Mitre-Assistant

MITRE ATT&CK framework these days has become ubiquitous with almost every blue and red teaming task. Recently, I was working on a task to collate MITRE ATT&CK Tactics, Techniques, Procedures and their mapping to the adversary groups and the log collection that is required.

Came across a great tool Mitre-Assistant where you can get Mac/Linux/Windows clients to get insights on MITRE ATT&CK framework.

In my scenario, I’ve used the windows client from https://github.com/dfirence/mitre-assistant/releases/tag/v.0.0.17¬† -> https://github.com/dfirence/mitre-assistant/releases/download/v.0.0.17/mitre-assistant-x64-win.zip

For the first time use:

Follow instructions at https://dfirence.github.io/mitre-assistant/Getting_Started/Install_and_Setup/

Note: There is no auto-update functionality. Do run this every week for updates.

C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe download -m enterprise
===========================================================================================

Downlading Matrix : enterprise
Downloading From  : https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

===========================================================================================

        [ INFO ] New File Created: C:\Users\test-pc/.mitre-assistant/matrixes/enterprise.json

C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe baseline -m enterprise
Matrix Type For Baseline: enterprise

        [ INFO ] New File Created: C:\Users\test-pc/.mitre-assistant/baselines/baseline-enterprise.json

C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe search -m enterprise -t "t1210"

+-------+--------+-----------+------------------+-------+---------------------------------+---------------+-------------------------+
| INDEX | STATUS | PLATFORMS | TACTIC           | TID   | TECHNIQUE                       | SUBTECHNIQUES | DATA SOURCES            |
+-------+--------+-----------+------------------+-------+---------------------------------+---------------+-------------------------+
| 1     | Active | linux     | lateral-movement | T1210 | Exploitation of Remote Services |      n_a      | file-monitoring         |
|       |        | windows   |                  |       |                                 |               | process-monitoring      |
|       |        | macos     |                  |       |                                 |               | windows-error-reporting |
+-------+--------+-----------+------------------+-------+---------------------------------+---------------+-------------------------+

More Commands:

mitre-assistant-x64-win.exe search -m enterprise -t "stats"

mitre-assistant-x64-win.exe search -m enterprise -t "stats:malware"

mitre-assistant-x64-win.exe search -m enterprise -t "stats:adversaries"

More at:

To filter: (on Linux, make use of grep)

C:\Users\test-pc\Downloads\mitre-assistant-x64-win>mitre-assistant-x64-win.exe search -m enterprise -t "stats:datasources" | findstr "dll"
| 17    | dll-monitoring                     |     17     |      38       |      9%      |       8%        |
| 27    | loaded-dlls                        |     10     |      27       |      5%      |       6%        |

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: