If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly (usually, the interactive graphs). Please view the post on dogesec.com for the full interactive viewing experience.
tl;dr
Software, Data Sources, Data Components, Campaigns, and more, make MITRE ATT&CK even more powerful than you might first realise. In this post I uncover the parts of ATT&CK you might not be aware of.
Follow along
In this post I am going to provide queries you can use to analyse and filter MITRE ATT&CK data.
If you would like to follow along, and keep a searchable copy of ATT&CK locally, you can import the data using stix2arango.
Once you’ve installed stix2arango, you can run the following command to import v15.1 of the MITRE ATT&CK Enterprise, ICS, and Mobile data;
python3 utilities/arango_cti_processor/insert_archive_attack_enterprise.py \
--database blog_demo \
--versions 15_1 && \
python3 utilities/arango_cti_processor/insert_archive_attack_ics.py \
--database blog_demo \
--versions 15_1 && \
python3 utilities/arango_cti_processor/insert_archive_attack_mobile.py \
--database blog_demo \
--versions 15_1
You can then use the query interface in the ArangoDB UI to run the AQL queries in this post.
ATT&CK STIX objects
The ATT&CK data is built on STIX objects and structured like so;
Lets break this down by looking at each ATT&CK object type individually to show how I built this diagram;
revoked and x_mitre_deprecated
When I started in this analysis these properties left me confused for a while (I should have read this!), so I’ll start here as you’ll see all my queries use the filter;
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
Lets start with x_mitre_deprecated.
Later in this post I will talk about how STIX course-of-action objects represent ATT&CK Mitigations.
This was not always the case. course-of-action once represented techniques. These still exist in the latest bundles, as the following search uncovers, however, note the x_mitre_deprecated property = true for all these objects.
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "course-of-action"
AND doc.external_references != null
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "T"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "T")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Which returns results including the following objects;
{
"created": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (<code>C:\\Windows\\System32\\</code> by default) of a domain controller and/or local computer with a corresponding entry in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages</code>. (Citation: Microsoft Install Password Filter n.d)",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/T1174",
"external_id": "T1174"
},
{
"url": "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx",
"description": "Microsoft. (n.d.). Installing and Registering a Password Filter DLL. Retrieved November 21, 2017.",
"source_name": "Microsoft Install Password Filter n.d"
}
],
"id": "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651",
"modified": "2019-07-25T11:22:19.139Z",
"name": "Password Filter DLL Mitigation",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"type": "course-of-action",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
}
If the x_mitre_deprecated property is found is an object, it will always be true
Searching for any relationships for this x_mitre_deprecated object;
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER doc._is_latest == true
AND (doc.source_ref == "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651"
OR doc.target_ref == "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651")
SORT doc.relationship_type
RETURN {
id: doc.id,
type: doc.relationship_type,
source: doc.source_ref,
target: doc.target_ref
}
[
{
"id": "relationship--af088283-7416-466d-86f3-8b55e6d698d4",
"type": "mitigates",
"source": "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651",
"target": "attack-pattern--b8c5c9dd-a662-479d-9428-ae745872537c"
}
]
This relationship search is not important yet, it’ll become clearer in a minute.
As I understand it, the custom x_mitre_deprecated property is used for objects that should no longer exist as an entity.
Now lets considert he revoked property.
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "attack-pattern"
AND doc.revoked == true
AND doc.external_references != null
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "T"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "T")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
{
"created": "2017-05-31T21:30:54.176Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use [Software Packing](https://attack.mitre.org/techniques/T1045) or otherwise modify the file so it has a different signature, and then re-use the malware.",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1066",
"external_id": "T1066"
}
],
"id": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"modified": "2022-04-25T14:00:00.188Z",
"name": "Indicator Removal from Tools",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"revoked": true,
"spec_version": "2.1",
"type": "attack-pattern",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_defense_bypassed": [
"Log analysis",
"Host intrusion prevention systems",
"Anti-virus"
],
"x_mitre_detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0"
}
Note the revoked property exists but not x_mitre_deprecated. If the revoked property exists it will always be true.
