2020-06-29 23:17:38 -06:00
|
|
|
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
2021-03-03 22:12:11 -09:00
|
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
|
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
|
|
|
# 2.0.
|
2020-06-29 23:17:38 -06:00
|
|
|
|
|
|
|
|
"""Mitre attack info."""
|
2020-12-18 12:46:16 -09:00
|
|
|
import re
|
|
|
|
|
import time
|
2022-02-24 16:37:23 -09:00
|
|
|
from pathlib import Path
|
2022-11-01 11:14:40 -08:00
|
|
|
from typing import Optional
|
2020-09-24 01:03:29 -05:00
|
|
|
|
|
|
|
|
import json
|
|
|
|
|
import requests
|
|
|
|
|
from collections import OrderedDict
|
|
|
|
|
|
2023-02-07 14:26:29 -05:00
|
|
|
from semver import Version
|
2022-11-01 11:14:40 -08:00
|
|
|
from .utils import cached, clear_caches, get_etc_path, get_etc_glob_path, read_gzip, gzip_compress
|
2020-09-24 01:03:29 -05:00
|
|
|
|
2020-06-29 23:17:38 -06:00
|
|
|
PLATFORMS = ['Windows', 'macOS', 'Linux']
|
2024-05-23 17:36:51 -04:00
|
|
|
CROSSWALK_FILE = get_etc_path('attack-crosswalk.json')
|
|
|
|
|
TECHNIQUES_REDIRECT_FILE = get_etc_path('attack-technique-redirects.json')
|
2020-12-18 12:46:16 -09:00
|
|
|
|
2020-09-24 01:03:29 -05:00
|
|
|
tactics_map = {}
|
|
|
|
|
|
|
|
|
|
|
2022-11-01 11:14:40 -08:00
|
|
|
@cached
|
|
|
|
|
def load_techniques_redirect() -> dict:
|
|
|
|
|
return json.loads(TECHNIQUES_REDIRECT_FILE.read_text())['mapping']
|
|
|
|
|
|
|
|
|
|
|
2024-05-23 17:36:51 -04:00
|
|
|
def get_attack_file_path() -> Path:
|
2020-09-24 01:03:29 -05:00
|
|
|
pattern = 'attack-v*.json.gz'
|
|
|
|
|
attack_file = get_etc_glob_path(pattern)
|
2022-12-08 15:49:49 -05:00
|
|
|
if len(attack_file) < 1:
|
2020-09-24 01:03:29 -05:00
|
|
|
raise FileNotFoundError(f'Missing required {pattern} file')
|
2022-12-08 15:49:49 -05:00
|
|
|
elif len(attack_file) != 1:
|
|
|
|
|
raise FileExistsError(f'Multiple files found with {pattern} pattern. Only one is allowed')
|
2024-05-23 17:36:51 -04:00
|
|
|
return Path(attack_file[0])
|
2020-09-24 01:03:29 -05:00
|
|
|
|
2020-06-29 23:17:38 -06:00
|
|
|
|
2024-05-23 17:36:51 -04:00
|
|
|
_, _attack_path_base = str(get_attack_file_path()).split('-v')
|
2022-03-04 08:20:44 -09:00
|
|
|
_ext_length = len('.json.gz')
|
|
|
|
|
CURRENT_ATTACK_VERSION = _attack_path_base[:-_ext_length]
|
|
|
|
|
|
|
|
|
|
|
2022-02-24 16:37:23 -09:00
|
|
|
def load_attack_gz() -> dict:
|
2022-03-04 08:20:44 -09:00
|
|
|
|
2020-09-24 01:03:29 -05:00
|
|
|
return json.loads(read_gzip(get_attack_file_path()))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
attack = load_attack_gz()
|
2020-06-29 23:17:38 -06:00
