├── make
    ├── .gitkeep
    └── sphinx.mk
├── docs
    ├── extra
    │   └── .gitignore
    ├── _static
    │   ├── readme.md
    │   ├── gaps.png
    │   ├── winex1.png
    │   ├── winex2.png
    │   ├── 4688_ex.png
    │   ├── cldtrlex1.png
    │   ├── cldtrlex2.png
    │   ├── favicon.ico
    │   ├── linuxex1.png
    │   ├── sensors.png
    │   ├── threats.png
    │   ├── WMI-example.png
    │   ├── methodology.png
    │   ├── networkex1.png
    │   ├── visibility.png
    │   ├── attack_ex_pc.png
    │   ├── dataelement_ex.png
    │   ├── msdn_4688_ex.png
    │   ├── ctid_logo_white.png
    │   ├── relationship_ex.png
    │   ├── sensor_comparisons.png
    │   ├── build_sensor_mappings.png
    │   ├── definitioncorrelation_ex.png
    │   ├── msdn_4688_ex_attributes.png
    │   ├── css
    │   │   ├── smap.css
    │   │   └── ctid.css
    │   └── js
    │   │   └── ctid.js
    ├── changelog.rst
    ├── _templates
    │   ├── source-buttons.html
    │   ├── searchbox.html
    │   ├── header.html
    │   ├── footer.html
    │   └── layout.html
    ├── methodology
    │   ├── index.rst
    │   ├── step3.rst
    │   ├── step1.rst
    │   └── step2.rst
    ├── example_technique_mappings
    │   ├── index.rst
    │   ├── linux.rst
    │   ├── network.rst
    │   ├── cloudtrail.rst
    │   └── windows.rst
    ├── definitions.rst
    ├── levels
    │   ├── index.rst
    │   └── mapping_sysmon.rst
    ├── index.rst
    ├── conf.py
    ├── use_cases.rst
    └── overview.rst
├── .gitattributes
├── mappings
    ├── input
    │   ├── config.json
    │   ├── enterprise
    │   │   ├── xlsx
    │   │   │   ├── Sensor Mappings.xlsx
    │   │   │   ├── ~$Sensor Mappings.xlsx
    │   │   │   ├── Sensor ID to Data Source to API v2.xlsx
    │   │   │   └── enterprise-attack-v13.1-datasources.xlsx
    │   │   └── csv
    │   │   │   ├── Sysmon-sensors-mappings-enterprise.csv
    │   │   │   ├── Auditd-sensors-mappings-enterprise.csv
    │   │   │   └── WinEvtx-sensors-mappings-enterprise.csv
    │   └── enterprise-attack-v13.1-datasources.csv
    └── README.md
├── .gitignore
├── .editorconfig
├── Makefile
├── .github
    ├── ISSUE_TEMPLATE
    │   ├── feature_request.md
    │   └── bug_report.md
    └── workflows
    │   └── sphinx.yml
├── pyproject.toml
├── src
    ├── util
    │   ├── stix_schemas.py
    │   ├── create_mappings.py
    │   ├── README.md
    │   ├── generate_docs.py
    │   ├── cli_validator.py
    │   └── create_heatmaps.py
    ├── README.md
    └── parse
    │   └── README.md
├── CONTRIBUTING.md
├── README.md
└── LICENSE.txt


/make/.gitkeep:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/docs/extra/.gitignore:
--------------------------------------------------------------------------------
1 | */
2 | 


--------------------------------------------------------------------------------
/docs/_static/readme.md:
--------------------------------------------------------------------------------
1 | Just to put images, will be deleted later
2 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | ; Force unix line endings for all text files
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/mappings/input/config.json:
--------------------------------------------------------------------------------
1 | {
2 |     "attack_version": "13.1",
3 |     "mappings_version": "1.0"
4 | }


--------------------------------------------------------------------------------
/docs/_static/gaps.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/gaps.png


--------------------------------------------------------------------------------
/docs/_static/winex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/winex1.png


--------------------------------------------------------------------------------
/docs/_static/winex2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/winex2.png


--------------------------------------------------------------------------------
/docs/_static/4688_ex.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/4688_ex.png


--------------------------------------------------------------------------------
/docs/_static/cldtrlex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/cldtrlex1.png


--------------------------------------------------------------------------------
/docs/_static/cldtrlex2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/cldtrlex2.png


--------------------------------------------------------------------------------
/docs/_static/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/favicon.ico


--------------------------------------------------------------------------------
/docs/_static/linuxex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/linuxex1.png


--------------------------------------------------------------------------------
/docs/_static/sensors.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/sensors.png


--------------------------------------------------------------------------------
/docs/_static/threats.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/threats.png


--------------------------------------------------------------------------------
/docs/_static/WMI-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/WMI-example.png


--------------------------------------------------------------------------------
/docs/_static/methodology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/methodology.png


--------------------------------------------------------------------------------
/docs/_static/networkex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/networkex1.png


--------------------------------------------------------------------------------
/docs/_static/visibility.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/visibility.png


--------------------------------------------------------------------------------
/docs/_static/attack_ex_pc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/attack_ex_pc.png


--------------------------------------------------------------------------------
/docs/_static/dataelement_ex.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/dataelement_ex.png


--------------------------------------------------------------------------------
/docs/_static/msdn_4688_ex.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/msdn_4688_ex.png


--------------------------------------------------------------------------------
/docs/_static/ctid_logo_white.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/ctid_logo_white.png


--------------------------------------------------------------------------------
/docs/_static/relationship_ex.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/relationship_ex.png


--------------------------------------------------------------------------------
/docs/_static/sensor_comparisons.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/sensor_comparisons.png


--------------------------------------------------------------------------------
/docs/_static/build_sensor_mappings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/build_sensor_mappings.png


--------------------------------------------------------------------------------
/docs/_static/definitioncorrelation_ex.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/definitioncorrelation_ex.png


--------------------------------------------------------------------------------
/docs/_static/msdn_4688_ex_attributes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/docs/_static/msdn_4688_ex_attributes.png


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | __pycache__/
 2 | build/
 3 | dist/
 4 | sdist/
 5 | *.egg-info/
 6 | coverage.xml
 7 | docs/_build/
 8 | .mypy_cache/
 9 | *.tmp
10 | TODO*
11 | .DS_Store
12 | .vscode/


--------------------------------------------------------------------------------
/mappings/input/enterprise/xlsx/Sensor Mappings.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/mappings/input/enterprise/xlsx/Sensor Mappings.xlsx


--------------------------------------------------------------------------------
/mappings/input/enterprise/xlsx/~$Sensor Mappings.xlsx:
--------------------------------------------------------------------------------
1 | Mike Cunningham                                        M i k e   C u n n i n g h a m                                                                               


--------------------------------------------------------------------------------
/mappings/input/enterprise/xlsx/Sensor ID to Data Source to API v2.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/mappings/input/enterprise/xlsx/Sensor ID to Data Source to API v2.xlsx


--------------------------------------------------------------------------------
/mappings/input/enterprise/xlsx/enterprise-attack-v13.1-datasources.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/sensor-mappings-to-attack/HEAD/mappings/input/enterprise/xlsx/enterprise-attack-v13.1-datasources.xlsx


--------------------------------------------------------------------------------
/docs/_static/css/smap.css:
--------------------------------------------------------------------------------
1 | /* custom tweaks to smap CSS that are not part of the base ctid.css */
2 | div.table-responsive table {
3 |     table-layout: fixed;
4 |     word-wrap: break-word;
5 | }
6 | .btn-primary {
7 |     margin: 2px 0px;
8 | }
9 | 


--------------------------------------------------------------------------------
/docs/changelog.rst:
--------------------------------------------------------------------------------
 1 | Changelog
 2 | =========
 3 | 
 4 | Sensor Mappings to ATT&CK 1.0
 5 | -----------------------------
 6 | 
 7 | 1.0.0 -- December 14, 2023
 8 | 
 9 |     The initial release of Sensor Mappings to ATT&CK includes the model, methodology,
10 |     mappings, and worked examples.


