ATTACK-Tools
ATT&CK™-Tools
Utilities for MITRE™ ATT&CK™
This repository contains the following:
- ATT&CK™ Data Model: a relational data model for ATT&CK™.
- ATT&CK™ View: an adversary emulation planning tool.
Content
- Release Notes
- Overview
- The ATT&CK™ Data Model
- Accessing ATT&CK™ Data with SQL
- Additional Resources
- License
Release Notes
- There are 32- and 64-bit builds (32.zip and 64.zip)
- attack_view_db.sqlite is a SQLite database for ATT&CK™
- attack_view_db_structure and attack_view_db_data are the SQL scripts used to build the SQLite database (schema and data respectively)
- enterprise-attack.xml is an XML conversion of the MITRE™ ATT&CK™ enterprise JSON (STIX 2.0) data
Overview
ATT&CK™ View is a planning tool that helps defenders design adversary emulation plans based on the MITRE™ ATT&CK™ framework in a structured way. As a demonstration, ATT&CK™ View comes bundled with the full adversary emulation plan for APT3 developed by MITRE™ (source: https://attack.mitre.org/wiki/Adversary_Emulation_Plans).
The ATT&CK™ Data Model
There are many use cases for the ATT&CK™ framework, and many of them depend on existing tools being ATT&CK™-enabled. The database in this repository is meant to make that easier: use it to integrate existing tools with ATT&CK™, to build your own tooling, or to fuse ATT&CK™ with other existing frameworks.
The database is implemented in SQLite for simplicity and portability. It is better, however, to think in terms of the data model rather than the underlying storage technology. Keeping the model separate from its implementation matters because it lets you explore other useful models and applications first and narrow down to a technology afterwards.
The following is a conceptual model that can be implemented with any database technology (attack_view_db_structure.sql is a good starting point).
Accessing ATT&CK™ Data with SQL
To get a better understanding of the database structure, the following sample SQL queries read ATT&CK™ data from the database. Running them requires a SQLite management tool; many free and paid tools are available for Windows, macOS and Linux (https://www.sqlite.org/cvstrac/wiki?p=ManagementTools). Note that SQLite treats a double-quoted token as a string literal only as a legacy fallback when no column of that name exists, and that fallback can be disabled at build or connection time, so string literals in your own queries are safer single-quoted.
Some output is truncated for brevity.
Get the list of ATT&CK™ techniques

```sql
SELECT name FROM sdos_object WHERE type = 'attack-pattern';
```

OUTPUT

| name |
| --- |
| .bash_profile and .bashrc |
| Access Token Manipulation |
| Accessibility Features |
| Account Discovery |
| Account Manipulation |
| … |
Get the list of ATT&CK™ technique names with their STIX 2.0 identifier

```sql
SELECT id, name FROM sdos_object WHERE type = 'attack-pattern';
```

OUTPUT

| id | name |
| --- | --- |
| attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8 | .bash_profile and .bashrc |
| attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48 | Access Token Manipulation |
| attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3 | Accessibility Features |
| attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08 | Account Discovery |
| attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27 | Account Manipulation |
| … | … |
The id field is a unique key that is used frequently in the queries below.
External references are stored in the external_references table. Since one ATT&CK™ technique can have one or more references, the two tables are linked by the technique identifier: the id from the previous query is stored as fk_object_id in external_references. The following queries show how to read the external references through that link.
Get the list of ATT&CK™ techniques with their external (ATT&CK™ technique) identifiers

```sql
SELECT name, external_id
FROM sdos_object INNER JOIN external_references ON
sdos_object.id = external_references.fk_object_id
WHERE
sdos_object.type = 'attack-pattern'
AND
external_references.source_name = 'mitre-attack';
```

OUTPUT

| name | external_id |
| --- | --- |
| .bash_profile and .bashrc | T1156 |
| Access Token Manipulation | T1134 |
| Accessibility Features | T1015 |
| Account Discovery | T1087 |
| Account Manipulation | T1098 |
| … | … |
List all ATT&CK™ techniques associated with the "Windows" platform

```sql
SELECT name, external_id
FROM sdos_object INNER JOIN external_references ON
sdos_object.id = external_references.fk_object_id
WHERE
sdos_object.type = 'attack-pattern' AND
x_mitre_platforms_windows = 'true' AND
external_references.source_name = 'mitre-attack';
```

OUTPUT

| name | external_id |
| --- | --- |
| Access Token Manipulation | T1134 |
| Accessibility Features | T1015 |
| Account Discovery | T1087 |
| Account Manipulation | T1098 |
| AppCert DLLs | T1182 |
| … | … |
List all Malware objects along with their description

```sql
SELECT name, description FROM sdos_object
WHERE type = 'malware';
```

OUTPUT

| name | description |
| --- | --- |
| 3PARA RAT | 3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. (Citation: CrowdStrike Putter Panda)Aliases: 3PARA RAT |
| 4H RAT | 4H RAT is malware that has been used by Putter Panda since at least 2007. (Citation: CrowdStrike Putter Panda)Aliases: 4H RAT |
| ADVSTORESHELL | ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)Aliases: ADVSTORESHELL, NETUI, EVILTOSS, AZZY, Sedreco |
| ASPXSpy | ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. (Citation: Dell TG-3390)Aliases: ASPXSpy, ASPXTool |
| Agent.btz | Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)Aliases: Agent.btz |
| … | … |
List all Adversaries (intrusion-sets) along with their description

```sql
SELECT name, description FROM sdos_object
WHERE type = 'intrusion-set';
```

OUTPUT

| name | description |
| --- | --- |
| APT1 | APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1) |
| APT12 | APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda) |
| APT16 | APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2) |
| APT17 | APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17) |
| APT18 | APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement) |
| … | … |
List all Tools and Malware used by a certain Adversary
All relationships between STIX 2.0 Domain Objects (SDOs) are stored in the relationship table as (source_ref, relationship_type, target_ref) triples. The following query uses a subquery over that table to get the tools and malware that APT3 "uses":
```sql
SELECT name, description
FROM sdos_object
WHERE (type = 'malware' OR type = 'tool') -- Query for tools or malware
AND id IN (SELECT target_ref -- filter tools/malware associated with APT3
FROM relationship
WHERE relationship_type = 'uses' -- Source "uses" Target
AND source_ref = -- Source is APT3 identifier
'intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9');
```

OUTPUT

| name | description |
| --- | --- |
| OSInfo | OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)Aliases: OSInfo |
| PlugX | PlugX is a remote access tool (RAT) that uses modular plugins. (Citation: Lastline PlugX Analysis) It has been used by multiple threat groups. (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)Aliases: PlugX, Sogu, Kaba, Korplug |
| RemoteCMD | RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC… |
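The data model section above describes the tables, and the last query walks one hop of the relationship table (adversary uses software). As an added example that is not code from the ATTACK-Tools repository, the script below rebuilds a miniature version of that model in in-memory SQLite, using only the columns the queries on this page touch (sdos_object, external_references and relationship), loads it with constructed rows carrying made-up STIX identifiers, and extends the APT3 query into the question an emulation planner actually asks: which techniques can a group reach, either directly or through the malware and tools it uses? The recursive CTE, the Windows-platform switch, the names and identifiers are all assumptions of this example; the real database has more columns and real identifiers differ.

```python
"""Added example, not part of the ATTACK-Tools repository: a miniature copy of
the README's data model (sdos_object, external_references, relationship) in
in-memory SQLite, loaded with constructed rows, and a query that resolves the
techniques an adversary can reach directly or through its malware/tools."""
import sqlite3

# Only the columns the README's queries use; the real tables carry more.
SCHEMA = """
CREATE TABLE sdos_object (
    id   TEXT PRIMARY KEY,       -- STIX 2.0 id, e.g. attack-pattern--<uuid>
    type TEXT NOT NULL,          -- attack-pattern | malware | tool | intrusion-set | ...
    name TEXT NOT NULL,
    description TEXT,
    x_mitre_platforms_windows TEXT   -- 'true' / 'false' as text, as in the README
);
CREATE TABLE external_references (
    fk_object_id TEXT NOT NULL REFERENCES sdos_object(id),
    source_name  TEXT NOT NULL,  -- 'mitre-attack' rows carry the T/S/G ids
    external_id  TEXT
);
CREATE TABLE relationship (
    source_ref        TEXT NOT NULL,
    relationship_type TEXT NOT NULL,  -- 'uses', 'mitigates', ...
    target_ref        TEXT NOT NULL
);
"""

# Constructed identifiers (fake UUIDs) and rows; not real ATT&CK content.
GROUP   = "intrusion-set--00000000-0000-4000-8000-000000000001"
MALWARE = "malware--00000000-0000-4000-8000-000000000002"
TOOL    = "tool--00000000-0000-4000-8000-000000000003"
TECH_A  = "attack-pattern--00000000-0000-4000-8000-000000000004"
TECH_B  = "attack-pattern--00000000-0000-4000-8000-000000000005"
TECH_C  = "attack-pattern--00000000-0000-4000-8000-000000000006"
COA     = "course-of-action--00000000-0000-4000-8000-000000000007"

OBJECTS = [
    (GROUP,   "intrusion-set",    "Sample Group",      "constructed", None),
    (MALWARE, "malware",          "Sample RAT",        "constructed", None),
    (TOOL,    "tool",             "Sample Tool",       "constructed", None),
    (TECH_A,  "attack-pattern",   "Technique A",       "constructed", "true"),
    (TECH_B,  "attack-pattern",   "Technique B",       "constructed", "true"),
    (TECH_C,  "attack-pattern",   "Technique C",       "constructed", "false"),
    (COA,     "course-of-action", "Sample Mitigation", "constructed", None),
]
EXTERNAL_REFERENCES = [
    (TECH_A, "mitre-attack", "T0001"),
    (TECH_B, "mitre-attack", "T0002"),
    (TECH_C, "mitre-attack", "T0003"),
    (TECH_A, "capec", "CAPEC-0"),      # non-ATT&CK reference: must be ignored
]
RELATIONSHIPS = [
    (GROUP,   "uses",      MALWARE),
    (GROUP,   "uses",      TOOL),
    (GROUP,   "uses",      TECH_A),    # used directly by the group
    (MALWARE, "uses",      TECH_B),    # reached through the RAT
    (TOOL,    "uses",      TECH_B),    # same technique, reached through the tool
    (TOOL,    "uses",      TECH_C),
    (COA,     "mitigates", TECH_C),    # not a 'uses' edge: must be ignored
]

# Walk group -> software -> technique. UNION (not UNION ALL) de-duplicates
# (id, via) pairs and stops the recursion once nothing new appears.
QUERY = """
WITH RECURSIVE reachable(id, via) AS (
    SELECT target_ref, 'direct'
    FROM relationship
    WHERE source_ref = :group_id AND relationship_type = 'uses'
    UNION
    SELECT r.target_ref, s.name
    FROM reachable x
    JOIN sdos_object s  ON s.id = x.id AND s.type IN ('malware', 'tool')
    JOIN relationship r ON r.source_ref = s.id AND r.relationship_type = 'uses'
)
SELECT e.external_id, o.name, x.via
FROM reachable x
JOIN sdos_object o ON o.id = x.id AND o.type = 'attack-pattern'
JOIN external_references e
     ON e.fk_object_id = o.id AND e.source_name = 'mitre-attack'
WHERE :windows_only = 0 OR o.x_mitre_platforms_windows = 'true'
ORDER BY e.external_id, x.via;
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sdos_object VALUES (?, ?, ?, ?, ?)", OBJECTS)
    con.executemany("INSERT INTO external_references VALUES (?, ?, ?)", EXTERNAL_REFERENCES)
    con.executemany("INSERT INTO relationship VALUES (?, ?, ?)", RELATIONSHIPS)
    con.commit()
    return con


def techniques_for_group(con, group_id, windows_only=False):
    """Return {external_id: (name, [via, ...])}; via is 'direct' or the name
    of the malware/tool through which the technique is reached."""
    result = {}
    params = {"group_id": group_id, "windows_only": int(windows_only)}
    for external_id, name, via in con.execute(QUERY, params):
        result.setdefault(external_id, (name, []))[1].append(via)
    return result


if __name__ == "__main__":
    db = build_db()
    for ext_id, (name, via) in techniques_for_group(db, GROUP).items():
        print(f"{ext_id}  {name}  via {', '.join(via)}")
```

Against the real attack_view_db.sqlite the same query applies with the group's actual intrusion-set identifier (the APT3 one from the query above) once the column list matches the shipped schema; the join on source_name = 'mitre-attack' is what keeps CAPEC and vendor references out of the technique list, and the relationship_type = 'uses' filter is what keeps mitigation edges out of the walk.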