From 4f8c366386552fa9c522684b36a6c3b67a8092d3 Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Thu, 28 Oct 2021 16:38:24 +0200
Subject: [PATCH] Adding caldera default values per TTP to attack logger

---
 app/attack_log.py | 78 ++++++++++++++++++++++++++++++++--------
 tests/test_attack_log.py | 8 ++---
 2 files changed, 67 insertions(+), 19 deletions(-)

diff --git a/app/attack_log.py b/app/attack_log.py
index 70f1c5c..efa9968 100644
--- a/app/attack_log.py
+++ b/app/attack_log.py
@@ -59,34 +59,76 @@ class AttackLog(): def get_caldera_default_description(self, ability_id: str): """ Returns the default description for this ability based on a db """ - data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "Obtain user from current session"} + data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "Obtain user from current session", + "697e8a432031075e47cccba24417013d": "Copy a VBS file to several startup folders", + "f39161b2fa5d692ebe3972e0680a8f97": "Copy a BAT file to several startup folders", + "16e6823c4656f5cd155051f5f1e5d6ad": "Copy a JSE file to several startup folders", + "443b853ac50a79fc4a85354cb2c90fa2": "Set Regky RunOnce\\0001\\Depend to run a dll", + "2bfafbee8e3edb25974a5d1aa3d9f431": "Set Regky RunOnce\\0001\\Depend , download a bat", + "163b023f43aba758d36f524d146cb8ea": "Set Regkey CurrentVersion\\Run to start a exe"} if ability_id not in data: return None return data[ability_id] - def get_caldera_default_tactics(self, ability_id: str): + def get_caldera_default_tactics(self, ability_id: str, ttp: Optional[str]): """ Returns the default tactics for this ability based on a db """ - data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "System Owner/User Discovery"} - if ability_id not in data: - return None + data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "System Owner/User Discovery", + "697e8a432031075e47cccba24417013d": "Persistence", + "f39161b2fa5d692ebe3972e0680a8f97": "Persistence", + "16e6823c4656f5cd155051f5f1e5d6ad": "Persistence", + "443b853ac50a79fc4a85354cb2c90fa2": "Persistence", + "2bfafbee8e3edb25974a5d1aa3d9f431": "Persistence", + "163b023f43aba758d36f524d146cb8ea": "Persistence", + "697e8a432031075e47cccba24417013d": "Persistence"} - return data[ability_id] + ttp_data = {"t1547": "Persistence", + "t1547.001": "Persistence"} + + if ability_id in data: + return data[ability_id] + + if ttp is not None: + if ttp.lower() in ttp_data: + return ttp_data[ttp.lower()] + + return None - def get_caldera_default_tactics_id(self, 
ability_id: str): + def get_caldera_default_tactics_id(self, ability_id: str, ttp: Optional[str]): """ Returns the default name for this ability based on a db """ - data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "T1033"} - if ability_id not in data: - return None + data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": "T1033", + "697e8a432031075e47cccba24417013d": "TA0003", + "f39161b2fa5d692ebe3972e0680a8f97": "TA0003", + "16e6823c4656f5cd155051f5f1e5d6ad": "TA0003", + "443b853ac50a79fc4a85354cb2c90fa2": "TA0003", + "2bfafbee8e3edb25974a5d1aa3d9f431": "TA0003", + "163b023f43aba758d36f524d146cb8ea": "TA0003", + "697e8a432031075e47cccba24417013d": "TA0003"} - return data[ability_id] + ttp_data = {"t1547": "TA0003", + "t1547.001": "TA0003"} + + if ability_id in data: + return data[ability_id] + + if ttp is not None: + if ttp.lower() in ttp_data: + return ttp_data[ttp.lower()] + + return None def get_caldera_default_situation_description(self, ability_id: str): """ Returns the default situation description for this ability based on a db """ - data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None} + data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None, + "697e8a432031075e47cccba24417013d": None, + "f39161b2fa5d692ebe3972e0680a8f97": None, + "16e6823c4656f5cd155051f5f1e5d6ad": None, + "443b853ac50a79fc4a85354cb2c90fa2": None, + "2bfafbee8e3edb25974a5d1aa3d9f431": None, + "163b023f43aba758d36f524d146cb8ea": None} if ability_id not in data: return None 
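Review bot: The new `data` literal in `get_caldera_default_tactics` lists the key `"697e8a432031075e47cccba24417013d"` twice (once in the middle, once as the final entry), and the `data` literal in `get_caldera_default_tactics_id` repeats the same duplicate; Python keeps only the last value silently, so the trailing duplicate should be removed from both dicts before it masks a real conflict later. The added `ttp` parameter is required positional, which breaks every existing caller that passed only `ability_id`; declaring it `ttp: Optional[str] = None` in both signatures keeps the old call form working and matches how the updated tests call it with `None`. This also relies on `Optional` being imported from `typing` further up the file, which is outside this hunk and worth confirming. The new entries return the ATT&CK tactic id `TA0003` while the pre-existing entry returns the technique id `T1033`, so log consumers will find two identifier namespaces in one `tactics_id` field; a comment such as `# tactics_id holds ATT&CK tactic ids (TAxxxx); the T1033 entry is a legacy technique id` or a data fix would make the contract explicit. The `get_caldera_default_description` and `get_caldera_default_situation_description` bodies are cut at the hunk edges.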
@@ -95,7 +137,13 @@ class AttackLog(): def get_caldera_default_countermeasure(self, ability_id: str): """ Returns the default countermeasure for this ability based on a db """ - data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None} + data = {"bd527b63-9f9e-46e0-9816-b8434d2b8989": None, + "697e8a432031075e47cccba24417013d": None, + "f39161b2fa5d692ebe3972e0680a8f97": None, + "16e6823c4656f5cd155051f5f1e5d6ad": None, + "443b853ac50a79fc4a85354cb2c90fa2": None, + "2bfafbee8e3edb25974a5d1aa3d9f431": None, + "163b023f43aba758d36f524d146cb8ea": None} if ability_id not in data: return None @@ -127,8 +175,8 @@ class AttackLog(): "logid": logid, "name": kwargs.get("name", self.get_caldera_default_name(ability_id)), "description": kwargs.get("description", self.get_caldera_default_description(ability_id)), - "tactics": kwargs.get("tactics", self.get_caldera_default_tactics(ability_id)), - "tactics_id": kwargs.get("tactics_id", self.get_caldera_default_tactics_id(ability_id)), + "tactics": kwargs.get("tactics", self.get_caldera_default_tactics(ability_id, ttp)), + "tactics_id": kwargs.get("tactics_id", self.get_caldera_default_tactics_id(ability_id, ttp)), "situation_description": kwargs.get("situation_description", self.get_caldera_default_situation_description(ability_id)), # Description for the situation this attack was run in. Set by the plugin or attacker emulation "countermeasure": kwargs.get("countermeasure", self.get_caldera_default_countermeasure(ability_id)), # Set by the attack "obfuscator": kwargs.get("obfuscator", "default"), diff --git a/tests/test_attack_log.py b/tests/test_attack_log.py index b10e00b..5aeccbb 100644 --- a/tests/test_attack_log.py +++ b/tests/test_attack_log.py 
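Review bot: Every value in the extended `data` dict of `get_caldera_default_countermeasure` is `None`, so both the `not in data` branch and the `return data[ability_id]` line yield `None` and the lookup is currently a no-op; if the entries are intentional placeholders, say so with a comment above the literal, e.g. `# All known abilities have no default countermeasure yet; entries are placeholders to be filled in`. The same applies to the `get_caldera_default_situation_description` dict in the preceding hunk. The enclosing method continues past the hunk's last line.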
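Review bot: The two changed `kwargs.get(...)` lines now forward `ttp` into the default lookups, but nothing in this hunk shows where `ttp` is bound; presumably it is a parameter of the enclosing method, whose signature starts outside the hunk, and that should be confirmed since a `NameError` here would surface only at log time. The fallback order also deserves a comment, because the ability id match is exact while the TTP match is lowercased inside the helpers, e.g. `# Defaults resolve by exact ability id first, then by the (case-insensitive) ATT&CK technique id in ttp`. Note that the defaults are evaluated eagerly even when the caller supplied the key, which is harmless here but means every log entry performs both lookups.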
@@ -408,22 +408,22 @@ class TestMachineConfig(unittest.TestCase): def test_get_caldera_default_tactics_missing(self): """ Testing getting the caldera default tactics """ al = AttackLog() - self.assertEqual(al.get_caldera_default_tactics("missing"), None) + self.assertEqual(al.get_caldera_default_tactics("missing", None), None) def test_get_caldera_default_tactics(self): """ Testing getting the caldera default tactics """ al = AttackLog() - self.assertEqual(al.get_caldera_default_tactics("bd527b63-9f9e-46e0-9816-b8434d2b8989"), "System Owner/User Discovery") + self.assertEqual(al.get_caldera_default_tactics("bd527b63-9f9e-46e0-9816-b8434d2b8989", None), "System Owner/User Discovery") def test_get_caldera_default_tactics_id_missing(self): """ Testing getting the caldera default tactics_id """ al = AttackLog() - self.assertEqual(al.get_caldera_default_tactics_id("missing"), None) + self.assertEqual(al.get_caldera_default_tactics_id("missing", None), None) def test_get_caldera_default_tactics_id(self): """ Testing getting the caldera default tactics_id """ al = AttackLog() - self.assertEqual(al.get_caldera_default_tactics_id("bd527b63-9f9e-46e0-9816-b8434d2b8989"), "T1033") + self.assertEqual(al.get_caldera_default_tactics_id("bd527b63-9f9e-46e0-9816-b8434d2b8989", None), "T1033") def test_get_caldera_default_situation_description_missing(self): """ Testing getting the caldera default situation_description """
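Review bot: The updated assertions only pass `None` for the new `ttp` argument, so the TTP-based fallback introduced in `get_caldera_default_tactics` and `get_caldera_default_tactics_id` (the `t1547` / `t1547.001` entries and the `ttp.lower()` normalisation) has no test coverage. Adding cases such as `self.assertEqual(al.get_caldera_default_tactics("missing", "T1547.001"), "Persistence")` and `self.assertEqual(al.get_caldera_default_tactics_id("missing", "t1547"), "TA0003")` would pin both the fallback and the case-insensitive match. A negative case with an unknown TTP, e.g. `self.assertEqual(al.get_caldera_default_tactics("missing", "T9999"), None)`, would cover the final `return None` path. The enclosing `TestMachineConfig` class continues outside the hunk.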