If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly (usually, the interactive graphs). Please view the post on dogesec.com for the full interactive viewing experience.

tl;dr

Software, Data Sources, Data Components, Campaigns, and more, make MITRE ATT&CK even more powerful than you might first realise. In this post I uncover the parts of ATT&CK you might not be aware of.

ATT&CK STIX objects

The ATT&CK data is built on STIX objects and structured like so;

Let's break this down by looking at each ATT&CK object type individually to show how I built this diagram;

Follow along

In this post I am going to provide queries you can use to analyse and filter MITRE ATT&CK data.

If you would like to follow along, and keep a searchable copy of ATT&CK locally, you can import the data using stix2arango.

Once you’ve installed stix2arango, you can run the following command to import v15.1 of the MITRE ATT&CK Enterprise, ICS, and Mobile data;

python3 utilities/arango_cti_processor/insert_archive_attack_enterprise.py \
    --database blog_mitre_attack_data_structure \
    --versions 15_1 && \
python3 utilities/arango_cti_processor/insert_archive_attack_ics.py \
    --database blog_mitre_attack_data_structure \
    --versions 15_1 && \
python3 utilities/arango_cti_processor/insert_archive_attack_mobile.py \
    --database blog_mitre_attack_data_structure \
    --versions 15_1

You can then use the query interface in the ArangoDB UI to run the AQL queries in this post.

Understanding the STIX objects

Properties: revoked and x_mitre_deprecated

When I started this analysis, these properties left me confused for a while (I should have read this!), so I'll start here, as you'll see all my queries use the filter;

  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true

Let's start with x_mitre_deprecated.

Later in this post I will talk about how STIX course-of-action objects represent ATT&CK Mitigations.

This was not always the case: course-of-action objects once represented techniques. These still exist in the latest bundles, as the following search (for course-of-action objects whose ATT&CK ID starts with "T") uncovers; however, note that the x_mitre_deprecated property is true for all of these objects.

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "course-of-action"
  AND doc.external_references != null 
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "T")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

This returns results including the following object;

    {
      "created": "2018-10-17T00:14:20.652Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "description": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (<code>C:\\Windows\\System32\\</code> by default) of a domain controller and/or local computer with a corresponding entry in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages</code>. (Citation: Microsoft Install Password Filter n.d)",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/mitigations/T1174",
          "external_id": "T1174"
        },
        {
          "url": "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx",
          "description": "Microsoft. (n.d.). Installing and Registering a Password Filter DLL. Retrieved November 21, 2017.",
          "source_name": "Microsoft Install Password Filter n.d"
        }
      ],
      "id": "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651",
      "modified": "2019-07-25T11:22:19.139Z",
      "name": "Password Filter DLL Mitigation",
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "spec_version": "2.1",
      "type": "course-of-action",
      "x_mitre_attack_spec_version": "2.1.0",
      "x_mitre_deprecated": true,
      "x_mitre_domains": [
        "enterprise-attack"
      ],
      "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "x_mitre_version": "1.0"
    }

If the x_mitre_deprecated property is present on an object, its value is always true.

Searching for any relationships for this x_mitre_deprecated object;

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER doc._is_latest == true
  AND (doc.source_ref == "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651" 
  OR doc.target_ref == "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651")
  SORT doc.relationship_type
  RETURN {
    id: doc.id,
    type: doc.relationship_type,
    source: doc.source_ref,
    target: doc.target_ref
  }

[
  {
    "id": "relationship--af088283-7416-466d-86f3-8b55e6d698d4",
    "type": "mitigates",
    "source": "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651",
    "target": "attack-pattern--b8c5c9dd-a662-479d-9428-ae745872537c"
  }
]

This relationship search is not important yet; its purpose will become clearer in a minute.

As I understand it, the custom x_mitre_deprecated property is used for objects that should no longer exist as an entity.

Now let's consider the revoked property.

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "attack-pattern"
  AND doc.revoked == true
  AND doc.external_references != null 
  AND IS_ARRAY(doc.external_references)
  
  // Filter for external references where external_id starts with "T"
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "T")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

    {
      "created": "2017-05-31T21:30:54.176Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "description": "If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use [Software Packing](https://attack.mitre.org/techniques/T1045) or otherwise modify the file so it has a different signature, and then re-use the malware.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1066",
          "external_id": "T1066"
        }
      ],
      "id": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6",
      "kill_chain_phases": [
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "defense-evasion"
        }
      ],
      "modified": "2022-04-25T14:00:00.188Z",
      "name": "Indicator Removal from Tools",
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "revoked": true,
      "spec_version": "2.1",
      "type": "attack-pattern",
      "x_mitre_attack_spec_version": "2.1.0",
      "x_mitre_defense_bypassed": [
        "Log analysis",
        "Host intrusion prevention systems",
        "Anti-virus"
      ],
      "x_mitre_detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.",
      "x_mitre_domains": [
        "enterprise-attack"
      ],
      "x_mitre_is_subtechnique": false,
      "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "x_mitre_platforms": [
        "Linux",
        "macOS",
        "Windows"
      ],
      "x_mitre_version": "1.0"
    }

Note that the revoked property is present here but x_mitre_deprecated is not. If the revoked property is present on an object, its value is always true.

Searching for any relationships for this revoked object;

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER doc._is_latest == true
  AND (doc.source_ref == "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6" 
  OR doc.target_ref == "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6")
  SORT doc.relationship_type
  RETURN {
    id: doc.id,
    type: doc.relationship_type,
    source: doc.source_ref,
    target: doc.target_ref
  }

[
  {
    "id": "relationship--5978c8e0-8b60-4ad5-8fc9-9fa1ee4d7387",
    "type": "mitigates",
    "source": "course-of-action--4b998a71-7b8f-4dcc-8f3f-277f2e740271",
    "target": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6"
  },
  {
    "id": "relationship--cb4015bf-e7a4-4b26-8816-1f7a996adf4f",
    "type": "revoked-by",
    "source": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6",
    "target": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92"
  }
]

Here you can see a revoked-by relationship to attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92, which is T1027.005. The ATT&CK site follows the same logic: hitting the URL for T1066 (attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6) redirects you to T1027.005 (try it: https://attack.mitre.org/techniques/T1066).

So what’s the difference between revoked and x_mitre_deprecated? I’m not entirely sure. My guess is that x_mitre_deprecated has no direct replacement, unlike revoked objects that do, as evidenced by the relationship search.

For most use cases when working with ATT&CK, it’s best to filter out objects with these properties (which I do in this post). The one exception I can think of is migrating between updates: if you’re using an object that has been revoked in an update, you should replace it with the object it was revoked-by.
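To make the filter and the migration rule concrete, here is an added Python example (not code from the original post, and not part of stix2arango) that applies the same deprecated/revoked filter to a STIX bundle held in memory and resolves a revoked object to its replacement by following the revoked-by relationship. The bundle, the object names and every UUID in it are constructed for the example, and the function names are my own.

```python
"""Filter deprecated/revoked ATT&CK objects and resolve replacements.

Added example (not code from the original post or from stix2arango). It works
on a plain STIX 2.1 bundle held as a Python dict instead of on ArangoDB, and
applies the same two filters the post's AQL queries use:

    x_mitre_deprecated != true  AND  revoked != true

For a revoked object it follows the revoked-by relationship to its replacement,
which is the migration step described above. The bundle is constructed for the
example; every UUID in it is invented.
"""
from typing import Optional

LIVE_AP = "attack-pattern--aaaa0001-0000-4000-8000-000000000001"
REVOKED_AP = "attack-pattern--aaaa0002-0000-4000-8000-000000000002"
DEPRECATED_COA = "course-of-action--bbbb0001-0000-4000-8000-000000000001"
LIVE_COA = "course-of-action--bbbb0002-0000-4000-8000-000000000002"

# Constructed sample bundle, trimmed to the properties the functions read.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--dddd0001-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "id": LIVE_AP, "name": "Indicator Removal from Tools",
         "x_mitre_is_subtechnique": True},
        # Revoked technique; a revoked-by edge below points at LIVE_AP.
        {"type": "attack-pattern", "id": REVOKED_AP, "name": "Indicator Removal from Tools",
         "x_mitre_is_subtechnique": False, "revoked": True},
        # Old per-technique mitigation: deprecated, with no replacement.
        {"type": "course-of-action", "id": DEPRECATED_COA,
         "name": "Password Filter DLL Mitigation", "x_mitre_deprecated": True},
        {"type": "course-of-action", "id": LIVE_COA, "name": "Audit"},
        {"type": "relationship", "id": "relationship--cccc0001-0000-4000-8000-000000000001",
         "relationship_type": "revoked-by", "source_ref": REVOKED_AP, "target_ref": LIVE_AP},
        # A mitigates edge that still points at the revoked technique.
        {"type": "relationship", "id": "relationship--cccc0002-0000-4000-8000-000000000002",
         "relationship_type": "mitigates", "source_ref": LIVE_COA, "target_ref": REVOKED_AP},
    ],
}


def is_active(obj: dict) -> bool:
    """The AQL filter in Python: neither deprecated nor revoked.

    Both properties only ever appear with the value true, so a missing property
    means the object is live, exactly as `!= true` on a missing attribute does.
    """
    return not obj.get("x_mitre_deprecated", False) and not obj.get("revoked", False)


def active_objects(bundle: dict) -> list[dict]:
    """Every object that survives the deprecated/revoked filter."""
    return [o for o in bundle["objects"] if is_active(o)]


def resolve_revoked(bundle: dict, stix_id: str) -> Optional[str]:
    """Return the ID to use in place of `stix_id`, or None if there is none.

    An active object resolves to itself. A revoked object follows revoked-by
    (repeatedly, in case the replacement was itself revoked in a later release).
    A deprecated object has no replacement, so it resolves to None.
    """
    by_id = {o["id"]: o for o in bundle["objects"]}
    revoked_by = {
        r["source_ref"]: r["target_ref"]
        for r in bundle["objects"]
        if r["type"] == "relationship" and r["relationship_type"] == "revoked-by"
    }
    current, seen = stix_id, set()
    while current in by_id and current not in seen:
        seen.add(current)  # guards against a cyclic revoked-by chain
        obj = by_id[current]
        if is_active(obj):
            return current
        if obj.get("revoked") and current in revoked_by:
            current = revoked_by[current]
            continue
        return None  # deprecated, or revoked without a revoked-by edge
    return None


def migrate_relationship(bundle: dict, rel: dict) -> Optional[dict]:
    """Re-point a relationship at live objects; None means it should be dropped."""
    src = resolve_revoked(bundle, rel["source_ref"])
    tgt = resolve_revoked(bundle, rel["target_ref"])
    if src is None or tgt is None:
        return None
    return {**rel, "source_ref": src, "target_ref": tgt}


if __name__ == "__main__":
    print([o["id"] for o in active_objects(BUNDLE)])
    print(resolve_revoked(BUNDLE, REVOKED_AP))
    print(resolve_revoked(BUNDLE, DEPRECATED_COA))
```

The `seen` set matters when you run this over a real bundle: a chain of revoked-by edges should always end at a live object, but the loop terminates even if the data is inconsistent.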

ATT&CK object Collection = STIX object x-mitre-collection

Found in:

  • Enterprise
  • ICS
  • Mobile

These objects include a list of all objects in the domain under the x_mitre_contents property.

To search for this object in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-collection"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Note: You can replace mitre_attack_enterprise_vertex_collection with either mitre_attack_mobile_vertex_collection or mitre_attack_ics_vertex_collection to change the ATT&CK matrix. This applies for all of the following searches too.

        {
            "type": "x-mitre-collection",
            "id": "x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019",
            "spec_version": "2.1",
            "x_mitre_attack_spec_version": "2.1.0",
            "name": "Enterprise ATT&CK",
            "x_mitre_version": "15.1",
            "description": "ATT&CK for Enterprise provides a knowledge base of real-world adversary behavior targeting traditional enterprise networks. ATT&CK for Enterprise covers the following platforms: Windows, macOS, Linux, PRE, Office 365, Google Workspace, IaaS, Network, and Containers.",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2018-01-17T12:56:55.080Z",
            "modified": "2024-05-02T14:00:00.188Z",
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_contents": [
                {
                    "object_ref": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298",
                    "object_modified": "2022-04-25T14:00:00.188Z"
                },
                {
                    "OTHER ITEMS IN LIST CUT FOR BREVITY"
                }
            ],
            "x_mitre_version": "15.1"
        }

Returns 1 Object in v15.1.

The x_mitre_contents list for Enterprise ATT&CK has thousands of entries, which I’ve cut from the object printed above (OTHER ITEMS IN LIST CUT FOR BREVITY).

To see what x-mitre-collection objects are linked to/from;

FOR doc IN mitre_attack_enterprise_edge_collection
  // parentheses are required here: AND binds tighter than OR in AQL
  FILTER (CONTAINS(doc.source_ref, "x-mitre-collection")
  OR CONTAINS(doc.target_ref, "x-mitre-collection"))
  AND doc._stix2arango_note == "v15.1"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
created-by               x-mitre-collection      identity                true
object-marking           x-mitre-collection      marking-definition      true
x_mitre_contents-object  x-mitre-collection      attack-pattern          true
x_mitre_contents-object  x-mitre-collection      campaign                true
x_mitre_contents-object  x-mitre-collection      course-of-action        true
x_mitre_contents-object  x-mitre-collection      identity                true
x_mitre_contents-object  x-mitre-collection      intrusion-set           true
x_mitre_contents-object  x-mitre-collection      malware                 true
x_mitre_contents-object  x-mitre-collection      relationship            true
x_mitre_contents-object  x-mitre-collection      tool                    true
x_mitre_contents-object  x-mitre-collection      x-mitre-data-component  true
x_mitre_contents-object  x-mitre-collection      x-mitre-data-source     true
x_mitre_contents-object  x-mitre-collection      x-mitre-matrix          true
x_mitre_contents-object  x-mitre-collection      x-mitre-tactic          true

ATT&CK object Matrix = STIX object x-mitre-matrix

Found in:

  • Enterprise
  • ICS
  • Mobile

The Matrix (x-mitre-matrix) object captures information about the Matrix for the domain being covered: Enterprise, ICS, or Mobile.

The main purpose of this object is to group the Tactic objects (x-mitre-tactic) associated with the domain.

These are similar to x-mitre-collection objects (one per domain), but they only reference the domain’s x-mitre-tactic objects (under tactic_refs) rather than every object in the domain.

To search for this object in the Enterprise domain;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-matrix"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

        {
            "tactic_refs": [
                "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
                "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400",
                "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
                "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
                "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
                "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
                "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
                "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
                "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
                "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
                "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
                "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
                "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
                "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc",
            "type": "x-mitre-matrix",
            "created": "2018-10-17T00:14:20.652Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "external_id": "enterprise-attack",
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/matrices/enterprise"
                }
            ],
            "modified": "2022-04-01T20:43:55.937Z",
            "name": "Enterprise ATT&CK",
            "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.",
            "x_mitre_version": "1.0",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1",
            "x_mitre_domains": [
                "enterprise-attack"
            ]
        }

Returns 1 Object in v15.1.

To see what relationships the x-mitre-matrix object has to/from it, you can run the search;

FOR doc IN mitre_attack_enterprise_edge_collection
  // parentheses are required here: AND binds tighter than OR in AQL
  FILTER (CONTAINS(doc.source_ref, "x-mitre-matrix")
  OR CONTAINS(doc.target_ref, "x-mitre-matrix"))
  AND doc._stix2arango_note == "v15.1"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
x_mitre_contents-object  x-mitre-collection      x-mitre-matrix          true
tactic                   x-mitre-matrix          x-mitre-tactic          true
object-marking           x-mitre-matrix          marking-definition      true
created-by               x-mitre-matrix          identity                true
x-mitre-modified-by      x-mitre-matrix          identity                true
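As an added example (not from the original post or from stix2arango), the following Python walks the two container objects the way the queries above do: it counts x_mitre_contents entries by object type (the same split on "--" that the AQL uses), resolves the matrix's tactic_refs to tactics in matrix order, and uses the object_modified timestamps to flag collection entries that no longer match the object they point at. The bundle, its UUIDs and its timestamps are all constructed for the example, and the function names are my own.

```python
"""Walk the two container objects: x-mitre-collection and x-mitre-matrix.

Added example (not code from the original post or from stix2arango). It works on
a STIX bundle held as a Python dict. The collection lists every object in the
domain under x_mitre_contents (object_ref plus the object_modified timestamp
recorded when the collection was built); the matrix only references the
domain's tactics, in matrix order, under tactic_refs. The bundle is constructed
for the example; every UUID and timestamp in it is invented.
"""
from collections import Counter

T_RECON = "x-mitre-tactic--11111111-0000-4000-8000-000000000001"
T_CRED = "x-mitre-tactic--11111111-0000-4000-8000-000000000002"
AP_SCAN = "attack-pattern--22222222-0000-4000-8000-000000000001"
COA_AUDIT = "course-of-action--33333333-0000-4000-8000-000000000001"
REL_MIT = "relationship--44444444-0000-4000-8000-000000000001"
MATRIX = "x-mitre-matrix--55555555-0000-4000-8000-000000000001"
COLLECTION = "x-mitre-collection--66666666-0000-4000-8000-000000000001"
T0 = "2024-01-01T00:00:00.000Z"

BUNDLE = {
    "type": "bundle", "id": "bundle--77777777-0000-4000-8000-000000000001",
    "objects": [
        {"type": "x-mitre-tactic", "id": T_RECON, "name": "Reconnaissance", "modified": T0,
         "x_mitre_shortname": "reconnaissance",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0043"}]},
        {"type": "x-mitre-tactic", "id": T_CRED, "name": "Credential Access", "modified": T0,
         "x_mitre_shortname": "credential-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0006"}]},
        # Modified after the collection entry below was written.
        {"type": "attack-pattern", "id": AP_SCAN, "name": "Active Scanning",
         "modified": "2024-03-01T00:00:00.000Z"},
        {"type": "course-of-action", "id": COA_AUDIT, "name": "Audit", "modified": T0},
        {"type": "relationship", "id": REL_MIT, "relationship_type": "mitigates",
         "source_ref": COA_AUDIT, "target_ref": AP_SCAN, "modified": T0},
        {"type": "x-mitre-matrix", "id": MATRIX, "name": "Enterprise ATT&CK", "modified": T0,
         "tactic_refs": [T_RECON, T_CRED]},
        {"type": "x-mitre-collection", "id": COLLECTION, "name": "Enterprise ATT&CK",
         "x_mitre_version": "15.1", "modified": T0,
         "x_mitre_contents": [
             {"object_ref": T_RECON, "object_modified": T0},
             {"object_ref": T_CRED, "object_modified": T0},
             {"object_ref": AP_SCAN, "object_modified": "2024-02-01T00:00:00.000Z"},
             {"object_ref": COA_AUDIT, "object_modified": T0},
             {"object_ref": REL_MIT, "object_modified": T0},
             {"object_ref": MATRIX, "object_modified": T0},
         ]},
    ],
}


def stix_type(stix_id: str) -> str:
    """Type prefix of a STIX ID, like SPLIT(doc.source_ref, "--")[0] in the AQL."""
    return stix_id.split("--", 1)[0]


def find_one(bundle: dict, type_name: str) -> dict:
    """The single object of a type; collection and matrix are one per domain."""
    found = [o for o in bundle["objects"] if o["type"] == type_name]
    if len(found) != 1:
        raise ValueError(f"expected exactly one {type_name}, found {len(found)}")
    return found[0]


def contents_by_type(collection: dict) -> dict[str, int]:
    """How many entries of each object type x_mitre_contents lists."""
    return dict(Counter(stix_type(e["object_ref"]) for e in collection["x_mitre_contents"]))


def matrix_tactics(bundle: dict, matrix: dict) -> list[tuple[str, str, str]]:
    """(ATT&CK ID, name, x_mitre_shortname) for each tactic, in tactic_refs order."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rows = []
    for ref in matrix["tactic_refs"]:
        tactic = by_id[ref]
        attack_id = next(r["external_id"] for r in tactic["external_references"]
                         if r["source_name"] == "mitre-attack")
        rows.append((attack_id, tactic["name"], tactic["x_mitre_shortname"]))
    return rows


def stale_entries(bundle: dict, collection: dict) -> list[str]:
    """object_refs whose object_modified no longer matches the object's modified."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [e["object_ref"] for e in collection["x_mitre_contents"]
            if by_id[e["object_ref"]]["modified"] != e["object_modified"]]


def missing_from_contents(bundle: dict, collection: dict) -> list[str]:
    """Objects in the bundle (other than the collection) that x_mitre_contents omits."""
    listed = {e["object_ref"] for e in collection["x_mitre_contents"]}
    return [o["id"] for o in bundle["objects"]
            if o["id"] != collection["id"] and o["id"] not in listed]


if __name__ == "__main__":
    coll, matrix = find_one(BUNDLE, "x-mitre-collection"), find_one(BUNDLE, "x-mitre-matrix")
    print(contents_by_type(coll))
    print(matrix_tactics(BUNDLE, matrix))
    print(stale_entries(BUNDLE, coll), missing_from_contents(BUNDLE, coll))
```

The two consistency checks are the useful part when you keep several ATT&CK versions side by side: comparing the object_modified timestamps in two collections tells you which objects changed between releases without diffing every object.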

ATT&CK object Tactic = STIX object x-mitre-tactic

Found in:

  • Enterprise
  • ICS
  • Mobile

Tactics (x-mitre-tactic) represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.

Tactics have IDs in the format: TANNNN.

For example, Tactic TA0006 Credential Access, which can be retrieved from the database as follows;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-tactic"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "TA0006"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

        {
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
            "type": "x-mitre-tactic",
            "created": "2018-10-17T00:14:20.652Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "external_id": "TA0006",
                    "url": "https://attack.mitre.org/tactics/TA0006",
                    "source_name": "mitre-attack"
                }
            ],
            "modified": "2022-04-25T14:00:00.188Z",
            "name": "Credential Access",
            "description": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.",
            "x_mitre_version": "1.0",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_shortname": "credential-access",
            "spec_version": "2.1"
        }

To search for all Tactic objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-tactic"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "TA")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 14 Objects in v15.1.

To see what x-mitre-tactic objects are linked to/from;

LET tactic_ids = (
  FOR doc IN mitre_attack_enterprise_vertex_collection
    FILTER doc._stix2arango_note == "v15.1"
    AND doc.type == "x-mitre-tactic"
    AND doc.x_mitre_deprecated != true
    AND doc.revoked != true
    AND IS_ARRAY(doc.external_references)
    LET matching_extRefs = (
      FOR extRef IN doc.external_references
        FILTER extRef.source_name == "mitre-attack"
        AND STARTS_WITH(extRef.external_id, "TA")
        RETURN extRef
    )
    FILTER LENGTH(matching_extRefs) > 0
    RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "x-mitre-tactic") OR CONTAINS(doc.target_ref, "x-mitre-tactic"))
  AND (doc.source_ref IN tactic_ids OR doc.target_ref IN tactic_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
created-by               x-mitre-tactic          identity                true
x-mitre-modified-by      x-mitre-tactic          identity                true
object-marking           x-mitre-tactic          marking-definition      true
x_mitre_contents-object  x-mitre-collection      x-mitre-tactic          true
tactic                   x-mitre-matrix          x-mitre-tactic          true

If you want to find out what is linked to a specific Tactic, you can use the following search (here I use TA0006);

LET vertexDocs = (
  FOR doc IN mitre_attack_enterprise_vertex_collection
    FILTER doc._stix2arango_note == "v15.1"
    AND doc.type == "x-mitre-tactic"
    AND doc.x_mitre_deprecated != true
    AND doc.revoked != true
    AND IS_ARRAY(doc.external_references)
    LET matching_extRefs = (
      FOR extRef IN doc.external_references
        FILTER extRef.source_name == "mitre-attack"
        AND extRef.external_id == "TA0006"
        RETURN extRef
    )
    FILTER LENGTH(matching_extRefs) > 0
    LET keys = ATTRIBUTES(doc)
    LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
    RETURN KEEP(doc, filteredKeys)
)

FOR vertexDoc IN vertexDocs
  FOR edgeDoc IN mitre_attack_enterprise_edge_collection
    FILTER edgeDoc.target_ref == vertexDoc.id OR edgeDoc.source_ref == vertexDoc.id
    LET keys = ATTRIBUTES(edgeDoc)
    LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
    RETURN KEEP(edgeDoc, filteredKeys)

Returns 5 objects in v15.1.

ATT&CK object Technique = STIX object attack-pattern

Found in:

  • Enterprise
  • ICS
  • Mobile

Techniques (attack-pattern with Custom Property "x_mitre_is_subtechnique": false) represent ‘how’ an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

Techniques have IDs in the format: TNNNN.

For example, Technique T1595 Active Scanning, which can be retrieved from the database as follows;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "attack-pattern"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "T1595"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

        {
            "x_mitre_platforms": [
                "PRE"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b",
            "type": "attack-pattern",
            "created": "2020-10-02T16:53:16.526Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1595",
                    "url": "https://attack.mitre.org/techniques/T1595"
                },
                {
                    "source_name": "Botnet Scan",
                    "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf",
                    "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020."
                },
                {
                    "source_name": "OWASP Fingerprinting",
                    "url": "https://wiki.owasp.org/index.php/OAT-004_Fingerprinting",
                    "description": "OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020."
                }
            ],
            "modified": "2022-05-11T14:00:00.188Z",
            "name": "Active Scanning",
            "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "reconnaissance"
                }
            ],
            "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
            "x_mitre_version": "1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_data_sources": [
                "Network Traffic: Network Traffic Flow",
                "Network Traffic: Network Traffic Content"
            ],
            "x_mitre_is_subtechnique": false,
            "spec_version": "2.1",
            "x_mitre_attack_spec_version": "2.1.0"
        }

Note how x_mitre_is_subtechnique = false, indicating this is not a sub-technique (sub-techniques are also represented using attack-pattern objects).

To search for all Technique objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "attack-pattern"
  AND doc.x_mitre_is_subtechnique == false
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "T")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 202 Objects in v15.1.
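To show how the technique objects above fit together, here is an added Python example (not code from the original post or from stix2arango). It indexes active attack-pattern objects by the ATT&CK ID in their mitre-attack external reference, separates techniques from sub-techniques with x_mitre_is_subtechnique, groups techniques by tactic through kill_chain_phases (the phase_name matches the tactic's x_mitre_shortname, which is how a technique is tied to its tactic in the data rather than through a relationship object), and finds a sub-technique's parent via its subtechnique-of relationship. The bundle is constructed: the STIX UUIDs are invented, the objects are trimmed to the properties the code reads, and the function names are my own.

```python
"""Index ATT&CK techniques by ID and group them by tactic.

Added example (not code from the original post or from stix2arango). Techniques
and sub-techniques are both attack-pattern objects, told apart by
x_mitre_is_subtechnique. The ATT&CK ID lives in the external_references entry
whose source_name is "mitre-attack", and the technique-to-tactic link is the
kill_chain_phases phase_name, which matches the tactic's x_mitre_shortname.
Sub-techniques hang off their parent via a subtechnique-of relationship. The
bundle is constructed for the example; its STIX UUIDs are invented.
"""
from typing import Optional

T_RECON = "x-mitre-tactic--11111111-0000-4000-8000-000000000001"
T_DEFEV = "x-mitre-tactic--11111111-0000-4000-8000-000000000002"
AP_SCAN = "attack-pattern--22222222-0000-4000-8000-000000000001"
AP_SCAN_SUB = "attack-pattern--22222222-0000-4000-8000-000000000002"
AP_REVOKED = "attack-pattern--22222222-0000-4000-8000-000000000003"


def _phase(name: str) -> dict:
    return {"kill_chain_name": "mitre-attack", "phase_name": name}


def _ref(attack_id: str) -> dict:
    return {"source_name": "mitre-attack", "external_id": attack_id,
            "url": f"https://attack.mitre.org/techniques/{attack_id}"}


BUNDLE = {"type": "bundle", "id": "bundle--33333333-0000-4000-8000-000000000001", "objects": [
    {"type": "x-mitre-tactic", "id": T_RECON, "name": "Reconnaissance",
     "x_mitre_shortname": "reconnaissance"},
    {"type": "x-mitre-tactic", "id": T_DEFEV, "name": "Defense Evasion",
     "x_mitre_shortname": "defense-evasion"},
    {"type": "attack-pattern", "id": AP_SCAN, "name": "Active Scanning",
     "x_mitre_is_subtechnique": False, "kill_chain_phases": [_phase("reconnaissance")],
     "external_references": [_ref("T1595"),
                             {"source_name": "Botnet Scan", "description": "constructed citation"}]},
    {"type": "attack-pattern", "id": AP_SCAN_SUB, "name": "Active Scanning: Scanning IP Blocks",
     "x_mitre_is_subtechnique": True, "kill_chain_phases": [_phase("reconnaissance")],
     "external_references": [_ref("T1595.001")]},
    # Revoked, so it must not appear in any index.
    {"type": "attack-pattern", "id": AP_REVOKED, "name": "Indicator Removal from Tools",
     "revoked": True, "x_mitre_is_subtechnique": False,
     "kill_chain_phases": [_phase("defense-evasion")], "external_references": [_ref("T1066")]},
    {"type": "relationship", "id": "relationship--44444444-0000-4000-8000-000000000001",
     "relationship_type": "subtechnique-of", "source_ref": AP_SCAN_SUB, "target_ref": AP_SCAN},
]}


def is_active(obj: dict) -> bool:
    """The post's filter: x_mitre_deprecated != true AND revoked != true."""
    return not obj.get("x_mitre_deprecated", False) and not obj.get("revoked", False)


def attack_id(obj: dict) -> Optional[str]:
    """The external_id of the mitre-attack external reference (T1595, TA0006, ...)."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def technique_index(bundle: dict, include_subtechniques: bool = True) -> dict[str, dict]:
    """ATT&CK ID -> attack-pattern object, active objects only."""
    index = {}
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern" or not is_active(obj):
            continue
        if obj.get("x_mitre_is_subtechnique", False) and not include_subtechniques:
            continue
        index[attack_id(obj)] = obj
    return index


def techniques_by_tactic(bundle: dict) -> dict[str, list[str]]:
    """Tactic x_mitre_shortname -> sorted ATT&CK IDs of the techniques in that tactic.

    Keys come from the tactic objects, so a tactic with no techniques still
    appears (with an empty list) rather than silently vanishing.
    """
    groups = {o["x_mitre_shortname"]: [] for o in bundle["objects"]
              if o["type"] == "x-mitre-tactic"}
    for tid, obj in technique_index(bundle, include_subtechniques=False).items():
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                groups.setdefault(phase["phase_name"], []).append(tid)
    return {k: sorted(v) for k, v in groups.items()}


def parent_technique(bundle: dict, sub_attack_id: str) -> Optional[str]:
    """Parent ATT&CK ID of a sub-technique, found via its subtechnique-of relationship."""
    index = technique_index(bundle)
    sub = index.get(sub_attack_id)
    if sub is None or not sub.get("x_mitre_is_subtechnique", False):
        return None
    for rel in bundle["objects"]:
        if (rel["type"] == "relationship" and rel["relationship_type"] == "subtechnique-of"
                and rel["source_ref"] == sub["id"]):
            parent = next((o for o in index.values() if o["id"] == rel["target_ref"]), None)
            return attack_id(parent) if parent else None
    return None


if __name__ == "__main__":
    print(sorted(technique_index(BUNDLE)))
    print(techniques_by_tactic(BUNDLE))
    print(parent_technique(BUNDLE, "T1595.001"))
```

Looking up the parent through the subtechnique-of edge rather than by chopping ".001" off the ID is deliberate: the relationship is the authoritative link in the data, and it is the one the relationship table above shows.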

To see what Technique objects are linked to/from;

LET attack_pattern_ids = (
  FOR doc IN mitre_attack_enterprise_vertex_collection
    FILTER doc._stix2arango_note != "automatically imported on collection creation"
    AND doc._stix2arango_note == "v15.1"
    AND doc.type == "attack-pattern"
    AND doc.x_mitre_is_subtechnique == false
    AND doc.x_mitre_deprecated != true
    AND doc.revoked != true
    AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "T")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      LET keys = ATTRIBUTES(doc)
      LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "attack-pattern") OR CONTAINS(doc.target_ref, "attack-pattern"))
  AND (doc.source_ref IN attack_pattern_ids OR doc.target_ref IN attack_pattern_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type   target_ref_object_type   is_property_ref
created-by               attack-pattern           identity                 true
x-mitre-modified-by      attack-pattern           identity                 true
object-marking           attack-pattern           marking-definition       true
uses                     campaign                 attack-pattern           false
mitigates                course-of-action         attack-pattern           false
uses                     intrusion-set            attack-pattern           false
uses                     malware                  attack-pattern           false
uses                     tool                     attack-pattern           false
x_mitre_contents-object  x-mitre-collection       attack-pattern           true
detects                  x-mitre-data-component   attack-pattern           false
subtechnique-of          attack-pattern           attack-pattern           false
revoked-by               attack-pattern           attack-pattern           false

If you want to find out what is linked to a specific Technique, you can use the following search (here I use T1595);

LET vertexDocs = (
  FOR doc IN mitre_attack_enterprise_vertex_collection
    FILTER doc._stix2arango_note == "v15.1"
    AND doc.type == "attack-pattern"
    AND doc.x_mitre_is_subtechnique == false
    AND doc.x_mitre_deprecated != true
    AND doc.revoked != true
    AND IS_ARRAY(doc.external_references)
    LET matching_extRefs = (
      FOR extRef IN doc.external_references
        FILTER extRef.source_name == "mitre-attack"
        AND extRef.external_id == "T1595"
        RETURN extRef
    )
    FILTER LENGTH(matching_extRefs) > 0
    LET keys = ATTRIBUTES(doc)
    LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
    RETURN KEEP(doc, filteredKeys)
)

FOR vertexDoc IN vertexDocs
  FOR edgeDoc IN mitre_attack_enterprise_edge_collection
    FILTER edgeDoc.target_ref == vertexDoc.id OR edgeDoc.source_ref == vertexDoc.id
    LET keys = ATTRIBUTES(edgeDoc)
    LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
    RETURN KEEP(edgeDoc, filteredKeys)

Returns 11 objects in v15.1.

ATT&CK object Sub-Technique = STIX object attack-pattern

Found in:

  • Enterprise
  • Mobile

Sub-Techniques (attack-pattern objects with the custom property "x_mitre_is_subtechnique": true) are more specific implementations of a Technique: each Sub-Technique is the child of exactly one parent Technique, and the link to that parent is recorded as a subtechnique-of relationship.

For example, T1595.001 Scanning IP Blocks is a Sub-Technique of Technique T1595 Active Scanning.

Sub-techniques have IDs in the format: TNNNN.NNN.

For example, Sub-Technique T1595.001 Scanning IP Blocks can be retrieved from the database as follows;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "attack-pattern"
  AND doc.x_mitre_is_subtechnique == true
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "T1595.001"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)
        {
            "x_mitre_platforms": [
                "PRE"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120",
            "type": "attack-pattern",
            "created": "2020-10-02T16:54:23.193Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1595.001",
                    "url": "https://attack.mitre.org/techniques/T1595/001"
                },
                {
                    "source_name": "Botnet Scan",
                    "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf",
                    "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020."
                }
            ],
            "modified": "2022-04-25T14:00:00.188Z",
            "name": "Scanning IP Blocks",
            "description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "reconnaissance"
                }
            ],
            "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
            "x_mitre_is_subtechnique": true,
            "x_mitre_version": "1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_data_sources": [
                "Network Traffic: Network Traffic Flow"
            ],
            "spec_version": "2.1",
            "x_mitre_attack_spec_version": "2.1.0"
        }

This time note how x_mitre_is_subtechnique = true. This flag is how Techniques and Sub-Techniques are differentiated, since both use the attack-pattern STIX type; the parent Technique is not stored on the object itself but in a subtechnique-of relationship from the Sub-Technique to its Technique (see the relationship table below).

To search for all sub-technique objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "attack-pattern"
  AND doc.x_mitre_is_subtechnique == true
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "T")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 435 Objects in v15.1.

To see what object types Sub-Technique objects are linked to/from;

LET attack_pattern_ids = (
  FOR doc IN mitre_attack_enterprise_vertex_collection
    FILTER doc._stix2arango_note != "automatically imported on collection creation"
    AND doc._stix2arango_note == "v15.1"
    AND doc.type == "attack-pattern"
    AND doc.x_mitre_is_subtechnique == true
    AND doc.x_mitre_deprecated != true
    AND doc.revoked != true
    AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "T")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      LET keys = ATTRIBUTES(doc)
      LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "attack-pattern") OR CONTAINS(doc.target_ref, "attack-pattern"))
  AND (doc.source_ref IN attack_pattern_ids OR doc.target_ref IN attack_pattern_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type   target_ref_object_type   is_property_ref
subtechnique-of          attack-pattern           attack-pattern           false
created-by               attack-pattern           identity                 true
x-mitre-modified-by      attack-pattern           identity                 true
object-marking           attack-pattern           marking-definition       true
revoked-by               attack-pattern           attack-pattern           false
mitigates                course-of-action         attack-pattern           false
uses                     malware                  attack-pattern           false
x_mitre_contents-object  x-mitre-collection       attack-pattern           true
detects                  x-mitre-data-component   attack-pattern           false
uses                     campaign                 attack-pattern           false
uses                     intrusion-set            attack-pattern           false
uses                     tool                     attack-pattern           false

If you want to find out what is linked to a specific Sub-Technique, you can use the following search (here I use T1595.001);

LET vertexDocs = (
  FOR doc IN mitre_attack_enterprise_vertex_collection
    FILTER doc._stix2arango_note == "v15.1"
    AND doc.type == "attack-pattern"
    AND doc.x_mitre_is_subtechnique == true
    AND doc.x_mitre_deprecated != true
    AND doc.revoked != true
    AND IS_ARRAY(doc.external_references)
    LET matching_extRefs = (
      FOR extRef IN doc.external_references
        FILTER extRef.source_name == "mitre-attack"
        AND extRef.external_id == "T1595.001"
        RETURN extRef
    )
    FILTER LENGTH(matching_extRefs) > 0
    LET keys = ATTRIBUTES(doc)
    LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
    RETURN KEEP(doc, filteredKeys)
)

FOR vertexDoc IN vertexDocs
  FOR edgeDoc IN mitre_attack_enterprise_edge_collection
    FILTER edgeDoc.target_ref == vertexDoc.id OR edgeDoc.source_ref == vertexDoc.id
    LET keys = ATTRIBUTES(edgeDoc)
    LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
    RETURN KEEP(edgeDoc, filteredKeys)

Returns 8 objects in v15.1.
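
The same Technique and Sub-Technique handling done in plain Python over the raw ATT&CK STIX bundle, for when you want the checks without standing up ArangoDB. This is an added example, not code from the original post and not part of stix2arango; the bundle it runs on is constructed sample data (T1595, T1595.001 and M1056 are real ATT&CK IDs, but T1595.999, every UUID and every relationship are made up for illustration), and the function names are mine. It applies the same filters as the AQL above, resolves a Sub-Technique's parent through subtechnique-of, follows revoked-by to the replacement object (the thing the revoked != true filter hides from you), and reproduces the linked to/from table for one object.

```python
import uuid

MITRE_IDENTITY = "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
TLP_MARKING = "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


def _sdo(stype, name, aid=None, **extra):
    """Minimal ATT&CK-style STIX object; constructed sample data, not real ATT&CK."""
    obj = {"type": stype, "id": f"{stype}--{uuid.uuid4()}", "name": name,
           "created_by_ref": MITRE_IDENTITY, "object_marking_refs": [TLP_MARKING], **extra}
    if aid:  # x-mitre-data-component objects in v15.1 carry no mitre-attack external_id
        obj["external_references"] = [{"source_name": "mitre-attack", "external_id": aid}]
    return obj


def _rel(rtype, src, tgt):
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "relationship_type": rtype, "source_ref": src["id"], "target_ref": tgt["id"]}


# Constructed bundle: T1595.999, every UUID and every edge is made up for illustration.
T1595 = _sdo("attack-pattern", "Active Scanning", "T1595", x_mitre_is_subtechnique=False)
T1595_001 = _sdo("attack-pattern", "Scanning IP Blocks", "T1595.001", x_mitre_is_subtechnique=True)
T1595_999 = _sdo("attack-pattern", "Revoked sample", "T1595.999", x_mitre_is_subtechnique=True, revoked=True)
M1056 = _sdo("course-of-action", "Pre-compromise", "M1056")
DC_FLOW = _sdo("x-mitre-data-component", "Network Traffic Flow")
SAMPLE_BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    T1595, T1595_001, T1595_999, M1056, DC_FLOW,
    _rel("subtechnique-of", T1595_001, T1595),  # source = child, target = parent
    _rel("revoked-by", T1595_999, T1595_001),   # source = old object, target = replacement
    _rel("mitigates", M1056, T1595_001),
    _rel("detects", DC_FLOW, T1595_001),
]}


def attack_id(obj):
    """ATT&CK ID from the mitre-attack external reference, or None."""
    return next((r.get("external_id") for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def is_active(obj):
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def techniques(bundle, sub=False):
    """{ATT&CK ID: object} for Techniques (sub=False) or Sub-Techniques (sub=True)."""
    found = {}
    for obj in bundle["objects"]:  # same tests as the AQL: type, flag, T-prefixed ID, active
        aid = attack_id(obj)
        if (obj["type"] == "attack-pattern" and aid and aid.startswith("T")
                and bool(obj.get("x_mitre_is_subtechnique", False)) == sub and is_active(obj)):
            found[aid] = obj
    return found


def _index(bundle):
    objs = {o["id"]: o for o in bundle["objects"]}
    return objs, [o for o in objs.values() if o["type"] == "relationship"]


def parent_of(bundle, sub_id):
    """Parent Technique ID via subtechnique-of, cross-checked against the TNNNN.NNN convention."""
    objs, rels = _index(bundle)
    child = next(o for o in objs.values() if attack_id(o) == sub_id)
    parents = [objs[r["target_ref"]] for r in rels
               if r["relationship_type"] == "subtechnique-of" and r["source_ref"] == child["id"]]
    if len(parents) != 1:
        raise LookupError(f"{sub_id}: expected one subtechnique-of edge, found {len(parents)}")
    parent_id = attack_id(parents[0])
    if parent_id != sub_id.split(".")[0]:
        raise ValueError(f"{sub_id}: graph says parent {parent_id}, ID prefix disagrees")
    return parent_id


def resolve_revoked(bundle, aid):
    """Follow revoked-by edges (with cycle protection) until a live object is reached."""
    objs, rels = _index(bundle)
    obj = next(o for o in objs.values() if attack_id(o) == aid)
    seen = set()
    while obj.get("revoked", False):
        seen.add(obj["id"])
        successors = [r["target_ref"] for r in rels
                      if r["relationship_type"] == "revoked-by" and r["source_ref"] == obj["id"]]
        if not successors or successors[0] in seen:
            raise LookupError(f"{attack_id(obj)} is revoked with no usable revoked-by edge")
        obj = objs[successors[0]]
    return attack_id(obj)


def linked_object_types(bundle, aid):
    """Rows like the linked to/from table: (relationship_type, source type, target type, is_property_ref).
    Embedded refs (created_by_ref, object_marking_refs) are the edges stix2arango flags _is_ref = true."""
    objs, rels = _index(bundle)
    obj = next(o for o in objs.values() if attack_id(o) == aid)
    rows = {(r["relationship_type"], r["source_ref"].split("--")[0], r["target_ref"].split("--")[0], False)
            for r in rels if obj["id"] in (r["source_ref"], r["target_ref"])}
    rows.add(("created-by", obj["type"], obj["created_by_ref"].split("--")[0], True))
    rows.update(("object-marking", obj["type"], m.split("--")[0], True)
                for m in obj.get("object_marking_refs", []))
    return rows
```

Two checks in there are worth keeping in real code: subtechnique-of must point at the object whose ID is the TNNNN prefix of the child (parent_of raises if the graph and the naming convention disagree), and revoked-by is followed as a chain with cycle protection, because an object the revoked != true filter drops has its successor recorded only in that relationship.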

ATT&CK object Mitigation = STIX object course-of-action

Found in:

  • Enterprise
  • ICS
  • Mobile

Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.

Mitigations have IDs in the format: MNNNN.

For example, Mitigation M1049 - Antivirus/Antimalware which can be retrieved from the database as follows:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "course-of-action"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "M1049"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)
        {
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
            "type": "course-of-action",
            "created": "2019-06-11T17:08:33.055Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "M1049",
                    "url": "https://attack.mitre.org/mitigations/M1049"
                }
            ],
            "modified": "2020-03-31T13:07:15.684Z",
            "name": "Antivirus/Antimalware",
            "description": "Use signatures or heuristics to detect malicious software.",
            "x_mitre_version": "1.1",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1",
            "x_mitre_attack_spec_version": "2.1.0"
        }

To search for all Mitigation objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "course-of-action"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND doc.external_references != null
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "M")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 43 Objects in v15.1.

To see what Mitigation objects are linked to/from;

LET coa_ids = (
    FOR doc IN mitre_attack_enterprise_vertex_collection
      FILTER doc._stix2arango_note != "automatically imported on collection creation"
      AND doc._stix2arango_note == "v15.1"
      AND doc.type == "course-of-action"
      AND doc.x_mitre_deprecated != true
      AND doc.revoked != true
      AND doc.external_references != null 
      AND IS_ARRAY(doc.external_references)
      // Filter for external references where external_id starts with "M"
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "M")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      LET keys = ATTRIBUTES(doc)
      LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "course-of-action") OR CONTAINS(doc.target_ref, "course-of-action"))
  AND (doc.source_ref IN coa_ids OR doc.target_ref IN coa_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type   target_ref_object_type   is_property_ref
mitigates                course-of-action         attack-pattern           false
created-by               course-of-action         identity                 true
x-mitre-modified-by      course-of-action         identity                 true
object-marking           course-of-action         marking-definition       true
x_mitre_contents-object  x-mitre-collection       course-of-action         true

ATT&CK object Group = STIX object intrusion-set

Found in:

  • Enterprise
  • ICS
  • Mobile

Groups are sets of related intrusion activity that are tracked by a common name in the security community.

Groups have IDs in the format: GNNNN.

For example, Group G0016 - APT29 which can be retrieved from the DB as follows;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "intrusion-set"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "G0016"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)
        {
            "modified": "2024-04-12T21:15:41.833Z",
            "name": "APT29",
            "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)",
            "aliases": [
                "APT29",
                "IRON RITUAL",
                "IRON HEMLOCK",
                "NobleBaron",
                "Dark Halo",
                "StellarParticle",
                "NOBELIUM",
                "UNC2452",
                "YTTRIUM",
                "The Dukes",
                "Cozy Bear",
                "CozyDuke",
                "SolarStorm",
                "Blue Kitsune",
                "UNC3524",
                "Midnight Blizzard"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_version": "6.0",
            "x_mitre_contributors": [
                "Daniyal Naeem, BT Security",
                "Matt Brenton, Zurich Insurance Group",
                "Katie Nickels, Red Canary",
                "Joe Gumke, U.S. Bank",
                "Liran Ravich, CardinalOps"
            ],
            "type": "intrusion-set",
            "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542",
            "created": "2017-05-31T21:31:52.748Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/groups/G0016",
                    "external_id": "G0016"
                }
                ...
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1"
        }

Note, the full list of external_references has been cut from the object above for brevity.

To search for all Groups in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "intrusion-set"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "G")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 149 Objects in v15.1.

To see what Group objects are linked to/from;

LET intrusion_set_ids = (
    FOR doc IN mitre_attack_enterprise_vertex_collection
      FILTER doc._stix2arango_note != "automatically imported on collection creation"
      AND doc._stix2arango_note == "v15.1"
      AND doc.type == "intrusion-set"
      AND doc.x_mitre_deprecated != true
      AND doc.revoked != true
      AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "G")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      LET keys = ATTRIBUTES(doc)
      LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "intrusion-set") OR CONTAINS(doc.target_ref, "intrusion-set"))
  AND (doc.source_ref IN intrusion_set_ids OR doc.target_ref IN intrusion_set_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type   target_ref_object_type   is_property_ref
uses                     intrusion-set            attack-pattern           false
created-by               intrusion-set            identity                 true
x-mitre-modified-by      intrusion-set            identity                 true
uses                     intrusion-set            malware                  false
object-marking           intrusion-set            marking-definition       true
uses                     intrusion-set            tool                     false
x_mitre_contents-object  x-mitre-collection       intrusion-set            true
revoked-by               intrusion-set            intrusion-set            false
attributed-to            campaign                 intrusion-set            false

ATT&CK object Software = STIX object malware

Found in:

  • Enterprise
  • ICS
  • Mobile

Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK.

ATT&CK represents Software using two STIX types. A malware object is Software built to carry out malicious intent; Software that was built for a benign purpose but is used maliciously is represented as a tool object instead (covered in the next section).

Software (Malware) has IDs in the format: SNNNN.

For example, Software S0331 - Agent Tesla can be retrieved from the database as follows;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "malware"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "S0331"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)
        {
            "modified": "2023-09-11T20:13:18.738Z",
            "name": "Agent Tesla",
            "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)",
            "x_mitre_platforms": [
                "Windows"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_version": "1.3",
            "x_mitre_aliases": [
                "Agent Tesla"
            ],
            "type": "malware",
            "id": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
            "created": "2019-01-29T18:44:04.748Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/software/S0331",
                    "external_id": "S0331"
                },
                {
                    "source_name": "Agent Tesla",
                    "description": "(Citation: Fortinet Agent Tesla April 2018)(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)"
                },
                {
                    "source_name": "Bitdefender Agent Tesla April 2020",
                    "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.",
                    "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/"
                },
                {
                    "source_name": "Talos Agent Tesla Oct 2018",
                    "description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.",
                    "url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html"
                },
                {
                    "source_name": "Malwarebytes Agent Tesla April 2020",
                    "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.",
                    "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/"
                },
                {
                    "source_name": "DigiTrust Agent Tesla Jan 2017",
                    "description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.",
                    "url": "https://www.digitrustgroup.com/agent-tesla-keylogger/"
                },
                {
                    "source_name": "Fortinet Agent Tesla April 2018",
                    "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
                    "url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1",
            "is_family": true
        }

To search for all Malware objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "malware"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "S")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 593 Objects in v15.1.

To see what Malware objects are linked to/from;

LET malware_ids = (
    FOR doc IN mitre_attack_enterprise_vertex_collection
      FILTER doc._stix2arango_note != "automatically imported on collection creation"
      AND doc._stix2arango_note == "v15.1"
      AND doc.type == "malware"
      AND doc.x_mitre_deprecated != true
      AND doc.revoked != true
      AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "S")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      LET keys = ATTRIBUTES(doc)
      LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "malware") OR CONTAINS(doc.target_ref, "malware"))
  AND (doc.source_ref IN malware_ids OR doc.target_ref IN malware_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type   target_ref_object_type   is_property_ref
uses                     malware                  attack-pattern           false
created-by               malware                  identity                 true
x-mitre-modified-by      malware                  identity                 true
object-marking           malware                  marking-definition       true
uses                     intrusion-set            malware                  false
x_mitre_contents-object  x-mitre-collection       malware                  true
uses                     campaign                 malware                  false
revoked-by               malware                  malware                  false
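
The relationship tables for Mitigations, Groups and Software above are the raw material for the question most people actually bring to ATT&CK: which techniques does this Group reach, directly or through the Software it uses and the Campaigns attributed to it, and which of those techniques have a Mitigation. The example below chains exactly those edge types (intrusion-set uses attack-pattern, intrusion-set uses malware or tool, which in turn use attack-pattern, campaign attributed-to intrusion-set and campaign uses attack-pattern, then course-of-action mitigates attack-pattern) in plain Python over a STIX bundle; malware and tool objects are treated identically, as both are Software. This is an added example, not code from the original post or from stix2arango. The bundle is constructed sample data: the G, C, S, T and M identifiers and names are real ATT&CK IDs, but every UUID and every relationship between them is a made-up excerpt for illustration, not a statement about what those real objects use or mitigate. The function names are mine.

```python
import uuid
from collections import defaultdict


def _sdo(stype, aid, name, **extra):
    """Minimal ATT&CK-style STIX object; constructed sample data, not real ATT&CK."""
    return {"type": stype, "id": f"{stype}--{uuid.uuid4()}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": aid}], **extra}


def _rel(rtype, src, tgt, **extra):
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}", "relationship_type": rtype,
            "source_ref": src["id"], "target_ref": tgt["id"], **extra}


# Constructed bundle: real ATT&CK IDs and names, but every UUID and every edge is made up.
G0016 = _sdo("intrusion-set", "G0016", "APT29")
C0024 = _sdo("campaign", "C0024", "SolarWinds Compromise")
S0154 = _sdo("malware", "S0154", "Cobalt Strike")
S0002 = _sdo("tool", "S0002", "Mimikatz")
TECH = {aid: _sdo("attack-pattern", aid, name, x_mitre_is_subtechnique="." in aid) for aid, name in [
    ("T1595.002", "Vulnerability Scanning"), ("T1049", "System Network Connections Discovery"),
    ("T1056.001", "Keylogging"), ("T1003.001", "LSASS Memory"),
    ("T1195.002", "Compromise Software Supply Chain")]}
MIT = {aid: _sdo("course-of-action", aid, name) for aid, name in [
    ("M1043", "Credential Access Protection"), ("M1049", "Antivirus/Antimalware"),
    ("M1051", "Update Software"), ("M1056", "Pre-compromise")]}
SAMPLE_BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    G0016, C0024, S0154, S0002, *TECH.values(), *MIT.values(),
    _rel("uses", G0016, TECH["T1595.002"]), _rel("uses", G0016, S0154), _rel("uses", G0016, S0002),
    _rel("attributed-to", C0024, G0016),  # source = campaign, target = group
    _rel("uses", S0154, TECH["T1049"]), _rel("uses", S0154, TECH["T1056.001"]),
    _rel("uses", S0002, TECH["T1003.001"]), _rel("uses", C0024, TECH["T1195.002"]),
    _rel("mitigates", MIT["M1056"], TECH["T1595.002"]), _rel("mitigates", MIT["M1043"], TECH["T1003.001"]),
    _rel("mitigates", MIT["M1051"], TECH["T1195.002"]),
    # ATT&CK deprecates relationships too; this edge must be ignored like a deprecated object.
    _rel("mitigates", MIT["M1049"], TECH["T1049"], x_mitre_deprecated=True),
]}


def attack_id(obj):
    return next((r.get("external_id") for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def is_active(obj):
    """The post's revoked / x_mitre_deprecated filter, applied to SDOs and relationships alike."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def _index(bundle):
    """Objects by STIX id, plus active relationships keyed by source and by target."""
    objs = {o["id"]: o for o in bundle["objects"]}
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for rel in objs.values():
        if rel["type"] == "relationship" and is_active(rel):
            out_edges[rel["source_ref"]].append(rel)
            in_edges[rel["target_ref"]].append(rel)
    return objs, out_edges, in_edges


def _find(objs, aid):
    return next(o for o in objs.values() if attack_id(o) == aid and is_active(o))


def technique_footprint(bundle, group_id):
    """{technique ID: set of paths}: 'direct', 'malware:<S-ID>', 'tool:<S-ID>' or 'campaign:<C-ID>'."""
    objs, out_edges, in_edges = _index(bundle)
    group = _find(objs, group_id)
    actors = [(group, "direct")]
    for rel in out_edges[group["id"]]:  # Software the Group uses
        tgt = objs[rel["target_ref"]]
        if rel["relationship_type"] == "uses" and tgt["type"] in ("malware", "tool") and is_active(tgt):
            actors.append((tgt, f"{tgt['type']}:{attack_id(tgt)}"))
    for rel in in_edges[group["id"]]:  # Campaigns attributed to the Group
        src = objs[rel["source_ref"]]
        if rel["relationship_type"] == "attributed-to" and src["type"] == "campaign" and is_active(src):
            actors.append((src, f"campaign:{attack_id(src)}"))
    footprint = defaultdict(set)
    for actor, via in actors:  # each actor's own 'uses' edges to attack-patterns
        for rel in out_edges[actor["id"]]:
            tgt = objs[rel["target_ref"]]
            if rel["relationship_type"] == "uses" and tgt["type"] == "attack-pattern" and is_active(tgt):
                footprint[attack_id(tgt)].add(via)
    return dict(footprint)


def mitigation_coverage(bundle, technique_ids):
    """({technique ID: sorted Mitigation IDs}, sorted technique IDs with no Mitigation)."""
    objs, _, in_edges = _index(bundle)
    covered, uncovered = {}, []
    for tid in sorted(technique_ids):
        mits = sorted(attack_id(objs[r["source_ref"]]) for r in in_edges[_find(objs, tid)["id"]]
                      if r["relationship_type"] == "mitigates" and is_active(objs[r["source_ref"]]))
        if mits:
            covered[tid] = mits
        else:
            uncovered.append(tid)
    return covered, uncovered
```

The footprint keeps the path by which each technique was reached, so a technique that only appears through a piece of Software the Group is reported to use can be weighted differently from one the Group is observed using directly. Note that is_active is applied to relationship objects as well as to the objects at either end: ATT&CK marks relationships revoked or deprecated independently, and the same filter the post applies to vertices is needed on the edge collection to avoid counting a withdrawn mitigation as coverage.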

ATT&CK object Software = STIX object tool

Found in:

  • Enterprise
  • Mobile

Software represented as a tool STIX object is Software that was built for a purpose that was not malicious (for example, an operating system utility such as netstat) but that adversaries use to conduct behavior modeled in ATT&CK.

Software (Tools) also have IDs in the format: SNNNN.

For example, Software S0104 - netstat can be retrieved from the database as follows;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "tool"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "S0104"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)
        {
            "modified": "2024-01-23T19:57:39.135Z",
            "name": "netstat",
            "description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_version": "1.3",
            "x_mitre_aliases": [
                "netstat"
            ],
            "type": "tool",
            "id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
            "created": "2017-05-31T21:33:04.545Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/software/S0104",
                    "external_id": "S0104"
                },
                {
                    "source_name": "TechNet Netstat",
                    "description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.",
                    "url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1"
        }

To search all Tool objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "tool"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "S")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 85 Objects in v15.1.

To see what Tool objects are linked to/from;

LET tool_ids = (
    FOR doc IN mitre_attack_enterprise_vertex_collection
      FILTER doc._stix2arango_note == "v15.1"
      AND doc.type == "tool"
      AND doc.x_mitre_deprecated != true
      AND doc.revoked != true
      AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "S")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "tool") OR CONTAINS(doc.target_ref, "tool"))
  AND (doc.source_ref IN tool_ids OR doc.target_ref IN tool_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
uses                     tool                    attack-pattern          false
created-by               tool                    identity                true
x-mitre-modified-by      tool                    identity                true
object-marking           tool                    marking-definition      true
uses                     campaign                tool                    false
uses                     intrusion-set           tool                    false
x_mitre_contents-object  x-mitre-collection      tool                    true
revoked-by               malware                 tool                    false

ATT&CK object Campaign = STIX object campaign

Found in:

  • Enterprise
  • ICS
  • Mobile

Campaigns represent activities carried out to achieve an objective.

Campaigns have IDs in the format: CNNNN.

For example, Campaign C0022 - Operation Dream Job;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "campaign"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "C0022"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

        {
            "modified": "2024-04-11T00:31:21.576Z",
            "name": "Operation Dream Job",
            "description": "[Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)",
            "aliases": [
                "Operation Dream Job",
                "Operation North Star",
                "Operation Interception"
            ],
            "first_seen": "2019-09-01T04:00:00.000Z",
            "last_seen": "2020-08-01T04:00:00.000Z",
            "x_mitre_first_seen_citation": "(Citation: ESET Lazarus Jun 2020)",
            "x_mitre_last_seen_citation": "(Citation: ClearSky Lazarus Aug 2020)",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.2",
            "type": "campaign",
            "id": "campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b",
            "created": "2023-03-17T13:37:42.596Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/campaigns/C0022",
                    "external_id": "C0022"
                },
                {
                    "source_name": "Operation Interception",
                    "description": "(Citation: ESET Lazarus Jun 2020)"
                },
                {
                    "source_name": "Operation North Star",
                    "description": "(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)"
                },
                {
                    "source_name": "McAfee Lazarus Nov 2020",
                    "description": "Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.",
                    "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/"
                },
                {
                    "source_name": "ESET Lazarus Jun 2020",
                    "description": "Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.",
                    "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf"
                },
                {
                    "source_name": "McAfee Lazarus Jul 2020",
                    "description": "Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.",
                    "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27"
                },
                {
                    "source_name": "ClearSky Lazarus Aug 2020",
                    "description": "ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.",
                    "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf"
                },
                {
                    "source_name": "The Hacker News Lazarus Aug 2022",
                    "description": "Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.",
                    "url": "https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "spec_version": "2.1"
        }

To search for all Campaign objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "campaign"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "C")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 28 Objects in v15.1.

To see what Campaign objects are linked to/from;

LET campaign_ids = (
    FOR doc IN mitre_attack_enterprise_vertex_collection
      FILTER doc._stix2arango_note == "v15.1"
      AND doc.type == "campaign"
      AND doc.x_mitre_deprecated != true
      AND doc.revoked != true
      AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "C")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "campaign") OR CONTAINS(doc.target_ref, "campaign"))
  AND (doc.source_ref IN campaign_ids OR doc.target_ref IN campaign_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
uses                     campaign                attack-pattern          false
created-by               campaign                identity                true
x-mitre-modified-by      campaign                identity                true
attributed-to            campaign                intrusion-set           false
uses                     campaign                malware                 false
object-marking           campaign                marking-definition      true
uses                     campaign                tool                    false
x_mitre_contents-object  x-mitre-collection      campaign                true

ATT&CK object Data Source = STIX object x-mitre-data-source

Found in:

  • Enterprise
  • ICS
  • Mobile

Data Sources represent the various subjects/topics of information that can be collected by sensors/logs.

Data Sources have IDs in the format: DSNNNN.

For example, Data Source DS0029 - Network Traffic;

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-data-source"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "DS0029"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

        {
            "modified": "2023-04-20T18:38:13.356Z",
            "name": "Network Traffic",
            "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
            "x_mitre_platforms": [
                "IaaS",
                "Linux",
                "Windows",
                "macOS",
                "Android",
                "iOS"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack",
                "mobile-attack"
            ],
            "x_mitre_version": "1.1",
            "x_mitre_contributors": [
                "Center for Threat-Informed Defense (CTID)",
                "ExtraHop"
            ],
            "x_mitre_collection_layers": [
                "Cloud Control Plane",
                "Host",
                "Network"
            ],
            "type": "x-mitre-data-source",
            "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
            "created": "2021-10-20T15:05:19.274Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/datasources/DS0029",
                    "external_id": "DS0029"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1"
        }

To search for Data Source objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-data-source"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "DS")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 37 Objects in v15.1.

To see what Data Source objects are linked to/from;

LET data_source_ids = (
    FOR doc IN mitre_attack_enterprise_vertex_collection
      FILTER doc._stix2arango_note == "v15.1"
      AND doc.type == "x-mitre-data-source"
      AND doc.x_mitre_deprecated != true
      AND doc.revoked != true
      AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "DS")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      RETURN doc.id
)

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "x-mitre-data-source") OR CONTAINS(doc.target_ref, "x-mitre-data-source"))
  AND (doc.source_ref IN data_source_ids OR doc.target_ref IN data_source_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
created-by               x-mitre-data-source     identity                true
x-mitre-modified-by      x-mitre-data-source     identity                true
object-marking           x-mitre-data-source     marking-definition      true
x_mitre_contents-object  x-mitre-collection      x-mitre-data-source     true
x-mitre-data-source      x-mitre-data-component  x-mitre-data-source     true

ATT&CK object Data Component = STIX object x-mitre-data-component

Found in:

  • Enterprise
  • ICS
  • Mobile

Data components are children of Data Sources.

Data Components identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique. For example, Network Traffic is the Data Source and Network Traffic Flow is one of the Data Components linked to it.

Data Components don’t have ATT&CK-specific IDs, but each one links to its parent Data Source through the x_mitre_data_source_ref property. For example, the Network Traffic Flow component:

        {
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
            "type": "x-mitre-data-component",
            "created": "2021-10-20T15:05:19.274Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "modified": "2022-04-25T14:00:00.188Z",
            "name": "Network Traffic Flow",
            "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)",
            "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
            "x_mitre_version": "1.0",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1",
            "x_mitre_domains": [
                "enterprise-attack"
            ]
        }

You can see the relationship to the Data Source in the x_mitre_data_source_ref property (in this case x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3, DS0029 - Network Traffic).

To search for Data Component objects in the Enterprise domain:

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-data-component"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 106 Objects in v15.1.

To see what x-mitre-data-component objects are linked to/from;

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER (CONTAINS(doc.source_ref, "x-mitre-data-component")
  OR CONTAINS(doc.target_ref, "x-mitre-data-component"))
  AND doc._stix2arango_note == "v15.1"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
detects                  x-mitre-data-component  attack-pattern          false
x_mitre_contents-object  x-mitre-collection      x-mitre-data-component  true
object-marking           x-mitre-data-component  marking-definition      true
created-by               x-mitre-data-component  identity                true
x-mitre-data-source      x-mitre-data-component  x-mitre-data-source     true
x-mitre-modified-by      x-mitre-data-component  identity                true
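The same two traversals done outside ArangoDB, as an added example (not code from this post or from stix2arango): it follows the x_mitre_data_source_ref property ref and the detects relationships described in the Data Component section, and the attributed-to / uses relationships from the Campaign section, applying the revoked / x_mitre_deprecated filter throughout. The bundle is constructed inline; the STIX ids for DS0029, Network Traffic Flow, C0022 and S0104 are the ones quoted above, while every id tagged "constructed" and the T9999/T9998 technique IDs are placeholders.

```python
from collections import defaultdict

def attack_id(obj):
    """Return the ATT&CK ID (e.g. 'DS0029') from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None

def is_active(obj):
    """The filter every query in the post applies: drop revoked / x_mitre_deprecated objects."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

class AttackGraph:
    """Index ATT&CK STIX objects; walks embedded property refs and relationship SROs alike."""

    def __init__(self, objects):
        self.by_id = {o["id"]: o for o in objects if is_active(o)}
        self.rels = defaultdict(list)           # (relationship_type, source_ref) -> [target_ref]
        self.components_of = defaultdict(list)  # data source id -> [data component id]
        for o in self.by_id.values():
            if o["type"] == "relationship":
                self.rels[(o["relationship_type"], o["source_ref"])].append(o["target_ref"])
            elif o["type"] == "x-mitre-data-component":  # x_mitre_data_source_ref is a property ref
                self.components_of[o["x_mitre_data_source_ref"]].append(o["id"])

    def find(self, ext_id):
        """Look an object up by ATT&CK ID, as the post's external_id filters do."""
        for o in self.by_id.values():
            if attack_id(o) == ext_id:
                return o
        raise KeyError(ext_id)

    def linked(self, rel_type, source_id, *types):
        """Targets of rel_type SROs from source_id, limited to the given STIX types; filtered objects vanish."""
        return [self.by_id[t] for t in self.rels[(rel_type, source_id)]
                if t in self.by_id and self.by_id[t]["type"] in types]

    def techniques_detected_by(self, ds_ext_id):
        """Data Source -> Data Components -> 'detects' -> techniques, as {technique ID: [component names]}."""
        found = {}
        for comp_id in self.components_of[self.find(ds_ext_id)["id"]]:
            for technique in self.linked("detects", comp_id, "attack-pattern"):
                found.setdefault(attack_id(technique), set()).add(self.by_id[comp_id]["name"])
        return {tid: sorted(names) for tid, names in found.items()}

    def campaign_context(self, c_ext_id):
        """Campaign -> 'attributed-to' groups and 'uses' software, per the post's campaign edge table."""
        cid = self.find(c_ext_id)["id"]
        return {"groups": sorted(attack_id(o) for o in self.linked("attributed-to", cid, "intrusion-set")),
                "software": sorted(attack_id(o) for o in self.linked("uses", cid, "tool", "malware"))}

def _sdo(stix_type, stix_id, name, ext_id=None, **extra):
    """Build a minimal STIX domain object for the constructed sample bundle."""
    obj = {"type": stix_type, "id": stix_id, "name": name, **extra}
    if ext_id:  # Data Components carry no ATT&CK ID, so they get no mitre-attack reference
        obj["external_references"] = [{"source_name": "mitre-attack", "external_id": ext_id}]
    return obj

def _sro(n, rel_type, source_ref, target_ref):
    return {"type": "relationship", "id": f"relationship--constructed-{n}",
            "relationship_type": rel_type, "source_ref": source_ref, "target_ref": target_ref}

# STIX ids below are the real ones quoted in the post; anything tagged 'constructed' is a placeholder.
DS0029 = "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3"
NTF = "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a"
C0022 = "campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b"
S0104 = "tool--4664b683-f578-434f-919b-1c1aad2a1111"

SAMPLE_BUNDLE = [  # constructed sample data, not an ATT&CK release
    _sdo("x-mitre-data-source", DS0029, "Network Traffic", "DS0029"),
    _sdo("x-mitre-data-component", NTF, "Network Traffic Flow", x_mitre_data_source_ref=DS0029),
    _sdo("x-mitre-data-component", "x-mitre-data-component--constructed-1", "Old Component",
         x_mitre_data_source_ref=DS0029, revoked=True),  # revoked: must not contribute detections
    _sdo("attack-pattern", "attack-pattern--constructed-1", "Technique A", "T9999"),  # placeholder ID
    _sdo("attack-pattern", "attack-pattern--constructed-2", "Technique B", "T9998"),  # placeholder ID
    _sro(1, "detects", NTF, "attack-pattern--constructed-1"),
    _sro(2, "detects", "x-mitre-data-component--constructed-1", "attack-pattern--constructed-2"),
    _sdo("campaign", C0022, "Operation Dream Job", "C0022"),
    _sdo("intrusion-set", "intrusion-set--constructed-1", "Lazarus Group", "G0032"),
    _sdo("tool", S0104, "netstat", "S0104"),
    _sro(3, "attributed-to", C0022, "intrusion-set--constructed-1"),
    _sro(4, "uses", C0022, S0104),
]
```

Feeding a real ATT&CK bundle's `objects` list to `AttackGraph` in place of `SAMPLE_BUNDLE` answers the detection-engineering question directly: which techniques a given Data Source can evidence, with revoked components and techniques excluded the same way the AQL filters exclude them.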

ATT&CK object Asset = STIX object x-mitre-asset

Found in:

  • ICS

Assets represent the devices and systems commonly found within Industrial Control System environments. Each asset object includes a mapping of technique relationships that represent the adversary actions that may target the device based on its capability and function.

Assets have IDs in the format: ANNNN.

For example, Asset A0011 - Virtual Private Network (VPN) Server:

FOR doc IN mitre_attack_ics_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-asset"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND extRef.external_id == "A0011"
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

        {
            "modified": "2023-10-04T18:07:59.333Z",
            "name": "Virtual Private Network (VPN) Server",
            "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.",
            "x_mitre_sectors": [
                "General"
            ],
            "x_mitre_related_assets": [
                {
                    "name": "Virtual Private Network (VPN) terminator",
                    "related_asset_sectors": [
                        "General"
                    ],
                    "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)"
                },
                {
                    "name": "Field VPN",
                    "related_asset_sectors": [
                        "General"
                    ],
                    "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments.  "
                }
            ],
            "x_mitre_platforms": [
                "Windows",
                "Linux",
                "Embedded"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "ics-attack"
            ],
            "x_mitre_version": "1.0",
            "type": "x-mitre-asset",
            "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
            "created": "2023-09-28T15:13:07.950Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/assets/A0011",
                    "external_id": "A0011"
                },
                {
                    "source_name": "IEC February 2019",
                    "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
                    "url": "https://webstore.iec.ch/publication/34421"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1"
        }

To search for Asset objects in the ICS domain:

FOR doc IN mitre_attack_ics_vertex_collection
  FILTER doc._stix2arango_note == "v15.1"
  AND doc.type == "x-mitre-asset"
  AND doc.x_mitre_deprecated != true
  AND doc.revoked != true
  AND IS_ARRAY(doc.external_references)
  LET matching_extRefs = (
    FOR extRef IN doc.external_references
      FILTER extRef.source_name == "mitre-attack"
      AND STARTS_WITH(extRef.external_id, "A")
      RETURN extRef
  )
  FILTER LENGTH(matching_extRefs) > 0
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

Returns 14 Objects in v15.1.

To see what Asset objects are linked to/from;

LET asset_ids = (
    FOR doc IN mitre_attack_ics_vertex_collection
      FILTER doc._stix2arango_note == "v15.1"
      AND doc.type == "x-mitre-asset"
      AND doc.x_mitre_deprecated != true
      AND doc.revoked != true
      AND IS_ARRAY(doc.external_references)
      LET matching_extRefs = (
        FOR extRef IN doc.external_references
          FILTER extRef.source_name == "mitre-attack"
          AND STARTS_WITH(extRef.external_id, "A")
          RETURN extRef
      )
      FILTER LENGTH(matching_extRefs) > 0
      RETURN doc.id
)

FOR doc IN mitre_attack_ics_edge_collection
  FILTER (CONTAINS(doc.source_ref, "x-mitre-asset") OR CONTAINS(doc.target_ref, "x-mitre-asset"))
  AND (doc.source_ref IN asset_ids OR doc.target_ref IN asset_ids)
  AND doc._stix2arango_note == "v15.1"
  LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
  LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
  RETURN DISTINCT {
    "relationship_type": doc.relationship_type,
    "source_ref_object_type": source_ref_prefix,
    "target_ref_object_type": target_ref_prefix,
    "is_property_ref": doc._is_ref
  }

relationship_type        source_ref_object_type  target_ref_object_type  is_property_ref
created-by               x-mitre-asset           identity                true
x-mitre-modified-by      x-mitre-asset           identity                true
object-marking           x-mitre-asset           marking-definition      true
targets                  attack-pattern          x-mitre-asset           false
x_mitre_contents-object  x-mitre-collection      x-mitre-asset           true

Posted by:

David Greenwood