Merge pull request #102 from Delta-Sierra/master

delete x_ prefix from mitre_attack_pattern
pull/104/head
Alexandre Dulaunoy 2017-10-26 10:36:02 +02:00 committed by GitHub
commit aed963c52d
15 changed files with 6124 additions and 4481 deletions

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,10 +1,15 @@
{
"name": "Tool",
"authors": [
"MITRE"
],
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"source": "https://github.com/mitre/cti",
"version": 4,
"values": [
{
"value": "at",
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe",
"meta": {
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
@ -12,14 +17,14 @@
"synonyms": [
"at",
"at.exe"
]
}
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
"value": "at",
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe"
},
{
"value": "route",
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe",
"meta": {
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
@ -27,25 +32,25 @@
"synonyms": [
"route",
"route.exe"
]
}
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
},
"value": "route",
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe"
},
{
"value": "Tasklist",
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
}
},
"value": "Tasklist",
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]"
},
{
"value": "Windows Credential Editor",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"meta": {
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
@ -53,14 +58,14 @@
"synonyms": [
"Windows Credential Editor",
"WCE"
]
}
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"value": "Windows Credential Editor",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE"
},
{
"value": "schtasks",
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe",
"meta": {
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
@ -68,34 +73,35 @@
"synonyms": [
"schtasks",
"schtasks.exe"
]
}
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
"value": "schtasks",
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe"
},
{
"value": "UACMe",
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
}
},
"value": "UACMe",
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]"
},
{
"value": "ifconfig",
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
}
},
"value": "ifconfig",
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]"
},
{
"value": "Mimikatz",
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
@ -103,39 +109,38 @@
"https://github.com/gentilkiwi/mimikatz"
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
}
},
"value": "Mimikatz",
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]"
},
{
"value": "xCmd",
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
}
},
"value": "xCmd",
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]"
},
{
"value": "Systeminfo",
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: Systeminfo, systeminfo.exe",
"meta": {
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"Systeminfo",
"systeminfo.exe"
]
}
"systeminfo.exe",
"Systeminfo"
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"value": "Systeminfo",
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: systeminfo.exe, Systeminfo"
},
{
"value": "netsh",
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe",
"meta": {
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
@ -143,14 +148,14 @@
"synonyms": [
"netsh",
"netsh.exe"
]
}
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"value": "netsh",
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe"
},
{
"value": "dsquery",
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"meta": {
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
@ -158,73 +163,73 @@
"synonyms": [
"dsquery",
"dsquery.exe"
]
}
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
},
"value": "dsquery",
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe"
},
{
"value": "gsecdump",
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"http://www.truesec.com/Tools/Tool/gsecdump%20v2.0b5"
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
}
},
"value": "gsecdump",
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]"
},
{
"value": "Ping",
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: Ping, ping.exe",
"meta": {
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"Ping",
"ping.exe"
]
}
"ping.exe",
"Ping"
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
"value": "Ping",
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: ping.exe, Ping"
},
{
"value": "Fgdump",
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
}
},
"value": "Fgdump",
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]"
},
{
"value": "Lslsass",
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
}
},
"value": "Lslsass",
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]"
},
{
"value": "Pass-The-Hash Toolkit",
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
}
},
"value": "Pass-The-Hash Toolkit",
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]"
},
{
"value": "FTP",
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe",
"meta": {
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
@ -232,14 +237,14 @@
"synonyms": [
"FTP",
"ftp.exe"
]
}
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
"value": "FTP",
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe"
},
{
"value": "ipconfig",
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe",
"meta": {
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
@ -247,14 +252,29 @@
"synonyms": [
"ipconfig",
"ipconfig.exe"
]
}
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"value": "ipconfig",
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"synonyms": [
"certutil",
"certutil.exe"
],
"uuid": "3e205e84-9f90-4b4b-8896-c82189936a15"
},
"value": "certutil",
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.[[Citation: TechNet Certutil]]\n\nAliases: certutil, certutil.exe"
},
{
"value": "nbtstat",
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe",
"meta": {
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
@ -262,14 +282,14 @@
"synonyms": [
"nbtstat",
"nbtstat.exe"
]
}
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
"value": "nbtstat",
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe"
},
{
"value": "HTRAN",
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"meta": {
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
@ -277,14 +297,14 @@
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
}
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
"value": "HTRAN",
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool"
},
{
"value": "netstat",
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe",
"meta": {
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
@ -292,36 +312,36 @@
"synonyms": [
"netstat",
"netstat.exe"
]
}
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"value": "netstat",
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe"
},
{
"value": "pwdump",
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
}
},
"value": "pwdump",
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]"
},
{
"value": "Cachedump",
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
}
},
"value": "Cachedump",
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry.[[Citation: Mandiant APT1]]"
},
{
"value": "Net",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"meta": {
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
@ -330,12 +350,13 @@
"synonyms": [
"Net",
"net.exe"
]
}
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"value": "Net",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe"
},
{
"value": "PsExec",
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
@ -343,13 +364,12 @@
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
}
},
"value": "PsExec",
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]"
},
{
"value": "Arp",
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe",
"meta": {
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
@ -357,51 +377,57 @@
"synonyms": [
"Arp",
"arp.exe"
]
}
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
"value": "Arp",
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe"
},
{
"value": "cmd",
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe",
"meta": {
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx",
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx"
"https://technet.microsoft.com/en-us/library/cc755121.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx",
"https://technet.microsoft.com/en-us/library/bb490880.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
]
}
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"value": "cmd",
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"uuid": "3da22160-12d9-4d27-a99f-338e8de3844a"
},
"value": "Cobalt Strike",
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[[Citation: cobaltstrike manual]]\n\nThe list of techniques below focuses on Cobalt Strikes ATT&CK-relevant tactics."
},
{
"value": "Reg",
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe",
"meta": {
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://technet.microsoft.com/en-us/library/cc732643.aspx"
],
"synonyms": [
"Reg",
"reg.exe"
]
}
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"value": "Reg",
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe"
}
],
"type": "mitre-tool",
"authors": [
"MITRE"
],
"version": 2,
"source": "https://github.com/mitre/cti",
"name": "Tool",
"description": "Name of ATT&CK software",
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
}

