mitre-assistant
A custom, more useful, and much cooler MITRE-CTI-CLIENT.
# Assumes you have installed the rust tool chain
# and that you have the `cargo` package manager
#
# Preferably use rust stable channel
#
W.I.P - Status
- Mitre Enterprise Matrix
- Mitre Mobile Matrix
- Mitre Pre-Attack Matrix
- Linux - 64bit
- MacOS - 64bit
- Windows - 64bit
- Data Interchange Format
- CSV
- JSON
- Exports
- CSV
- JSON
- Rich Web
Getting Started
You got 3 ways to start using this bad-boy
:
1. You can go to the releases section, download the pre-compiled binary for your os. Note: I only provide Debian on Linux
2. If you already have rust stable toolchain installed, then simply use cargo install mitre-assistant
3. Or, if you just love building from source, follow the instructions in the build from source section
below.
Releases - Binaries
Head over to the releases section and download the binary for your OS. However, note, I am only supporting binaries for 64 bit versions of:
- MacOS
- Debian
- Windows
Build From Source
If you use a different Linux distro, install the rust toolchain, preferably the stable channel, and follow these steps:
Step 1 - Clone this repo
Step 2 - Navigate into the repo
Step 3 - Build/Compile
Step 4 - Move your fresh binary to a system path
In this step, if you wanna call the executable from anywhere, add it to your system path or executable path - i.e., /usr/bin
How to Update with new releases?
Note: Because this tool is being actively developed,
it is recommended to always use the `baseline` subcommand
to ensure the dev changes made to the custom JSON database
are in effect.
Most of the changes being made until I reach v.1.0 will affect the JSON file produced by this tool. This is because I am exploring how to arrange the data for the outcomes I am pursuing.
So always ensure you run the baseline
subcommand after you install or download a new version of the tool, for now.
Why are you doing this?
I work in the Security industry for a provider, my work hinges a lot on this resource from The Mitre Corporation. At some point, if you are like me, you will observe the poor and ridiculous amount of time that is needed to create custom datasets from that resource and collaborate across teams to get into serious work. This helps me not waste time on silly things - i.e., clicking on some website, or asking important questions so I can incorporate the matrix into some form of tactical plans to defend my network, or support new strategies while working with others.
Why not use other existing community tools for this?
I have seen them, used them, and appreciate those that are writing their own. In the end, I am not gonna wait for anyone to do things the way I need them.
Usage
This is a modular tool. The main concept of using this tool is:
(1) (2) (3)
| | |
| | |
[ Extract ]-------------[ Transform ]---------------[ Load ]
| | |
| | |
| | |
v v v
Download A Matrix Baseline The Matrix Search - Ask your question
Help Menu
Building from the above concept, let's get into using this bad-boy.
>> ./target/release/mitre-assistant
|
&
)
Download
Use the download
subcommand to get started, you can specific which matrix to download by using any of the keywords: enterprise
or mobile
or pre-attack
# Assumes you want to download the `enterprise` matrix
#
# Output
===========================================================================================
===========================================================================================
| )
Baseline
Use the baseline
subcommand after you download your matrix to create the custom database that is required before you conduct your searches.
You baseline a matrix with any of the keywords: enterprise
or mobile
or pre-attack
#Output
| )
Search
Now you are ready to search your matrix.
You have to tell the search subcommand
which matrix it is going to work with by using:
- the
-m
parameter followed by the name of the matrix - the
-t
parameter to provide your search term.
