ATT&CK users can use the taxii2client Server class to instantiate a server object pointing to the framework’s public TAXII server URL, https://cti-taxii.mitre.org/taxii/:
from taxii2client.v20 import Server
import logging
logging.getLogger('taxii2client').setLevel(logging.CRITICAL)
server = Server("https://cti-taxii.mitre.org/taxii/")
Available API Roots can be referenced from the server object. API Roots are logical groupings of TAXII Channels and Collections and can be thought of as instances of the TAXII API available at different URLs, where each API Root is the “root” URL of that particular instance of the TAXII API:
server.api_roots
[<taxii2client.v20.ApiRoot at 0x20994e51670>]
api_root = server.api_roots[0]
The collections attribute of the API Root can then be used to list the available collections and to get more information about each one via its properties:
api_root.collections
[<taxii2client.v20.Collection at 0x20994e54190>, <taxii2client.v20.Collection at 0x20994e62430>, <taxii2client.v20.Collection at 0x20994e62ca0>, <taxii2client.v20.Collection at 0x20994e62100>]
for collection in api_root.collections:
    print(collection.title, "->", collection.description)
Enterprise ATT&CK -> This data collection holds STIX objects from Enterprise ATT&CK PRE-ATT&CK -> This data collection holds STIX objects from PRE-ATT&CK Mobile ATT&CK -> This data collection holds STIX objects from Mobile ATT&CK ICS ATT&CK -> This data collection holds STIX objects from ICS ATT&CK
api_root.collections[3].title
'ICS ATT&CK'
api_root.collections[3].id
'02c3ef24-9cd4-48f3-a99f-b74ce24f1d34'
ICS_ATTACK = "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"
According to the stix2 documentation, the TAXIICollectionSource API provides an interface for searching and retrieving STIX objects from a local or remote TAXII Collection endpoint. In our case, we point it at the ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/):
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection
ATTACK_STIX_COLLECTIONS = "https://cti-taxii.mitre.org/stix/collections/"
ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + "/")
TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)
Now we can query the ICS ATT&CK TAXII collection. The query method accepts a set of Filter objects; here we retrieve STIX objects of type "attack-pattern", which is how ATT&CK represents techniques:
ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter("type", "=", "attack-pattern"))
ICS_TECHNIQUES[0]
AttackPattern(type='attack-pattern', id='attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-14T15:25:32.143Z', modified='2021-10-14T15:25:32.143Z', name='Transient Cyber Asset', description='Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: NERC June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.\n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.\n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.\n\nIn the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. 
(Citation: Maroochy - MITRE - 200808)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='initial-access-ics')], revoked=False, external_references=[ExternalReference(source_name='mitre-ics-attack', url='https://collaborate.mitre.org/attackics/index.php/Technique/T0864', external_id='T0864'), ExternalReference(source_name='NERC June 2021', description=' North American Electric Reliability Corporation. (2021, June 28). Glossary of Terms Used in NERC Reliability Standards. Retrieved October 11, 2021.', url='https://www.nerc.com/files/glossary_of_terms.pdf'), ExternalReference(source_name='Maroochy - MITRE - 200808', description='Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.', url='https://www.mitre.org/sites/default/files/pdf/08%201145.pdf'), ExternalReference(source_name='NIST Apr 2013', description='National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.', url='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'), ExternalReference(source_name='NAFT Dec 2019', description='North America Transmission Forum. (2019, December). NATF Transient Cyber Asset Guidance. Retrieved September 25, 2020.', url='https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf'), ExternalReference(source_name='Emerson Exchange', description='Emerson Exchange. (n.d.). Increase Security with TPM, Secure Boot, and Trusted Boot. Retrieved September 25, 2020.', url='https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot'), ExternalReference(source_name='National Security Agency Feb 2016', description='National Security Agency. (2016, February). 
Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems. Retrieved September 25, 2020.', url='https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network Traffic: Network Flows', 'Network Traffic: Network Connections', 'Assets: Asset Inventory'], x_mitre_platforms=['Engineering Workstation'])
for TECHNIQUE in ICS_TECHNIQUES:
    print(TECHNIQUE['external_references'][0]['external_id'], "--", TECHNIQUE['name'])
T0864 -- Transient Cyber Asset T0888 -- Remote System Information Discovery T0834 -- Native API T0890 -- Exploitation for Privilege Escalation T0889 -- Modify Program T0821 -- Modify Controller Tasking T0886 -- Remote Services T0837 -- Loss of Protection T0878 -- Alarm Suppression T0806 -- Brute Force I/O T0885 -- Commonly Used Port T0810 -- Data Historian Compromise T0815 -- Denial of View T0818 -- Engineering Workstation Compromise T0866 -- Exploitation of Remote Services T0824 -- I/O Module Discovery T0826 -- Loss of Availability T0829 -- Loss of View T0849 -- Masquerading T0836 -- Modify Parameter T0840 -- Network Connection Enumeration T0844 -- Program Organization Units T0850 -- Role Identification T0851 -- Rootkit T0865 -- Spearphishing Attachment T0882 -- Theft of Operational Information T0860 -- Wireless Compromise T0802 -- Automated Collection T0875 -- Change Program State T0884 -- Connection Proxy T0811 -- Data from Information Repositories T0868 -- Detect Operating Mode T0871 -- Execution through API T0822 -- External Remote Services T0872 -- Indicator Removal on Host T0827 -- Loss of Control T0830 -- Man in the Middle T0841 -- Network Service Scanning T0845 -- Program Upload T0846 -- Remote System Discovery T0852 -- Screen Capture T0856 -- Spoof Reporting Message T0855 -- Unauthorized Command Message T0887 -- Wireless Sniffing T0800 -- Activate Firmware Update Mode T0805 -- Block Serial COM T0809 -- Data Destruction T0814 -- Denial of Service T0817 -- Drive-by Compromise T0877 -- I/O Image T0867 -- Lateral Tool Transfer T0880 -- Loss of Safety T0832 -- Manipulation of View T0833 -- Modify Control Logic T0843 -- Program Download T0848 -- Rogue Master T0881 -- Service Stop T0857 -- System Firmware T0859 -- Valid Accounts T0803 -- Block Command Message T0858 -- Change Operating Mode T0808 -- Control Device Identification T0812 -- Default Credentials T0870 -- Detect Program State T0819 -- Exploit Public-Facing Application T0823 -- Graphical User Interface 
T0883 -- Internet Accessible Device T0828 -- Loss of Productivity and Revenue T0835 -- Manipulate I/O Image T0838 -- Modify Alarm Settings T0839 -- Module Firmware T0842 -- Network Sniffing T0873 -- Project File Infection T0853 -- Scripting T0869 -- Standard Application Layer Protocol T0804 -- Block Reporting Message T0807 -- Command-Line Interface T0879 -- Damage to Property T0813 -- Denial of Control T0816 -- Device Restart/Shutdown T0820 -- Exploitation for Evasion T0874 -- Hooking T0825 -- Location Identification T0831 -- Manipulation of Control T0801 -- Monitor Process State T0861 -- Point & Tag Identification T0847 -- Replication Through Removable Media T0854 -- Serial Connection Enumeration T0862 -- Supply Chain Compromise T0863 -- User Execution
The attackcti library wraps the same TAXII/STIX workflow in a client with helper methods per ATT&CK domain. Reference: https://pypi.org/project/attackcti/
from attackcti import attack_client
lift = attack_client()
ICS_TECHNIQUES = lift.get_ics_techniques()
print("Techniques Count:", len(ICS_TECHNIQUES))
Techniques Count: 78
ICS_TECHNIQUES[0]
AttackPattern(type='attack-pattern', id='attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-14T15:25:32.143Z', modified='2021-10-14T15:25:32.143Z', name='Transient Cyber Asset', description='Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: NERC June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.\n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.\n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.\n\nIn the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. 
(Citation: Maroochy - MITRE - 200808)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='initial-access-ics')], revoked=False, external_references=[ExternalReference(source_name='mitre-ics-attack', url='https://collaborate.mitre.org/attackics/index.php/Technique/T0864', external_id='T0864'), ExternalReference(source_name='NERC June 2021', description=' North American Electric Reliability Corporation. (2021, June 28). Glossary of Terms Used in NERC Reliability Standards. Retrieved October 11, 2021.', url='https://www.nerc.com/files/glossary_of_terms.pdf'), ExternalReference(source_name='Maroochy - MITRE - 200808', description='Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.', url='https://www.mitre.org/sites/default/files/pdf/08%201145.pdf'), ExternalReference(source_name='NIST Apr 2013', description='National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.', url='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'), ExternalReference(source_name='NAFT Dec 2019', description='North America Transmission Forum. (2019, December). NATF Transient Cyber Asset Guidance. Retrieved September 25, 2020.', url='https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf'), ExternalReference(source_name='Emerson Exchange', description='Emerson Exchange. (n.d.). Increase Security with TPM, Secure Boot, and Trusted Boot. Retrieved September 25, 2020.', url='https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot'), ExternalReference(source_name='National Security Agency Feb 2016', description='National Security Agency. (2016, February). 
Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems. Retrieved September 25, 2020.', url='https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network Traffic: Network Flows', 'Network Traffic: Network Connections', 'Assets: Asset Inventory'], x_mitre_platforms=['Engineering Workstation'])
ICS_DATA_SOURCES = []
for TECHNIQUE in ICS_TECHNIQUES:
    if 'x_mitre_data_sources' in TECHNIQUE.keys():
        for DS in TECHNIQUE['x_mitre_data_sources']:
            if DS not in ICS_DATA_SOURCES:
                ICS_DATA_SOURCES.append(DS)
ICS_DATA_SOURCES
['Network Traffic: Network Flows', 'Network Traffic: Network Connections', 'Assets: Asset Inventory', 'Network Traffic: Network Traffic Content', 'Application Log: Application Log Content', 'Process: OS API Execution', 'File: File Modification', 'Asset: Software/Firmware', 'Command: Command Execution', 'Logon Session: Logon Session Creation', 'Network Share: Network Share Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Flow', 'Process: Process Creation', 'Operational Databases: Process History/Live Data', 'Operational Databases: Process/Event Alarm', 'File: File Metadata', 'Scheduled Job: Scheduled Job Metadata', 'Scheduled Job: Scheduled Job Modification', 'Service: Service Creation', 'Service: Service Metadata', 'Operational Databases: Device Alarm', 'Asset: Device Configuration/Parameters', 'Drive: Drive Modification', 'Firmware: Firmware Modification', 'Module: Module Load', 'File: File Access', 'Script: Script Execution', 'Logon Session: Logon Session Metadata', 'File: File Deletion', 'User Account: User Account Authentication', 'Windows Registry: Windows Registry Key Deletion', 'Windows Registry: Windows Registry Key Modification', 'Process: Process Termination', 'File: File Creation', 'Drive: Drive Creation']
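As an added example (not code from the notebook or from the attackcti project), the following builds on both the technique listing above and the data-source aggregation just shown: it resolves the ATT&CK ID from the 'mitre-*' reference instead of assuming external_references[0] is the ATT&CK one, drops objects marked revoked or x_mitre_deprecated (the plain "attack-pattern" query above still returns them), and inverts x_mitre_data_sources into a coverage map so a defender can see which data component covers the most techniques and which techniques list no data source at all. It runs offline on constructed sample objects shaped like the STIX dicts above; T0997 to T0999 are placeholder IDs.

```python
from collections import defaultdict

# Constructed sample ICS ATT&CK "attack-pattern" objects, shaped like the STIX
# dicts returned by TAXIICollectionSource.query / attack_client (not real data;
# T0997-T0999 are placeholder IDs).
SAMPLE_TECHNIQUES = [
    {"type": "attack-pattern", "name": "Transient Cyber Asset", "revoked": False,
     "external_references": [
         {"source_name": "mitre-ics-attack", "external_id": "T0864"},
         {"source_name": "NERC June 2021", "url": "https://example.invalid/nerc"}],
     "x_mitre_data_sources": ["Network Traffic: Network Flows", "Assets: Asset Inventory"]},
    # A third-party citation listed first: external_references[0] would be wrong here.
    {"type": "attack-pattern", "name": "Rootkit", "revoked": False,
     "external_references": [
         {"source_name": "Vendor Blog", "url": "https://example.invalid/blog"},
         {"source_name": "mitre-ics-attack", "external_id": "T0851"}],
     "x_mitre_data_sources": ["Firmware: Firmware Modification", "Assets: Asset Inventory"]},
    {"type": "attack-pattern", "name": "Revoked Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0999"}],
     "x_mitre_data_sources": ["Network Traffic: Network Flows"]},
    {"type": "attack-pattern", "name": "Deprecated Technique", "x_mitre_deprecated": True,
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0998"}]},
    {"type": "attack-pattern", "name": "Technique Without Telemetry",
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0997"}]},
]

def technique_id(obj):
    """ATT&CK ID from the 'mitre-*' reference, rather than trusting references[0]."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name", "").startswith("mitre-") and "external_id" in ref:
            return ref["external_id"]
    return None

def active_techniques(objs):
    """Drop objects flagged revoked or deprecated; the STIX feed still contains them."""
    return [o for o in objs if not o.get("revoked") and not o.get("x_mitre_deprecated")]

def data_source_coverage(objs):
    """Invert x_mitre_data_sources: data component -> technique IDs it can surface,
    plus the techniques that list no data source (no documented telemetry)."""
    coverage, uncovered = defaultdict(set), []
    for obj in active_techniques(objs):
        tid, sources = technique_id(obj), obj.get("x_mitre_data_sources", [])
        if not sources:
            uncovered.append(tid)
        for ds in sources:
            coverage[ds].add(tid)
    ranked = sorted(coverage.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return ranked, sorted(uncovered)
```

The same functions accept the stix2 AttackPattern objects returned by the queries above, since those expose the mapping interface already used by TECHNIQUE.keys() on this page.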
ICS_GROUPS = lift.get_ics_groups()
for GROUP in ICS_GROUPS:
print(GROUP['name'])
TEMP.Veles
Dragonfly 2.0
HEXANE
APT33
OilRig
Dragonfly
Sandworm Team
Lazarus Group
ALLANITE
ICS_MALWARE = lift.get_ics_malware()
for MALWARE in ICS_MALWARE:
print(MALWARE['name'])
Conficker
EKANS
Bad Rabbit
KillDisk
Industroyer
Stuxnet
REvil
Ryuk
LockerGoga
Triton
VPNFilter
PLC-Blaster
NotPetya
WannaCry
Flame
Backdoor.Oldrea
ACAD/Medre.A
BlackEnergy
Duqu