View File

@ -1,8 +1,8 @@
{
"version": 3,
"description": "ATT&CK Tactic",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"version": 4,
"type": "mitre-attack-pattern",
"name": "Attack Pattern",
"icon": "map",
"description": "ATT&CK Tactic"
"icon": "map"
}

View File

@ -1,8 +1,8 @@
{
"uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e",
"version": 5,
"icon": "chain",
"name": "Course of Action",
"description": "ATT&CK Mitigation",
"type": "mitre-course-of-action",
"icon": "chain",
"version": 4
"uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e"
}

View File

@ -1,8 +1,8 @@
{
"type": "mitre-intrusion-set",
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"description": "Name of ATT&CK Group",
"version": 5,
"version": 6,
"icon": "user-secret",
"type": "mitre-intrusion-set",
"name": "Intrusion Set"
}

View File

@ -1,8 +1,8 @@
{
"version": 3,
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"description": "Name of ATT&CK software",
"type": "mitre-malware",
"version": 4,
"name": "Malware",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"icon": "optin-monster",
"type": "mitre-malware"
"description": "Name of ATT&CK software"
}

View File

@ -2,7 +2,7 @@
"name": "Tool",
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
"icon": "gavel",
"version": 3
"version": 4,
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649"
}

View File

@ -29,9 +29,9 @@ for element in os.listdir('.'):
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['x_mitre_data_sources'] = temp['x_mitre_data_sources']
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['x_mitre_platforms'] = temp['x_mitre_platforms']
value['meta']['mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
@ -41,6 +41,7 @@ galaxy['type'] = "mitre-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "c4e851fa-775f-11e7-8163-b774922098cd"
galaxy['version'] = args.version
galaxy['icon'] = "map"
cluster = {}
cluster['name'] = "Attack Pattern"

View File

@ -33,6 +33,7 @@ galaxy['type'] = "mitre-course-of-action"
galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "6fcb4472-6de4-11e7-b5f7-37771619e14e"
galaxy['version'] = args.version
galaxy['icon'] = "chain"
cluster = {}
cluster['name'] = "Course of Action"

View File

@ -38,6 +38,7 @@ galaxy['type'] = "mitre-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1023f364-7831-11e7-8318-43b5531983ab"
galaxy['version'] = args.version
galaxy['icon'] = "user-secret"
cluster = {}
cluster['name'] = "intrusion Set"

View File

@ -39,6 +39,7 @@ galaxy['type'] = "mitre-malware"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "d752161c-78f6-11e7-a0ea-bfa79b407ce4"
galaxy['version'] = args.version
galaxy['icon'] = "optin-monster"
cluster = {}
cluster['name'] = "Malware"

View File

@ -39,6 +39,7 @@ galaxy['type'] = "mitre-tool"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "d5cbd1a2-78f6-11e7-a833-7b9bccca9649"
galaxy['version'] = args.version
galaxy['icon'] = "gavel"
cluster = {}
cluster['name'] = "Tool"