From aa9b3454fe343d8e830e5612918f44b35b23cd1e Mon Sep 17 00:00:00 2001
From: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>
Date: Fri, 17 Apr 2026 23:30:19 -0400
Subject: [PATCH] Fix Azure AD CSV Index and MITRE ATT&CK Navigator JSON (#3301)

Co-authored-by: Bhavin Patel
---
 atomics/T1071.004/src/T1071-dns-beacon.ps1 | 2 +-
 bin/generate-atomic-docs.rb | 20 ++++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/atomics/T1071.004/src/T1071-dns-beacon.ps1 b/atomics/T1071.004/src/T1071-dns-beacon.ps1
index 9a5d81b1..8aa6052c 100644
--- a/atomics/T1071.004/src/T1071-dns-beacon.ps1
+++ b/atomics/T1071.004/src/T1071-dns-beacon.ps1
@@ -13,6 +13,6 @@ Do {
 $TimeNow = Get-Date
 Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
 $Jitter = (Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1
-Start-Sleep -Seconds $C2Interval
+Start-Sleep -Seconds ($C2Interval * $Jitter)
 } Until ($TimeNow -ge $RunEnd)
\ No newline at end of file
diff --git a/bin/generate-atomic-docs.rb b/bin/generate-atomic-docs.rb
index ecdd1f56..7f80ab2b 100755
--- a/bin/generate-atomic-docs.rb
+++ b/bin/generate-atomic-docs.rb
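Review bot: Now that the sleep is multiplied by $Jitter, a -C2Jitter of 100 or more lets the factor reach zero or go negative, and Start-Sleep rejects a negative -Seconds value, so the beacon loop would abort instead of pausing; the previous code computed $Jitter but never used it, which is why this never surfaced. A cheap guard is to clamp at the call, `Start-Sleep -Seconds ([Math]::Max(0, $C2Interval * $Jitter))`, or to constrain the parameter with `[ValidateRange(0, 99)]` in the param block, which lies outside the hunk. Note also that Get-Random's -Maximum is exclusive, so a -C2Jitter of 0 makes the equal bounds an error (leaving $Jitter unset and the sleep zero) and the factor otherwise never reaches the full +$C2Jitter percent; a short comment on the $Jitter line stating the intended range would make that explicit. The Do loop that contains these lines begins before the hunk.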
@@ -59,7 +59,7 @@ class AtomicRedTeamDocs
 generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/office-365-index.csv", only_platform: /office-365/, attack_platform: /office/
 generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/google-workspace-index.csv", only_platform: /google-workspace/, attack_platform: /identity/
 generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/azure-ad-index.csv", only_platform: /azure-ad/, attack_platform: /identity/
-generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/azure-ad-index.csv", only_platform: /esxi/, attack_platform: /esxi/
+generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/esxi-index.csv", only_platform: /esxi/, attack_platform: /esxi/
 generate_yaml_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/index.yaml"
 ["windows", "macos", "linux", "office-365", "azure-ad", "google-workspace", "saas", "iaas", "containers", "iaas:gcp", "iaas:azure", "iaas:aws", "esxi"].each do | platform|
@@ -241,10 +241,10 @@ class AtomicRedTeamDocs
 layer = {
 "name" => layer_name,
-"versions" => { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
+"versions" => { "attack": "18", "navigator": "5.3.0", "layer": "4.5" },
 "description" => layer_name + " MITRE ATT&CK Navigator Layer",
 "domain" => "enterprise-attack",
-"filters"=> filters,
+"filters"=> filters,
 "gradient" => {
 "colors" => ["#ffffff", "#ce232e"
@@ -265,11 +265,11 @@ class AtomicRedTeamDocs
 "techniques" => techniques
 }
 end
-
+
 #
 # Process the current technique and update the list
-#
+#
 def update_techniquesList(current_technique, current_techniqueParent, techniques_list, atomic_yaml, comments)
 if not atomic_yaml['attack_technique'].include?(".") then
 tech_parent = techniques_list.find { |h| h["techniqueID"] == atomic_yaml['attack_technique'].split('.')[0] }
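Review bot: The corrected esxi line is the fifth copy of the same `"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/…"` prefix in this hunk, and that repetition is what made the original copy-paste slip (the esxi index written over azure-ad-index.csv) easy to miss; a local such as `indexes_dir = "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV"` would shorten each call to `generate_index_csv! "#{indexes_dir}/esxi-index.csv", only_platform: /esxi/, attack_platform: /esxi/`. The platform list on the `.each do | platform|` line spells out the same set of names a second time, so one platform-to-attack_platform table driving both the CSV calls and that loop would remove the chance of the two drifting apart. The enclosing method starts and ends outside the hunk.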
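Review bot: The new `"versions"` line mixes key styles — `"attack": "18"` creates symbol keys while every other entry in `layer` uses string keys with `=>`; the generated JSON is the same either way, but `"versions" => { "attack" => "18", "navigator" => "5.3.0", "layer" => "4.5" },` would read consistently. Since these three strings will need bumping again at the next ATT&CK release, hoisting them into a frozen constant near the top of the class would keep the next change to one line. Separately, the whitespace-only hunk at line 483 of this file leaves a stray `puts techniques_iaas_gcp` in place, which prints the whole GCP technique array to stdout on every doc run and looks like leftover debugging. The enclosing method (apparently `get_layer`, given the calls at line 483) starts before this hunk and its closing `end` sits in the following hunk.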
@@ -298,7 +298,7 @@ class AtomicRedTeamDocs
 techniques_list.push(current_technique)
 end
 end
-
+
 #
 # Generates a MITRE ATT&CK Navigator Layer based on contributed techniques
 #
@@ -385,7 +385,7 @@ class AtomicRedTeamDocs
 win_technique['score'] += 1
 win_technique['comment'] += "- " + atomic['name'] + "\n"
 end
-if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then
+if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then
 has_macos_tests = true
 macos_technique['score'] += 1
 macos_technique['comment'] += "- " + atomic['name'] + "\n"
@@ -441,7 +441,7 @@ class AtomicRedTeamDocs
 esxi_technique['comment'] += "- " + atomic['name'] + "\n"
 end
 end
-
+
 # Update full Atomic Layer
 update_techniquesList(technique, techniqueParent, techniques, atomic_yaml, false)
 # Update all other Atomic Layers
@@ -483,9 +483,9 @@ class AtomicRedTeamDocs
 end
 end
 end
-
+
 puts techniques_iaas_gcp
-
+
 layer = get_layer techniques, "Atomic Red Team"
 layer_win = get_layer techniques_win, "Atomic Red Team (Windows)"
 layer_mac = get_layer techniques_mac, "Atomic Red Team (macOS)"