├── examples
│   ├── ATTACK_ALL.xlsx
│   └── ATTACK_Attribution.xlsx
├── LICENSE
├── README.md
└── Invoke-ATTACKAPI.ps1

/examples/ATTACK_ALL.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rWard0g/Invoke-ATTACKAPI/HEAD/examples/ATTACK_ALL.xlsx
--------------------------------------------------------------------------------

/examples/ATTACK_Attribution.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rWard0g/Invoke-ATTACKAPI/HEAD/examples/ATTACK_Attribution.xlsx
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Roberto Rodriguez

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Invoke-ATTACKAPI [DEPRECATED]
# WE RECOMMEND USING: https://github.com/Cyb3rWard0g/ATTACK-Python-Client

A PowerShell script to interact with the MITRE ATT&CK Framework via its own API in order to gather information about techniques,
tactics, groups, software and references provided by the MITRE ATT&CK Team @MITREattack. **THIS SCRIPT STILL USES THE DEPRECATED MEDIAWIKI API. IT HAS NOT YET BEEN UPDATED TO USE THE PUBLIC TAXII SERVER API.**

# Goals
* Provide the community with an easy way to interact with the MITRE ATT&CK Framework via its own API and PowerShell.
* Expedite the acquisition of data from ATT&CK when preparing for a Hunting Campaign.
* Learn PowerShell Dynamic Parameters :)

# Resources
* [MITRE ATT&CK API](https://attack.mitre.org/wiki/Using_the_API)
* [Semantic MediaWiki API](https://www.semantic-mediawiki.org/wiki/Help:API)
* [Get-ATTack](https://github.com/SadProcessor/SomeStuff/blob/master/Get-ATTaCK.ps1)
* Walter Legowski [@SadProcessor](https://twitter.com/SadProcessor)

# Getting Started

## Requirements
* PowerShell version 3+

## Installing / Importing
```
git clone https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI.git
cd Invoke-ATTACKAPI
Import-Module .\Invoke-ATTACKAPI.ps1

/$$$$$$ /$$$$$$$$ /$$$$$$$$ /$$$ /$$$$$$ /$$ /$$ /$$$$$$ /$$$$$$$ /$$$$$$
/$$__ $$|__ $$__/|__ $$__//$$ $$ /$$__ $$| $$ /$$/ /$$__ $$| $$__ $$|_ $$_/
| $$ \ $$ | $$ | $$ | $$$ | $$ \__/| $$ /$$/ | $$ \ $$| $$ \ $$ | $$
| $$$$$$$$ | $$ | $$ /$$ $$/$$| $$ | $$$$$/ | $$$$$$$$| $$$$$$$/ | $$
| $$__ $$ | $$ | $$ | $$ $$_/| $$ | $$ $$ | $$__ $$| $$____/ | $$
| $$ | $$ | $$ | $$ | $$\ $$ | $$ $$| $$\ $$ | $$ | $$| $$ | $$
| $$ | $$ | $$ | $$ | $$$$/$$| $$$$$$/| $$ \ $$ | $$ | $$| $$ /$$$$$$
|__/ |__/ |__/ |__/ \____/\_/ \______/ |__/ \__/ |__/ |__/|__/ |______/ V.0.9[BETA]

Adversarial Tactics, Techniques & Common Knowledge API

[*] Author: Roberto Rodriguez @Cyb3rWard0g

[++] Pulling MITRE ATT&CK Data

```

## Examples
### This query matches all techniques
```
Invoke-ATTACKAPI -Category -Technique

ID                  : {T1001}
Bypass              : {}
Contributor         : {}
Requires System     : {}
Data Source         : {Packet capture, Process use of network, Process monitoring, Network protocol analysis}
Description         : {Command and control (C2) communications are hidden (but not necessarily encrypted) in an
                      attempt to make the content more difficult to discover or decipher and to make the
                      communication less conspicuous and hide commands from being seen. This encompasses many
                      methods, such as adding junk data to protocol traffic, using steganography, commingling
                      legitimate traffic with C2 communications traffic, or using a non-standard data encoding
                      system, such as a modified Base64 encoding for the message body of an HTTP request.}
Mitigation          : {Network intrusion detection and prevention systems that use network signatures to
                      identify traffic for specific adversary malware can be used to mitigate activity at the
                      network level. Signatures are often for unique indicators within protocols and may be
                      based on the specific obfuscation technique used by a particular adversary or tool, and
                      will likely be different across various malware families and versions. Adversaries will
                      likely change tool C2 signatures over time or construct protocols in such a way as to
                      avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]}
Tactic              : Command and Control
Analytic Details    : {Analyze network data for uncommon data flows (e.g., a client sending significantly more
                      data than it receives from a server). Processes utilizing the network that do not normally
                      have network communication or have never been seen before are suspicious. Analyze packet
                      contents to detect communications that do not follow the expected protocol behavior for
                      the port that is being used.[[CiteRef::University of Birmingham C2]]}
TechniqueName       : {Data Obfuscation}
FullText            : Technique/T1001
Link Text           : {[[Technique/T1001|Data Obfuscation]]}
Reference           : {University of Birmingham C2, FireEye APT28, Axiom, FireEye APT30...}
Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
Name                : {Data Obfuscation}
CAPEC ID            : {}
Requires Permission : {}
URL                 : https://attack.mitre.org/wiki/Technique/T1001
.............
..................

ID                  : {T1068}
Bypass              : {Anti-virus, System access controls}
Contributor         : {John Lambert, Microsoft Threat Intelligence Center}
Requires System     : {Unpatched software or otherwise vulnerable target. Depending on the target and goal, the
                      system and exploitable service may need to be remotely accessible from the internal
                      network. In the case of privilege escalation, the adversary likely already has user
                      permissions on the target system.}
Data Source         : {Windows Error Reporting, File monitoring, Process monitoring}
Description         : {Exploitation of a software vulnerability occurs when an adversary takes advantage of a
                      programming error in a program, service, or within the operating system software or
                      kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities
                      may allow adversaries to run a command or binary on a remote system for lateral movement,
                      escalate a current process to a higher privilege level, or bypass security mechanisms.
                      Exploits may also allow an adversary access to privileged accounts and credentials. One
                      example of this is MS14-068, which can be used to forge Kerberos tickets using domain
                      user permissions.[[CiteRef::Technet MS14-068]][[CiteRef::ADSecurity Detecting Forged
                      Tickets]]}
Mitigation          : {Update software regularly by employing patch management for internal enterprise
                      endpoints and servers. Develop a robust cyber threat intelligence capability to determine
                      what types and levels of threat may use software exploits and 0-days against a particular
                      organization. Make it difficult for adversaries to advance their operation through
                      exploitation of undiscovered or unpatched vulnerabilities by using sandboxing,
                      virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation
                      Experience Toolkit.[[CiteRef::SRD EMET]]}
Tactic              : {Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation}
Analytic Details    : {Software exploits may not always succeed or may cause the exploited process to become
                      unstable or crash. Software and operating system crash reports may contain useful
                      contextual information about attempted exploits that correlate with other malicious
                      activity. Exploited processes may exhibit behavior that is unusual for the specific
                      process, such as spawning additional processes or reading and writing to files.}
TechniqueName       : {Exploitation of Vulnerability}
FullText            : Technique/T1068
Link Text           : {[[Technique/T1068|Exploitation of Vulnerability]]}
Reference           : {ADSecurity Detecting Forged Tickets, Bitdefender APT28 Dec 2015, ESET Sednit July 2015,
                      ESET Sednit Part 1...}
Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
Name                : {Exploitation of Vulnerability}
CAPEC ID            : {69}
Requires Permission : {User, Administrator, SYSTEM}
URL                 : https://attack.mitre.org/wiki/Technique/T1068
```

### This query matches the page Technique with ID T1014
```
Invoke-ATTACKAPI -Category -Technique -ID T1014

ID                  : {T1014}
Bypass              : {Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting...}
Contributor         : {}
Requires System     : {}
Data Source         : {BIOS, MBR, System calls}
Description         : {Rootkits are programs that hide the existence of malware by intercepting and modifying
                      operating system API calls that supply system information. Rootkits or rootkit enabling
                      functionality may reside at the user or kernel level in the operating system or lower, to
                      include a [[Technique/T1062|Hypervisor]], Master Boot Record, or the
                      [[Technique/T1019|System Firmware]].[[CiteRef::Wikipedia Rootkit]]

                      Adversaries may use rootkits to hide the presence of programs, files, network
                      connections, services, drivers, and other system components.}
Mitigation          : {Identify potentially malicious software that may contain rootkit functionality, and
                      audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like
                      AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software
                      Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet
                      Applocker vs SRP]]}
Tactic              : Defense Evasion
Analytic Details    : {Some rootkit protections may be built into anti-virus or operating system software.
                      There are dedicated rootkit detection tools that look for specific types of rootkit
                      behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes
                      to the MBR.[[CiteRef::Wikipedia Rootkit]]}
TechniqueName       : {Rootkit}
FullText            : Technique/T1014
Link Text           : {[[Technique/T1014|Rootkit]]}
Reference           : {Wikipedia Rootkit, Beechey 2010, Windows Commands JPCERT, NSA MS AppLocker...}
Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
Name                : {Rootkit}
CAPEC ID            : {}
Requires Permission : {Administrator, SYSTEM}
URL                 : https://attack.mitre.org/wiki/Technique/T1014
```

### This query matches all the groups that use a specific software (in this case Cobalt Strike). SYNTAX: "Software: <Name>"
```
Invoke-ATTACKAPI -Category -Group -Tool 'Software: Cobalt Strike'

Tool          : {Software: Cobalt Strike, Software: KOMPROGO, Software: WINDSHIELD, Software: SOUNDBITE...}
Alias         : {APT32, OceanLotus Group}
ID            : {G0050}
URL           : https://attack.mitre.org/wiki/Group/G0050
TechniqueName : {Scheduled Task, Regsvr32, PowerShell, Custom Command and Control Protocol...}
FullText      : Group/G0050
Reference     : {FireEye APT32 May 2017, GitHub Malleable C2, GitHub Invoke-Obfuscation}
Link Text     : {[[Group/G0050|APT32]]}
Name          : {APT32}
Description   : {[[Group/G0050|APT32]] is a threat group that has been active since at least 2014. The group
                has targeted multiple private sector industries as well as with foreign governments,
                dissidents, and journalists. The group's operations are aligned with Vietnamese state
                interests.[[CiteRef::FireEye APT32 May 2017]]}
TechniqueID   : {Technique/T1053, Technique/T1117, Technique/T1086, Technique/T1094...}
Display Title : Group: APT32, OceanLotus Group
```

### [BETA] Exporting custom results to a CSV
```
Invoke-ATTACKAPI -Category -Technique | Where-Object -Property ID -GE "T1134" |
select @{Name="Name"; Expression={$_.Name -join ","}}, @{Name="Tactic"; Expression={$_.Tactic -join ","}},
@{Name="ID"; Expression={$_.ID -join ","}}, @{Name="Description"; Expression={$_.Description -join ","}},
@{Name="Analytic details"; Expression={$_.'Analytic Details' -join ","}}, @{Name="Data Source";
Expression={$_.'Data Source' -join ","}} | Export-Csv F:\wardog\scripts\demo6.csv -NoTypeInformation
```

### Showing an up to date ATT&CK Matrix for Enterprise
```
Invoke-ATTACKAPI -Matrix | select Persistence, 'Privilege Escalation', 'Defense Evasion','Credential Access', Discovery, 'Lateral Movement', Execution, Collection, Exfiltration, 'Command and Control' |
ft

Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution
----------- -------------------- --------------- ----------------- --------- ---------------- ---------
.bash_profile and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript AppleScript
Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Application Shimming
AppInit DLLs AppInit DLLs Bypass User Account Control Brute Force File and Directory Discovery Exploitation of Vulnerability Command-Line Interface
Application Shimming Application Shimming Clear Command History Create Account Network Service Scanning Logon Scripts Execution through API
Authentication Package Bypass User Account Control Code Signing Credential Dumping Network Share Discovery Pass the Hash Execution through Mod...
Bootkit DLL Injection Component Firmware Credentials in Files Peripheral Device Discovery Pass the Ticket Graphical User Interface
Change Default File Association DLL Search Order Hijacking Component Object Model Hijacking Exploitation of Vulnerability Permission Groups Discovery Remote Desktop Protocol InstallUtil
Component Firmware Dylib Hijacking Deobfuscate/Decode Files or Information Input Capture Process Discovery Remote File Copy Launchctl
Component Object Model Hijacking Exploitation of Vulnerability Disabling Security Tools Input Prompt Query Registry Remote Services PowerShell
Cron Job File System Permissions Weakness DLL Injection Keychain Remote System Discovery Replication Through Removable Media Process Hollowing
DLL Search Order Hijacking Launch Daemon DLL Search Order Hijacking Network Sniffing Security Software Discovery Shared Webroot Regsvcs/Regasm
Dylib Hijacking Local Port Monitor DLL Side-Loading Private Keys System Information Discovery Taint Shared Content Regsvr32
External Remote Services New Service Exploitation of Vulnerability Securityd Memory System Network Configuration Discovery Third-party Software Rundll32
File System Permissions Weakness Path Interception File Deletion Two-Factor Authentication Interception System Network Connections Discovery Windows Admin Shares Scheduled Task
Hidden Files and Directories Plist Modification File System Logical Offsets System Owner/User Discovery Windows Remote Management Scripting
Hypervisor Scheduled Task Gatekeeper Bypass System Service Discovery Service Execution
Launch Agent Service Registry Permissions Weakness Hidden Files and Directories System Time Discovery Source
Launch Daemon Setuid and Setgid Hidden Users Space after Filename
Launchctl Startup Items Hidden Window Third-party Software
LC_LOAD_DYLIB Addition Sudo HISTCONTROL Trap
Local Port Monitor Valid Accounts Indicator Blocking Trusted Developer Uti...
Login Item Web Shell Indicator Removal from Tools Windows Management In...
Logon Scripts Indicator Removal on Host Windows Remote Manage...
Modify Existing Service Install Root Certificate
Netsh Helper DLL InstallUtil
New Service Launchctl
Office Application Startup LC_MAIN Hijacking
Path Interception Masquerading
Plist Modification Modify Registry
Rc.common Network Share Connection Removal
Redundant Access NTFS Extended Attributes
Registry Run Keys / Start Folder Obfuscated Files or Information
Re-opened Applications Plist Modification
Scheduled Task Process Hollowing
Security Support Provider Redundant Access
Service Registry Permissions Weakness Regsvcs/Regasm
Shortcut Modification Regsvr32
Startup Items Rootkit
System Firmware Rundll32
Trap Scripting
Valid Accounts Software Packing
Web Shell Space after Filename
Windows Management Instrumentation Event Subscription Timestomp
Winlogon Helper DLL Trusted Developer Utilities
Valid Accounts
```

### Getting an up to date ATT&CK Matrix for Enterprise and exporting it to a csv file
```
Invoke-ATTACKAPI -Matrix | select Persistence, 'Privilege Escalation', 'Defense Evasion','Credential Access',
Discovery, 'Lateral Movement', Execution, Collection, Exfiltration, 'Command and Control' |
Export-Csv C:\wardog\scripts\matrix.csv -NoTypeInformation
```

### Showing an up to date table of Groups/APTs with the techniques and tools attributed to them
```
Invoke-ATTACKAPI -Attribution | ft

Group Group Alias Group ID Tactic TechniqueName TechniqueID Tool
----- ----------- -------- ------ ------------- ----------- ----
admin@338 admin@338 G0018 Discovery System Time Discovery Technique/T1124 Software: Net, net.exe
admin@338 admin@338 G0018 Defense Evasion Network Share Connection Removal Technique/T1126 Software: Net, net.exe
admin@338 admin@338 G0018 Command and Control Commonly Used Port Technique/T1043 Software: LOWBALL
admin@338 admin@338 G0018 {Command and Control, Lateral Movement} Remote File Copy Technique/T1105 Software: LOWBALL
admin@338 admin@338 G0018 Discovery System Network Connections Discovery Technique/T1049 Software: netstat, netstat.exe
admin@338 admin@338 G0018 Discovery System Information Discovery Technique/T1082 Software: BUBBLEWRAP, Backdoor.APT...
admin@338 admin@338 G0018 Discovery Account Discovery Technique/T1087
admin@338 admin@338 G0018 Execution Command-Line Interface Technique/T1059
admin@338 admin@338 G0018 Discovery System Service Discovery Technique/T1007
admin@338 admin@338 G0018 Defense Evasion Masquerading Technique/T1036
admin@338 admin@338 G0018 Discovery Remote System Discovery Technique/T1018 Software: Net, net.exe
admin@338 admin@338 G0018 Discovery System Network Connections Discovery Technique/T1049 Software: Net, net.exe
admin@338 admin@338 G0018 Lateral Movement Windows Admin Shares Technique/T1077 Software: Net, net.exe
admin@338 admin@338 G0018 {Defense Evasion, Privilege Escalation} DLL Injection Technique/T1055 Software: PoisonIvy, Poison Ivy
admin@338 admin@338 G0018 Discovery System Service Discovery Technique/T1007 Software: Net, net.exe
admin@338 admin@338 G0018 Discovery Account Discovery Technique/T1087 Software: Net, net.exe
admin@338 admin@338 G0018 Command and Control Standard Non-Application Layer Protocol Technique/T1095 Software: BUBBLEWRAP, Backdoor.APT...
admin@338 admin@338 G0018 Discovery System Information Discovery Technique/T1082 Software: Systeminfo, systeminfo.exe
admin@338 admin@338 G0018 Credential Access Create Account Technique/T1136 Software: Net, net.exe
admin@338 admin@338 G0018 Discovery Permission Groups Discovery Technique/T1069
admin@338 admin@338 G0018 Discovery Network Share Discovery Technique/T1135 Software: Net, net.exe
admin@338 admin@338 G0018 Command and Control Web Service Technique/T1102 Software: LOWBALL
admin@338 admin@338 G0018 Execution Service Execution Technique/T1035 Software: Net, net.exe
admin@338 admin@338 G0018 Discovery File and Directory Discovery Technique/T1083
admin@338 admin@338 G0018 Discovery Permission Groups Discovery Technique/T1069 Software: Net, net.exe
admin@338 admin@338 G0018 Discovery System Network Connections Discovery Technique/T1049
admin@338 admin@338 G0018 Discovery System Information Discovery Technique/T1082
admin@338 admin@338 G0018 Command and Control Standard Application Layer Protocol Technique/T1071 Software: LOWBALL
admin@338 admin@338 G0018 Command and Control Standard Cryptographic Protocol Technique/T1032 Software: PoisonIvy, Poison Ivy
admin@338 admin@338 G0018 {Collection, Credential Access} Input Capture Technique/T1056 Software: PoisonIvy, Poison Ivy
admin@338 admin@338 G0018 Command and Control Standard Application Layer Protocol Technique/T1071 Software: BUBBLEWRAP, Backdoor.APT...
admin@338 admin@338 G0018 Discovery System Network Configuration Discovery Technique/T1016 Software: ipconfig, ipconfig.exe
admin@338 admin@338 G0018 Discovery System Network Configuration Discovery Technique/T1016
APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Collection Data from Local System Technique/T1005
APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Execution Service Execution Technique/T1035 Software: xCmd
APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Lateral Movement Pass the Hash Technique/T1075 Software: Pass-The-Hash Toolkit
APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Execution Service Execution Technique/T1035 Software: Net, net.exe
APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Discovery Remote System Discovery Technique/T1018 Software: Net, net.exe
APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Collection Email Collection Technique/T1114
APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Lateral Movement Pass the Hash Technique/T1075
```

### Showing an up to date table of the techniques and tools attributed to a Group/APT with Group ID G0051 (FIN7)
```
Invoke-ATTACKAPI -Attribution | Where-Object -Property 'Group ID' -EQ 'G0046' | ft

Group Group Alias Group ID Tactic TechniqueName TechniqueID Tool Description
----- ----------- -------- ------ ------------- ----------- ---- -----------
FIN7 FIN7 G0046 Discovery Process Discovery Technique/T1057 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can obtain information about running processes on the victim.[[CiteRef::Fir...
FIN7 FIN7 G0046 Persistence Registry Run Keys / Start Folder Technique/T1060 {[[Group/G0046|FIN7]] malware has created a Registry Run key pointing to its malicious LNK file to establ...
FIN7 FIN7 G0046 Discovery Query Registry Technique/T1012 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] queries Registry keys in preparation for setting Run keys to achieve pers...
FIN7 FIN7 G0046 Persistence Registry Run Keys / Start Folder Technique/T1060 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] achieves persistence by setting a Registry Run key, with the path dependi...
FIN7 FIN7 G0046 {Command and Control, Lateral Movement} Remote File Copy Technique/T1105 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] has been observed being used to download [[Software/S0146|TEXTMATE]] and ...
FIN7 FIN7 G0046 {Execution, Persistence, Privilege Escalation} Application Shimming Technique/T1138 {[[Group/G0046|FIN7]] has used application shim databases for persistence.[[CiteRef::FireEye FIN7 Shim Da...
FIN7 FIN7 G0046 {Execution, Persistence, Privilege Escalation} Scheduled Task Technique/T1053 {[[Group/G0046|FIN7]] malware has created scheduled tasks to establish persistence.[[CiteRef::FireEye FIN...
FIN7 FIN7 G0046 Command and Control Standard Application Layer Protocol Technique/T1071 Software: Carbanak, Anunak {The [[Software/S0030|Carbanak]] malware communicates to its command server using HTTP with an encrypted ...
FIN7 FIN7 G0046 Collection Screen Capture Technique/T1113 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can obtain screenshots from the victim.[[CiteRef::FireEye FIN7 April 2017]]}
FIN7 FIN7 G0046 Command and Control Standard Application Layer Protocol Technique/T1071 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef...
FIN7 FIN7 G0046 Execution Windows Management Instrumentation Technique/T1047 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can use WMI queries to gather system information.[[CiteRef::FireEye FIN7 Ap...
FIN7 FIN7 G0046 Command and Control Standard Application Layer Protocol Technique/T1071 Software: TEXTMATE, DNSMessenger {[[Software/S0146|TEXTMATE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]]}
FIN7 FIN7 G0046 Discovery System Information Discovery Technique/T1082 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can obtain information about the OS, processor, and BIOS.[[CiteRef::FireEye...
FIN7 FIN7 G0046 {Collection, Credential Access} Input Capture Technique/T1056 Software: Carbanak, Anunak {[[Software/S0030|Carbanak]] contains keylogger functionality.[[CiteRef::Kaspersky Carbanak]]}
FIN7 FIN7 G0046 Command and Control Standard Cryptographic Protocol Technique/T1032 Software: Carbanak, Anunak {[[Software/S0030|Carbanak]] encrypts the message body of HTTP traffic with RC2 and Base64 encoding.[[Cit...
FIN7 FIN7 G0046 Execution PowerShell Technique/T1086 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can execute PowerShell scripts.[[CiteRef::FireEye FIN7 April 2017]]}
FIN7 FIN7 G0046 {Command and Control, Lateral Movement} Remote File Copy Technique/T1105 {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[...
FIN7 FIN7 G0046 Execution PowerShell Technique/T1086 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] is a PowerShell backdoor.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef::C...
FIN7 FIN7 G0046 Execution PowerShell Technique/T1086 {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[...
FIN7 FIN7 G0046 Defense Evasion Masquerading Technique/T1036 {[[Group/G0046|FIN7]] has created a scheduled task named “AdobeFlashSync” to establish persistence.[[Cite...
FIN7 FIN7 G0046 Defense Evasion Obfuscated Files or Information Technique/T1027 Software: POWERSOURCE, DNSMessenger {If the victim is using PowerShell 3.0 or later, [[Software/S0145|POWERSOURCE]] writes its decoded payloa...
FIN7 FIN7 G0046 Defense Evasion File Deletion Technique/T1107 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can delete a specified file.[[CiteRef::FireEye FIN7 April 2017]]}
FIN7 FIN7 G0046 Execution Command-Line Interface Technique/T1059 Software: TEXTMATE, DNSMessenger {[[Software/S0146|TEXTMATE]] executes cmd.exe to provide a reverse shell to attackers.[[CiteRef::FireEye...
```

### Getting an up to date table of Groups/APTs with the techniques and tools attributed to them and exporting it to a csv file
```
Invoke-ATTACKAPI -Attribution | select Group, 'Group Alias','Group ID', Tactic, TechniqueName,
TechniqueID, Tool, @{Name='Description'; Expression={$_.Description}}, 'Data Source' |
Export-Csv -NoTypeInformation C:\Documents\ATTACK_Attribution.csv
```

### Showing an up to date table with all the valuable information from the MITRE ATTACK DB at once
```
Invoke-ATTACKAPI -All | ft

Tactic TechniqueName TechniqueID Group Group Alias Group ID Tool
------ ------------- ----------- ----- ----------- -------- ----
Collection Screen Capture Technique/T1113 APT28 {APT28, Sednit, Sofacy, Pawn Storm...} G0007
Collection Screen Capture Technique/T1113 APT28 {APT28, Sednit, Sofacy, Pawn Storm...} G0007 Software: XAgentOSX
Collection Data from Local System Technique/T1005 APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006
Collection Screen Capture Technique/T1113 Cleaver {Cleaver, TG-2889, Threat Group 2889} G0003 Software: TinyZBot
Collection Screen Capture Technique/T1113 APT32 {APT32, OceanLotus Group} G0050 Software: Cobalt Strike
Collection Screen Capture Technique/T1113 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: CosmicDuke, TinyBaron,...
Collection Data Staged Technique/T1074 APT30 APT30 G0013 Software: SPACESHIP
Collection Data from Local System Technique/T1005 Ke3chang Ke3chang G0004
Collection Data from Local System Technique/T1005 Lazarus Group {Lazarus Group, HIDDEN COBRA, Guardians of Peace} G0032
Collection Data from Local System Technique/T1005 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: CosmicDuke, TinyBaron,...
Collection Data from Local System Technique/T1005 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: PinchDuke
Collection Data from Local System Technique/T1005 APT30 APT30 G0013 Software: FLASHFLOOD
Collection Screen Capture Technique/T1113 RTM RTM G0048 Software: RTM
Collection Screen Capture Technique/T1113 MONSOON {MONSOON, Operation Hangover} G0042 Software: BADNEWS
Collection Screen Capture Technique/T1113 menuPass {menuPass, Stone Panda, APT10, Red Apollo...} G0045 Software: RedLeaves, BUGJUICE
Collection Email Collection Technique/T1114 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: SeaDuke, SeaDaddy, Sea...
Collection Email Collection Technique/T1114 APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006
Collection Screen Capture Technique/T1113 Sandworm Team {Sandworm Team, Quedagh} G0034 Software: BlackEnergy, Black Energy
Collection Screen Capture Technique/T1113 FIN7 FIN7 G0046 Software: HALFBAKED
Collection Screen Capture Technique/T1113 Dust Storm Dust Storm G0031 Software: ZLib
Collection Screen Capture Technique/T1113 Dragonfly {Dragonfly, Energetic Bear} G0035 Software: Trojan.Karagany
Collection Screen Capture Technique/T1113 menuPass {menuPass, Stone Panda, APT10, Red Apollo...} G0045 Software: EvilGrab
Collection Screen Capture Technique/T1113 Group5 Group5 G0043
Collection Screen Capture Technique/T1113 Gamaredon Group Gamaredon Group G0047 Software: Pteranodon
Collection Data Staged Technique/T1074 APT30 APT30 G0013 Software: FLASHFLOOD
```

### Getting an up to date table with all the valuable information from the MITRE ATTACK DB at once and exporting it to a csv file
```
Invoke-ATTACKAPI -All | select @{Name='Tactic'; Expression={$_.Tactic -join ','}},
@{Name='TechniqueName'; Expression={$_.TechniqueName -join ','}}, TechniqueID, Group,
@{Name='Group Alias'; Expression={$_.'Group Alias' -join ','}}, 'Group ID',
@{Name='Tool'; Expression={$_.Tool -join ','}},
@{Name='Description'; Expression={$_.Description -join ','}},
@{Name='Data Source'; Expression={$_.'Data Source' -join ','}},
@{Name='Bypass'; Expression={$_.Bypass -join ','}},
@{Name='Analytic Details'; Expression={$_.'Analytic Details' -join ','}},
@{Name='Mitigation'; Expression={$_.Mitigation -join ','}},
@{Name='Platform'; Expression={$_.Platform -join ','}},
@{Name='Requires Permission'; Expression={$_.'Requires Permission' -join ','}},
@{Name='Requires System'; Expression={$_.'Requires System' -join ','}},
@{Name='CAPEC ID'; Expression={$_.'CAPEC ID' -join ','}},
@{Name='Contributor'; Expression={$_.Contributor -join ','}},
@{Name='URL'; Expression={$_.URL -join ','}} |
Export-Csv -NoTypeInformation C:\Downloads\ATTACK_ALL.csv
```

# Author
* Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g)
# Contributors
# Contributing
Feel free to submit a PR and make this script a better one for the community.
# TO-DO
--------------------------------------------------------------------------------

/Invoke-ATTACKAPI.ps1:
--------------------------------------------------------------------------------
function Invoke-ATTACKAPI
{
    <#
    .SYNOPSIS
    A PS script to interact with the MITRE ATT&CK Framework via its own API

    .DESCRIPTION
    Use this script to interact with the MITRE ATT&CK Framework via its API and gather information about techniques,
    tactics, groups, software and references provided by the MITRE ATT&CK Team @MITREattack

    Almost all data in ATT&CK can be accessed using the Semantic MediaWiki Ask API. URLs targeting
    the API are constructed in the following pattern
        /api.php?action=ask&format=<format>&query=<query>
    where <format> is a specific output format (usually json or jsonfm) and <query>
    refers to a query that specifies the data that will be retrieved. Queries are structured as if they are
    targeting the Semantic MediaWiki #ask parser function.

    Queries are constructed by combining one or more page selectors with a set of display parameters.
    A simple selector for all techniques is [[Category:Technique]] and a simple display parameter is
    ?Has display name which maps to the name of the ATT&CK Technique. To construct the query, the selector
    is combined with the display parameter by placing a | symbol in between. So the combined query
    is [[Category:Technique]]|?Has display name. This query will retrieve all ATT&CK techniques along
    with their display name. To run this we just have to URL encode the combined query and place it in the URL.
    The final query is:

    https://attack.mitre.org/api.php?action=ask&format=jsonfm&query=%5B%5BCategory%3ATechnique%5D%5D%7C%3FHas%20display%20name

    .PARAMETER Sync
    Connects to the MITRE ATT&CK framework and dumps all its data to an object.
    The output of this is needed before running any other parameters.

    .PARAMETER Matrix
    Switch that you can use to display an up to date ATT&CK Matrix for Enterprise

    .PARAMETER Category
    Page selector switch.

    .PARAMETER Technique
    Page Selector to show all Techniques at once with their respective properties.

    .PARAMETER Group
    Page Selector to show all Groups at once with their respective properties.

    .PARAMETER Software
    Page Selector to show all Software at once with their respective properties.

    .PARAMETER Tactic
    Page Selector to show all Tactics at once with their respective properties.

    .PARAMETER Reference
    Page Selector to show all References at once with their respective properties.

    .PARAMETER Attribution
    Switch used to display a table with techniques and Tools attributed to a specific Group/APT

    .PARAMETER All
    Switch used to get all the valuable information from the MITRE ATTACK DB at once.

    .PARAMETER FullText
    Depending on what page selector you choose, the values of this parameter vary.
    This is usually an ID, and it is available with every single page selector.

    .PARAMETER ID
    Depending on what page selector you choose, the values of this parameter vary.
    This is property 'Has ID', and it is available with Technique, Group and Software page selectors

    .PARAMETER Name
    Depending on what page selector you choose, the values of this parameter vary.
    This is usually property 'Has display name' or 'Has title', and it is available with
    every single page selector.

.PARAMETER TechniqueTactic
    This is property 'Has tactic', and it is available only with Technique page selector.

.PARAMETER Platform
    This is property 'Has platform', and it is available only with Technique page selector.

.PARAMETER Alias
    This is property 'Has alias', and it is available only with Group page selector.

.PARAMETER TechniqueID
    This is property 'Has technique'.fulltext, and it is available in Group and Software page selectors.

.PARAMETER TechniqueName
    This is property 'Has technique'.displaytitle, and it is available in Group and Software page selectors.

.PARAMETER Tool
    This is property 'Uses software', and it is available only with Group page selector.

.PARAMETER Type
    This is property 'Has software type', and it is available only with Software page selector.

.PARAMETER Key
    This is property 'Citation key', and it is available only with Reference page selector.

.PARAMETER Author
    This is property 'Has authors'.fulltext, and it is available only with Reference page selector.

.PARAMETER Date
    Available only with Reference page selector.

.PARAMETER Year
    Available only with Reference page selector.

.EXAMPLE
    This query matches all techniques

    Invoke-ATTACKAPI -Category -Technique

    ID                  : {T1001}
    Bypass              : {}
    Contributor         : {}
    Requires System     : {}
    Data Source         : {Packet capture, Process use of network, Process monitoring, Network protocol analysis}
    Description         : {Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.}
    Mitigation          : {Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]}
    Tactic              : Command and Control
    Analytic Details    : {Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[[CiteRef::University of Birmingham C2]]}
    TechniqueName       : {Data Obfuscation}
    FullText            : Technique/T1001
    Link Text           : {[[Technique/T1001|Data Obfuscation]]}
    Reference           : {University of Birmingham C2, FireEye APT28, Axiom, FireEye APT30...}
    Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
    Name                : {Data Obfuscation}
    CAPEC ID            : {}
    Requires Permission : {}
    URL                 : https://attack.mitre.org/wiki/Technique/T1001
    .............
    ..................

    ID                  : {T1068}
    Bypass              : {Anti-virus, System access controls}
    Contributor         : {John Lambert, Microsoft Threat Intelligence Center}
    Requires System     : {Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network. In the case of privilege escalation, the adversary likely already has user permissions on the target system.}
    Data Source         : {Windows Error Reporting, File monitoring, Process monitoring}
    Description         : {Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.[[CiteRef::Technet MS14-068]][[CiteRef::ADSecurity Detecting Forged Tickets]]}
    Mitigation          : {Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation Experience Toolkit.[[CiteRef::SRD EMET]]}
    Tactic              : {Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation}
    Analytic Details    : {Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Software and operating system crash reports may contain useful contextual information about attempted exploits that correlate with other malicious activity. Exploited processes may exhibit behavior that is unusual for the specific process, such as spawning additional processes or reading and writing to files.}
    TechniqueName       : {Exploitation of Vulnerability}
    FullText            : Technique/T1068
    Link Text           : {[[Technique/T1068|Exploitation of Vulnerability]]}
    Reference           : {ADSecurity Detecting Forged Tickets, Bitdefender APT28 Dec 2015, ESET Sednit July 2015, ESET Sednit Part 1...}
    Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
    Name                : {Exploitation of Vulnerability}
    CAPEC ID            : {69}
    Requires Permission : {User, Administrator, SYSTEM}
    URL                 : https://attack.mitre.org/wiki/Technique/T1068

.EXAMPLE
    This query matches the page Technique with ID T1014

    Invoke-ATTACKAPI -Category -Technique -ID T1014

    ID                  : {T1014}
    Bypass              : {Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting...}
    Contributor         : {}
    Requires System     : {}
    Data Source         : {BIOS, MBR, System calls}
    Description         : {Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [[Technique/T1062|Hypervisor]], Master Boot Record, or the [[Technique/T1019|System Firmware]].[[CiteRef::Wikipedia Rootkit]]

                          Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.}
    Mitigation          : {Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]}
    Tactic              : Defense Evasion
    Analytic Details    : {Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[CiteRef::Wikipedia Rootkit]]}
    TechniqueName       : {Rootkit}
    FullText            : Technique/T1014
    Link Text           : {[[Technique/T1014|Rootkit]]}
    Reference           : {Wikipedia Rootkit, Beechey 2010, Windows Commands JPCERT, NSA MS AppLocker...}
    Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP...}
    Name                : {Rootkit}
    CAPEC ID            : {}
    Requires Permission : {Administrator, SYSTEM}
    URL                 : https://attack.mitre.org/wiki/Technique/T1014

.EXAMPLE
    This query matches all the groups that use a specific software (in this case Cobalt Strike)
    SYNTAX: "Software: <Name>"

    Invoke-ATTACKAPI -Category -Group -Tool "Software: Cobalt Strike"

    Tool          : {Software: Cobalt Strike, Software: KOMPROGO, Software: WINDSHIELD, Software: SOUNDBITE...}
    Alias         : {APT32, OceanLotus Group}
    ID            : {G0050}
    URL           : https://attack.mitre.org/wiki/Group/G0050
    TechniqueName : {Scheduled Task, Regsvr32, PowerShell, Custom Command and Control Protocol...}
    FullText      : Group/G0050
    Reference     : {FireEye APT32 May 2017, GitHub Malleable C2, GitHub Invoke-Obfuscation}
    Link Text     : {[[Group/G0050|APT32]]}
    Name          : {APT32}
    Description   : {[[Group/G0050|APT32]] is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists. The group's operations are aligned with Vietnamese state interests.[[CiteRef::FireEye APT32 May 2017]]}
    TechniqueID   : {Technique/T1053, Technique/T1117, Technique/T1086, Technique/T1094...}
    Display Title : Group: APT32, OceanLotus Group

.EXAMPLE
    [BETA] Exporting custom results to a CSV

    Invoke-ATTACKAPI -Category -Technique | Where-Object -Property ID -GE "T1134" |
        Select-Object @{Name="Name"; Expression={$_.Name -join ","}},
            @{Name="Tactic"; Expression={$_.Tactic -join ","}},
            @{Name="ID"; Expression={$_.ID -join ","}},
            @{Name="Description"; Expression={$_.Description -join ","}},
            @{Name="Analytic details"; Expression={$_.'Analytic Details' -join ","}},
            @{Name="Data Source"; Expression={$_.'Data Source' -join ","}} |
        Export-Csv F:\wardog\scripts\demo6.csv -NoTypeInformation

.EXAMPLE
    Showing an up to date table with all the valuable information from the MITRE ATTACK DB at once

    Invoke-ATTACKAPI -All | ft

    Tactic TechniqueName TechniqueID Group Group Alias Group ID Tool
    ------ ------------- ----------- ----- ----------- -------- ----
    Collection Screen Capture Technique/T1113 APT28 {APT28, Sednit, Sofacy, Pawn Storm...} G0007
    Collection Screen Capture Technique/T1113 APT28 {APT28, Sednit, Sofacy, Pawn Storm...} G0007 Software: XAgentOSX
    Collection Data from Local System Technique/T1005 APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006
    Collection Screen Capture Technique/T1113 Cleaver {Cleaver, TG-2889, Threat Group 2889} G0003 Software: TinyZBot
    Collection Screen Capture Technique/T1113 APT32 {APT32, OceanLotus Group} G0050 Software: Cobalt Strike
    Collection Screen Capture Technique/T1113 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: CosmicDuke, TinyBaron,...
    Collection Data Staged Technique/T1074 APT30 APT30 G0013 Software: SPACESHIP
    Collection Data from Local System Technique/T1005 Ke3chang Ke3chang G0004
    Collection Data from Local System Technique/T1005 Lazarus Group {Lazarus Group, HIDDEN COBRA, Guardians of Peace} G0032
    Collection Data from Local System Technique/T1005 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: CosmicDuke, TinyBaron,...
    Collection Data from Local System Technique/T1005 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: PinchDuke
    Collection Data from Local System Technique/T1005 APT30 APT30 G0013 Software: FLASHFLOOD
    Collection Screen Capture Technique/T1113 RTM RTM G0048 Software: RTM
    Collection Screen Capture Technique/T1113 MONSOON {MONSOON, Operation Hangover} G0042 Software: BADNEWS
    Collection Screen Capture Technique/T1113 menuPass {menuPass, Stone Panda, APT10, Red Apollo...} G0045 Software: RedLeaves, BUGJUICE
    Collection Email Collection Technique/T1114 APT29 {APT29, The Dukes, Cozy Bear} G0016 Software: SeaDuke, SeaDaddy, Sea...
    Collection Email Collection Technique/T1114 APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006
    Collection Screen Capture Technique/T1113 Sandworm Team {Sandworm Team, Quedagh} G0034 Software: BlackEnergy, Black Energy
    Collection Screen Capture Technique/T1113 FIN7 FIN7 G0046 Software: HALFBAKED
    Collection Screen Capture Technique/T1113 Dust Storm Dust Storm G0031 Software: ZLib
    Collection Screen Capture Technique/T1113 Dragonfly {Dragonfly, Energetic Bear} G0035 Software: Trojan.Karagany
    Collection Screen Capture Technique/T1113 menuPass {menuPass, Stone Panda, APT10, Red Apollo...} G0045 Software: EvilGrab
    Collection Screen Capture Technique/T1113 Group5 Group5 G0043
    Collection Screen Capture Technique/T1113 Gamaredon Group Gamaredon Group G0047 Software: Pteranodon
    Collection Data Staged Technique/T1074 APT30 APT30 G0013 Software: FLASHFLOOD

.EXAMPLE
    Show up to date ATT&CK Matrix for Enterprise and export it to a CSV (Technique Names are retrieved as Strings)

    Invoke-ATTACKAPI -Matrix |
        Select-Object Persistence, 'Privilege Escalation', 'Defense Evasion', 'Credential Access', Discovery,
            'Lateral Movement', Execution, Collection, Exfiltration, 'Command and Control' |
        Export-Csv C:\wardog\scripts\matrix.csv -NoTypeInformation

.EXAMPLE
    Show an up to date table of Groups/APTs with the techniques and tools attributed to them

    Invoke-ATTACKAPI -Attribution | ft

    Group Group Alias Group ID Tactic TechniqueName TechniqueID Tool
    ----- ----------- -------- ------ ------------- ----------- ----
    admin@338 admin@338 G0018 Discovery System Time Discovery Technique/T1124 Software: Net, net.exe
    admin@338 admin@338 G0018 Defense Evasion Network Share Connection Removal Technique/T1126 Software: Net, net.exe
    admin@338 admin@338 G0018 Command and Control Commonly Used Port Technique/T1043 Software: LOWBALL
    admin@338 admin@338 G0018 {Command and Control, Lateral Movement} Remote File Copy Technique/T1105 Software: LOWBALL
    admin@338 admin@338 G0018 Discovery System Network Connections Discovery Technique/T1049 Software: netstat, netstat.exe
    admin@338 admin@338 G0018 Discovery System Information Discovery Technique/T1082 Software: BUBBLEWRAP, Backdoor.APT...
    admin@338 admin@338 G0018 Discovery Account Discovery Technique/T1087
    admin@338 admin@338 G0018 Execution Command-Line Interface Technique/T1059
    admin@338 admin@338 G0018 Discovery System Service Discovery Technique/T1007
    admin@338 admin@338 G0018 Defense Evasion Masquerading Technique/T1036
    admin@338 admin@338 G0018 Discovery Remote System Discovery Technique/T1018 Software: Net, net.exe
    admin@338 admin@338 G0018 Discovery System Network Connections Discovery Technique/T1049 Software: Net, net.exe
    admin@338 admin@338 G0018 Lateral Movement Windows Admin Shares Technique/T1077 Software: Net, net.exe
    admin@338 admin@338 G0018 {Defense Evasion, Privilege Escalation} DLL Injection Technique/T1055 Software: PoisonIvy, Poison Ivy
    admin@338 admin@338 G0018 Discovery System Service Discovery Technique/T1007 Software: Net, net.exe
    admin@338 admin@338 G0018 Discovery Account Discovery Technique/T1087 Software: Net, net.exe
    admin@338 admin@338 G0018 Command and Control Standard Non-Application Layer Protocol Technique/T1095 Software: BUBBLEWRAP, Backdoor.APT...
    admin@338 admin@338 G0018 Discovery System Information Discovery Technique/T1082 Software: Systeminfo, systeminfo.exe
    admin@338 admin@338 G0018 Credential Access Create Account Technique/T1136 Software: Net, net.exe
    admin@338 admin@338 G0018 Discovery Permission Groups Discovery Technique/T1069
    admin@338 admin@338 G0018 Discovery Network Share Discovery Technique/T1135 Software: Net, net.exe
    admin@338 admin@338 G0018 Command and Control Web Service Technique/T1102 Software: LOWBALL
    admin@338 admin@338 G0018 Execution Service Execution Technique/T1035 Software: Net, net.exe
    admin@338 admin@338 G0018 Discovery File and Directory Discovery Technique/T1083
    admin@338 admin@338 G0018 Discovery Permission Groups Discovery Technique/T1069 Software: Net, net.exe
    admin@338 admin@338 G0018 Discovery System Network Connections Discovery Technique/T1049
    admin@338 admin@338 G0018 Discovery System Information Discovery Technique/T1082
    admin@338 admin@338 G0018 Command and Control Standard Application Layer Protocol Technique/T1071 Software: LOWBALL
    admin@338 admin@338 G0018 Command and Control Standard Cryptographic Protocol Technique/T1032 Software: PoisonIvy, Poison Ivy
    admin@338 admin@338 G0018 {Collection, Credential Access} Input Capture Technique/T1056 Software: PoisonIvy, Poison Ivy
    admin@338 admin@338 G0018 Command and Control Standard Application Layer Protocol Technique/T1071 Software: BUBBLEWRAP, Backdoor.APT...
    admin@338 admin@338 G0018 Discovery System Network Configuration Discovery Technique/T1016 Software: ipconfig, ipconfig.exe
    admin@338 admin@338 G0018 Discovery System Network Configuration Discovery Technique/T1016
    APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Collection Data from Local System Technique/T1005
    APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Execution Service Execution Technique/T1035 Software: xCmd
    APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Lateral Movement Pass the Hash Technique/T1075 Software: Pass-The-Hash Toolkit
    APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Execution Service Execution Technique/T1035 Software: Net, net.exe
    APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Discovery Remote System Discovery Technique/T1018 Software: Net, net.exe
    APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Collection Email Collection Technique/T1114
    APT1 {APT1, Comment Crew, Comment Group, Comment Panda} G0006 Lateral Movement Pass the Hash Technique/T1075

.EXAMPLE
    Show an up to date table of the techniques and tools attributed to APT with Group ID G0046 (FIN7)

    Invoke-ATTACKAPI -Attribution | Where-Object -Property 'Group ID' -EQ 'G0046' | ft

    Group Group Alias Group ID Tactic TechniqueName TechniqueID Tool Description
    ----- ----------- -------- ------ ------------- ----------- ---- -----------
    FIN7 FIN7 G0046 Discovery Process Discovery Technique/T1057 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can obtain information about running processes on the victim.[[CiteRef::Fir...
    FIN7 FIN7 G0046 Persistence Registry Run Keys / Start Folder Technique/T1060 {[[Group/G0046|FIN7]] malware has created a Registry Run key pointing to its malicious LNK file to establ...
    FIN7 FIN7 G0046 Discovery Query Registry Technique/T1012 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] queries Registry keys in preparation for setting Run keys to achieve pers...
    FIN7 FIN7 G0046 Persistence Registry Run Keys / Start Folder Technique/T1060 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] achieves persistence by setting a Registry Run key, with the path dependi...
    FIN7 FIN7 G0046 {Command and Control, Lateral Movement} Remote File Copy Technique/T1105 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] has been observed being used to download [[Software/S0146|TEXTMATE]] and ...
    FIN7 FIN7 G0046 {Execution, Persistence, Privilege Escalation} Application Shimming Technique/T1138 {[[Group/G0046|FIN7]] has used application shim databases for persistence.[[CiteRef::FireEye FIN7 Shim Da...
    FIN7 FIN7 G0046 {Execution, Persistence, Privilege Escalation} Scheduled Task Technique/T1053 {[[Group/G0046|FIN7]] malware has created scheduled tasks to establish persistence.[[CiteRef::FireEye FIN...
    FIN7 FIN7 G0046 Command and Control Standard Application Layer Protocol Technique/T1071 Software: Carbanak, Anunak {The [[Software/S0030|Carbanak]] malware communicates to its command server using HTTP with an encrypted ...
    FIN7 FIN7 G0046 Collection Screen Capture Technique/T1113 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can obtain screenshots from the victim.[[CiteRef::FireEye FIN7 April 2017]]}
    FIN7 FIN7 G0046 Command and Control Standard Application Layer Protocol Technique/T1071 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef...
    FIN7 FIN7 G0046 Execution Windows Management Instrumentation Technique/T1047 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can use WMI queries to gather system information.[[CiteRef::FireEye FIN7 Ap...
    FIN7 FIN7 G0046 Command and Control Standard Application Layer Protocol Technique/T1071 Software: TEXTMATE, DNSMessenger {[[Software/S0146|TEXTMATE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]]}
    FIN7 FIN7 G0046 Discovery System Information Discovery Technique/T1082 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can obtain information about the OS, processor, and BIOS.[[CiteRef::FireEye...
    FIN7 FIN7 G0046 {Collection, Credential Access} Input Capture Technique/T1056 Software: Carbanak, Anunak {[[Software/S0030|Carbanak]] contains keylogger functionality.[[CiteRef::Kaspersky Carbanak]]}
    FIN7 FIN7 G0046 Command and Control Standard Cryptographic Protocol Technique/T1032 Software: Carbanak, Anunak {[[Software/S0030|Carbanak]] encrypts the message body of HTTP traffic with RC2 and Base64 encoding.[[Cit...
    FIN7 FIN7 G0046 Execution PowerShell Technique/T1086 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can execute PowerShell scripts.[[CiteRef::FireEye FIN7 April 2017]]}
    FIN7 FIN7 G0046 {Command and Control, Lateral Movement} Remote File Copy Technique/T1105 {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[...
    FIN7 FIN7 G0046 Execution PowerShell Technique/T1086 Software: POWERSOURCE, DNSMessenger {[[Software/S0145|POWERSOURCE]] is a PowerShell backdoor.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef::C...
    FIN7 FIN7 G0046 Execution PowerShell Technique/T1086 {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[...
    FIN7 FIN7 G0046 Defense Evasion Masquerading Technique/T1036 {[[Group/G0046|FIN7]] has created a scheduled task named "AdobeFlashSync" to establish persistence.[[Cite...
    FIN7 FIN7 G0046 Defense Evasion Obfuscated Files or Information Technique/T1027 Software: POWERSOURCE, DNSMessenger {If the victim is using PowerShell 3.0 or later, [[Software/S0145|POWERSOURCE]] writes its decoded payloa...
    FIN7 FIN7 G0046 Defense Evasion File Deletion Technique/T1107 Software: HALFBAKED {[[Software/S0151|HALFBAKED]] can delete a specified file.[[CiteRef::FireEye FIN7 April 2017]]}
    FIN7 FIN7 G0046 Execution Command-Line Interface Technique/T1059 Software: TEXTMATE, DNSMessenger {[[Software/S0146|TEXTMATE]] executes cmd.exe to provide a reverse shell to attackers.[[CiteRef::FireEye...


.LINK
    https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI
.LINK
    https://attack.mitre.org/wiki/Using_the_API
.LINK
    https://github.com/SadProcessor/SomeStuff/blob/master/Get-ATTaCK.ps1
.LINK
    https://www.semantic-mediawiki.org/wiki/Semantic_MediaWiki

.NOTES
    This script was inspired by @SadProcessor's Get-ATTack.ps1 script

#>

    [CmdletBinding(HelpURI='https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI',DefaultParameterSetName='NoParam')]
    param(

        [Parameter(Position=0,Mandatory=$true,ParameterSetname='Technique')]
        [Parameter(Position=0,Mandatory=$true,ParameterSetname='Group')]
        [Parameter(Position=0,Mandatory=$true,ParameterSetname='Software')]
        [Parameter(Position=0,Mandatory=$true,ParameterSetname='Tactic')]
        [Parameter(Position=0,Mandatory=$true,ParameterSetname='Reference')][switch]$Category,

        [Parameter(Position=1,Mandatory=$true,ParameterSetname='Technique')][switch]$Technique,
        [Parameter(Position=1,Mandatory=$true,ParameterSetname='Group')][switch]$Group,
        [Parameter(Position=1,Mandatory=$true,ParameterSetname='Software')][switch]$Software,
        [Parameter(Position=1,Mandatory=$true,ParameterSetname='Tactic')][switch]$Tactic,
        [Parameter(Position=1,Mandatory=$true,ParameterSetname='Reference')][switch]$Reference,

        [Parameter(Position=0,Mandatory=$true,ParameterSetname='SyncATTCK')]
        [switch]$Sync,

        [Parameter(Position=0,Mandatory=$true,ParameterSetname='ATTACKMatrix')]
        [switch]$Matrix,

        [Parameter(Position=0,Mandatory=$true,ParameterSetname='ATTCKAttribution')]
        [switch]$Attribution,

        [Parameter(Position=0,Mandatory=$true,ParameterSetname='ATTCKAll')]
        [switch]$All
    )

    DynamicParam
    {
        # $ATTCKLookUp is the object populated by -Sync; every ValidateSet below is built from it.
        $TechniqueSet = $ATTCKLookUp.Technique
        $GroupSet = $ATTCKLookUp.Group
        $SoftwareSet = $ATTCKLookUp.Software
        $TacticSet = $ATTCKLookUp.Tactic
        $ReferenceSet = $ATTCKLookUp.Reference

        If($PSCmdlet.ParameterSetName -eq 'Technique')
        {
            # Create Attribute
            $Attrib1 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib1.Mandatory = $False
            $Attrib1.Position = 2
            # Create AttributeCollection object for the attribute
            $Collection1 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection1.Add($Attrib1)
            # Add Validate Set
            $ValidateSet1=new-object System.Management.Automation.ValidateSetAttribute($TechniqueSet.FullText)
            $Collection1.Add($ValidateSet1)
            # Create Runtime Parameter
            $DynParam1 = New-Object System.Management.Automation.RuntimeDefinedParameter('FullText', [String], $Collection1)

            # Create Attribute
            $Attrib2 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib2.Mandatory = $False
            $Attrib2.Position = 3
            # Create AttributeCollection object for the attribute
            $Collection2 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection2.Add($Attrib2)
            # Add Validate Set
            $ValidateSet2=new-object System.Management.Automation.ValidateSetAttribute($TechniqueSet.ID)
            $Collection2.Add($ValidateSet2)
            # Create Runtime Parameter
            $DynParam2 = New-Object System.Management.Automation.RuntimeDefinedParameter('ID', [String], $Collection2)

            # Create Attribute
            $Attrib3 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib3.Mandatory = $False
            $Attrib3.Position = 4
            # Create AttributeCollection object for the attribute
            $Collection3 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection3.Add($Attrib3)
            # Add Validate Set
            $ValidateSet3=new-object System.Management.Automation.ValidateSetAttribute($TechniqueSet.Name)
            $Collection3.Add($ValidateSet3)
            # Create Runtime Parameter
            $DynParam3 = New-Object System.Management.Automation.RuntimeDefinedParameter('Name', [String], $Collection3)

            # Create Attribute
            $Attrib4 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib4.Mandatory = $False
            $Attrib4.Position = 5
            # Create AttributeCollection object for the attribute
            $Collection4 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection4.Add($Attrib4)
            # Add Validate Set
            $ValidateSet4=new-object System.Management.Automation.ValidateSetAttribute($TechniqueSet.Tactic)
            $Collection4.Add($ValidateSet4)
            # Create Runtime Parameter
            $DynParam4 = New-Object System.Management.Automation.RuntimeDefinedParameter('TechniqueTactic', [String], $Collection4)

            # Create Attribute
            $Attrib5 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib5.Mandatory = $False
            $Attrib5.Position = 6
            # Create AttributeCollection object for the attribute
            $Collection5 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection5.Add($Attrib5)
            # Add Validate Set
            $ValidateSet5=new-object System.Management.Automation.ValidateSetAttribute($TechniqueSet.Platform)
            $Collection5.Add($ValidateSet5)
            # Create Runtime Parameter
            $DynParam5 = New-Object System.Management.Automation.RuntimeDefinedParameter('Platform', [String], $Collection5)


            $Dictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary

            $Dictionary.Add('FullText', $dynParam1)
            $Dictionary.Add('ID', $dynParam2)
            $Dictionary.Add('Name', $dynParam3)
            $Dictionary.Add('TechniqueTactic', $dynParam4)
            $Dictionary.Add('Platform', $dynParam5)

            return $Dictionary
        }

        If($PSCmdlet.ParameterSetName -eq 'Group')
        {
            # Create Attribute
            $Attrib1 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib1.Mandatory = $False
            $Attrib1.Position = 2
            # Create AttributeCollection object for the attribute
            $Collection1 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection1.Add($Attrib1)
            # Add Validate Set
            $ValidateSet1=new-object System.Management.Automation.ValidateSetAttribute($GroupSet.FullText)
            $Collection1.Add($ValidateSet1)
            # Create Runtime Parameter
            $DynParam1 = New-Object System.Management.Automation.RuntimeDefinedParameter('FullText', [String], $Collection1)

            # Create Attribute
            $Attrib2 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib2.Mandatory = $False
            $Attrib2.Position = 3
            # Create AttributeCollection object for the attribute
            $Collection2 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection2.Add($Attrib2)
            # Add Validate Set
            $ValidateSet2=new-object System.Management.Automation.ValidateSetAttribute($GroupSet.ID)
            $Collection2.Add($ValidateSet2)
            # Create Runtime Parameter
            $DynParam2 = New-Object System.Management.Automation.RuntimeDefinedParameter('ID', [String], $Collection2)

            # Create Attribute
            $Attrib3 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib3.Mandatory = $False
            $Attrib3.Position = 4
            # Create AttributeCollection object for the attribute
            $Collection3 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection3.Add($Attrib3)
            # Add Validate Set
            $ValidateSet3=new-object System.Management.Automation.ValidateSetAttribute($GroupSet.Name)
            $Collection3.Add($ValidateSet3)
            # Create Runtime Parameter
            $DynParam3 = New-Object System.Management.Automation.RuntimeDefinedParameter('Name', [String], $Collection3)

            # Create Attribute
            $Attrib4 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib4.Mandatory = $False
            $Attrib4.Position = 5
            # Create AttributeCollection object for the attribute
            $Collection4 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
            $Collection4.Add($Attrib4)
            # Add Validate Set
            $ValidateSet4=new-object System.Management.Automation.ValidateSetAttribute($GroupSet.Alias)
            $Collection4.Add($ValidateSet4)
            # Create Runtime Parameter
            $DynParam4 = New-Object System.Management.Automation.RuntimeDefinedParameter('Alias', [String], $Collection4)

            # Create Attribute
            $Attrib5 = New-Object System.Management.Automation.ParameterAttribute
            $Attrib5.Mandatory = $False
            $Attrib5.Position = 6
            # Create AttributeCollection object for the attribute
            $Collection5 = new-object System.Collections.ObjectModel.Collection[System.Attribute]
            # Add our custom attribute
$Collection5.Add($Attrib5) 574 | # Add Validate Set 575 | $ValidateSet5=new-object System.Management.Automation.ValidateSetAttribute($GroupSet.TechniqueID) 576 | $Collection5.Add($ValidateSet5) 577 | # Create Runtime Parameter 578 | $DynParam5 = New-Object System.Management.Automation.RuntimeDefinedParameter('TechniqueID', [String], $Collection5) 579 | 580 | # Create Attribute 581 | $Attrib6 = New-Object System.Management.Automation.ParameterAttribute 582 | $Attrib6.Mandatory = $False 583 | $Attrib6.Position = 7 584 | # Create AttributeCollection object for the attribute 585 | $Collection6 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 586 | # Add our custom attribute 587 | $Collection6.Add($Attrib6) 588 | # Add Validate Set 589 | $ValidateSet6=new-object System.Management.Automation.ValidateSetAttribute($GroupSet.TechniqueName) 590 | $Collection6.Add($ValidateSet6) 591 | # Create Runtime Parameter 592 | $DynParam6 = New-Object System.Management.Automation.RuntimeDefinedParameter('TechniqueName', [String], $Collection6) 593 | 594 | # Create Attribute 595 | $Attrib7 = New-Object System.Management.Automation.ParameterAttribute 596 | $Attrib7.Mandatory = $False 597 | $Attrib7.Position = 8 598 | # Create AttributeCollection object for the attribute 599 | $Collection7 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 600 | # Add our custom attribute 601 | $Collection7.Add($Attrib7) 602 | # Add Validate Set 603 | $ValidateSet7=new-object System.Management.Automation.ValidateSetAttribute($GroupSet.Tool) 604 | $Collection7.Add($ValidateSet7) 605 | # Create Runtime Parameter 606 | $DynParam7 = New-Object System.Management.Automation.RuntimeDefinedParameter('Tool', [String], $Collection7) 607 | 608 | $Dictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary 609 | 610 | $Dictionary.Add('FullText', $dynParam1) 611 | $Dictionary.Add('ID', $dynParam2) 612 | $Dictionary.Add('Name', $dynParam3) 613 | 
$Dictionary.Add('Alias', $dynParam4) 614 | $Dictionary.Add('TechniqueID', $dynParam5) 615 | $Dictionary.Add('TechniqueName', $dynParam6) 616 | $Dictionary.Add('Tool', $dynParam7) 617 | 618 | return $Dictionary 619 | } 620 | 621 | If($PSCmdlet.ParameterSetName -eq 'Software') 622 | { 623 | # Create Attribute 624 | $Attrib1 = New-Object System.Management.Automation.ParameterAttribute 625 | $Attrib1.Mandatory = $False 626 | $Attrib1.Position = 2 627 | # Create AttributeCollection object for the attribute 628 | $Collection1 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 629 | # Add our custom attribute 630 | $Collection1.Add($Attrib1) 631 | # Add Validate Set 632 | $ValidateSet1=new-object System.Management.Automation.ValidateSetAttribute($SoftwareSet.FullText) 633 | $Collection1.Add($ValidateSet1) 634 | # Create Runtime Parameter 635 | $DynParam1 = New-Object System.Management.Automation.RuntimeDefinedParameter('FullText', [String], $Collection1) 636 | 637 | # Create Attribute 638 | $Attrib2 = New-Object System.Management.Automation.ParameterAttribute 639 | $Attrib2.Mandatory = $False 640 | $Attrib2.Position = 3 641 | # Create AttributeCollection object for the attribute 642 | $Collection2 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 643 | # Add our custom attribute 644 | $Collection2.Add($Attrib2) 645 | # Add Validate Set 646 | $ValidateSet2=new-object System.Management.Automation.ValidateSetAttribute($SoftwareSet.ID) 647 | $Collection2.Add($ValidateSet2) 648 | # Create Runtime Parameter 649 | $DynParam2 = New-Object System.Management.Automation.RuntimeDefinedParameter('ID', [String], $Collection2) 650 | 651 | # Create Attribute 652 | $Attrib3 = New-Object System.Management.Automation.ParameterAttribute 653 | $Attrib3.Mandatory = $False 654 | $Attrib3.Position = 4 655 | # Create AttributeCollection object for the attribute 656 | $Collection3 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 
657 | # Add our custom attribute 658 | $Collection3.Add($Attrib3) 659 | # Add Validate Set 660 | $ValidateSet3=new-object System.Management.Automation.ValidateSetAttribute($SoftwareSet.Name) 661 | $Collection3.Add($ValidateSet3) 662 | # Create Runtime Parameter 663 | $DynParam3 = New-Object System.Management.Automation.RuntimeDefinedParameter('Name', [String], $Collection3) 664 | 665 | # Create Attribute 666 | $Attrib4 = New-Object System.Management.Automation.ParameterAttribute 667 | $Attrib4.Mandatory = $False 668 | $Attrib4.Position = 5 669 | # Create AttributeCollection object for the attribute 670 | $Collection4 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 671 | # Add our custom attribute 672 | $Collection4.Add($Attrib4) 673 | # Add Validate Set 674 | $ValidateSet4=new-object System.Management.Automation.ValidateSetAttribute($SoftwareSet.TechniqueID) 675 | $Collection4.Add($ValidateSet4) 676 | # Create Runtime Parameter 677 | $DynParam4 = New-Object System.Management.Automation.RuntimeDefinedParameter('TechniqueID', [String], $Collection4) 678 | 679 | # Create Attribute 680 | $Attrib5 = New-Object System.Management.Automation.ParameterAttribute 681 | $Attrib5.Mandatory = $False 682 | $Attrib5.Position = 6 683 | # Create AttributeCollection object for the attribute 684 | $Collection5 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 685 | # Add our custom attribute 686 | $Collection5.Add($Attrib5) 687 | # Add Validate Set 688 | $ValidateSet5=new-object System.Management.Automation.ValidateSetAttribute($SoftwareSet.TechniqueName) 689 | $Collection5.Add($ValidateSet5) 690 | # Create Runtime Parameter 691 | $DynParam5 = New-Object System.Management.Automation.RuntimeDefinedParameter('TechniqueName', [String], $Collection5) 692 | 693 | # Create Attribute 694 | $Attrib6 = New-Object System.Management.Automation.ParameterAttribute 695 | $Attrib6.Mandatory = $False 696 | $Attrib6.Position = 7 697 | # Create 
AttributeCollection object for the attribute 698 | $Collection6 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 699 | # Add our custom attribute 700 | $Collection6.Add($Attrib6) 701 | # Add Validate Set 702 | $ValidateSet6=new-object System.Management.Automation.ValidateSetAttribute($SoftwareSet.Type) 703 | $Collection6.Add($ValidateSet6) 704 | # Create Runtime Parameter 705 | $DynParam6 = New-Object System.Management.Automation.RuntimeDefinedParameter('Type', [String], $Collection6) 706 | 707 | $Dictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary 708 | 709 | $Dictionary.Add('FullText', $dynParam1) 710 | $Dictionary.Add('ID', $dynParam2) 711 | $Dictionary.Add('Name', $dynParam3) 712 | $Dictionary.Add('TechniqueID', $dynParam4) 713 | $Dictionary.Add('TechniqueName', $dynParam5) 714 | $Dictionary.Add('Type', $dynParam6) 715 | 716 | return $Dictionary 717 | } 718 | 719 | If($PSCmdlet.ParameterSetName -eq 'Tactic') 720 | { 721 | # Create Attribute 722 | $Attrib1 = New-Object System.Management.Automation.ParameterAttribute 723 | $Attrib1.Mandatory = $False 724 | $Attrib1.Position = 2 725 | # Create AttributeCollection object for the attribute 726 | $Collection1 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 727 | # Add our custom attribute 728 | $Collection1.Add($Attrib1) 729 | # Add Validate Set 730 | $ValidateSet1=new-object System.Management.Automation.ValidateSetAttribute($TacticSet.FullText) 731 | $Collection1.Add($ValidateSet1) 732 | # Create Runtime Parameter 733 | $DynParam1 = New-Object System.Management.Automation.RuntimeDefinedParameter('Name', [String], $Collection1) 734 | 735 | $Dictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary 736 | 737 | $Dictionary.Add('Name', $dynParam1) 738 | 739 | return $Dictionary 740 | } 741 | 742 | If($PSCmdlet.ParameterSetName -eq 'Reference') 743 | { 744 | # Create Attribute 745 | $Attrib1 = New-Object 
System.Management.Automation.ParameterAttribute 746 | $Attrib1.Mandatory = $Fase 747 | $Attrib1.Position = 2 748 | # Create AttributeCollection object for the attribute 749 | $Collection1 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 750 | # Add our custom attribute 751 | $Collection1.Add($Attrib1) 752 | # Add Validate Set 753 | $ValidateSet1=new-object System.Management.Automation.ValidateSetAttribute($ReferenceSet.FullText) 754 | $Collection1.Add($ValidateSet1) 755 | # Create Runtime Parameter 756 | $DynParam1 = New-Object System.Management.Automation.RuntimeDefinedParameter('FullText', [String], $Collection1) 757 | 758 | # Create Attribute 759 | $Attrib2 = New-Object System.Management.Automation.ParameterAttribute 760 | $Attrib2.Mandatory = $False 761 | $Attrib2.Position = 3 762 | # Create AttributeCollection object for the attribute 763 | $Collection2 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 764 | # Add our custom attribute 765 | $Collection2.Add($Attrib2) 766 | # Add Validate Set 767 | $ValidateSet2=new-object System.Management.Automation.ValidateSetAttribute($ReferenceSet.Key) 768 | $Collection2.Add($ValidateSet2) 769 | # Create Runtime Parameter 770 | $DynParam2 = New-Object System.Management.Automation.RuntimeDefinedParameter('Key', [String], $Collection2) 771 | 772 | # Create Attribute 773 | $Attrib3 = New-Object System.Management.Automation.ParameterAttribute 774 | $Attrib3.Mandatory = $False 775 | $Attrib3.Position = 4 776 | # Create AttributeCollection object for the attribute 777 | $Collection3 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 778 | # Add our custom attribute 779 | $Collection3.Add($Attrib3) 780 | # Add Validate Set 781 | $ValidateSet3=new-object System.Management.Automation.ValidateSetAttribute($ReferenceSet.Name) 782 | $Collection3.Add($ValidateSet3) 783 | # Create Runtime Parameter 784 | $DynParam3 = New-Object 
System.Management.Automation.RuntimeDefinedParameter('Name', [String], $Collection3) 785 | 786 | # Create Attribute 787 | $Attrib4 = New-Object System.Management.Automation.ParameterAttribute 788 | $Attrib4.Mandatory = $False 789 | $Attrib4.Position = 5 790 | # Create AttributeCollection object for the attribute 791 | $Collection4 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 792 | # Add our custom attribute 793 | $Collection4.Add($Attrib4) 794 | # Add Validate Set 795 | $ValidateSet4=new-object System.Management.Automation.ValidateSetAttribute($ReferenceSet.Author) 796 | $Collection4.Add($ValidateSet4) 797 | # Create Runtime Parameter 798 | $DynParam4 = New-Object System.Management.Automation.RuntimeDefinedParameter('Author', [String], $Collection4) 799 | 800 | # Create Attribute 801 | $Attrib5 = New-Object System.Management.Automation.ParameterAttribute 802 | $Attrib5.Mandatory = $False 803 | $Attrib5.Position = 6 804 | # Create AttributeCollection object for the attribute 805 | $Collection5 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 806 | # Add our custom attribute 807 | $Collection5.Add($Attrib5) 808 | # Add Validate Set 809 | $ValidateSet5=new-object System.Management.Automation.ValidateSetAttribute($ReferenceSet.Date) 810 | $Collection5.Add($ValidateSet5) 811 | # Create Runtime Parameter 812 | $DynParam5 = New-Object System.Management.Automation.RuntimeDefinedParameter('Date', [String], $Collection5) 813 | 814 | # Create Attribute 815 | $Attrib6 = New-Object System.Management.Automation.ParameterAttribute 816 | $Attrib6.Mandatory = $False 817 | $Attrib6.Position = 7 818 | # Create AttributeCollection object for the attribute 819 | $Collection6 = new-object System.Collections.ObjectModel.Collection[System.Attribute] 820 | # Add our custom attribute 821 | $Collection6.Add($Attrib6) 822 | # Add Validate Set 823 | $ValidateSet6=new-object System.Management.Automation.ValidateSetAttribute($ReferenceSet.Year) 
824 | $Collection6.Add($ValidateSet6) 825 | # Create Runtime Parameter 826 | $DynParam6 = New-Object System.Management.Automation.RuntimeDefinedParameter('Year', [String], $Collection6) 827 | 828 | $Dictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary 829 | 830 | $Dictionary.Add('FullText', $dynParam1) 831 | $Dictionary.Add('Key', $dynParam2) 832 | $Dictionary.Add('Name', $dynParam3) 833 | $Dictionary.Add('Author', $dynParam4) 834 | $Dictionary.Add('Date', $dynParam5) 835 | $Dictionary.Add('Year', $dynParam6) 836 | 837 | return $Dictionary 838 | } 839 | } 840 | 841 | Begin 842 | { 843 | if($PSCmdlet.ParameterSetName -eq 'NoParam'){ 844 | get-help Invoke-ATTACKAPI -Online 845 | get-help Invoke-ATTACKAPI 846 | Break 847 | } 848 | if($PSCmdlet.ParameterSetName -eq 'Technique'){ 849 | if ($DynParam1.IsSet) 850 | { 851 | $Property = "Fulltext" 852 | $match = "$($DynParam1.value)" 853 | $Query = $ATTCKLookUp.Technique | ? -Property $Property -eq $match 854 | 855 | } 856 | elseif ($DynParam2.IsSet) 857 | { 858 | $Property = "ID" 859 | $match = "$($DynParam2.value)" 860 | $Query = $ATTCKLookUp.Technique | ? -Property $Property -eq $match 861 | } 862 | elseif ($DynParam3.IsSet) 863 | { 864 | $Property = "Name" 865 | $match = "$($DynParam3.value)" 866 | $Query = $ATTCKLookUp.Technique | ? -Property $Property -eq $match 867 | } 868 | elseif ($DynParam4.IsSet) 869 | { 870 | $Property = "Tactic" 871 | $match = "$($DynParam4.value)" 872 | $Query = $ATTCKLookUp.Technique | ? -Property $Property -eq $match 873 | } 874 | elseif ($DynParam5.IsSet) 875 | { 876 | $Property = "Platform" 877 | $match = "$($DynParam5.value)" 878 | $Query = $ATTCKLookUp.Technique | ? 
-Property $Property -eq $match 879 | } 880 | else 881 | { 882 | $Query = $ATTCKLookUp.Technique 883 | } 884 | } 885 | if($PSCmdlet.ParameterSetName -eq 'Group'){ 886 | if ($DynParam1.IsSet) 887 | { 888 | $Property = "Fulltext" 889 | $match = "$($DynParam1.value)" 890 | $Query = $ATTCKLookUp.Group| ? -Property $Property -eq $match 891 | } 892 | elseif ($DynParam2.IsSet) 893 | { 894 | $Property = "ID" 895 | $match = "$($DynParam2.value)" 896 | $Query = $ATTCKLookUp.Group | ? -Property $Property -eq $match 897 | } 898 | elseif ($DynParam3.IsSet) 899 | { 900 | $Property = "Name" 901 | $match = "$($DynParam3.value)" 902 | $Query = $ATTCKLookUp.Group | ? -Property $Property -eq $match 903 | } 904 | elseif ($DynParam4.IsSet) 905 | { 906 | $Property = "Alias" 907 | $match = "$($DynParam4.value)" 908 | $Query = $ATTCKLookUp.Group | ? -Property $Property -eq $match 909 | } 910 | elseif ($DynParam5.IsSet) 911 | { 912 | $Property = "TechniqueID" 913 | $match = "$($DynParam5.value)" 914 | $Query = $ATTCKLookUp.Group | ? -Property $Property -eq $match 915 | } 916 | elseif ($DynParam6.IsSet) 917 | { 918 | $Property = "TechniqueName" 919 | $match = "$($DynParam6.value)" 920 | $Query = $ATTCKLookUp.Group | ? -Property $Property -eq $match 921 | } 922 | elseif ($DynParam7.IsSet) 923 | { 924 | $Property = "Tool" 925 | $match = "$($DynParam7.value)" 926 | $Query = $ATTCKLookUp.Group | ? -Property $Property -eq $match 927 | } 928 | else 929 | { 930 | $Query = $ATTCKLookUp.Group 931 | } 932 | } 933 | if($PSCmdlet.ParameterSetName -eq 'Software'){ 934 | if ($DynParam1.IsSet) 935 | { 936 | $Property = "Fulltext" 937 | $match = "$($DynParam1.value)" 938 | $Query = $ATTCKLookUp.Software| ? -Property $Property -eq $match 939 | } 940 | elseif ($DynParam2.IsSet) 941 | { 942 | $Property = "ID" 943 | $match = "$($DynParam2.value)" 944 | $Query = $ATTCKLookUp.Software | ? 
-Property $Property -eq $match 945 | } 946 | elseif ($DynParam3.IsSet) 947 | { 948 | $Property = "Name" 949 | $match = "$($DynParam3.value)" 950 | $Query = $ATTCKLookUp.Software | ? -Property $Property -eq $match 951 | } 952 | elseif ($DynParam4.IsSet) 953 | { 954 | $Property = "TechniqueID" 955 | $match = "$($DynParam4.value)" 956 | $Query = $ATTCKLookUp.Software | ? -Property $Property -eq $match 957 | } 958 | elseif ($DynParam5.IsSet) 959 | { 960 | $Property = "TechniqueName" 961 | $match = "$($DynParam5.value)" 962 | $Query = $ATTCKLookUp.Software | ? -Property $Property -eq $match 963 | } 964 | elseif ($DynParam6.IsSet) 965 | { 966 | $Property = "Type" 967 | $match = "$($DynParam6.value)" 968 | $Query = $ATTCKLookUp.Software | ? -Property $Property -eq $match 969 | } 970 | else 971 | { 972 | $Query = $ATTCKLookUp.Software 973 | } 974 | } 975 | if($PSCmdlet.ParameterSetName -eq 'Tactic'){ 976 | if ($DynParam1.IsSet) 977 | { 978 | $Property = "Fulltext" 979 | $match = "$($DynParam1.value)" 980 | $Query = $ATTCKLookUp.Tactic| ? -Property $Property -eq $match 981 | } 982 | else 983 | { 984 | $Query = $ATTCKLookUp.Tactic 985 | } 986 | 987 | } 988 | if($PSCmdlet.ParameterSetName -eq 'Reference'){ 989 | if ($DynParam1.IsSet) 990 | { 991 | $Property = "Fulltext" 992 | $match = "$($DynParam1.value)" 993 | $Query = $ATTCKLookUp.Reference| ? -Property $Property -eq $match 994 | } 995 | elseif ($DynParam2.IsSet) 996 | { 997 | $Property = "Key" 998 | $match = "$($DynParam2.value)" 999 | $Query = $ATTCKLookUp.Reference | ? -Property $Property -eq $match 1000 | } 1001 | elseif ($DynParam3.IsSet) 1002 | { 1003 | $Property = "Name" 1004 | $match = "$($DynParam3.value)" 1005 | $Query = $ATTCKLookUp.Reference | ? -Property $Property -eq $match 1006 | } 1007 | elseif ($DynParam4.IsSet) 1008 | { 1009 | $Property = "Author" 1010 | $match = "$($DynParam4.value)" 1011 | $Query = $ATTCKLookUp.Reference | ? 
-Property $Property -eq $match 1012 | } 1013 | elseif ($DynParam5.IsSet) 1014 | { 1015 | $Property = "Date" 1016 | $match = "$($DynParam5.value)" 1017 | $Query = $ATTCKLookUp.Reference | ? -Property $Property -eq $match 1018 | } 1019 | elseif ($DynParam6.IsSet) 1020 | { 1021 | $Property = "Year" 1022 | $match = "$($DynParam6.value)" 1023 | $Query = $ATTCKLookUp.Reference | ? -Property $Property -eq $match 1024 | } 1025 | else 1026 | { 1027 | $Query = $ATTCKLookUp.Reference 1028 | } 1029 | } 1030 | if($PSCmdlet.ParameterSetName -eq 'ATTACKMatrix'){ 1031 | $Techniques = $ATTCKLookUp.Technique 1032 | } 1033 | if($PSCmdlet.ParameterSetName -eq 'ATTCKAttribution'){ 1034 | $hastechnique = $ATTCKLookUp.'Techniques subobjects' 1035 | $groups = $ATTCKLookUp.Group 1036 | $TechniquesList = $ATTCKLookUp.Technique 1037 | } 1038 | if($PSCmdlet.ParameterSetName -eq 'ATTCKAll'){ 1039 | $TechniquesList = $ATTCKLookUp.Technique 1040 | } 1041 | } 1042 | Process 1043 | { 1044 | If($PSCmdlet.ParameterSetName -eq 'SyncATTCK') 1045 | { 1046 | write-host "[++] Pulling MITRE ATT&CK Data" -ForegroundColor Yellow 1047 | $Props = @{ 1048 | 'Tactic' = $Null 1049 | 'Technique'= $Null 1050 | 'Group'= $Null 1051 | 'Software'= $Null 1052 | 'Reference'= $Null 1053 | 'Techniques subobjects'= $Null 1054 | } 1055 | 1056 | $Script:ATTCKLookUp = New-Object PSCustomObject -Property $Props 1057 | 1058 | $categories = @('Tactic','Technique','Group','Software','Reference', 'Techniques subobjects') 1059 | 1060 | foreach ($cat in $categories) 1061 | { 1062 | write-host "`n[+++] Collecting $cat `n" -ForegroundColor Green 1063 | if ($cat -eq 'Tactic'){$LookUpQuery = "[[Category:$cat]]|?Has description#-ia|?Citation reference|limit=9999"} 1064 | elseif ($cat -eq 'Technique'){$LookUpQuery = "[[Category:$cat]]|?Has CAPEC ID|?Has ID|?Has analytic details#-ia|?Has contributor|?Has data source|?Has display name|?Has link text|?Has mitigation#-ia|?Has platform|?Has tactic|?Has technical description#-ia|?Has technique 
name|?Requires permissions|?Requires system|?Bypasses defense|?Citation reference|limit=9999"} 1065 | elseif ($cat -eq 'Group'){$LookUpQuery = "[[Category:$cat]]|?Has ID|?Has alias|?Has description#-ia|?Has display name|?Has link text|?Has technique|?Uses software|?Citation reference|?Has URL|limit=9999"} 1066 | elseif ($cat -eq 'Software'){$LookUpQuery = "[[Category:$cat]]|?Has ID|?Has alias|?Has description#-ia|?Has display name|?Has link text|?Has software type|?Has technique|?Citation reference|limit=9999"} 1067 | elseif ($cat -eq 'Reference'){$LookUpQuery = "[[Citation text::+]]|?Citation key|?Citation text|?Has title|?Has authors|?Retrieved on|?Has URL|limit=9999"} 1068 | elseif ($cat -eq 'Techniques subobjects'){$LookUpQuery = "[[Has technique object::+]]|?Has technique description#-ia|?Has technique object|limit=9999"} 1069 | 1070 | $LookUpURL = 'https://attack.mitre.org/api.php?action=ask&format=json&query=' 1071 | $LookUpEncQuery = [System.Net.WebUtility]::UrlEncode($LookUpQuery) 1072 | $LookUpRequestURL = $LookUpURL + $LookUpEncQuery 1073 | $reply = irm $LookUpRequestURL -Verbose 1074 | $results = (($reply.query.results | gm) | ?{$_.MemberType -eq 'NoteProperty'}).name | %{$reply.query.results.$_} 1075 | 1076 | $Collection =@() 1077 | 1078 | foreach ($object in $results) 1079 | { 1080 | if($Cat -eq 'Technique'){ 1081 | $Props = @{ 1082 | 'FullText' = $object.fulltext 1083 | 'URL' = $object.fullurl 1084 | 'CAPEC ID' = $object.printouts.'Has CAPEC ID' 1085 | 'ID' = $object.printouts.'Has ID' 1086 | 'Analytic Details' = $object.printouts.'Has analytic details' 1087 | 'Contributor' = $object.printouts.'Has contributor' 1088 | 'Data Source' = $object.printouts.'Has data source' 1089 | 'Name' = $object.printouts.'Has display name' 1090 | 'Link Text' = $object.printouts.'Has link text' 1091 | 'Mitigation' = $object.printouts.'Has mitigation' 1092 | 'Platform' = $object.printouts.'Has platform' 1093 | 'Tactic' = $object.printouts.'Has tactic'.fulltext 1094 | 
'Description' = $object.printouts.'Has technical description' 1095 | 'TechniqueName' = $object.printouts.'Has technique name' 1096 | 'Requires Permission' = $object.printouts.'Requires permissions' 1097 | 'Requires System' = $object.printouts.'Requires system' 1098 | 'Bypass' = $object.printouts.'Bypasses defense' 1099 | 'Reference' = $object.printouts.'Citation reference' 1100 | } 1101 | $TotalObjects = New-Object PSCustomObject -Property $Props 1102 | $Collection += $TotalObjects 1103 | } 1104 | if($Cat -eq 'Group'){ 1105 | $Props = @{ 1106 | 'FullText' = $object.fulltext 1107 | 'Display Title' = $object.displaytitle 1108 | 'ID' = $object.printouts.'Has ID' 1109 | 'Alias' = $object.printouts.'Has alias' 1110 | 'Description' = $object.printouts.'Has Description' 1111 | 'Name' = $object.printouts.'Has display name' 1112 | 'Link Text' = $object.printouts.'Has link text' 1113 | 'TechniqueName' = $object.printouts.'Has technique'.displaytitle 1114 | 'Tool' = $object.printouts.'Uses software'.displaytitle 1115 | 'TechniqueID' = $object.printouts.'Has technique'.fulltext 1116 | 'URL' = $object.fullurl 1117 | 'Reference' = $object.printouts.'Citation reference' 1118 | } 1119 | $TotalObjects = New-Object PSCustomObject -Property $Props 1120 | $Collection += $TotalObjects 1121 | } 1122 | if($Cat -eq 'Software'){ 1123 | $Props = @{ 1124 | 'FullText' = $object.fulltext 1125 | 'ID' = $object.printouts.'Has ID' 1126 | 'Alias' = $object.printouts.'Has alias' 1127 | 'Description' = $object.printouts.'Has Description' 1128 | 'Name' = $object.printouts.'Has display name' 1129 | 'Link Text' = $object.printouts.'Has link text' 1130 | 'Software Type' = $object.printouts.'Has software type' 1131 | 'TechniqueName' = $object.printouts.'Has technique'.displaytitle 1132 | 'Type' = $object.printouts.'Has software type' 1133 | 'TechniqueID' = $object.printouts.'Has technique'.fulltext 1134 | 'URL' = $object.fullurl 1135 | 'Reference' = $object.printouts.'Citation reference' 1136 | } 1137 | 
$TotalObjects = New-Object PSCustomObject -Property $Props 1138 | $Collection += $TotalObjects 1139 | } 1140 | if($Cat -eq 'Tactic'){ 1141 | $Props = @{ 1142 | 'Reference' = $object.printouts.'Citation reference' 1143 | 'URL' = $object.fullurl 1144 | 'Description' = $object.printouts.'Has Description' 1145 | 'FullText' = $object.fulltext 1146 | } 1147 | $TotalObjects = New-Object PSCustomObject -Property $Props 1148 | $Collection += $TotalObjects 1149 | } 1150 | if($Cat -eq 'Reference'){ 1151 | $Props = @{ 1152 | 'Fulltext' = $object.fulltext 1153 | 'Key' = $object.printouts.'Citation key' 1154 | 'Text' = $object.printouts.'Citation text' 1155 | 'Name' = $object.printouts.'Has title' 1156 | 'Author' = $object.printouts.'Has authors'.fulltext 1157 | 'Date' = $object.printouts.'Citation text'.replace('(v=ws.10)','').split('(')[1].split(')')[0] 1158 | 'Year' = $object.printouts.'Citation text'.replace('(v=ws.10)','').split('(')[1].split(')')[0].split(',')[0] 1159 | 'Retrieved' = $object.printouts.'Retrieved on'.fulltext 1160 | 'URL' = $object.printouts.'Has URL'.fulltext 1161 | } 1162 | $TotalObjects = New-Object PSCustomObject -Property $Props 1163 | IF($TotalObjects.date -notmatch '\d\d\d\d'){$TotalObjects.date = 'n.d.'} 1164 | IF($TotalObjects.Year -notmatch '\d\d\d\d'){$TotalObjects.Year = 'n.d.'} 1165 | $Collection += $TotalObjects 1166 | } 1167 | if($cat -eq 'Techniques subobjects'){ 1168 | $Props = @{ 1169 | 'Display Title' = $object.displaytitle 1170 | 'TechniqueName' = $object.printouts.'Has technique object'.displaytitle 1171 | 'TechniqueID' = $object.printouts.'Has technique object'.Fulltext 1172 | 'URL' = $object.printouts.'Has technique object'.Fullurl 1173 | 'Description' = $object.printouts.'Has technique description' 1174 | } 1175 | $TotalObjects = New-Object PSCustomObject -Property $Props 1176 | $Collection += $TotalObjects 1177 | } 1178 | $Script:ATTCKLookUp.$cat = $Collection 1179 | } 1180 | } 1181 | } 1182 | elseif($PSCmdlet.ParameterSetName -eq 
'ATTACKMatrix')
    {
        # One property per ATT&CK tactic; each will hold the sorted technique names for that column.
        $MatrixProps = @{
            'InitialAccess'      = $Null
            'Persistence'        = $Null
            'PrivilegeEscalation'= $Null
            'DefenseEvasion'     = $Null
            'CredentialAccess'   = $Null
            'Discovery'          = $Null
            'LateralMovement'    = $Null
            'Execution'          = $Null
            'Collection'         = $Null
            'Exfiltration'       = $Null
            'CommandControl'     = $Null
        }
        $ATTACKMatrix = New-Object PSCustomObject -Property $MatrixProps

        # @() keeps each column an array even when a tactic has exactly one technique;
        # otherwise PowerShell unrolls the single result to a string and [$i] below would index characters.
        $ATTACKMatrix.Persistence         = @($Techniques | ? -Property Tactic -eq "Persistence" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.PrivilegeEscalation = @($Techniques | ? -Property Tactic -eq "Privilege Escalation" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.DefenseEvasion      = @($Techniques | ? -Property Tactic -eq "Defense Evasion" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.CredentialAccess    = @($Techniques | ? -Property Tactic -eq "Credential Access" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.Discovery           = @($Techniques | ? -Property Tactic -eq "Discovery" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.LateralMovement     = @($Techniques | ? -Property Tactic -eq "Lateral Movement" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.Execution           = @($Techniques | ? -Property Tactic -eq "Execution" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.Collection          = @($Techniques | ? -Property Tactic -eq "Collection" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.Exfiltration        = @($Techniques | ? -Property Tactic -eq "Exfiltration" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.CommandControl      = @($Techniques | ? -Property Tactic -eq "Command and Control" | select -ExpandProperty Name | Sort-Object)
        $ATTACKMatrix.InitialAccess       = @($Techniques | ? -Property Tactic -eq "Initial Access" | select -ExpandProperty Name | Sort-Object)

        #Source: https://community.spiceworks.com/topic/795591-output-multiple-arrays-as-columns-in-csv
        #Source: https://stackoverflow.com/questions/23411202/powershell-combine-single-arrays-into-columns
        # The longest column decides how many rows the matrix table needs.
        $max = (
            $ATTACKMatrix.InitialAccess,
            $ATTACKMatrix.Execution,
            $ATTACKMatrix.Persistence,
            $ATTACKMatrix.PrivilegeEscalation,
            $ATTACKMatrix.DefenseEvasion,
            $ATTACKMatrix.CredentialAccess,
            $ATTACKMatrix.Discovery,
            $ATTACKMatrix.LateralMovement,
            $ATTACKMatrix.Collection,
            $ATTACKMatrix.Exfiltration,
            $ATTACKMatrix.CommandControl | Measure-Object -Maximum -Property Count).Maximum

        $ATTACKMatrixTable = @()

        # Row i holds the i-th technique of every tactic; shorter columns yield $null cells.
        For ($i = 0; $i -lt $max; $i++)
        {
            $MatrixTableProps = New-Object Psobject -Property @{
                'InitialAccess'       = $(If ($ATTACKMatrix.InitialAccess[$i]) {$ATTACKMatrix.InitialAccess[$i]})
                'Execution'           = $(If ($ATTACKMatrix.Execution[$i]) {$ATTACKMatrix.Execution[$i]})
                'Persistence'         = $(If ($ATTACKMatrix.Persistence[$i]) {$ATTACKMatrix.Persistence[$i]})
                'Privilege Escalation'= $(If ($ATTACKMatrix.PrivilegeEscalation[$i]) {$ATTACKMatrix.PrivilegeEscalation[$i]})
                'Defense Evasion'     = $(If ($ATTACKMatrix.DefenseEvasion[$i]) {$ATTACKMatrix.DefenseEvasion[$i]})
                'Credential Access'   = $(If ($ATTACKMatrix.CredentialAccess[$i]) {$ATTACKMatrix.CredentialAccess[$i]})
                'Discovery'           = $(If ($ATTACKMatrix.Discovery[$i]) {$ATTACKMatrix.Discovery[$i]})
                'Lateral Movement'    = $(If ($ATTACKMatrix.LateralMovement[$i]) {$ATTACKMatrix.LateralMovement[$i]})
                'Collection'          = $(If ($ATTACKMatrix.Collection[$i]) {$ATTACKMatrix.Collection[$i]})
                'Exfiltration'        = $(If ($ATTACKMatrix.Exfiltration[$i]) {$ATTACKMatrix.Exfiltration[$i]})
                'Command and Control' = $(If ($ATTACKMatrix.CommandControl[$i]) {$ATTACKMatrix.CommandControl[$i]})
            }
            $ATTACKMatrixTable += $MatrixTableProps
        }
        return $ATTACKMatrixTable
    }
    elseif($PSCmdlet.ParameterSetName -eq 'ATTCKAttribution')
    {
        # Join every group to the techniques used by its tools and by the group itself.
        $AttriBucket = @()
        foreach ($g in $groups)
        {
            foreach ($grouptool in $g.tool)
            {
                $AttriBucket += $hastechnique | where-object -Property 'Display Title' -EQ $grouptool | select @{Name='Group'; Expression={$g.Name}}, @{Name='Group Alias'; Expression={$g.Alias}}, @{Name='Group ID'; Expression={$g.ID}}, TechniqueName, TechniqueID, @{Name='Tool'; Expression={$grouptool}}, description
            }
            $AttriBucket += $hastechnique | where-object -Property 'Display Title' -EQ $g.'Display Title' | select @{Name='Group'; Expression={$g.Name}}, @{Name='Group Alias'; Expression={$g.Alias}}, @{Name='Group ID'; Expression={$g.ID}}, TechniqueName, TechniqueID, description
        }

        # Enrich each attribution row with the technique's tactic and data sources.
        $AttriFinal = @()
        foreach ($t in $TechniquesList)
        {
            $AttriFinal += $AttriBucket | Where-Object -Property TechniqueID -EQ $t.FullText | select Group, 'Group Alias', 'Group ID', @{Name='Tactic'; Expression={$t.Tactic}}, TechniqueName, TechniqueID, Tool, Description, @{Name='Data Source'; Expression={$t.'Data Source'}}
        }
        $AttriFinal | sort -Property Group
    }
    elseif($PSCmdlet.ParameterSetName -eq 'ATTCKAll')
    {
        # Attribution rows plus the full technique metadata, followed by techniques with no attribution.
        $AllAttck = @()
        $HasObject = Invoke-ATTACKAPI -Attribution
        foreach ($t in $TechniquesList)
        {
            $AllAttck += $HasObject | Where-Object -Property TechniqueID -EQ $t.FullText | select Tactic, TechniqueName, TechniqueID, Group, 'Group Alias', 'Group ID', Tool, Description, 'Data Source', @{Name='Bypass'; Expression={$t.Bypass}}, @{Name='Analytic Details'; Expression={$t.'Analytic Details'}}, @{Name='Mitigation'; Expression={$t.Mitigation}}, @{Name='Platform'; Expression={$t.Platform}}, @{Name='Requires Permission'; Expression={$t.'Requires Permission'}}, @{Name='Requires System'; Expression={$t.'Requires System'}}, @{Name='CAPEC ID'; Expression={$t.'CAPEC ID'}}, @{Name='Contributor'; Expression={$t.Contributor}}, @{Name='URL'; Expression={$t.URL}}
        }
        $AllAttck += $TechniquesList | select Tactic, TechniqueName, @{Name='TechniqueID'; Expression={$_.FullText}}, Description, 'Data Source', Bypass, 'Analytic Details', Mitigation, Platform, 'Requires Permission', 'Requires System', 'CAPEC ID', Contributor, URL
        $AllAttck | sort -Property Tactic
    }
    else
    {
        return $Query
    }
}
End{}
}

write-host '

  /$$$$$$  /$$$$$$$$ /$$$$$$$$   /$$$     /$$$$$$  /$$   /$$  /$$$$$$  /$$$$$$$  /$$$$$$
 /$$__  $$|__  $$__/|__  $$__/  /$$ $$   /$$__  $$| $$  /$$/ /$$__  $$| $$__  $$|_  $$_/
| $$  \ $$   | $$      | $$    | $$$    | $$  \__/| $$ /$$/ | $$  \ $$| $$  \ $$  | $$
| $$$$$$$$   | $$      | $$    /$$ $$/$$| $$      | $$$$$/  | $$$$$$$$| $$$$$$$/  | $$
| $$__  $$   | $$      | $$   | $$  $$_/| $$      | $$  $$  | $$__  $$| $$____/   | $$
| $$  | $$   | $$      | $$   | $$\  $$ | $$    $$| $$\  $$ | $$  | $$| $$        | $$
| $$  | $$   | $$      | $$   |  $$$$/$$|  $$$$$$/| $$ \  $$| $$  | $$| $$       /$$$$$$
|__/  |__/   |__/      |__/    \____/\_/ \______/ |__/  \__/|__/  |__/|__/      |______/ V.0.9[BETA]

Adversarial Tactics, Techniques & Common Knowledge API' -ForegroundColor Magenta
write-host '
[*] Author: Roberto Rodriguez @Cyb3rWard0g

' -ForegroundColor Cyan
Invoke-ATTACKAPI -Sync
--------------------------------------------------------------------------------
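The ATTACKMatrix branch above hard-codes eleven tactic columns and zips them into rows by index. The following is an added example, not part of Invoke-ATTACKAPI, that generalizes that step into one function driven by a tactic list: it pads short columns with $null, keeps a tactic with a single technique as an array (a bare string would index characters), and matches techniques whose Tactic property is itself an array. The function name, parameters and the sample technique objects are constructed for this example.

```powershell
# Added example (not project code): generalizes the ATTACKMatrix column-zipping step.
function ConvertTo-TacticColumnTable {
    param(
        [Parameter(Mandatory)] [object[]] $Techniques,   # objects with .Tactic and .Name
        [string[]] $TacticOrder = @('Initial Access','Execution','Persistence','Privilege Escalation',
            'Defense Evasion','Credential Access','Discovery','Lateral Movement',
            'Collection','Exfiltration','Command and Control')
    )
    # Collect sorted technique names per tactic. @() keeps a single match an array,
    # so [$i] below selects a technique rather than a character of a string.
    # Where-Object -eq also matches when .Tactic is an array of tactic names.
    $columns = [ordered]@{}
    foreach ($tactic in $TacticOrder) {
        $columns[$tactic] = @($Techniques | Where-Object Tactic -eq $tactic |
                              Select-Object -ExpandProperty Name | Sort-Object -Unique)
    }
    # The longest column decides the number of rows.
    $depth = ($columns.Values | ForEach-Object { $_.Count } | Measure-Object -Maximum).Maximum
    for ($i = 0; $i -lt $depth; $i++) {
        $row = [ordered]@{}
        foreach ($tactic in $TacticOrder) {
            # Pad columns that are shorter than the current row index with $null.
            $row[$tactic] = if ($i -lt $columns[$tactic].Count) { $columns[$tactic][$i] } else { $null }
        }
        [pscustomobject]$row
    }
}

# Constructed sample input (not real ATT&CK data); 'Exfiltration' deliberately has one technique.
$sample = @(
    [pscustomobject]@{ Tactic = 'Persistence';                           Name = 'Scheduled Task' }
    [pscustomobject]@{ Tactic = 'Persistence';                           Name = 'Registry Run Keys' }
    [pscustomobject]@{ Tactic = @('Execution', 'Defense Evasion');       Name = 'Scripting' }
    [pscustomobject]@{ Tactic = 'Exfiltration';                          Name = 'Data Compressed' }
)
ConvertTo-TacticColumnTable -Techniques $sample | Format-Table -AutoSize
```

The output has two rows: 'Scripting' appears under both Execution and Defense Evasion, and 'Data Compressed' fills only the first Exfiltration cell instead of the letter 'D'.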