|
|
|
|
|
|
|
|
technique_lookup = {}
|
2020-09-24 01:03:29 -05:00
|
|
|
revoked = {}
|
2020-12-18 12:46:16 -09:00
|
|
|
deprecated = {}
|
2020-06-29 23:17:38 -06:00
|
|
|
|
|
|
|
|
for item in attack["objects"]:
|
2020-09-24 01:03:29 -05:00
|
|
|
if item["type"] == "x-mitre-tactic":
|
|
|
|
|
tactics_map[item['name']] = item['external_references'][0]['external_id']
|
|
|
|
|
|
2020-06-29 23:17:38 -06:00
|
|
|
if item["type"] == "attack-pattern" and item["external_references"][0]['source_name'] == 'mitre-attack':
|
|
|
|
|
technique_id = item['external_references'][0]['external_id']
|
|
|
|
|
technique_lookup[technique_id] = item
|
|
|
|
|
|
2020-09-24 01:03:29 -05:00
|
|
|
if item.get('revoked'):
|
|
|
|
|
revoked[technique_id] = item
|
|
|
|
|
|
2020-12-18 12:46:16 -09:00
|
|
|
if item.get('x_mitre_deprecated'):
|
|
|
|
|
deprecated[technique_id] = item
|
|
|
|
|
|
|
|
|
|
revoked = dict(sorted(revoked.items()))
|
|
|
|
|
deprecated = dict(sorted(deprecated.items()))
|
2020-09-24 01:03:29 -05:00
|
|
|
tactics = list(tactics_map)
|
|
|
|
|
matrix = {tactic: [] for tactic in tactics}
|
|
|
|
|
no_tactic = []
|
2020-06-29 23:17:38 -06:00
|
|
|
attack_tm = 'ATT&CK\u2122'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Enumerate over the techniques and build the matrix back up
|
|
|
|
|
for technique_id, technique in sorted(technique_lookup.items(), key=lambda kv: kv[1]['name'].lower()):
|
2020-09-24 01:03:29 -05:00
|
|
|
kill_chain = technique.get('kill_chain_phases')
|
|
|
|
|
if kill_chain:
|
|
|
|
|
for tactic in kill_chain:
|
|
|
|
|
tactic_name = next(t for t in tactics if tactic['kill_chain_name'] == 'mitre-attack' and t.lower() == tactic['phase_name'].replace("-", " ")) # noqa: E501
|
|
|
|
|
matrix[tactic_name].append(technique_id)
|
|
|
|
|
else:
|
|
|
|
|
no_tactic.append(technique_id)
|
2020-06-29 23:17:38 -06:00
|
|
|
|
|
|
|
|
for tactic in matrix:
|
|
|
|
|
matrix[tactic].sort(key=lambda tid: technique_lookup[tid]['name'].lower())
|
|
|
|
|
|
|
|
|
|
|
2020-09-24 01:03:29 -05:00
|
|
|
technique_lookup = OrderedDict(sorted(technique_lookup.items()))
|
|
|
|
|
techniques = sorted({v['name'] for k, v in technique_lookup.items()})
|
2020-12-09 07:56:55 +01:00
|
|
|
technique_id_list = [t for t in technique_lookup if '.' not in t]
|
|
|
|
|
sub_technique_id_list = [t for t in technique_lookup if '.' in t]
|
2020-09-24 01:03:29 -05:00
|
|
|
|
|
|
|
|
|
2022-11-01 11:14:40 -08:00
|
|
|
def refresh_attack_data(save=True) -> (Optional[dict], Optional[bytes]):
|
2020-09-24 01:03:29 -05:00
|
|
|
"""Refresh ATT&CK data from Mitre."""
