
Making MITRE ATT&CK Actionable

The Swimlane Deep Dive team is excited to announce the release of pyattck 2.0 and an equivalent PowerShell version called PSAttck. These open-source tools provide security operations centers (SOCs), defenders and offensive security teams with external data points that enrich MITRE ATT&CK by providing potential commands, queries and even detections for specific techniques. Additionally, these data points provide context on specific threat actors or groups, as well as details about the different tools used by malicious actors.

By having access to MITRE ATT&CK techniques, actors and tools, security professionals can search logs for potential commands related to a specific technique, allowing them to build and retrieve detections and queries with the information. These open-source projects utilize several other open-source projects to provide actionable context instead of relying on specific domain knowledge and experience with a specific technique, actor or tool listed within MITRE ATT&CK.

NOTE: Not all techniques will have external data properties, but we will be continually expanding this data set to have coverage for all techniques in the future.

pyattck and PSAttck offer access to the following external data points:

  • Targets, operations and additional data related to actors.
  • Potential commands, queries, detections from open-source projects for individual techniques.
  • Data from http://www.thec2matrix.com and additional datasets, providing context to specific tools used by attackers.

More information about these features is available on our Attck site, which contains documentation for pyattck, PSAttck and the generated external data.

https://swimlane.github.io/att… contains documentation and resources related to all MITRE ATT&CK Tools and data from Swimlane.

Both pyattck and PSAttck are available on their respective package management platforms and can be installed as of today!

Installing & Using pyattck

pyattck is available on pypi.org and installable using pip. To install pyattck you can run the following command:

pip install "pyattck>=2.0.2"

With the release of pyattck 2.0, we have restructured the project to segment the different ATT&CK frameworks. This means you can now access the PRE-ATT&CK, Mobile, and Enterprise frameworks from pyattck. If you want to access data from the Enterprise ATT&CK framework only, then specify the enterprise property:

from pyattck import Attck

attck = Attck()
for technique in attck.enterprise.techniques:
    print(technique.name)
    print(technique.id)
    # if the technique has a command_list you can access it here
    if hasattr(technique, 'command_list'):
        print(technique.command_list)
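To show what "searching logs for potential commands related to a specific technique" looks like in practice, here is an added example (not code from pyattck or the original post). It uses a constructed stand-in for the technique objects that mirrors only the attribute names used above (id, name, command_list), builds a command-to-technique index, and tags constructed sample log lines with the technique IDs whose potential commands they contain; in real use the stand-in list would be replaced by attck.enterprise.techniques.

```python
from dataclasses import dataclass, field
from typing import Dict, List


# Constructed stand-in for the objects yielded by attck.enterprise.techniques.
# It mirrors only the attribute names used in the snippet above; it is not
# the pyattck class. Swap SAMPLE_TECHNIQUES for Attck().enterprise.techniques.
@dataclass
class Technique:
    id: str
    name: str
    command_list: List[str] = field(default_factory=list)


SAMPLE_TECHNIQUES = [  # constructed sample data, not the real external data set
    Technique("T1033", "System Owner/User Discovery", ["whoami", "whoami /all"]),
    Technique("T1082", "System Information Discovery", ["systeminfo", "uname -a"]),
    Technique("TXXXX", "Placeholder technique with no command data"),
]


def build_command_index(techniques) -> Dict[str, List[str]]:
    """Map each lower-cased command string to the technique IDs that list it.

    Techniques without a command_list (or with an empty one) are skipped,
    which is the same situation the hasattr() check above guards against.
    """
    index: Dict[str, List[str]] = {}
    for technique in techniques:
        if not hasattr(technique, "command_list") or not technique.command_list:
            continue
        for command in technique.command_list:
            index.setdefault(command.strip().lower(), []).append(technique.id)
    return index


def tag_log_lines(log_lines, index) -> List[Dict[str, object]]:
    """Return one record per log line with the sorted technique IDs whose
    potential commands appear in it (case-insensitive substring match)."""
    results = []
    for line in log_lines:
        lowered = line.lower()
        hits = {tid for cmd, tids in index.items() if cmd in lowered for tid in tids}
        results.append({"line": line, "techniques": sorted(hits)})
    return results


SAMPLE_LOGS = [  # constructed sample log lines, not real telemetry
    "2020-05-01T10:00:01 host1 cmd.exe: whoami /all",
    "2020-05-01T10:00:05 host1 cmd.exe: SYSTEMINFO",
    "2020-05-01T10:00:09 host1 cmd.exe: dir C:\\Users",
]
```

Substring matching is deliberately loose here: it surfaces candidate lines for an analyst to review, and a production query would add process and parent-process context to cut false positives.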

You can access the other MITRE ATT&CK Frameworks using:

  • PRE-ATT&CK – attck.preattack
  • Mobile ATT&CK – attck.mobile

Additionally, we have added a simple command line utility so you can access this data directly. Once pyattck is installed, you can access the utility by simply calling pyattck from your favorite shell.

pyattck enterprise --help

For more details on pyattck installation, configuration options, usage, and general documentation, please visit https://swimlane.github.io/attck/pyattck/pyattck.


Installing & Using PSAttck

PSAttck is available on https://www.powershellgallery.com/ and installable using Install-Module. PSAttck is compatible with both Windows PowerShell v5 and PowerShell Core. To install PSAttck you can run the following command:

Install-Module -Name PSAttck

PSAttck has the same features as pyattck but in PowerShell. PSAttck utilizes PowerShell classes and enables you to access both the MITRE ATT&CK data and the external data sets using the provided functions. Once installed and loaded, you will have access to these public functions:

  • Get-Attck
  • Get-AttckActor
  • Get-AttckMalware
  • Get-AttckMitigation
  • Get-AttckTactic
  • Get-AttckTechnique
  • Get-AttckTool

Each of these functions has optional parameters which can be used to filter the results. These filters also support tab auto-completion of the argument values.

PSAttck is a feature-for-feature equivalent of pyattck written in PowerShell. For more details on PSAttck installation, configuration options, usage, and general documentation, visit the repository and our Attck site.


Looking for more on pyattck, PSAttck and other open-source tools? Visit the new Swimlane Analyst Hub. And make sure to join Swimlane’s upcoming webinar, “Automating Attack Testing with SOAR and Atomic Red Team,” for a deep dive into leveraging SOAR to optimize your security control testing capabilities.


*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Josh Rickard. Read the original post at: https://swimlane.com/blog/making-mitre-attck-actionable/