for technique_id: ", technique_id)
+        return None
+
+
+def clean_ref(text: str) -> str:
+    '''
+    '<a name="1"> \\[1\\] </a> [5GS Roaming Guidelines Version 5.0 (non-confidential), NG.113-v5.0, GSMA, December 2021](https://www.gsma.com/newsroom/wp-content/uploads//NG.113-v5.0.pdf)'
+    '''
+    html = markdown(text.replace('](', ' - ').replace(')', ' ').replace(' [', ''))
+    soup = BeautifulSoup(html, 'html.parser')
+    return soup.get_text().strip()
+
+
+def save_galaxy_and_cluster(json_galaxy, json_cluster, galaxy_fname):
+    # save the Galaxy and Cluster file
+    with open(os.path.join('..', 'galaxies', galaxy_fname), 'w') as f:
+        # sort_keys, even if it breaks the kill_chain_order , but jq_all_the_things requires sorted keys
+        json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
+        f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+    with open(os.path.join('..', 'clusters', galaxy_fname), 'w') as f:
+        json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
+        f.write('\n')  # only needed for the beauty and to be compliant with jq_all_the_things
+
+
+# tactics
+tactics = {}   # key = ID, value = tactic
+for item in fight['tactics']:
+    tactics[item['id']] = item['name'].replace(' ', '-')
+
+#
+# techniques
+#
+technique_galaxy_name = "MITRE FiGHT Techniques"
+technique_cluster = Cluster({
+    'authors': ["MITRE"],
+    'category': 'attack-pattern',
+    'name': technique_galaxy_name,
+    'description': galaxy_description,
+    'source': galaxy_source,
+    'type': galaxy_type,
+    'uuid': "6a1fa29f-85a5-4b1c-956b-ebb7df314486",
+    'version': 1
+})
+
+for item in fight['techniques']:
+    technique_string = item['name'].strip().lower()
+    element = {
+        'value': item['name'].strip(),
+        'description': item['description'].strip(),
+        'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['id'])),
+        'meta': {
+            'kill_chain': [],
+            'refs': [f"https://fight.mitre.org/techniques/{item['id']}"],
+            'external_id': item['id']
+        },
+        'related': []
+    }
+    keys_to_skip = ['id', 'name', 'references', 'tactics', 'description']
+    for keys in item.keys():
+        if keys not in keys_to_skip:
+            element['meta'][keys] = item[keys]
+
+    if 'https://attack.mitre.org/techniques/' in item['description']:
+        # extract the references from the description
+        # add it as ref and build the relationship to the technique using uuid
+        url = re.search(r'(https?://[^\)]+)/(T[^\)]+)', item['description'])
+        if url:
+            extracted_url = url.group(0)
+            element['meta']['refs'].append(extracted_url)
+            technique_uuid = find_mitre_uuid_from_technique_id(url.group(2).replace('/', '.'))
+            if technique_uuid:
+                element['related'].append({
+                    'dest-uuid': technique_uuid,
+                    'type': 'related-to'
+                })
+            else:
+                print("WARNING: No MITRE UUID found for technique_id: ", url.group(2))
+        pass
+
+    try:
+        for ref in item['references']:
+            element['meta']['refs'].append(clean_ref(ref))
+    except KeyError:
+        pass
+
+    for tactic in item['tactics']:
+        element['meta']['kill_chain'].append(f"fight:{tactics[tactic]}")
+
+    for mitigation in item['mitigations']:
+        element['meta']['refs'].append(f"https://fight.mitre.org/mitigations/{mitigation['fgmid']}")
+        # add relationship
+        element['related'].append({
+            'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), mitigation['fgmid'])),
+            'type': 'mitigated-by'
+        })
+
+    for detection in item['detections']:
+        element['meta']['refs'].append(f"https://fight.mitre.org/data%20sources/{detection['fgdsid']}")
+        # add relationship
+        element['related'].append({
+            'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), detection['fgdsid'])),
+            'type': 'detected-by'
+        })
+
+    try:
+        element['related'].append({
+            'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['subtechnique-of'])),
+            'type': 'subtechnique-of'
+        })
+    except KeyError:
+        pass
+
+    element['meta']['refs'] = list(set(element['meta']['refs']))
+    element['meta']['refs'].sort()
+
+    technique_cluster.append(element, skip_duplicates=True)
+
+technique_cluster.save('mitre-fight-techniques')
+
+for cluster, duplicate in technique_cluster.duplicates:
+    print(f"Skipped duplicate: {duplicate} in cluster {cluster}")
+
+kill_chain_tactics = technique_cluster.get_kill_chain_tactics()
+
+
+try:
+    technique_galaxy = Galaxy('mitre-fight-techniques')
+    # check if new kill_chain_tactics are present, add them if needed
+    for key, values in kill_chain_tactics.items():
+        if key not in technique_galaxy.kill_chain_order:
+            technique_galaxy.kill_chain_order[key] = []
+        for value in values:
+            if key not in technique_galaxy.kill_chain_order:
+                print(f"New kill_chain_tactic found: {key}:{value}")
+                technique_galaxy.kill_chain_order.append(tactic)
+except (KeyError, FileNotFoundError):
+    technique_galaxy = Galaxy({
+        'description': galaxy_description,
+        'icon': "map",
+        'kill_chain_order': kill_chain_tactics,
+        'name': technique_galaxy_name,
+        'namespace': "mitre",
+        'type': galaxy_type,
+        'uuid': "c22c8c18-0ccd-4033-b2dd-804ad26af4b9",
+        'version': 1
+    })
+
+technique_galaxy.save('mitre-fight-techniques')
+
+
+#
+# mitigations
+#
+mitigation_galaxy_name = "MITRE FiGHT Mitigations"
+mitigation_cluster = Cluster({
+    'authors': ["MITRE"],
+    'category': 'mitigation',
+    'name': mitigation_galaxy_name,
+    'description': galaxy_description,
+    'source': galaxy_source,
+    'type': galaxy_type,
+    'uuid': "fe20707f-2dfb-4436-8520-8fedb8c79668",
+    'version': 1
+})
+
+for item in fight['mitigations']:
+    element = {
+        'value': item['name'].strip(),
+        'description': item['description'].strip(),
+        'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['id'])),
+        'meta': {
+            'kill_chain': [],
+            'refs': [f"https://fight.mitre.org/mitigations/{item['id']}"],
+            'external_id': item['id']
+        },
+        'related': []
+    }
+    # rel to techniques
+    for technique in item['techniques']:
+        element['related'].append({
+            'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), technique)),
+            'type': 'mitigates'
+        })
+    mitigation_cluster.append(element, skip_duplicates=True)
+
+mitigation_cluster.save('mitre-fight-mitigations')
+
+for cluster, duplicate in mitigation_cluster.duplicates:
+    print(f"Skipped duplicate: {duplicate} in cluster {cluster}")
+
+try:
+    mitigation_galaxy = Galaxy('mitre-fight-mitigations')
+except (KeyError, FileNotFoundError):
+    mitigation_galaxy = Galaxy({
+        'description': galaxy_description,
+        'icon': "shield-alt",
+        'name': mitigation_galaxy_name,
+        'namespace': "mitre",
+        'type': galaxy_type,
+        'uuid': "bcd85ca5-5ed7-4536-bca6-d16fb51adf55",
+        'version': 1
+    })
+
+mitigation_galaxy.save('mitre-fight-mitigations')
+
+#
+# data sources / detections
+#
+detection_galaxy_name = "MITRE FiGHT Data Sources"
+detection_cluster = Cluster({
+    'authors': ["MITRE"],
+    'category': 'data-source',
+    'name': detection_galaxy_name,
+    'description': galaxy_description,
+    'source': galaxy_source,
+    'type': galaxy_type,
+    'uuid': "fb4410a1-5a39-4b30-934a-9cdfbcd4d2ad",
+    'version': 1
+})
+
+for item in fight['data sources']:
+    element = {
+        'value': item['name'].strip(),
+        'description': item['description'].strip(),
+        'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['id'])),
+        'meta': {
+            'kill_chain': [],
+            'refs': [f"https://fight.mitre.org/data%sources/{item['id']}"],
+            'external_id': item['id']
+        },
+        'related': []
+    }
+    # rel to techniques
+    for technique in item['techniques']:
+        element['related'].append({
+            'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), technique)),
+            'type': 'detects'
+        })
+    detection_cluster.append(element, skip_duplicates=True)
+
+detection_cluster.save('mitre-fight-datasources')
+
+for cluster, duplicate in detection_cluster.duplicates:
+    print(f"Skipped duplicate: {duplicate} in cluster {cluster}")
+
+try:
+    detection_galaxy = Galaxy('mitre-fight-datasources')
+except (KeyError, FileNotFoundError):
+    detection_galaxy = Galaxy({
+        'description': galaxy_description,
+        'icon': "bell",
+        'name': detection_galaxy_name,
+        'namespace': "mitre",
+        'type': galaxy_type,
+        'uuid': "4ccc2400-55e4-42c2-bb8d-1d41883cef46",
+        'version': 1
+    })
+
+detection_galaxy.save('mitre-fight-datasources')
+
+
+print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
--- a/tools/requirements.txt
+++ b/tools/requirements.txt
@ -1,5 +1,7 @@
-
-pdfplumber==0.11.0
+pdfplumber==0.11.1
 graphviz==0.20.3
-requests==2.32.2
-
+requests==2.32.3
+PyYAML==6.0.1
+beautifulsoup4==4.12.3
+Markdown==3.6
+PyMISPGalaxies @ git+https://github.com/MISP/PyMISPGalaxies.git