Searching for any relationships for this revoked object;
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER doc._is_latest == true
AND (doc.source_ref == "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6"
OR doc.target_ref == "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6")
SORT doc.relationship_type
RETURN {
id: doc.id,
type: doc.relationship_type,
source: doc.source_ref,
target: doc.target_ref
}
[
{
"id": "relationship--5978c8e0-8b60-4ad5-8fc9-9fa1ee4d7387",
"type": "mitigates",
"source": "course-of-action--4b998a71-7b8f-4dcc-8f3f-277f2e740271",
"target": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6"
},
{
"id": "relationship--cb4015bf-e7a4-4b26-8816-1f7a996adf4f",
"type": "revoked-by",
"source": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6",
"target": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92"
}
]
Here you can see a revoked-by relationship to attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92 which is T1027.005. You can see this in the logic of the ATT&CK site hitting the URL for T1066 (attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6) it redirects to T1027.005 (try it: ` https://attack.mitre.org/techniques/T1066`).
So what’s the difference between revoked and x_mitre_deprecated? I’m not entierly sure. My guess is that x_mitre_deprecated has no direct replacement, unlike revoked objects that do, as evidenced by the relationship search.
For most use-case when working with ATT&CK, it’s best to filter objects with these properties out (which I do in this post). The one exception I can think of is migrating between updates. If you’re using objects revoked in an updated, you should replace it with the object it was revoked-by.
ATT&CK object Collection = STIX object x-mitre-collection
Found in:
- Enterprise
- ICS
- Mobile
These are similar to x-mitre-matrix objects (1 per domain), but include a list of all objects in the domain under the x_mitre_contents property.
{
"type": "x-mitre-collection",
"id": "x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"name": "Enterprise ATT&CK",
"x_mitre_version": "15.1",
"description": "ATT&CK for Enterprise provides a knowledge base of real-world adversary behavior targeting traditional enterprise networks. ATT&CK for Enterprise covers the following platforms: Windows, macOS, Linux, PRE, Office 365, Google Workspace, IaaS, Network, and Containers.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-01-17T12:56:55.080Z",
"modified": "2024-05-02T14:00:00.188Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contents": [
{
"object_ref": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298",
"object_modified": "2022-04-25T14:00:00.188Z"
},
{
"OTHER ITEMS IN LIST CUT FOR BREVITY"
}
],
"x_mitre_version": "15.1"
}
]
]
The x_mitre_contents for Enterprise ATT&CK has 1000’s of objects that I’ve cut from the object printed above.
I suspect this object is used for the MITRE ATT&CK TAXII Server to define all the objects in a TAXII Collection (clarification needed).
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-collection"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
RETURN [KEEP(doc, filteredKeys)]
Returns 1 Object in v15.1.
To see what x-mitre-collection objects are linked to/from;
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER CONTAINS(doc.source_ref, "x-mitre-collection")
OR CONTAINS(doc.target_ref, "x-mitre-collection")
AND doc._stix2arango_note == "v15.1"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Matrix = STIX object x-mitre-matrix
Found in:
- Enterprise
- ICS
- Mobile
The Matrix (x-mitre-matrix) object captures specific information about the Matrix for the Domain being covered either Enterprise, ICS, or Mobile.
Here is the STIX x-mitre-matrix object in the Enterprise matrix:
{
"tactic_refs": [
"x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
"x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400",
"x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
"x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
"x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
"x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
"x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
"x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
"x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
"x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
"x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
"x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
"x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
"x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc",
"type": "x-mitre-matrix",
"created": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"external_id": "enterprise-attack",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/matrices/enterprise"
}
],
"modified": "2022-04-01T20:43:55.937Z",
"name": "Enterprise ATT&CK",
"description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1",
"x_mitre_domains": [
"enterprise-attack"
]
}
The main purpose of this object is to group the Tactic objects (x-mitre-tactic) associated with the domain.
To search for these objects in the Enterprise domain;
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-matrix"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
RETURN [KEEP(doc, filteredKeys)]
Returns 1 Object in v15.1.
You can replace mitre_attack_enterprise_vertex_collection with either mitre_attack_mobile_vertex_collection or mitre_attack_ics_vertex_collection to change the ATT&CK matrix. This applies for all of the following searches too.
To see if this document has any relationships to/from it, you can run the search;
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER CONTAINS(doc.source_ref, "x-mitre-matrix")
OR CONTAINS(doc.target_ref, "x-mitre-matrix")
AND doc._stix2arango_note == "v15.1"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Tactic = STIX object x-mitre-tactic
Found in:
- Enterprise
- ICS
- Mobile
Tactics (x-mitre-tactic--) represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.
https://attack.mitre.org/tactics/
Tactics have IDs in format: TANNNN
For example, Tactic TA0043 Reconnaissance: https://attack.mitre.org/tactics/TA0043/
{
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
"type": "x-mitre-tactic",
"created": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"external_id": "TA0006",
"url": "https://attack.mitre.org/tactics/TA0006",
"source_name": "mitre-attack"
}
],
"modified": "2022-04-25T14:00:00.188Z",
"name": "Credential Access",
"description": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_shortname": "credential-access",
"spec_version": "2.1"
}
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-tactic"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "TA"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "TA")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 14 Objects in v15.1.
