Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tactic for T1506 is not present when calling get_enterprise(stix_format=False) #17

Closed
josehelps opened this issue Jul 17, 2020 · 7 comments
Closed

Tactic for T1506 is not present when calling get_enterprise(stix_format=False) #17

josehelps opened this issue Jul 17, 2020 · 7 comments

Comments

@josehelps
Copy link

Currently using the latest version of the library, when iterating over the techniques returned by get_enterprise the tactic field does not appear present. Base on MITRE it should be get_enterprise

Current example implementation: https://github.com/splunk/security-content/blob/develop/bin/generate.py#L484

The is the print output:

{
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "T1506",
      "url": "https://attack.mitre.org/techniques/T1506"
    },
    {
      "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.",
      "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html",
      "source_name": "Pass The Cookie"
    },
    {
      "source_name": "Unit 42 Mac Crypto Cookies January 2019",
      "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
      "description": "Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019."
    }
  ],
  "revoked": true,
  "url": "https://attack.mitre.org/techniques/T1506",
  "matrix": "mitre-attack",
  "technique_id": "T1506",
  "technique": "Web Session Cookie",
  "id": "attack-pattern--c5e31fb5-fcbd-48a4-af8c-5a6ed5b932e5",
  "type": "attack-pattern",
  "modified": "2020-01-30T19:59:18.617Z",
  "created": "2019-10-08T20:08:56.205Z"
}
Traceback (most recent call last):
  File "bin/generate.py", line 534, in <module>
    generate_mitre_lookup()
  File "bin/generate.py", line 500, in generate_mitre_lookup
    csv_mitre_rows.append([technique['technique_id'], technique['technique'], '|'.join(technique['tactic']).replace('-',' ').title(), '|'.join(apt_groups)])
KeyError: 'tactic'

Current version:

┌──[jhernandez@jhernandez-mbp-cb9a8]─[~/splunk/security-content on  develop!]
└── # pip show attackcti
Name: attackcti
Version: 0.3.2
Summary: ATTACK CTI Libary
Home-page: https://github.com/hunters-forge/ATTACK-Python-Client
Author: Roberto Rodriguez
Author-email: None
License: BSD
Location: /Users/jhernandez/splunk/security-content/venv/lib/python3.7/site-packages
Requires: taxii2-client, stix2
Required-by:
@Cyb3rWard0g
Copy link
Collaborator

Hey @d1vious ! Thank you for letting me know. I have been a little busy with a few projects but I can take a look at it and see whats going on. I do not see anything changing for that section: https://github.com/mitre/cti/blob/master/enterprise-attack/attack-pattern/attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298.json#L57-L65 but idk if you were aware but TAXII is not always aligned with mitre's cti repo lol so I will have to manually see what happened with the format coming from TAXII server

@josehelps
Copy link
Author

Looks like MITRE framework (and maybe TAXII) is using a new technique number for this one T1550.004 https://attack.mitre.org/techniques/T1550/004/ and as you suggested CTI still using the old technique number: https://github.com/mitre/cti/search?q=T1506+path%3Aenterprise-attack%2Fattack-pattern%2F+filename%3A*.json&unscoped_q=T1506+path%3Aenterprise-attack%2Fattack-pattern%2F+filename%3A*.json

@Cyb3rWard0g
Copy link
Collaborator

ahhh https://attack.mitre.org/techniques/T1056/ thats a revoked one in CTI docs right? https://github.com/mitre/cti/blob/cba073ec9e4bee27821ff1f028eddc3d8221b5b9/enterprise-attack/attack-pattern/attack-pattern--c5e31fb5-fcbd-48a4-af8c-5a6ed5b932e5.json but it is Input Capture in the site?

The library has a function to remove revoked ones. try to remove all the revoked ones and deprecated too just in case. Can you try this one before you run your additional functions? https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/attackcti/attack_api.py#L239 . Just in case. Also, there is a new method that was added #15

That PR was to work with sub-techniques properly. The idea of ATTACKCTI library is to grab everything just in case if one wants to do additional analysis to something that was deprecated or revoked. That's by design. Then we use things like remove_revoked to start cleaning the output. I hope that helps. The latest PR applies to master but I have not updated the Python package in Pip. I was planning on doing that this weekend.

Would you mind installing the library with the second option in the README ? https://github.com/hunters-forge/ATTACK-Python-Client#installation . That should install master.

@Cyb3rWard0g
Copy link
Collaborator

Thank you for your patience @d1vious 🙏 !

@josehelps
Copy link
Author

@Cyb3rWard0g thank you, let me try it out and get back to you with an update.

@josehelps
Copy link
Author

Looks like removing revoked did the trick! Thank you @Cyb3rWard0g 😃.

@Cyb3rWard0g
Copy link
Collaborator

Awesome thank you for letting me know :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@josehelps @Cyb3rWard0g