mitre-assistant

A custom, more useful, and much cooler MITRE-CTI-CLIENT.

```bash

Assumes you have installed the rust tool chain

and that you have the cargo package manager

#

Preferably use rust stable channel

# $> cargo install mitre-assistant ```

W.I.P - Status

• [x] Mitre Enterprise Matrix
• [ ] Mitre Mobile Matrix
• [ ] Mitre Pre-Attack Matrix
• [x] Linux - 64bit
• [x] MacOS - 64bit
• [x] Windows - 64bit
• [ ] Data Interchange Format
  • [ ] CSV
  • [ ] JSON
• [ ] Exports
  • [ ] CSV
  • [ ] JSON
  • [ ] Rich Web

Getting Started

You got 3 ways to start using this bad-boy:

1. You can go to the releases section, download the pre-compiled binary for your os. Note: I only provide Debian on Linux

2. If you already have rust stable toolchain installed, then simply use cargo install mitre-assistant

3. Or, if you just love building from source, follow the instructions in the build from source section below.

Releases - Binaries

Head over to the releases section and download the binary for your OS. However, note, I am only supporting binaries for 64 bit versions of:

• MacOS
• Debian
• Windows

Build From Source

If you use a different Linux distro, install the rust toolchain, preferably the stable channel, and follow these steps:

Step 1 - Clone this repo

bash $> git clone https://github.com/dfirence/mitre-assistant.git

Step 2 - Navigate into the repo

bash $> cd mitre-assistant

Step 3 - Build/Compile

bash $> cargo build --release

Step 4 - Move your fresh binary to a system path

In this step, if you wanna call the executable from anywhere, add it to your system path or executable path - i.e., /usr/bin bash $> sudo mv /target/release/mitre-assistant /usr/bin

How to Update with new releases?

text Note: Because this tool is being actively developed, it is recommended to always use the `baseline` subcommand to ensure the dev changes made to the custom JSON database are in effect.

Most of the changes being made until I reach v.1.0 will affect the JSON file produced by this tool. This is because I am exploring how to arrange the data for the outcomes I am pursuing.

So always ensure you run the baseline subcommand after you install or download a new version of the tool, for now.

Why are you doing this?

I work in the Security industry for a provider, my work hinges a lot on this resource from The Mitre Corporation. At some point, if you are like me, you will observe the poor and ridiculous amount of time that is needed to create custom datasets from that resource and collaborate across teams to get into serious work. This helps me not waste time on silly things - i.e., clicking on some website, or asking important questions so I can incorporate the matrix into some form of tactical plans to defend my network, or support new strategies while working with others.

Why not use other existing community tools for this?

I have seen them, used them, and appreciate those that are writing their own. In the end, I am not gonna wait for anyone to do things the way I need them.

Usage

This is a modular tool. The main concept of using this tool is:

```text

        (1)                      (2)                       (3)
         |                        |                         |
         |                        |                         |
    [ Extract ]-------------[ Transform ]---------------[ Load ]
         |                        |                         |
         |                        |                         |
         |                        |                         |
         v                        v                         v
   Download A Matrix         Baseline The Matrix        Search - Ask your question

```

Help Menu

Building from the above concept, let's get into using this bad-boy.

```bash cdiaz@[mitre-assistant]

./target/release/mitre-assistant -h

mitre-assistant v.0.0.1 carlos diaz | @dfirence

Mitre Attack Assistant

    A more useful utility for the ATT&CK Matrix

USAGE: mitre-assistant [SUBCOMMAND]

FLAGS: -h, --help Prints help information -V, --version Prints version information

SUBCOMMANDS: baseline Parse a Matrix into comprehensive insights download Download a Matrix From The Mitre CTI Repo help Prints this message or the help of the given subcommand(s) search Search The Baseline ```

Download

Use the download subcommand to get started, you can specific which matrix to download by using any of the keywords: enterprise or mobile or pre-attack

```bash

Assumes you want to download the enterprise matrix

# $> mitre-assistant download -m enterprise

# Output

Downlading Matrix : enterprise Downloading From : https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

=========================================================================================== |__(+) New File To Be Created: /Users/alice/.mitre-assistant/matrixes/enterprise.json ```

Baseline

Use the baseline subcommand after you download your matrix to create the custom database that is required before you conduct your searches.

You baseline a matrix with any of the keywords: enterprise or mobile or pre-attack

```bash $> mitre-assistant baseline -m enterprise

Output

/Users/alice/.mitre-assistant/matrixes/enterprise.json |__(+) New File To Be Created: /Users/alice/.mitre-assistant/baselines/baseline-enterprise.json ```

Search

Now you are ready to search your matrix.

You have to tell the search subcommand which matrix it is going to work with by using:

• the -m parameter followed by the name of the matrix
• the -t parameter to provide your search term.

Search Terms

|TERM|MATRIX|PURPOSE| |----|------|-------| |datasources|enterprise|Returns all datasources from the matrix| |deprecated|enterprise|Returns all the deprecated techniques from the matrix| |platforms|enterprise|Returns all the platforms (operating systems) from the matrix| |nodatasources|enterprise|Returns all techniques or subtechniques without datasources| |nosub|enterprise|Returns all the active techniques which do not have/use subtechniques| |revoked|enterprise|Returns all of the technique id & name references revoked by Mitre| |stats|enterprise|Returns an overview of uniq counts and total counts of key data elements| |subtechniques|enterprise|Returns all subtechniques from the matrix| |techniques|enterprise|Returns all techniques from the matrix| |tactics|enterprise|Returns all tactics from the matrix| ||| |initial-access|enterprise|Returns all techniques in the Initial Access Tactic| |execution|enterprise|Returns all techniques in the Execution Tactic| |persistence|enterprise|Returns all techniques in the Persistence Tactic| |privilege-escalation|enterprise|Returns all techniques in the Privilege Escalation Tactic| |defense-evasion|enterprise|Returns all techniques in the Defense Evasion Tactic| |credential-access|enterprise|Returns all techniques in the Credential Access Tactic| |discovery|enterprise|Returns all techniques in the Discovery Tactic| |lateral-movement|enterprise|Returns all tecniques in Lateral Movement Tactic| |collection|enterprise|Returns all techniques in the Collection Tactic| |command-and-control|enterprise|Returns all techniques in the Command And Control Tactic| |exfiltration|enterprise|Returns all techniques in the Exfiltration Tactic| |impact|enterprise|Returns all techniques in the Impact Tactic| ||| |aws|enterprise|Returns all techniques in the AWS Platform| |azure|enterprise|Returns all techniques in the AZURE Platform| |azure-ad|enterprise|Returns all techniques in the AZURE-AD Platform| |gcp|enterprise|Returns all techniques in the GCP Platform| |linux|enterprise|Returns all techniques in the LINUX Platform| |macos|enterprise|Returns all techniques in the MACOS Platform| |office-365|enterprise|Returns all techniques in the OFFICE-365 Platform| |saas|enterprise|Returns all techniques in the SAAS Platform| |windows|enterprise|Returns all techniques in the WINDOWS Platform|

Searching The Enterprise Matrix For An Overview Stats Summary

You use the keyword stats in your search term, like this

```bash

Assumed you want the summary of items in the matrix

# $> mitre-assistant search -m enterprise -t "stats" ```

Searching For The Deprecated Techniques

Deprecated techniques seem to be those that are no longer valid and used in a mtrix. You can search for the ones deprecated in the matrix by using a keyword in your search term:

• the -t parameter with the term deprecated

```bash

Assumes you want to see the Deprecated Techniques

# $> mitre-assistant search -m enterprise -t "deprecated" ```

Searching For The Tactics/KillChains

Tactics are well, I guess a higher level object where the techniques are organized into. Read their website.

• the -t parameter with the term tactics

```bash

Assumes you want to see the All Tactics/KillChains

for the enterprise matrix

# $> mitre-assistant search -m enterprise -t "tactics" ```

Searching For The Platforms

Platforms are the relevant operating systems where a technique is exercised or abused by an adversary. To get the platforms in the enterprise matrix use the keyword platforms.

• the -t parameter with the term platforms

```bash

Assumes you want to see the All Platforms

for the enterprise matrix

# $> mitre-assistant search -m enterprise -t "platforms" ```

Searching The Enterprise Matrix For All Techniques By Platform

You can ask the tool to give you all the active techniques based on a specific platform, like this.

• the -t parameter with the term {{ platform_name }}

```bash

Assumes you want to see the All Techniques By The Linux Platform

# $> mitre-assistant search -m enterprise -t "linux" ```

The query above produces the image below, notice how the PLATFORMS column denotes the platform you wanted.

Searching For The Datasources

```text Protip:

1. Do not follow Mitre blindly, you need to curate their content and organize it.

Example:

1. DLL Monitoring & Loaded DLLs

Mitre currently has these two datasources, what does this mean?

To me in the security Space, there's only one source, not two. ```

Datasources are a non-concrete description by Mitre that seems to suggest the context of evidence needed to be successful at pursuing visibility or detection capabilities for the given technique. This query gets you the datasources as provided by Mitre in their CTI github

• the -t parameters with the term datasources

```bash

Assumes you want to see the All Datasources

for the enterprise matrix

# $> mitre-assistant search -m enterprise -t "datasources" ```

Searching Datasources With Cross References: Experimental

At this moment, v.0.0.10 and above allow for experimental cross-references of datasources and platforms, as well as, tactics.

This experiment is to understand, based on the suggested datasources by Mitre, where do they fit according to the platforms or tactics.

SPECIAL NOTE: The queries for cross-references only compute counts against the Active Techniques total. No Subtechniques are taken into account, yet.

To launch a cross-reference query you use a prefix in your term - xref:, let's look at an example

• the -t parameters with the term xref:datasources:{{ reference_type }}

```bash

Assumes you want to cross-reference datasources to platforms

# $> mitre-assistant search -m enterprise -t "xref:datasources:platforms" ```

Notice the above command uses a colon ":" character to tell the search engne this is a cross-reference query. The above command results in the image below.

In contrast, let's launch a cross-reference query against the tactics, like this:

```bash

Assumes you want to cross-reference datasources to tactics

# $> mitre-assistant search -m enterprise -t "xref:datasources:tactics" ```

And that now produces this image below.

Searching For Edge Cases: Techniques Without a Subtechniques

Some techniques, do not have subtechniques assigned, or as I like to thunk of it, have not been fully updated by Mitre.

Use the keyword nosub to obtain a list of active techniques that may not have an assigned subtechnique by Mitre.

• the -t parameter with the term nosub

```bash

Assumes you want to see the Techniques that do not have Subtechniques

for the enterprise matrix

# $> mitre-assistant search -m enterprise -t "nosub" ```

Searching For Edge Cases: Techniques Without a Datasource

This is the edge-case that drove to create this tool for myself. I found someone's tool incorrectly parsed the matrix and I needed to report to my management the plan of action based on data sources. This is very important for practitioners who leverage the matrix for real world tactical operations.

Reference this example: NODATASOURCE_SAMPLE

Use the keyword nodatasources to obtain a list of active techniques that may not have an assigned datasource by Mitre.

• the -t parameter with the term nodatasources

```bash

Assumes you want to see the Techniques that do not have Datasources

for the enterprise matrix

# $> mitre-assistant search -m enterprise -t "nodatasources" ```

Statistical Stuff

As I mentioned, my work with this matrix is at the provider level, I have to devise coverage plans, or brainstorming workshops with my fellow blue-teamers to understand what an emulation plan means in terms of effort, engineering for new content and consequently sizing our systems to increase our visibility and detection needs.

These experiments were very useful to me a couple of years ago as I started learning about the Mitre ATT&CK matrixes.

TODO: Awesome Stuff here

References

|SOURCE|URL| |------|---| |Mitre CTI Github|LINK|

Kudos - RUSTACEANS

Many super kudos, to the amazing RUST Community, for their warm embrace of everyone that wants the journey. Seemingly, to all of the super creators of loved tools from python being ported into rust.

TODO - Thank Crates Contributions