From ec6ea1085fbfd5890d9ec5d9458a6457d830243e Mon Sep 17 00:00:00 2001
From: Brian Beyer <brian@redcanary.com>
Date: Thu, 10 May 2018 14:10:12 -0600
Subject: [PATCH] pull in attack stix

---
 atomics/atomic_doc_template.md.erb |  5 ++---
 atomics/t1046/t1046.md             |  6 ++++--
 atomics/t1087/t1087.md             |  6 ++++--
 atomics/t1089/t1089.md             |  4 ++--
 atomics/t1099/t1099.md             |  4 ++--
 atomics/t1105/t1105.md             |  4 ++--
 atomics/t1123/t1123.md             |  6 ++++--
 atomics/t1130/t1130.md             |  6 ++++--
 atomics/t1136/t1136.md             |  8 ++++++--
 atomics/t1139/t1139.md             |  7 +++++--
 atomics/t1146/t1146.md             |  4 ++--
 atomics/t1148/t1148.md             |  4 ++--
 atomics/t1158/t1158.md             |  4 ++--
 atomics/t1176/t1176.md             | 10 ++++++++--
 generate_atomic_docs.rb            | 28 +++++++++++++++++++++++-----
 15 files changed, 72 insertions(+), 34 deletions(-)

diff --git a/atomics/atomic_doc_template.md.erb b/atomics/atomic_doc_template.md.erb
index 19d77c95..670fc267 100644
--- a/atomics/atomic_doc_template.md.erb
+++ b/atomics/atomic_doc_template.md.erb
@@ -1,7 +1,6 @@
 # <%= technique['identifier'] %> - <%= technique['name'] -%>
-<%- if technique['identifier'].start_with? 'T' %>
-MITRE ATT&CK Technique: [<%= technique['identifier'] %>](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
-<% end -%>
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
+<%= technique['description'] %>
 
 <% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
 <% title = "Atomic Test ##{test_number+1} - #{test['name']}" %>
diff --git a/atomics/t1046/t1046.md b/atomics/t1046/t1046.md
index bfcda16c..ae1ec582 100644
--- a/atomics/t1046/t1046.md
+++ b/atomics/t1046/t1046.md
@@ -1,5 +1,7 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1046 - Network Service Scanning Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
+Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.
+
+Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
 
 
 - [Atomic Test #1 - Scan a bunch of ports to see if they are open](#atomic-test-1---scan-a-bunch-of-ports-to-see-if-they-are-open)
diff --git a/atomics/t1087/t1087.md b/atomics/t1087/t1087.md
index dac65401..7e7e3091 100644
--- a/atomics/t1087/t1087.md
+++ b/atomics/t1087/t1087.md
@@ -1,5 +1,7 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1087 - Account Discovery Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087)
+Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located <code>HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators</code>. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)
+
+Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
 
 
 - [Atomic Test #1 - List all accounts](#atomic-test-1---list-all-accounts)
diff --git a/atomics/t1089/t1089.md b/atomics/t1089/t1089.md
index f2c14f74..4e9f8e62 100644
--- a/atomics/t1089/t1089.md
+++ b/atomics/t1089/t1089.md
@@ -1,5 +1,5 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1089 - Disabling Security Tools Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1089)
+Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.
 
 
 - [Atomic Test #1 - Disable iptables firewall](#atomic-test-1---disable-iptables-firewall)
diff --git a/atomics/t1099/t1099.md b/atomics/t1099/t1099.md
index 3bf22e68..2d0b128e 100644
--- a/atomics/t1099/t1099.md
+++ b/atomics/t1099/t1099.md
@@ -1,5 +1,5 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1099 - Timestomp Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1099)
+Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
 
 
 - [Atomic Test #1 - Set a file's access timestamp](#atomic-test-1---set-a-files-access-timestamp)
diff --git a/atomics/t1105/t1105.md b/atomics/t1105/t1105.md
index 9fe456a1..af92a49c 100644
--- a/atomics/t1105/t1105.md
+++ b/atomics/t1105/t1105.md
@@ -1,5 +1,5 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1105 - Remote File Copy Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105)
+Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
 
 
 - [Atomic Test #1 - xxxx](#atomic-test-1---xxxx)
diff --git a/atomics/t1123/t1123.md b/atomics/t1123/t1123.md
index 065e0467..77fe379d 100644
--- a/atomics/t1123/t1123.md
+++ b/atomics/t1123/t1123.md
@@ -1,5 +1,7 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1123 - Audio Capture Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1123)
+Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.
+
+Identify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
 
 
 - [Atomic Test #1 - SourceRecorder via Windows command prompt](#atomic-test-1---sourcerecorder-via-windows-command-prompt)
diff --git a/atomics/t1130/t1130.md b/atomics/t1130/t1130.md
index 136e61e9..04b9ba2c 100644
--- a/atomics/t1130/t1130.md
+++ b/atomics/t1130/t1130.md
@@ -1,5 +1,7 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1130 - Install Root Certificate Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1130)
+HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)
+
+Windows Group Policy can be used to manage root certificates and the <code>Flags</code> value of <code>HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots</code> can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)
 
