Adding caldera default values per TTP to attack logger

3 years ago · 4f8c366386
parent 7e240908de
commit 4f8c366386
2 changed files with 67 additions and 19 deletions
--- a/app/attack_log.py
+++ b/app/attack_log.py
@ -59,34 +59,76 @@ class AttackLog():
    def get_caldera_default_description(self, ability_id: str):
        """ Returns the default description for this ability based on a db """

-        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "Obtain user from current session"}
+        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "Obtain user from current session",
+                "697e8a432031075e47cccba24417013d": "Copy a VBS file to several startup folders",
+                "f39161b2fa5d692ebe3972e0680a8f97": "Copy a BAT file to several startup folders",
+                "16e6823c4656f5cd155051f5f1e5d6ad": "Copy a JSE file to several startup folders",
+                "443b853ac50a79fc4a85354cb2c90fa2": "Set Regky RunOnce\\0001\\Depend to run a dll",
+                "2bfafbee8e3edb25974a5d1aa3d9f431": "Set Regky RunOnce\\0001\\Depend , download a bat",
+                "163b023f43aba758d36f524d146cb8ea": "Set Regkey CurrentVersion\\Run to start a exe"}
        if ability_id not in data:
            return None

        return data[ability_id]

-    def get_caldera_default_tactics(self, ability_id: str):
+    def get_caldera_default_tactics(self, ability_id: str, ttp: Optional[str]):
        """ Returns the default tactics for this ability based on a db """

-        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "System Owner/User Discovery"}
-        if ability_id not in data:
-            return None
+        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "System Owner/User Discovery",
+                "697e8a432031075e47cccba24417013d": "Persistence",
+                "f39161b2fa5d692ebe3972e0680a8f97": "Persistence",
+                "16e6823c4656f5cd155051f5f1e5d6ad": "Persistence",
+                "443b853ac50a79fc4a85354cb2c90fa2": "Persistence",
+                "2bfafbee8e3edb25974a5d1aa3d9f431": "Persistence",
+                "163b023f43aba758d36f524d146cb8ea": "Persistence",
+                "697e8a432031075e47cccba24417013d": "Persistence"}

-        return data[ability_id]
+        ttp_data = {"t1547": "Persistence",
+                    "t1547.001": "Persistence"}
+
+        if ability_id in data:
+            return data[ability_id]
+
+        if ttp is not None:
+            if ttp.lower() in ttp_data:
+                return ttp_data[ttp.lower()]
+
+        return None

-    def get_caldera_default_tactics_id(self, ability_id: str):
+    def get_caldera_default_tactics_id(self, ability_id: str, ttp: Optional[str]):
        """ Returns the default name for this ability based on a db """

-        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "T1033"}
-        if ability_id not in data:
-            return None
+        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "T1033",
+                "697e8a432031075e47cccba24417013d": "TA0003",
+                "f39161b2fa5d692ebe3972e0680a8f97": "TA0003",
+                "16e6823c4656f5cd155051f5f1e5d6ad": "TA0003",
+                "443b853ac50a79fc4a85354cb2c90fa2": "TA0003",
+                "2bfafbee8e3edb25974a5d1aa3d9f431": "TA0003",
+                "163b023f43aba758d36f524d146cb8ea": "TA0003",
+                "697e8a432031075e47cccba24417013d": "TA0003"}

-        return data[ability_id]
+        ttp_data = {"t1547": "TA0003",
+                    "t1547.001": "TA0003"}
+
+        if ability_id in data:
+            return data[ability_id]
+
+        if ttp is not None:
+            if ttp.lower() in ttp_data:
+                return ttp_data[ttp.lower()]
+
+        return None

    def get_caldera_default_situation_description(self, ability_id: str):
        """ Returns the default situation description for this ability based on a db """

-        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None}
+        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None,
+                "697e8a432031075e47cccba24417013d": None,
+                "f39161b2fa5d692ebe3972e0680a8f97": None,
+                "16e6823c4656f5cd155051f5f1e5d6ad": None,
+                "443b853ac50a79fc4a85354cb2c90fa2": None,
+                "2bfafbee8e3edb25974a5d1aa3d9f431": None,
+                "163b023f43aba758d36f524d146cb8ea": None}
        if ability_id not in data:
            return None

@ -95,7 +137,13 @@ class AttackLog():
    def get_caldera_default_countermeasure(self, ability_id: str):
        """ Returns the default countermeasure for this ability based on a db """

-        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None}
+        data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None,
+                "697e8a432031075e47cccba24417013d": None,
+                "f39161b2fa5d692ebe3972e0680a8f97": None,
+                "16e6823c4656f5cd155051f5f1e5d6ad": None,
+                "443b853ac50a79fc4a85354cb2c90fa2": None,
+                "2bfafbee8e3edb25974a5d1aa3d9f431": None,
+                "163b023f43aba758d36f524d146cb8ea": None}
        if ability_id not in data:
            return None

@ -127,8 +175,8 @@ class AttackLog():
                "logid": logid,
                "name": kwargs.get("name", self.get_caldera_default_name(ability_id)),
                "description": kwargs.get("description", self.get_caldera_default_description(ability_id)),
-                "tactics": kwargs.get("tactics", self.get_caldera_default_tactics(ability_id)),
-                "tactics_id": kwargs.get("tactics_id", self.get_caldera_default_tactics_id(ability_id)),
+                "tactics": kwargs.get("tactics", self.get_caldera_default_tactics(ability_id, ttp)),
+                "tactics_id": kwargs.get("tactics_id", self.get_caldera_default_tactics_id(ability_id, ttp)),
                "situation_description": kwargs.get("situation_description", self.get_caldera_default_situation_description(ability_id)),  # Description for the situation this attack was run in. Set by the plugin or attacker emulation
                "countermeasure": kwargs.get("countermeasure", self.get_caldera_default_countermeasure(ability_id)),  # Set by the attack
                "obfuscator": kwargs.get("obfuscator", "default"),
--- a/tests/test_attack_log.py
+++ b/tests/test_attack_log.py
@ -408,22 +408,22 @@ class TestMachineConfig(unittest.TestCase):
    def test_get_caldera_default_tactics_missing(self):
        """ Testing getting the caldera default tactics """
        al = AttackLog()
-        self.assertEqual(al.get_caldera_default_tactics("missing"), None)
+        self.assertEqual(al.get_caldera_default_tactics("missing", None), None)

    def test_get_caldera_default_tactics(self):
        """ Testing getting the caldera default tactics """
        al = AttackLog()
-        self.assertEqual(al.get_caldera_default_tactics("bd527b63-9f9e-46e0-9816-b8434d2b8989"), "System Owner/User Discovery")
+        self.assertEqual(al.get_caldera_default_tactics("bd527b63-9f9e-46e0-9816-b8434d2b8989", None), "System Owner/User Discovery")

    def test_get_caldera_default_tactics_id_missing(self):
        """ Testing getting the caldera default tactics_id """
        al = AttackLog()
-        self.assertEqual(al.get_caldera_default_tactics_id("missing"), None)
+        self.assertEqual(al.get_caldera_default_tactics_id("missing", None), None)

    def test_get_caldera_default_tactics_id(self):
        """ Testing getting the caldera default tactics_id """
        al = AttackLog()
-        self.assertEqual(al.get_caldera_default_tactics_id("bd527b63-9f9e-46e0-9816-b8434d2b8989"), "T1033")
+        self.assertEqual(al.get_caldera_default_tactics_id("bd527b63-9f9e-46e0-9816-b8434d2b8989", None), "T1033")

    def test_get_caldera_default_situation_description_missing(self):
        """ Testing getting the caldera default situation_description """