Search Terms
TERM | MATRIX | PURPOSE |
---|---|---|
datasources |
enterprise | Returns all datasources from the matrix |
deprecated |
enterprise | Returns all the deprecated techniques from the matrix |
platforms |
enterprise | Returns all the platforms (operating systems) from the matrix |
nodatasources |
enterprise | Returns all techniques or subtechniques without datasources |
nosub |
enterprise | Returns all the active techniques which do not have/use subtechniques |
revoked |
enterprise | Returns all of the technique id & name references revoked by Mitre |
stats |
enterprise | Returns an overview of uniq counts and total counts of key data elements |
subtechniques |
enterprise | Returns all subtechniques from the matrix |
techniques |
enterprise | Returns all techniques from the matrix |
tactics |
enterprise | Returns all tactics from the matrix |
initial-access |
enterprise | Returns all techniques in the Initial Access Tactic |
execution |
enterprise | Returns all techniques in the Execution Tactic |
persistence |
enterprise | Returns all techniques in the Persistence Tactic |
privilege-escalation |
enterprise | Returns all techniques in the Privilege Escalation Tactic |
defense-evasion |
enterprise | Returns all techniques in the Defense Evasion Tactic |
credential-access |
enterprise | Returns all techniques in the Credential Access Tactic |
discovery |
enterprise | Returns all techniques in the Discovery Tactic |
lateral-movement |
enterprise | Returns all tecniques in Lateral Movement Tactic |
collection |
enterprise | Returns all techniques in the Collection Tactic |
command-and-control |
enterprise | Returns all techniques in the Command And Control Tactic |
exfiltration |
enterprise | Returns all techniques in the Exfiltration Tactic |
impact |
enterprise | Returns all techniques in the Impact Tactic |
aws |
enterprise | Returns all techniques in the AWS Platform |
azure |
enterprise | Returns all techniques in the AZURE Platform |
azure-ad |
enterprise | Returns all techniques in the AZURE-AD Platform |
gcp |
enterprise | Returns all techniques in the GCP Platform |
linux |
enterprise | Returns all techniques in the LINUX Platform |
macos |
enterprise | Returns all techniques in the MACOS Platform |
office-365 |
enterprise | Returns all techniques in the OFFICE-365 Platform |
saas |
enterprise | Returns all techniques in the SAAS Platform |
windows |
enterprise | Returns all techniques in the WINDOWS Platform |
Searching The Enterprise Matrix For An Overview Stats Summary
You use the keyword stats
in your search term, like this
# Assumed you want the summary of items in the matrix
#
TECHNIQUES | SUBTECHNIQUES |
---|---|
TACTICS - TECHNIQUES | TACTICS - SUBTECHNIQUES |
---|---|
Searching The Enterprise Matrix For Techniques By Name
By default, searching by the name of a technique is offered with a partial match. Whereas, searching by technique id is a full match.
This means, you can search for techniques by name entering strings that may be incomplete, and the tool finds all references to your input.
Let's take a look at this example, where we search for any technique that has the word boot
# Assumes you want to search for techniques
# that have the word `boot`
#
The command above results in the image below, notice how the word boot
matches across different techniques.
Searching The Enterprise Matrix For A Single Technique By ID
# Assumes you want to search/query the enterprise matrix
# All terms must be enclosed by double-quotes
#
Searching The Enterprise Matrix For Many Techniques By ID
Cool, now you just have to add a comma ,
in your term and launch it again, dead-simple!
# Assumes you want to search for techniques: T1021 & T1048
#
Searching The Enterprise Matrix & Displaying The Subtechniques
Another cool thing here is display the subtechniques
for your query by using:
- the
-s
flag after your query
# Assumes you want to see the Subtechniques for T1021
Searching The Enterprise Matrix By Tactic*
You can ask the tool to give you all the techniques for a specific Mitre Tactic
. You need to follow the convention used in the tool to get the right tactic.
This section describes how you can quickly ramp up on using tactic queries.
Step 1: List of the Tactics in the Matrix
- the
-t
parameter with the termtactics
# Assumes you want to know the Tactics
#
# Output
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
Step 2: Search By Tactic
Now you can use any of the tactics above in your search query, like this:
- the
-t
parameter with the term{{ tactic_name }}
# Assumes you want to search by the `initial-access` tactic
#
Searching For The Revoked Techniques
Revoked techniques seem to be those that are discontinued and re-arranged now into subtechniques. You can search for the ones revoked
in the matrix by using a keyword in your search term:
- the
-t
parameters with the termrevoked
# Assumes you want to see the Revoked Techniques
#
Searching For The Deprecated Techniques
Deprecated techniques seem to be those that are no longer valid and used in a mtrix. You can search for the ones deprecated
in the matrix by using a keyword in your search term:
- the
-t
parameter with the termdeprecated
# Assumes you want to see the Deprecated Techniques
#
Searching For The Tactics/KillChains
Tactics are well, I guess a higher level object where the techniques are organized into. Read their website.
