Mitre Att&ck
resource: Mitre Usage
A very simple approach to populating a fixed-width, delimited CSV from the MITRE ATT&CK Enterprise JSON (the STIX bundle `enterprise-attack.json`).
The PowerShell lines below are to be executed from a PowerShell prompt or pasted into a PowerShell script.
Next, import the CSV into your favourite spreadsheet; take care to remove extraneous separators.
I'll attempt to provide a prepared spreadsheet for review later on.

NOTE: MITRE delivers a .json which is not well normalised; be careful and validate your data, minor cleanup is required.
```powershell
# Load the Enterprise ATT&CK STIX bundle; -Raw hands ConvertFrom-Json the file as one string
$mjson = Get-Content -Raw .\enterprise-attack.json | ConvertFrom-Json
# Stop PowerShell truncating arrays (platforms, data sources, ...) to 4 items in formatted output
$FormatEnumerationLimit = -1
```
This CSV should give you a lot to work with; enriching the data is recommended.

```powershell
# Techniques only, sorted by ATT&CK id; each calculated property expands one field into a column.
# A trailing comma or pipe continues the command on the next line.
$mjson | ForEach-Object objects |
    Where-Object -Property type -eq -Value "attack-pattern" |
    Sort-Object -Property { $_.external_references[0].external_id } |
    Format-Table -Property { $_.external_references[0].url },
        { $_.external_references[0].external_id },
        { $_.external_references[1].external_id },
        name, x_mitre_network_requirements, x_mitre_impact_type, x_mitre_effective_permissions,
        { $_.kill_chain_phases.phase_name },
        { $_.x_mitre_data_sources.count }, { $_.x_mitre_data_sources },
        { $_.x_mitre_platforms.count }, { $_.x_mitre_platforms },
        { $_.x_mitre_permissions_required.count }, { $_.x_mitre_permissions_required },
        x_mitre_remote_support, x_mitre_defense_bypassed |
    Out-File ./mitre_base.csv -Width 1024
```

The output is sorted once, before `Format-Table`; a second `Sort-Object` after `Format-Table` would re-order the formatting objects and scramble the table.
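The `Format-Table` route above writes a fixed-width text table that still needs cleanup in the spreadsheet. The following is an added example, not code from this repository, that produces a real comma-separated file with `Export-Csv` instead: it drops retired objects using the `revoked` and `x_mitre_deprecated` flags MITRE sets on them, takes the ATT&CK id and URL from the `mitre-attack` external reference rather than assuming it is always first, and joins multi-valued fields with `;` so they survive a comma-delimited file. It assumes `enterprise-attack.json` is in the current directory; the output file name and the `;` separator are this example's own choices.

```powershell
# Added example (not from the original page): export ATT&CK techniques as a true CSV.
# Assumes enterprise-attack.json (the MITRE STIX bundle) is in the current directory.
$bundle = Get-Content -Raw .\enterprise-attack.json | ConvertFrom-Json

# Keep only live techniques: MITRE marks retired objects with revoked / x_mitre_deprecated
$techniques = $bundle.objects |
    Where-Object { $_.type -eq 'attack-pattern' -and -not $_.revoked -and -not $_.x_mitre_deprecated }

$rows = foreach ($t in $techniques) {
    # The 'mitre-attack' external reference carries the T-number and the attack.mitre.org URL
    $ref = $t.external_references |
        Where-Object { $_.source_name -eq 'mitre-attack' } |
        Select-Object -First 1

    [pscustomobject]@{
        technique_id    = $ref.external_id
        name            = $t.name
        url             = $ref.url
        # Multi-valued fields are joined with ';' so they fit one CSV cell (a $null array joins to '')
        tactics         = ($t.kill_chain_phases.phase_name) -join ';'
        platforms       = ($t.x_mitre_platforms) -join ';'
        data_sources    = ($t.x_mitre_data_sources) -join ';'
        permissions     = ($t.x_mitre_permissions_required) -join ';'
        # x_mitre_is_subtechnique exists from ATT&CK v7 on; absent in older bundles -> False
        is_subtechnique = [bool]$t.x_mitre_is_subtechnique
    }
}

# Output file name is this example's choice; -NoTypeInformation drops the #TYPE header line
$rows | Sort-Object technique_id |
    Export-Csv -Path .\mitre_techniques.csv -NoTypeInformation -Encoding UTF8
```

Because `Export-Csv` quotes every cell, commas inside technique names no longer break columns, which is where most of the "extraneous separators" in the `Format-Table` approach come from.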
| ATT&CK concept | STIX object type  |
|----------------|-------------------|
| Technique      | attack-pattern    |
| Group          | intrusion-set     |
| Software       | malware or tool   |
| Mitigation     | course-of-action  |
| Tactic         | x-mitre-tactic    |
| Matrix         | x-mitre-matrix    |
external references

```powershell
# Every object type carries external_references (ATT&CK id, URL and citations)
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "attack-pattern" | ForEach-Object external_references
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "intrusion-set" | ForEach-Object external_references
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "malware" | ForEach-Object external_references
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "tool" | ForEach-Object external_references
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "x-mitre-tactic" | ForEach-Object external_references
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "x-mitre-matrix" | ForEach-Object external_references
```
data sources

```powershell
# Data sources listed per technique (one line per entry, duplicates included)
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "attack-pattern" | ForEach-Object x_mitre_data_sources
```

uniques

```powershell
# Distinct data sources and platforms across all techniques
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "attack-pattern" | ForEach-Object x_mitre_data_sources | Sort-Object -Unique
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "attack-pattern" | ForEach-Object x_mitre_platforms | Sort-Object -Unique
```
sorting

```powershell
# Tactics sorted by ATT&CK id (TA0001 ...)
$mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "x-mitre-tactic" | Sort-Object -Property { $_.external_references.external_id } | Format-Table -Property { $_.external_references[0].external_id }, name, { $_.external_references.url }
```
lookup tables

```powershell
# STIX ids (e.g. tool--<uuid>) of every tool, malware and group object
$mtools = $mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "tool" | ForEach-Object id
$mmalwr = $mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "malware" | ForEach-Object id
$mgroup = $mjson | ForEach-Object objects | Where-Object -Property type -eq -Value "intrusion-set" | ForEach-Object id
```
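The id lists above only become useful once they are turned into lookup tables and joined to the bundle's `relationship` objects, which is where the enrichment recommended earlier happens. The following is an added example, not code from this repository: it builds hashtables from STIX id to name and to ATT&CK id, then resolves the `uses` relationships between groups (`intrusion-set`) and techniques (`attack-pattern`) and counts how many groups are recorded against each technique, a quick way to prioritise detection coverage. It assumes `$mjson` was loaded as shown on this page; the variable names are this example's own.

```powershell
# Added example (not from the original page): resolve group -> technique relationships.
# Assumes $mjson holds the Enterprise bundle loaded with ConvertFrom-Json as above.
$objects = $mjson.objects

# STIX id -> human-readable name for the object types we want to resolve
$names = @{}
foreach ($o in $objects | Where-Object { $_.type -in 'intrusion-set', 'malware', 'tool', 'attack-pattern' }) {
    $names[$o.id] = $o.name
}

# STIX id -> ATT&CK id (G0007, T1059, S0002 ...) taken from the 'mitre-attack' external reference
$attackIds = @{}
foreach ($o in $objects | Where-Object { $_.external_references }) {
    $ref = $o.external_references |
        Where-Object { $_.source_name -eq 'mitre-attack' } |
        Select-Object -First 1
    if ($ref) { $attackIds[$o.id] = $ref.external_id }
}

# 'uses' relationships: source_ref is the group, target_ref the technique; skip revoked edges
$groupTechniques = $objects |
    Where-Object { $_.type -eq 'relationship' -and $_.relationship_type -eq 'uses' -and -not $_.revoked } |
    Where-Object { $_.source_ref -like 'intrusion-set--*' -and $_.target_ref -like 'attack-pattern--*' } |
    ForEach-Object {
        [pscustomobject]@{
            group_id     = $attackIds[$_.source_ref]
            group        = $names[$_.source_ref]
            technique_id = $attackIds[$_.target_ref]
            technique    = $names[$_.target_ref]
        }
    }

# Techniques ranked by the number of groups recorded using them
$groupTechniques |
    Group-Object technique_id |
    Sort-Object Count -Descending |
    Select-Object -First 20 -Property Count, Name, @{ n = 'technique'; e = { $_.Group[0].technique } }
```

`$groupTechniques` can be written out with `Export-Csv` in the same way as the technique list, and the same pattern with `source_ref -like 'malware--*'` or `'tool--*'` resolves software-to-technique edges, which is what the `$mtools` and `$mmalwr` lists are for.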
welcome to the blues, commandline.be at your service