To see what x-mitre-tactic objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET tactic_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-tactic"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "TA"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "TA")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "x-mitre-tactic") OR CONTAINS(doc.target_ref, "x-mitre-tactic"))
AND (doc.source_ref IN tactic_ids OR doc.target_ref IN tactic_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Technique = STIX object attack-pattern
Found in:
- Enterprise
- ICS
- Mobile
Techniques (attack-pattern with Custom Property "x_mitre_is_subtechnique": false) represent ‘how’ an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
https://attack.mitre.org/techniques/
Techniques have IDs in format: TNNNN
For example, Technique T1595 Active Scanning: https://attack.mitre.org/techniques/T1595/
{
"x_mitre_platforms": [
"PRE"
],
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b",
"type": "attack-pattern",
"created": "2020-10-02T16:53:16.526Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1595",
"url": "https://attack.mitre.org/techniques/T1595"
},
{
"source_name": "Botnet Scan",
"url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf",
"description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020."
},
{
"source_name": "OWASP Fingerprinting",
"url": "https://wiki.owasp.org/index.php/OAT-004_Fingerprinting",
"description": "OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020."
}
],
"modified": "2022-05-11T14:00:00.188Z",
"name": "Active Scanning",
"description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_version": "1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
],
"x_mitre_is_subtechnique": false,
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0"
}
Note, how x_mitre_is_subtechnique = false indicating this is not a sub-technique.
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "attack-pattern"
AND doc.x_mitre_is_subtechnique == false
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "T"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "T")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 202 Objects in v15.1.
To see what attack-pattern (where doc.x_mitre_is_subtechnique == false);
// Step 1: Retrieve the list of IDs
LET attack_pattern_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "attack-pattern"
AND doc.x_mitre_is_subtechnique == false
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "T"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "T")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "attack-pattern") OR CONTAINS(doc.target_ref, "attack-pattern"))
AND (doc.source_ref IN attack_pattern_ids OR doc.target_ref IN attack_pattern_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
This search is slightly different to the previous ones to uncover relationships to/from the objects because we first need to identify the IDs of Attack Pattern objects that are Techniques (AND NOT Sub-Techniques).
ATT&CK object Sub-Technique = STIX object attack-pattern
Found in:
- Enterprise
- Mobile
Sub-Techniques (attack-pattern with Custom Property "x_mitre_is_subtechnique": true) are a more specific implementation of a Technique (they are children to a parent).
For example, T1595.001 Scanning IP Blocks is a Sub-Technique of Technique T1595 Active Scanning.
Techniques have IDs in format: TNNNN.NNN
For example, Sub-Technique T1595.001 Scanning IP Blocks: https://attack.mitre.org/techniques/T1595/001/
{
"x_mitre_platforms": [
"PRE"
],
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120",
"type": "attack-pattern",
"created": "2020-10-02T16:54:23.193Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1595.001",
"url": "https://attack.mitre.org/techniques/T1595/001"
},
{
"source_name": "Botnet Scan",
"url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf",
"description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020."
}
],
"modified": "2022-04-25T14:00:00.188Z",
"name": "Scanning IP Blocks",
"description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_is_subtechnique": true,
"x_mitre_version": "1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0"
}
This time note how x_mitre_is_subtechnique = true. This is how Techniques and Sub-Techniques can be most easily differentiated.
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "attack-pattern"
AND doc.x_mitre_is_subtechnique == true
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "T"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "T")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 435 Objects in v15.1.