|
2024-05-23 17:36:51 -04:00
|
|
|
attack_path = get_attack_file_path()
|
2022-02-24 16:37:23 -09:00
|
|
|
filename, _, _ = attack_path.name.rsplit('.', 2)
|
2020-09-24 01:03:29 -05:00
|
|
|
|
|
|
|
|
def get_version_from_tag(name, pattern='att&ck-v'):
|
|
|
|
|
_, version = name.lower().split(pattern, 1)
|
|
|
|
|
return version
|
|
|
|
|
|
2023-02-07 14:26:29 -05:00
|
|
|
current_version = Version.parse(get_version_from_tag(filename, 'attack-v'), optional_minor_and_patch=True)
|
2020-09-24 01:03:29 -05:00
|
|
|
|
|
|
|
|
r = requests.get('https://api.github.com/repos/mitre/cti/tags')
|
|
|
|
|
r.raise_for_status()
|
|
|
|
|
releases = [t for t in r.json() if t['name'].startswith('ATT&CK-v')]
|
2023-02-07 14:26:29 -05:00
|
|
|
latest_release = max(releases, key=lambda release: Version.parse(get_version_from_tag(release['name']),
|
|
|
|
|
optional_minor_and_patch=True))
|
2020-09-24 01:03:29 -05:00
|
|
|
release_name = latest_release['name']
|
2023-02-07 14:26:29 -05:00
|
|
|
latest_version = Version.parse(get_version_from_tag(release_name), optional_minor_and_patch=True)
|
2020-09-24 01:03:29 -05:00
|
|
|
|
2023-02-07 14:26:29 -05:00
|
|
|
if current_version >= latest_version:
|
2020-09-24 01:03:29 -05:00
|
|
|
print(f'No versions newer than the current detected: {current_version}')
|
2022-11-01 11:14:40 -08:00
|
|
|
return None, None
|
2020-09-24 01:03:29 -05:00
|
|
|
|
|
|
|
|
download = f'https://raw.githubusercontent.com/mitre/cti/{release_name}/enterprise-attack/enterprise-attack.json'
|
|
|
|
|
r = requests.get(download)
|
|
|
|
|
r.raise_for_status()
|
|
|
|
|
attack_data = r.json()
|
|
|
|
|
compressed = gzip_compress(json.dumps(attack_data, sort_keys=True))
|
|
|
|
|
|
|
|
|
|
if save:
|
2024-05-23 17:36:51 -04:00
|
|
|
new_path = get_etc_path(f'attack-v{latest_version}.json.gz')
|
2022-02-24 16:37:23 -09:00
|
|
|
new_path.write_bytes(compressed)
|
|
|
|
|
attack_path.unlink()
|
2020-09-24 01:03:29 -05:00
|
|
|
print(f'Replaced file: {attack_path} with {new_path}')
|
|
|
|
|
|
|
|
|
|
return attack_data, compressed
|
2020-06-29 23:17:38 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def build_threat_map_entry(tactic: str, *technique_ids: str) -> dict:
|
|
|
|
|
"""Build rule threat map from technique IDs."""
|
2022-11-01 11:14:40 -08:00
|
|
|
techniques_redirect_map = load_techniques_redirect()
|
2020-06-29 23:17:38 -06:00
|
|
|
url_base = 'https://attack.mitre.org/{type}/{id}/'
|
2020-09-24 01:03:29 -05:00
|
|
|
tactic_id = tactics_map[tactic]
|
2020-12-09 07:56:55 +01:00
|
|
|
tech_entries = {}
|
|
|
|
|
|
|
|
|
|
def make_entry(_id):
|
|
|
|
|
e = {
|
|
|
|
|
'id': _id,
|
|
|
|
|
'name': technique_lookup[_id]['name'],
|
|
|
|
|
'reference': url_base.format(type='techniques', id=_id.replace('.', '/'))
|
|
|
|
|
}
|
|
|
|
|
return e
|
|
|
|
|
|
|
|
|
|
for tid in technique_ids:
|
2020-12-18 12:46:16 -09:00
|
|
|
# fail if deprecated or else convert if it has been replaced
|
|
|
|
|
if tid in deprecated:
|
|
|
|
|
raise ValueError(f'Technique ID: {tid} has been deprecated and should not be used')
|
|
|
|
|
elif tid in techniques_redirect_map:
|
|
|
|
|
tid = techniques_redirect_map[tid]
|
|
|
|
|
|
|
|
|
|
if tid not in matrix[tactic]:
|
|
|
|
|
raise ValueError(f'Technique ID: {tid} does not fall under tactic: {tactic}')
|
|
|
|
|
|
2020-12-09 07:56:55 +01:00
|
|
|
# sub-techniques
|
|
|
|
|
if '.' in tid:
|
|
|
|
|
parent_technique, _ = tid.split('.', 1)
|
|
|
|
|
tech_entries.setdefault(parent_technique, make_entry(parent_technique))
|
|
|
|
|
tech_entries[parent_technique].setdefault('subtechnique', []).append(make_entry(tid))
|
|
|
|
|
else:
|
|
|
|
|
tech_entries.setdefault(tid, make_entry(tid))
|
|
|
|
|
|
2020-06-29 23:17:38 -06:00
|
|
|
entry = {
|
|
|
|
|
'framework': 'MITRE ATT&CK',
|
|
|
|
|
'tactic': {
|
|
|
|
|
'id': tactic_id,
|
|
|
|
|
'name': tactic,
|
|
|
|
|
'reference': url_base.format(type='tactics', id=tactic_id)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 22:22:59 -07:00
|
|
|
if tech_entries:
|
|
|
|
|
entry['technique'] = sorted(tech_entries.values(), key=lambda x: x['id'])
|
|
|
|
|
|
2020-06-29 23:17:38 -06:00
|
|
|
return entry
|
2020-09-24 01:03:29 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def update_threat_map(rule_threat_map):
|
|
|
|
|
"""Update rule map techniques to reflect changes from ATT&CK."""
