Coder Social home page Coder Social logo

attack-detections-collector's Introduction

ATT&CK Detections Collector

Collects a listing of ATT&CK techniques, then discovers ESCU detections for the technique. Results may be saved as HTML or for use with ATT&CK Navigator.

Installation

pip3 install -r requirements.txt

Usage

To display usage, simply run: python3 adc.py -h

usage: adc.py [-h] [-e EXTRACT_IDS [EXTRACT_IDS ...]] [-t TECHNIQUE_IDS [TECHNIQUE_IDS ...]]
              [-d DETECTIONS] [-o OUTFILE] [--as-navigator]
              [--attack-domain {enterprise-attack,mobile-attack,pre-attack}] [--update-cache]

optional arguments:
  -h, --help            show this help message and exit
  -e EXTRACT_IDS [EXTRACT_IDS ...], --extract-ids EXTRACT_IDS [EXTRACT_IDS ...]
                        Extract ATT&CK Techniques IDs from file or URL
  -t TECHNIQUE_IDS [TECHNIQUE_IDS ...], --technique-ids TECHNIQUE_IDS [TECHNIQUE_IDS ...]
                        ATT&CK Techniques IDs to find
  -d DETECTIONS, --detections DETECTIONS
                        Path to ESCU detections root
  -o OUTFILE, --outfile OUTFILE
                        Filename to save results to
  --as-navigator        Save results as ATT&CK Navigator instead of HTML table
  --attack-domain {enterprise-attack,mobile-attack,pre-attack}
                        ATT&CK Framework to leverage
  --update-cache        Update the locally cached ATT&CK database

HTML Output

To query for specific techniques and save results to an HTML file:

python3 adc.py -t T1133 T1078 T1059.001 -o results.html

Or, to pull content from a URL and automagically extract techniques:

python3 adc.py -e  https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html \
    -o results.html

You will have an HTML table containing all detections identified.

ATT&CK Navigator Output

To query for specific techniques and save results to an HTML file:

python3 adc.py -t T1133 T1078 T1059.001 -o results-navigator.json --as-navigator

Or, to pull content from a URL and automagically extract techniques:

python3 adc.py -e  https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html \
    -o results-navigator.json --as-navigator

ATT&CK Navigator Template Customizations

The output for ATT&CK Navigator may be customized by updating attack-navigator-template.json. This script requires a fully functional template that must includes the techniques object within the json.

attack-detections-collector's People

Contributors

drewchurch avatar mlaferrera avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

drewchurch samettonyali siberavci n0psl1de isabella232 dev1nagy sachinpatkar gkhan496 cybersecops arunsigood pabit renozion ethicalsecurity-agency ghas-results shellb0y signalsculptor

attack-detections-collector's Issues

list index out of range in 'load_detections'

Error example

>python adc.py -t T1133 -o results.html
Traceback (most recent call last):
  File "adc.py", line 279, in <module>
    args.detections, navigator_template="attack-navigator-template.json"
  File "adc.py", line 112, in __init__
    self.load_detections()
  File "adc.py", line 128, in load_detections
    uri_path = f"{subdir}{str(path).split(subdir)[1]}"
IndexError: list index out of range

Potential fix to load_detections() function?

Change

uri_path = f"{subdir}{str(path).split(subdir)[1]}"
self.detections.append((uri_path, yaml.safe_load(f)))

to

if len(str(path).split(subdir))>1:
  uri_path = f"{subdir}{str(path).split(subdir)[1]}"
  self.detections.append((uri_path, yaml.safe_load(f)))

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.