
Comments (3)

Cyb3rWard0g avatar Cyb3rWard0g commented on August 17, 2024

So far, I can only use the software's original descriptions and the relationships defined to map:
Group -> tactics -> techniques -> software (When Available)

Group Winnti:


I am replicating the same functionality as the PowerShell script I shared earlier and providing a similar output:

https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/adversary_attribution/Winnti%20Group.md

Thank you!


jburns12 avatar jburns12 commented on August 17, 2024

Hey @Cyb3rWard0g ! This is a great question. The 'Has Technique Object?' property is available in the STIX content as a description on a relationship object. For your case, you'd be looking for relationships that have the source_ref that is the ID of the software (tool or malware) object and the target_ref of an attack-pattern. Here's an example of how to do that for the Winnti software:

from stix2 import TAXIICollectionSource, Filter
from stix2.utils import get_type_from_id
from taxii2client import Collection  # with taxii2client >= 2.0 use: from taxii2client.v20 import Collection

# Establish TAXII2 Collection instance for Enterprise ATT&CK collection
collection = Collection("https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/")

# Supply the collection to TAXIICollection
tc_source = TAXIICollectionSource(collection)

def get_technique_software_descriptions(src, sw_stix_id):
    # src.relationships() accepts either a STIX object or its ID.
    # source_only=True keeps only relationships where the software is the
    # source_ref (software -> attack-pattern) and drops the ones where the
    # software is the target_ref (intrusion-set -> software). The
    # 'description' on each returned relationship is the 'Has Technique
    # Object?' text.
    rels = [
        r for r in src.relationships(sw_stix_id, 'uses', source_only=True)
        if get_type_from_id(r.target_ref) in ['attack-pattern']
    ]

    return rels

def get_software_by_name(src, name):
    # Software can be either a 'tool' or a 'malware' object; try both.
    software = src.query([
        Filter("type", "=", "tool"),
        Filter("name", "=", name)
    ])
    if len(software) == 0:
        software = src.query([
            Filter("type", "=", "malware"),
            Filter("name", "=", name)
        ])
    return software

def get_technique_by_id(src, id):
    technique = src.query([
        Filter("id", "=", id)
    ])
    return technique

software = get_software_by_name(tc_source, "Winnti")
if not software:
    raise SystemExit("No tool or malware named 'Winnti' found in the collection")
software = software[0]
rels = get_technique_software_descriptions(tc_source, software)
for rel in rels:
    print(rel["description"])
    print(rel["target_ref"])
    print(get_technique_by_id(tc_source, rel["target_ref"])[0]["name"])

You could replace the get_software_by_name with a get_software_by_id similar to get_technique_by_id here if you wanted to just loop through all of the software (tools/malware) to get the techniques used by each one and corresponding descriptions.

Regarding relationship objects, attack-patterns will always be found as a target_ref and intrusion-sets will always be found as a source_ref. Therefore, tools/malware can be found as either. That has helped me in remembering how to set up my code to grab the correct content.

I hope this is helpful, and thanks again!

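The traversal described in the reply above (software as source_ref of a 'uses' relationship whose target_ref is an attack-pattern, with the 'Has Technique Object?' text carried on the relationship's description, and intrusion-sets always appearing as source_ref) can be exercised without a TAXII server. The following is an added example, not code from the thread or from the cti project: it builds a constructed STIX 2.0 bundle with made-up IDs, technique names and descriptions (only the names "Winnti" and "Winnti Group" are taken from the thread), reimplements the relationship lookup on plain dicts, and goes one step further than the reply by chaining group -> software -> technique so each technique records whether it came from the group directly or via a piece of software.

```python
"""Added example: walking ATT&CK-style STIX 'uses' relationships offline.

All objects below are constructed sample data (IDs, technique names and
descriptions are invented); nothing here is real ATT&CK content.
"""
import uuid
from collections import defaultdict


def _sid(stix_type, name):
    # Deterministic constructed STIX ID of the form <type>--<uuid>
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, name)}"


def _rel(src, dst, description):
    return {
        "type": "relationship",
        "id": _sid("relationship", src + dst),
        "relationship_type": "uses",
        "source_ref": src,
        "target_ref": dst,
        "description": description,
    }


GROUP = _sid("intrusion-set", "Winnti Group")
MALWARE = _sid("malware", "Winnti")
TOOL = _sid("tool", "Sample Tool")
TECH_A = _sid("attack-pattern", "Sample Technique A")
TECH_B = _sid("attack-pattern", "Sample Technique B")

# Constructed bundle laid out like Enterprise ATT&CK: intrusion-set is only
# ever a source_ref, attack-pattern only ever a target_ref, software either.
BUNDLE = {
    "type": "bundle",
    "id": _sid("bundle", "sample"),
    "objects": [
        {"type": "intrusion-set", "id": GROUP, "name": "Winnti Group"},
        {"type": "malware", "id": MALWARE, "name": "Winnti"},
        {"type": "tool", "id": TOOL, "name": "Sample Tool"},
        {"type": "attack-pattern", "id": TECH_A, "name": "Sample Technique A"},
        {"type": "attack-pattern", "id": TECH_B, "name": "Sample Technique B"},
        _rel(GROUP, TECH_A, "Winnti Group performs Sample Technique A directly."),
        _rel(GROUP, MALWARE, "Winnti Group has used Winnti."),
        _rel(GROUP, TOOL, "Winnti Group has used Sample Tool."),
        _rel(MALWARE, TECH_A, "Winnti can perform Sample Technique A."),
        _rel(MALWARE, TECH_B, "Winnti can perform Sample Technique B."),
        _rel(TOOL, TECH_B, "Sample Tool performs Sample Technique B."),
    ],
}


def get_type_from_id(stix_id):
    return stix_id.split("--", 1)[0]


def index_objects(bundle):
    return {o["id"]: o for o in bundle["objects"]}


def relationships(bundle, stix_id, relationship_type=None,
                  source_only=False, target_only=False):
    """Relationships touching stix_id, mirroring stix2's relationships() flags."""
    out = []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        if relationship_type and o["relationship_type"] != relationship_type:
            continue
        is_src = o["source_ref"] == stix_id
        is_tgt = o["target_ref"] == stix_id
        if (is_src and not target_only) or (is_tgt and not source_only):
            out.append(o)
    return out


def find_by_name(bundle, name, types=("tool", "malware")):
    for o in bundle["objects"]:
        if o["type"] in types and o.get("name") == name:
            return o
    return None


def software_technique_descriptions(bundle, software_name):
    """software --uses--> attack-pattern as sorted (technique name, description)."""
    sw = find_by_name(bundle, software_name)
    if sw is None:
        return []
    objs = index_objects(bundle)
    out = []
    # source_only=True drops intrusion-set -> software relationships
    for r in relationships(bundle, sw["id"], "uses", source_only=True):
        if get_type_from_id(r["target_ref"]) == "attack-pattern":
            out.append((objs[r["target_ref"]]["name"], r.get("description", "")))
    return sorted(out)


def group_technique_map(bundle, group_name):
    """Technique name -> sorted attributions: 'direct' or the software name."""
    grp = find_by_name(bundle, group_name, types=("intrusion-set",))
    if grp is None:
        return {}
    objs = index_objects(bundle)
    result = defaultdict(set)
    for r in relationships(bundle, grp["id"], "uses", source_only=True):
        tgt_type = get_type_from_id(r["target_ref"])
        if tgt_type == "attack-pattern":
            result[objs[r["target_ref"]]["name"]].add("direct")
        elif tgt_type in ("malware", "tool"):
            sw_name = objs[r["target_ref"]]["name"]
            for tech_name, _ in software_technique_descriptions(bundle, sw_name):
                result[tech_name].add(sw_name)
    return {k: sorted(v) for k, v in sorted(result.items())}


if __name__ == "__main__":
    for name, desc in software_technique_descriptions(BUNDLE, "Winnti"):
        print(f"{name}: {desc}")
    print(group_technique_map(BUNDLE, "Winnti Group"))
```

Swapping BUNDLE for the objects of a real collection (for example the list returned by a TAXIICollectionSource query, converted to dicts) keeps the same functions usable, since they only rely on the type, id, name, relationship_type, source_ref, target_ref and description fields.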

Cyb3rWard0g avatar Cyb3rWard0g commented on August 17, 2024

Hey @jburns12 !! omg lol, how did I miss the relationship description property?? It was 3am already, so it must have been the time hahaha. Thank you so much for all the information!! I appreciate the details and the example 👍 💯