To see what attack-pattern (where doc.x_mitre_is_subtechnique == true);
// Step 1: Retrieve the list of IDs
LET attack_pattern_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "attack-pattern"
AND doc.x_mitre_is_subtechnique == true
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "T"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "T")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "attack-pattern") OR CONTAINS(doc.target_ref, "attack-pattern"))
AND (doc.source_ref IN attack_pattern_ids OR doc.target_ref IN attack_pattern_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Mitigation = STIX object course-of-action
Found in:
- Enterprise
- ICS
- Mobile
A Course of Action (course-of-action) represents ATT&CK Mitigations.
https://attack.mitre.org/mitigations/
Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
Mitigations have IDs in format: MNNNN
For example, Mitigation M1049 - Antivirus/Antimalware: https://attack.mitre.org/mitigations/M1049/
{
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
"type": "course-of-action",
"created": "2019-06-11T17:08:33.055Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "M1049",
"url": "https://attack.mitre.org/mitigations/M1049"
}
],
"modified": "2020-03-31T13:07:15.684Z",
"name": "Antivirus/Antimalware",
"description": "Use signatures or heuristics to detect malicious software.",
"x_mitre_version": "1.1",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0"
}
To search for Mitigation objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "course-of-action"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND doc.external_references != null
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "M"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "M")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 43 Objects in v15.1.
To see what Mitigation objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET coa_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "course-of-action"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND doc.external_references != null
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "M"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "M")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "course-of-action") OR CONTAINS(doc.target_ref, "course-of-action"))
AND (doc.source_ref IN coa_ids OR doc.target_ref IN coa_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Groups = STIX object intrusion-set
Found in:
- Enterprise
- ICS
- Mobile
Intrusion Sets (intrusion-set) represent ATT&CK Groups.
https://attack.mitre.org/groups/
Groups are sets of related intrusion activity that are tracked by a common name in the security community.
Groups have IDs in format: GNNNN
For example, Group G0016 - APT29: https://attack.mitre.org/groups/G0016/
{
"modified": "2024-04-12T21:15:41.833Z",
"name": "APT29",
"description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)",
"aliases": [
"APT29",
"IRON RITUAL",
"IRON HEMLOCK",
"NobleBaron",
"Dark Halo",
"StellarParticle",
"NOBELIUM",
"UNC2452",
"YTTRIUM",
"The Dukes",
"Cozy Bear",
"CozyDuke",
"SolarStorm",
"Blue Kitsune",
"UNC3524",
"Midnight Blizzard"
],
"x_mitre_deprecated": false,
"x_mitre_version": "6.0",
"x_mitre_contributors": [
"Daniyal Naeem, BT Security",
"Matt Brenton, Zurich Insurance Group",
"Katie Nickels, Red Canary",
"Joe Gumke, U.S. Bank",
"Liran Ravich, CardinalOps"
],
"type": "intrusion-set",
"id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542",
"created": "2017-05-31T21:31:52.748Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0016",
"external_id": "G0016"
}
...
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1"
}
Note, the full list of external_references has been cut from the object above for brevity.
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "intrusion-set"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "G"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "G")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 149 Objects in v15.1.
To see what intrusion-set objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET intrusion_set_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "intrusion-set"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "G"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "G")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "intrusion-set") OR CONTAINS(doc.target_ref, "intrusion-set"))
AND (doc.source_ref IN intrusion_set_ids OR doc.target_ref IN intrusion_set_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Software = STIX object malware
Found in:
- Enterprise
- ICS
- Mobile
Malware (malware) represents ATT&CK Software that is malicious.
https://attack.mitre.org/software/
Software have IDs in format: SNNNN
For example, Software S0331 - Agent Tesla: https://attack.mitre.org/software/S0331/
{
"modified": "2023-09-11T20:13:18.738Z",
"name": "Agent Tesla",
"description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_version": "1.3",
"x_mitre_aliases": [
"Agent Tesla"
],
"type": "malware",
"id": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"created": "2019-01-29T18:44:04.748Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0331",
"external_id": "S0331"
},
{
"source_name": "Agent Tesla",
"description": "(Citation: Fortinet Agent Tesla April 2018)(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)"
},
{
"source_name": "Bitdefender Agent Tesla April 2020",
"description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.",
"url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/"
},
{
"source_name": "Talos Agent Tesla Oct 2018",
"description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.",
"url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html"
},
{
"source_name": "Malwarebytes Agent Tesla April 2020",
"description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.",
"url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/"
},
{
"source_name": "DigiTrust Agent Tesla Jan 2017",
"description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.",
"url": "https://www.digitrustgroup.com/agent-tesla-keylogger/"
},
{
"source_name": "Fortinet Agent Tesla April 2018",
"description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1",
"is_family": true
}
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "malware"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "S"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "S")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 593 Objects in v15.1.
