The MITRE ATT&CK framework has become ubiquitous in almost every blue and red teaming task. Recently, I was working on a task to collate MITRE ATT&CK Tactics, Techniques and Procedures, their mapping to adversary groups, and the log collection (data sources) each technique requires.
I came across a great tool, Mitre-Assistant, which ships Mac/Linux/Windows clients for getting insights into the MITRE ATT&CK framework.
In my scenario, I used the Windows client from https://github.com/dfirence/mitre-assistant/releases/tag/v.0.0.17 -> https://github.com/dfirence/mitre-assistant/releases/download/v.0.0.17/mitre-assistant-x64-win.zip
For first-time use, follow the instructions at https://dfirence.github.io/mitre-assistant/Getting_Started/Install_and_Setup/
Note: there is no auto-update functionality, so re-run the download (and baseline) commands below regularly, e.g. weekly, to pick up new ATT&CK releases. The matrix is fetched from the public mitre/cti repository on GitHub, as the output shows.
C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe download -m enterprise
===========================================================================================
Downlading Matrix : enterprise
Downloading From : https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
===========================================================================================
[ INFO ] New File Created: C:\Users\test-pc/.mitre-assistant/matrixes/enterprise.json
C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe baseline -m enterprise
Matrix Type For Baseline: enterprise
[ INFO ] New File Created: C:\Users\test-pc/.mitre-assistant/baselines/baseline-enterprise.json
C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe search -m enterprise -t "t1210"
+-------+--------+-----------+------------------+-------+---------------------------------+---------------+-------------------------+
| INDEX | STATUS | PLATFORMS | TACTIC | TID | TECHNIQUE | SUBTECHNIQUES | DATA SOURCES |
+-------+--------+-----------+------------------+-------+---------------------------------+---------------+-------------------------+
| 1 | Active | linux | lateral-movement | T1210 | Exploitation of Remote Services | n_a | file-monitoring |
| | | windows | | | | | process-monitoring |
| | | macos | | | | | windows-error-reporting |
+-------+--------+-----------+------------------+-------+---------------------------------+---------------+-------------------------+
More Commands:
mitre-assistant-x64-win.exe search -m enterprise -t "stats"
mitre-assistant-x64-win.exe search -m enterprise -t "stats:malware"
mitre-assistant-x64-win.exe search -m enterprise -t "stats:adversaries"
More at:
- https://dfirence.github.io/mitre-assistant/Getting_Started/Searching/How_To/Using_Search_Stats
- https://dfirence.github.io/mitre-assistant/Getting_Started/Searching/Search_Terms_Glossary/
To filter the output, pipe it through findstr (on Linux, use grep):
C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe search -m enterprise -t "stats:datasources" | findstr "dll"
| 17 | dll-monitoring | 17 | 38 | 9% | 8% |
| 27 | loaded-dlls | 10 | 27 | 5% | 6% |
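The matrix that the download step writes to ~/.mitre-assistant/matrixes/enterprise.json is the raw STIX 2 bundle from mitre/cti, so the collation from the top of this post (technique -> tactic, platforms, data sources, and the groups that use it) can also be scripted directly against that file. The Python below is an added example written for this post, not mitre-assistant's own code. It embeds a constructed miniature bundle (T1210 with the tactic, platforms and data sources shown in the search output above, plus an invented revoked technique T9999 and an invented "Sample Group" intrusion set) so it runs offline, skips revoked/deprecated techniques the way the tool's STATUS column does, and reports which techniques are not fully covered by the log sources you collect. Data-source names are normalised to the lower-case, hyphenated form mitre-assistant prints (e.g. file-monitoring); the strings themselves are assumed to be the ones in the ATT&CK release you downloaded.

```python
"""Map ATT&CK techniques to groups and data sources from an enterprise-attack STIX bundle."""
import json
import os
import time

# Path mitre-assistant writes the matrix to (from the download output on the page).
DEFAULT_MATRIX = os.path.expanduser("~/.mitre-assistant/matrixes/enterprise.json")

# Constructed sample in the shape of mitre/cti's enterprise-attack.json.
# T1210's fields match the page; T9999 and "Sample Group" are invented.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--aaaa",
         "name": "Exploitation of Remote Services",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1210"}],
         "x_mitre_platforms": ["Linux", "Windows", "macOS"],
         "x_mitre_data_sources": ["File monitoring", "Process monitoring", "Windows Error Reporting"]},
        {"type": "attack-pattern", "id": "attack-pattern--bbbb", "name": "Old Technique",
         "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
        {"type": "intrusion-set", "id": "intrusion-set--cccc", "name": "Sample Group"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--cccc", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--cccc", "target_ref": "attack-pattern--bbbb"},
    ],
}


def norm(name):
    """Normalise a data-source name to mitre-assistant's style: 'File monitoring' -> 'file-monitoring'."""
    return name.strip().lower().replace(" ", "-")


def attack_id(obj):
    """Return the ATT&CK external ID (T1210, G0016, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def index_bundle(bundle):
    """Return {TID: {name, tactics, platforms, data_sources, groups}} for active techniques only."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    techniques = {}
    for o in bundle["objects"]:
        if o.get("type") != "attack-pattern":
            continue
        if o.get("revoked") or o.get("x_mitre_deprecated"):
            continue  # the tool would not show these as Active; drop them
        tid = attack_id(o)
        if tid is None:
            continue
        techniques[o["id"]] = {
            "tid": tid,
            "name": o.get("name", ""),
            "tactics": [p["phase_name"] for p in o.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "platforms": o.get("x_mitre_platforms", []),
            "data_sources": [norm(d) for d in o.get("x_mitre_data_sources", [])],
            "groups": [],
        }
    # 'uses' relationships from intrusion-sets give the adversary-group mapping.
    for o in bundle["objects"]:
        if o.get("type") != "relationship" or o.get("relationship_type") != "uses":
            continue
        src = by_id.get(o.get("source_ref"), {})
        tech = techniques.get(o.get("target_ref"))
        if tech is not None and src.get("type") == "intrusion-set":
            tech["groups"].append(src.get("name", src["id"]))
    return {t["tid"]: t for t in techniques.values()}


def missing_sources(index, collected):
    """{TID: [data sources you do not collect]} for techniques with a gap; empty dict if none."""
    have = {norm(c) for c in collected}
    gaps = {}
    for tid, t in index.items():
        missing = [d for d in t["data_sources"] if d not in have]
        if missing:
            gaps[tid] = missing
    return gaps


def is_stale(path, max_age_days=7):
    """True if the cached matrix is missing or older than max_age_days (the tool never auto-updates)."""
    if not os.path.exists(path):
        return True
    return (time.time() - os.path.getmtime(path)) > max_age_days * 86400


def load_index(path=DEFAULT_MATRIX):
    """Index the real matrix mitre-assistant downloaded."""
    with open(path, encoding="utf-8") as f:
        return index_bundle(json.load(f))


if __name__ == "__main__":
    idx = index_bundle(SAMPLE_BUNDLE)  # swap for load_index() to use the downloaded matrix
    for tid, t in idx.items():
        print(tid, t["name"], t["tactics"], t["platforms"], t["data_sources"], t["groups"])
    print("gaps:", missing_sources(idx, ["file-monitoring", "process-monitoring"]))
    if is_stale(DEFAULT_MATRIX):
        print("matrix cache missing or over a week old; re-run: mitre-assistant download -m enterprise")
```

Replace SAMPLE_BUNDLE with load_index() to run it over the matrix the tool downloaded; the is_stale check is the scripted form of the weekly re-download reminder above.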