- the
-t
parameter with the termtactics
# Assumes you want to see the All Tactics/KillChains
# for the enterprise matrix
#
Searching For The Platforms
Platforms are the relevant operating systems where a technique is exercised or abused by an adversary. To get the platforms in the enterprise matrix use the keyword platforms
.
- the
-t
parameter with the termplatforms
# Assumes you want to see the All Platforms
# for the enterprise matrix
#
Searching The Enterprise Matrix For All Techniques By Platform
You can ask the tool to give you all the active techniques based on a specific platform, like this.
- the
-t
parameter with the term{{ platform_name }}
# Assumes you want to see the All Techniques By The Linux Platform
#
The query above produces the image below, notice how the PLATFORMS
column denotes the platform you wanted.
Searching For The Datasources
Protip:
1. Do not follow Mitre blindly, you need to curate their content
and organize it.
Example:
1. DLL Monitoring & Loaded DLLs
Mitre currently has these two datasources, what does this mean?
To me in the security Space, there's only one source, not two.
Datasources are a non-concrete description by Mitre that seems to suggest the context of evidence needed to be successful at pursuing visibility or detection capabilities for the given technique. This query gets you the datasources as provided by Mitre in their CTI github
- the
-t
parameters with the termdatasources
# Assumes you want to see the All Datasources
# for the enterprise matrix
#
Searching Datasources With Cross References: Experimental
At this moment, v.0.0.10 and above allow for experimental cross-references of datasources and platforms
, as well as, tactics
.
This experiment is to understand, based on the suggested datasources by Mitre, where do they fit according to the platforms or tactics.
SPECIAL NOTE: The queries for cross-references only compute counts against the Active Techniques
total. No Subtechniques are taken into account, yet.
To launch a cross-reference query you use a prefix in your term - xref:
, let's look at an example
- the
-t
parameters with the termxref:datasources:{{ reference_type }}
# Assumes you want to cross-reference datasources to platforms
#
Notice the above command uses a colon ":
" character to tell the search engne this is a cross-reference query.
The above command results in the image below.
In contrast, let's launch a cross-reference query against the tactics, like this:
# Assumes you want to cross-reference datasources to tactics
#
And that now produces this image below.
Searching For Edge Cases: Techniques Without a Subtechniques
Some techniques, do not have subtechniques assigned, or as I like to thunk of it, have not been fully updated by Mitre.
Use the keyword nosub
to obtain a list of active techniques that may not have an assigned subtechnique by Mitre.
- the
-t
parameter with the termnosub
# Assumes you want to see the Techniques that do not have Subtechniques
# for the enterprise matrix
#
Searching For Edge Cases: Techniques Without a Datasource
This is the edge-case that drove to create this tool for myself. I found someone's tool incorrectly parsed the matrix and I needed to report to my management the plan of action based on data sources. This is very important for practitioners who leverage the matrix for real world tactical operations.
Reference this example: NO_DATA_SOURCE_SAMPLE
Use the keyword nodatasources
to obtain a list of active techniques that may not have an assigned datasource by Mitre.
- the
-t
parameter with the termnodatasources
# Assumes you want to see the Techniques that do not have Datasources
# for the enterprise matrix
#
Statistical Stuff
As I mentioned, my work with this matrix is at the provider level, I have to devise coverage plans, or brainstorming workshops with my fellow blue-teamers to understand what an emulation plan means in terms of effort, engineering for new content and consequently sizing our systems to increase our visibility and detection needs.
These experiments were very useful to me a couple of years ago as I started learning about the Mitre ATT&CK matrixes.
TODO: Awesome Stuff here
References
SOURCE | URL |
---|---|
Mitre CTI Github | LINK |
Kudos - RUSTACEANS
Many super kudos, to the amazing RUST Community, for their warm embrace of everyone that wants the journey. Seemingly, to all of the super creators of loved tools from python being ported into rust.