Invoke-ATTACKAPI: PowerShell script to interact with the MITRE ATT&CK Framework

Invoke-ATTACKAPI

A PowerShell script to interact with the MITRE ATT&CK Framework through its own API, in order to gather the information about techniques, tactics, groups, software and references that the MITRE ATT&CK team (@MITREattack) publishes.

Goals

  • Give the community an easy way to interact with the MITRE ATT&CK Framework through its own API and PowerShell.
  • Speed up the collection of ATT&CK data when preparing for a hunting campaign.
  • Learn PowerShell Dynamic Parameters 🙂

Installing / Importing

Requirement

  • PowerShell version 3+

git clone https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI.git

Invoke-ATTACKAPI

Examples

This query returns all techniques:

Invoke-ATTACKAPI -Category -Technique


ID : {T1001}
Bypass : {}
Contributor : {}
Requires System : {}
Data Source : {Packet capture, Process use of network, Process monitoring, Network protocol analysis}
Description : {Command and control (C2) communications are hidden (but not necessarily encrypted) in an
attempt to make the content more difficult to discover or decipher and to make the
communication less conspicuous and hide commands from being seen. This encompasses many
methods, such as adding junk data to protocol traffic, using steganography, commingling
legitimate traffic with C2 communications traffic, or using a non-standard data encoding
system, such as a modified Base64 encoding for the message body of an HTTP request.}
Mitigation : {Network intrusion detection and prevention systems that use network signatures to
identify traffic for specific adversary malware can be used to mitigate activity at the
network level. Signatures are often for unique indicators within protocols and may be
based on the specific obfuscation technique used by a particular adversary or tool, and
will likely be different across various malware families and versions. Adversaries will
likely change tool C2 signatures over time or construct protocols in such a way as to
avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]}
Tactic : Command and Control
Analytic Details : {Analyze network data for uncommon data flows (e.g., a client sending significantly more
data than it receives from a server). Processes utilizing the network that do not normally
have network communication or have never been seen before are suspicious. Analyze packet
contents to detect communications that do not follow the expected protocol behavior for
the port that is being used.[[CiteRef::University of Birmingham C2]]}
TechniqueName : {Data Obfuscation}
FullText : Technique/T1001
Link Text : {[[Technique/T1001|Data Obfuscation]]}
Reference : {University of Birmingham C2, FireEye APT28, Axiom, FireEye APT30...}
Platform : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
Name : {Data Obfuscation}
CAPEC ID : {}
Requires Permission : {}
URL : https://attack.mitre.org/wiki/Technique/T1001
.............
..................

ID : {T1068}
Bypass : {Anti-virus, System access controls}
Contributor : {John Lambert, Microsoft Threat Intelligence Center}
Requires System : {Unpatched software or otherwise vulnerable target. Depending on the target and goal, the
system and exploitable service may need to be remotely accessible from the internal
network. In the case of privilege escalation, the adversary likely already has user
permissions on the target system.}
Data Source : {Windows Error Reporting, File monitoring, Process monitoring}
Description : {Exploitation of a software vulnerability occurs when an adversary takes advantage of a
programming error in a program, service, or within the operating system software or
kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities
may allow adversaries to run a command or binary on a remote system for lateral movement,
escalate a current process to a higher privilege level, or bypass security mechanisms.
Exploits may also allow an adversary access to privileged accounts and credentials. One
example of this is MS14-068, which can be used to forge Kerberos tickets using domain
user permissions.[[CiteRef::Technet MS14-068]][[CiteRef::ADSecurity Detecting Forged
Tickets]]}
Mitigation : {Update software regularly by employing patch management for internal enterprise
endpoints and servers. Develop a robust cyber threat intelligence capability to determine
what types and levels of threat may use software exploits and 0-days against a particular
organization. Make it difficult for adversaries to advance their operation through
exploitation of undiscovered or unpatched vulnerabilities by using sandboxing,
virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation
Experience Toolkit.[[CiteRef::SRD EMET]]}
Tactic : {Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation}
Analytic Details : {Software exploits may not always succeed or may cause the exploited process to become
unstable or crash. Software and operating system crash reports may contain useful
contextual information about attempted exploits that correlate with other malicious
activity. Exploited processes may exhibit behavior that is unusual for the specific
process, such as spawning additional processes or reading and writing to files.}
TechniqueName : {Exploitation of Vulnerability}
FullText : Technique/T1068
Link Text : {[[Technique/T1068|Exploitation of Vulnerability]]}
Reference : {ADSecurity Detecting Forged Tickets, Bitdefender APT28 Dec 2015, ESET Sednit July 2015,
ESET Sednit Part 1...}
Platform : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
Name : {Exploitation of Vulnerability}
CAPEC ID : {69}
Requires Permission : {User, Administrator, SYSTEM}
URL : https://attack.mitre.org/wiki/Technique/T1068
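As an added example (not part of the Invoke-ATTACKAPI project), the objects returned by the query above can be pivoted in plain PowerShell to decide which telemetry to collect for a hunt; it assumes the script is already imported and that the property names match the sample output ('ID', 'TechniqueName', 'Tactic', 'Data Source').

```powershell
# Added example, not part of the Invoke-ATTACKAPI project. Assumes the script has already been
# imported and that 'Invoke-ATTACKAPI -Category -Technique' returns objects whose property
# names match the sample output above ('ID', 'TechniqueName', 'Tactic', 'Data Source').
$techniques = Invoke-ATTACKAPI -Category -Technique

# 1. Rank data sources by how many techniques they can surface. A hunt team can use this
#    to decide which telemetry (process monitoring, packet capture, ...) to onboard first.
$coverage = foreach ($t in $techniques) {
    # 'Data Source' is an array in the output; @() also handles a single value or an empty set.
    foreach ($ds in @($t.'Data Source')) {
        [pscustomobject]@{
            DataSource = $ds
            ID         = @($t.ID) -join ','
            Technique  = @($t.TechniqueName) -join ','
        }
    }
}
$coverage |
    Group-Object DataSource |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'DataSource'; Expression = { $_.Name } } |
    Format-Table -AutoSize

# 2. List the techniques a single data source covers, with their tactics, so the hunt can be
#    scoped to what the available logs can actually detect. 'Tactic' may be a single string
#    (T1001) or an array (T1068), so it is normalised with @() before joining.
$source = 'Process monitoring'
$techniques |
    Where-Object { @($_.'Data Source') -contains $source } |
    Select-Object @{ Name = 'ID';        Expression = { @($_.ID) -join ',' } },
                  @{ Name = 'Technique'; Expression = { @($_.TechniqueName) -join ',' } },
                  @{ Name = 'Tactic';    Expression = { @($_.Tactic) -join ', ' } } |
    Sort-Object ID |
    Format-Table -AutoSize
```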

Copyright (c) 2017 Roberto Rodriguez

Source: https://github.com/Cyb3rWard0g/