To see what Malware objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET malware_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "malware"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "S"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "S")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "malware") OR CONTAINS(doc.target_ref, "malware"))
AND (doc.source_ref IN malware_ids OR doc.target_ref IN malware_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Software = STIX object tool
Found in:
- Enterprise
- Mobile
Tools (tool) also represents a type of software, but unlike Malware, they represent objects that are that is benign.
https://attack.mitre.org/software/
Tools also have IDs in format: SNNNN
For example, Software S0104 - netstat: https://attack.mitre.org/software/S0104/
{
"modified": "2024-01-23T19:57:39.135Z",
"name": "netstat",
"description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_version": "1.3",
"x_mitre_aliases": [
"netstat"
],
"type": "tool",
"id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
"created": "2017-05-31T21:33:04.545Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0104",
"external_id": "S0104"
},
{
"source_name": "TechNet Netstat",
"description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.",
"url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1"
}
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "tool"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "S"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "S")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 85 Objects in v15.1.
To see what Tool objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET tool_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "tool"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "S"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "S")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "tool") OR CONTAINS(doc.target_ref, "tool"))
AND (doc.source_ref IN tool_ids OR doc.target_ref IN tool_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Campaign = STIX object campaign
Found in:
- Enterprise
- ICS
- Mobile
Campaign (campaign) represents an security operations to achieve some objective.
https://attack.mitre.org/campaigns/
Campaigns have IDs in format: CNNNN
For example, Campaign C0022 - Operation Dream Job: https://attack.mitre.org/campaigns/C0022/
{
"modified": "2024-04-11T00:31:21.576Z",
"name": "Operation Dream Job",
"description": "[Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)",
"aliases": [
"Operation Dream Job",
"Operation North Star",
"Operation Interception"
],
"first_seen": "2019-09-01T04:00:00.000Z",
"last_seen": "2020-08-01T04:00:00.000Z",
"x_mitre_first_seen_citation": "(Citation: ESET Lazarus Jun 2020)",
"x_mitre_last_seen_citation": "(Citation: ClearSky Lazarus Aug 2020)",
"x_mitre_deprecated": false,
"x_mitre_version": "1.2",
"type": "campaign",
"id": "campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b",
"created": "2023-03-17T13:37:42.596Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/campaigns/C0022",
"external_id": "C0022"
},
{
"source_name": "Operation Interception",
"description": "(Citation: ESET Lazarus Jun 2020)"
},
{
"source_name": "Operation North Star",
"description": "(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)"
},
{
"source_name": "McAfee Lazarus Nov 2020",
"description": "Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.",
"url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/"
},
{
"source_name": "ESET Lazarus Jun 2020",
"description": "Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf"
},
{
"source_name": "McAfee Lazarus Jul 2020",
"description": "Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.",
"url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27"
},
{
"source_name": "ClearSky Lazarus Aug 2020",
"description": "ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.",
"url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf"
},
{
"source_name": "The Hacker News Lazarus Aug 2022",
"description": "Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.",
"url": "https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_domains": [
"enterprise-attack"
],
"spec_version": "2.1"
}
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "campaign"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "C"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "C")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 28 Objects in v15.1.
To see what Campaign objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET campaign_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "campaign"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "C"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "C")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "campaign") OR CONTAINS(doc.target_ref, "campaign"))
AND (doc.source_ref IN campaign_ids OR doc.target_ref IN campaign_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Data Source = STIX object x-mitre-data-source
Found in:
- Enterprise
- ICS
- Mobile
Data Sources (x-mitre-data-source) represent the various subjects/topics of information that can be collected by sensors/logs.
https://attack.mitre.org/datasources/
Data Sources have IDs in format: DSNNNN
For example, Data Source DS0029 - Network Traffic: https://attack.mitre.org/datasources/DS0029/
{
"modified": "2023-04-20T18:38:13.356Z",
"name": "Network Traffic",
"description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
"x_mitre_platforms": [
"IaaS",
"Linux",
"Windows",
"macOS",
"Android",
"iOS"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack",
"mobile-attack"
],
"x_mitre_version": "1.1",
"x_mitre_contributors": [
"Center for Threat-Informed Defense (CTID)",
"ExtraHop"
],
"x_mitre_collection_layers": [
"Cloud Control Plane",
"Host",
"Network"
],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/datasources/DS0029",
"external_id": "DS0029"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1"
}
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-data-source"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "DS"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "DS")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 37 Objects in v15.1.
To see what Data Source objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET data_source_ids = (
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-data-source"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "DS"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "DS")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER (CONTAINS(doc.source_ref, "x-mitre-data-source") OR CONTAINS(doc.target_ref, "x-mitre-data-source"))
AND (doc.source_ref IN data_source_ids OR doc.target_ref IN data_source_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Data Component = STIX object x-mitre-data-component
Found in:
- Enterprise
- ICS
- Mobile
Data components are children of Data Sources.