 
 - [Atomic Test #1 - Install root CA on CentOS/RHEL](#atomic-test-1---install-root-ca-on-centosrhel)
diff --git a/atomics/t1136/t1136.md b/atomics/t1136/t1136.md
index b93c00a7..d8c2a932 100644
--- a/atomics/t1136/t1136.md
+++ b/atomics/t1136/t1136.md
@@ -1,5 +1,9 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1136 - Create Account Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
+Use and enforce multifactor authentication. Follow guidelines to prevent or limit adversary access to Valid Accounts that may be used to create privileged accounts within an environment.
+
+Adversaries that create local accounts on systems may have limited access within a network if access levels are properly locked down. These accounts may only be needed for persistence on individual systems and their usefulness depends on the utility of the system they reside on.
+
+Protect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
 
 
 - [Atomic Test #1 - Create a user account on a Linux system](#atomic-test-1---create-a-user-account-on-a-linux-system)
diff --git a/atomics/t1139/t1139.md b/atomics/t1139/t1139.md
index 72b02e3a..49725c43 100644
--- a/atomics/t1139/t1139.md
+++ b/atomics/t1139/t1139.md
@@ -1,5 +1,8 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1139 - Bash History Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1139)
+There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:
+<code>set +o history</code> and <code>set -o history</code> to start logging again;
+<code>unset HISTFILE</code> being added to a user's .bash_rc file; and
+<code>ln -s /dev/null ~/.bash_history</code> to write commands to <code>/dev/null</code>instead.
 
 
 - [Atomic Test #1 - xxxx](#atomic-test-1---xxxx)
diff --git a/atomics/t1146/t1146.md b/atomics/t1146/t1146.md
index eda6825d..6d317641 100644
--- a/atomics/t1146/t1146.md
+++ b/atomics/t1146/t1146.md
@@ -1,5 +1,5 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1146 - Clear Command History Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
+Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their <code>~/.bash_history</code> files. Additionally, making these environment variables readonly can make sure that the history is preserved   (Citation: Securing bash history).
 
 
 - [Atomic Test #1 - Clear Bash history (rm)](#atomic-test-1---clear-bash-history-rm)
diff --git a/atomics/t1148/t1148.md b/atomics/t1148/t1148.md
index a617308f..4b4a30cc 100644
--- a/atomics/t1148/t1148.md
+++ b/atomics/t1148/t1148.md
@@ -1,5 +1,5 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1146 - Clear Command History Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
+Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their <code>~/.bash_history</code> files. Additionally, making these environment variables readonly can make sure that the history is preserved   (Citation: Securing bash history).
 
 
 - [Atomic Test #1 - Disable history collection](#atomic-test-1---disable-history-collection)
diff --git a/atomics/t1158/t1158.md b/atomics/t1158/t1158.md
index 58a57ef0..178fd089 100644
--- a/atomics/t1158/t1158.md
+++ b/atomics/t1158/t1158.md
@@ -1,5 +1,5 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1158 - Hidden Files and Directories Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1158)
+Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.
 
 
 - [Atomic Test #1 - Create a hidden file in a hidden directory](#atomic-test-1---create-a-hidden-file-in-a-hidden-directory)
diff --git a/atomics/t1176/t1176.md b/atomics/t1176/t1176.md
index c993abc3..7b81d23c 100644
--- a/atomics/t1176/t1176.md
+++ b/atomics/t1176/t1176.md
@@ -1,5 +1,11 @@
-# T1234 - Create Account
-MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+# T1176 - Browser Extensions Mitigation## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
+Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.
+
+Browser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)
+
+Change settings to prevent the browser from installing extensions without sufficient permissions.
+
+Close out all browser sessions when finished using them.
 
 
 - [Atomic Test #1 - Chrome (Developer Mode)](#atomic-test-1---chrome-developer-mode)
diff --git a/generate_atomic_docs.rb b/generate_atomic_docs.rb
index 20ebaf6a..be959b31 100755
--- a/generate_atomic_docs.rb
+++ b/generate_atomic_docs.rb
@@ -2,15 +2,33 @@
 require 'yaml'
 require 'ostruct'
 require 'erb'
+require 'open-uri'
+require 'json'
+
+def attack_technique_library
+  @attack_json ||= begin
+    local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
+    if File.exists? local_attack_json_to_try
+      JSON.parse File.read(local_attack_json_to_try)
+    else
+      JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
+    end
+  end
+end
+
+def attack_technique_info(technique_id)
+  attack_technique_library.fetch("objects").find do |item| 
+    item.fetch('external_references', []).find do |references|
+      references['source_name'] == 'mitre-attack' && references['external_id'] == technique_id.upcase
+    end
+  end
+end
 
 def generate_docs!(path)
   atomic_yaml = YAML.load(File.read path)
 
-  technique = {
-    # TODO GET FROM MITRE
-    'identifier' => "T1234",
-    'name' => "Create Account",
-  }
+  technique = attack_technique_info(atomic_yaml.fetch('attack_technique'))
+  technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
 
   template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-"
   generated_doc = template.result(binding)