|
|
|
|
|
for entry in rule_threat_map:
|
|
|
|
|
for tech in entry['technique']:
|
|
|
|
|
tech['name'] = technique_lookup[tech['id']]['name']
|
2020-12-18 12:46:16 -09:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def retrieve_redirected_id(asset_id: str):
|
|
|
|
|
"""Get the ID for a redirected ATT&CK asset."""
|
|
|
|
|
if asset_id in (tactics_map.values()):
|
|
|
|
|
attack_type = 'tactics'
|
|
|
|
|
elif asset_id in list(technique_lookup):
|
|
|
|
|
attack_type = 'techniques'
|
|
|
|
|
else:
|
|
|
|
|
raise ValueError(f'Unknown asset_id: {asset_id}')
|
|
|
|
|
|
|
|
|
|
response = requests.get(f'https://attack.mitre.org/{attack_type}/{asset_id.replace(".", "/")}')
|
|
|
|
|
text = response.text.strip().strip("'").lower()
|
|
|
|
|
|
|
|
|
|
if text.startswith('<meta http-equiv="refresh"'):
|
|
|
|
|
new_id = re.search(r'url=\/\w+\/(.+)"', text).group(1).replace('/', '.').upper()
|
|
|
|
|
return new_id
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def build_redirected_techniques_map(threads=50):
|
|
|
|
|
"""Build a mapping of revoked technique IDs to new technique IDs."""
|
|
|
|
|
from multiprocessing.pool import ThreadPool
|
|
|
|
|
|
|
|
|
|
technique_map = {}
|
|
|
|
|
|
|
|
|
|
def download_worker(tech_id):
|
|
|
|
|
new = retrieve_redirected_id(tech_id)
|
|
|
|
|
if new:
|
|
|
|
|
technique_map[tech_id] = new
|
|
|
|
|
|
|
|
|
|
pool = ThreadPool(processes=threads)
|
|
|
|
|
pool.map(download_worker, list(technique_lookup))
|
|
|
|
|
pool.close()
|
|
|
|
|
pool.join()
|
|
|
|
|
|
|
|
|
|
return technique_map
|
|
|
|
|
|
|
|
|
|
|
2022-11-01 11:14:40 -08:00
|
|
|
def refresh_redirected_techniques_map(threads: int = 50):
|
2020-12-18 12:46:16 -09:00
|
|
|
"""Refresh the locally saved copy of the mapping."""
|
|
|
|
|
replacement_map = build_redirected_techniques_map(threads)
|
|
|
|
|
mapping = {'saved_date': time.asctime(), 'mapping': replacement_map}
|
|
|
|
|
|
2022-11-01 11:14:40 -08:00
|
|
|
TECHNIQUES_REDIRECT_FILE.write_text(json.dumps(mapping, sort_keys=True, indent=2))
|
|
|
|
|
# reset the cached redirect contents
|
|
|
|
|
clear_caches()
|
2020-12-18 12:46:16 -09:00
|
|
|
|
|
|
|
|
print(f'refreshed mapping file: {TECHNIQUES_REDIRECT_FILE}')
|
|
|
|
|
|
|
|
|
|
|
2022-11-01 11:14:40 -08:00
|
|
|
@cached
|
|
|
|
|
def load_crosswalk_map() -> dict:
|
2020-12-18 12:46:16 -09:00
|
|
|
"""Retrieve the replacement mapping."""
|
2022-11-01 11:14:40 -08:00
|
|
|
return json.loads(CROSSWALK_FILE.read_text())['mapping']
|