Data Components identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique. For example, Network Traffic is the Data Source and Network Traffic Flow is one of the Data Components linked to it.
Data Components don’t have any ATT&CK specific ID’s.
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"type": "x-mitre-data-component",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2022-04-25T14:00:00.188Z",
"name": "Network Traffic Flow",
"description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)",
"x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1",
"x_mitre_domains": [
"enterprise-attack"
]
}
You can see the relationship to the Data Source in the x_mitre_data_source_ref property (in this case x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3, DS0029 - Network Traffic).
To search for these objects in the Enterprise domain:
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-data-component"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
RETURN KEEP(doc, filteredKeys)
Returns 106 Objects in v15.1.
To see what x-mitre-data-component objects are linked to/from;
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER CONTAINS(doc.source_ref, "x-mitre-data-component")
OR CONTAINS(doc.target_ref, "x-mitre-data-component")
AND doc._stix2arango_note == "v15.1"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
ATT&CK object Asset = STIX object x-mitre-asset
Found in:
- ICS
Assets represent the devices and systems commonly found within Industrial Control System environments. Each asset object includes a mapping of technique relationships that represent the adversary actions that may target the device based on its capability and function.
https://attack.mitre.org/assets/
Assets have IDs in format: ANNNN
For example, Asset A0011 - Virtual Private Network (VPN) Server: https://attack.mitre.org/assets/A0011/
{
"modified": "2023-10-04T18:07:59.333Z",
"name": "Virtual Private Network (VPN) Server",
"description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.",
"x_mitre_sectors": [
"General"
],
"x_mitre_related_assets": [
{
"name": "Virtual Private Network (VPN) terminator",
"related_asset_sectors": [
"General"
],
"description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)"
},
{
"name": "Field VPN",
"related_asset_sectors": [
"General"
],
"description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. "
}
],
"x_mitre_platforms": [
"Windows",
"Linux",
"Embedded"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_version": "1.0",
"type": "x-mitre-asset",
"id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
"created": "2023-09-28T15:13:07.950Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/assets/A0011",
"external_id": "A0011"
},
{
"source_name": "IEC February 2019",
"description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
"url": "https://webstore.iec.ch/publication/34421"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"spec_version": "2.1"
}
To search for these objects in the ICS domain:
FOR doc IN mitre_attack_ics_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-asset"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "A"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "A")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN [KEEP(doc, filteredKeys)]
Returns 14 Objects in v15.1.
To see what Asset objects are linked to/from;
// Step 1: Retrieve the list of IDs
LET asset_ids = (
FOR doc IN mitre_attack_ics_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-asset"
AND doc.x_mitre_deprecated != true
AND doc.revoked != true
AND IS_ARRAY(doc.external_references)
// Filter for external references where external_id starts with "A"
LET matching_extRefs = (
FOR extRef IN doc.external_references
FILTER extRef.source_name == "mitre-attack"
AND STARTS_WITH(extRef.external_id, "A")
RETURN extRef
)
// Proceed only if there is at least one matching external reference
FILTER LENGTH(matching_extRefs) > 0
// Keep the document's attributes, excluding those starting with "_"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
// Return the document with the filtered attributes and the matching external references
RETURN doc.id
)
// Step 2: Use the IDs to filter documents in the edge collection
FOR doc IN mitre_attack_ics_edge_collection
FILTER (CONTAINS(doc.source_ref, "x-mitre-asset") OR CONTAINS(doc.target_ref, "x-mitre-asset"))
AND (doc.source_ref IN asset_ids OR doc.target_ref IN asset_ids)
AND doc._stix2arango_note == "v15.1"
LET source_ref_prefix = SPLIT(doc.source_ref, "--")[0]
LET target_ref_prefix = SPLIT(doc.target_ref, "--")[0]
RETURN DISTINCT {
"relationship_type": doc.relationship_type,
"source_ref_object_type": source_ref_prefix,
"target_ref_object_type": target_ref_prefix,
"_is_ref": doc._is_ref
}
CTI Butler
One API. Much CTI. CTI Butler is the API used by the world's leading cyber-security companies.
Discuss this post
Head on over to the DOGESEC community to discuss this post.
Never miss an update
Sign up to receive new articles in your inbox as they published.