--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
 1 | # Standard text editor settings.
 2 | # See: https://editorconfig.org/
 3 | 
 4 | root = true
 5 | 
 6 | [*]
 7 | end_of_line =  = lf
 8 | insert_final_newline = true
 9 | 
10 | [*.{js, py}]
11 | charset = utf-8
12 | indent_style = space
13 | indent_size = 4
14 | 
15 | [Makefile]
16 | indent_style = tab
17 | 


--------------------------------------------------------------------------------
/docs/_templates/source-buttons.html:
--------------------------------------------------------------------------------
 1 | {%- if show_source and has_source and sourcename %}
 2 | <a
 3 |   class="btn btn-sm btn-light text-decoration-none"
 4 |   href="{{ pathto('_sources/' + sourcename, true)|e }}"
 5 |   rel="nofollow"
 6 | >
 7 |   <span class="btn-icon"><span class="fas fa-code"></span></span>
 8 |   <span class="btn-text">View source</span>
 9 | </a>
10 | {%- endif %}
11 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # See `make help` for a list of all available commands.
 3 | #
 4 | 
 5 | include make/*.mk
 6 | 
 7 | .DEFAULT_GOAL := help
 8 | ROOTDIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
 9 | 
10 | .PHONY: help
11 | help: ## Show Makefile help
12 | 	@grep -hE '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
13 | 		awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | \
14 | 		sort
15 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an idea for this project
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 | 
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 | 
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 | 
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 | 


--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
 1 | [tool.poetry]
 2 | name = "sensor-mappings-to-attack"
 3 | version = "1.0.0"
 4 | description = ""
 5 | authors = ["Center for Threat-Informed Defense <ctid@mitre.org>"]
 6 | license = "Apache License"
 7 | readme = "README.md"
 8 | package-mode = false
 9 | 
10 | [tool.poetry.dependencies]
11 | python = "^3.10"
12 | pytz = "^2023.3"
13 | stix2 = "^3.0.1"
14 | pandas = "^2.2.0"
15 | tqdm = "^4.66.1"
16 | openpyxl = "^3.1.2"
17 | requests = "^2.31.0"
18 | schema = "^0.7.5"
19 | python-dateutil = "^2.8.2"
20 | numpy = "^2.2.0"
21 | python-slugify = "^8.0.4"
22 | 
23 | [tool.poetry.group.dev.dependencies]
24 | sphinx = "6.2"
25 | sphinx-autobuild = "^2021.3.14"
26 | sphinx-wagtail-theme = "^6.5.0"
27 | 
28 | [build-system]
29 | requires = ["poetry-core"]
30 | build-backend = "poetry.core.masonry.api"
31 | 


--------------------------------------------------------------------------------
/make/sphinx.mk:
--------------------------------------------------------------------------------
 1 | SOURCEDIR = docs/
 2 | BUILDDIR = docs/_build/
 3 | 
 4 | .PHONY: docs docs-html docs-pdf
 5 | 
 6 | docs-ci: ## Generate HTML documentation for publishing to GitHub Pages.
 7 | 	sphinx-build -M dirhtml "$(SOURCEDIR)" "$(BUILDDIR)" -W --keep-going
 8 | 
 9 | docs-html: ## Generate HTML documentation for local viewing.
10 | 	sphinx-build -M html "$(SOURCEDIR)" "$(BUILDDIR)"
11 | 
12 | docs-pdf: ## Generate PDF documentation.
13 | 	poetry export --dev --without-hashes -f requirements.txt -o docs/requirements.txt
14 | 	docker run --rm -v "$(PWD)/docs":/docs sphinxdoc/sphinx-latexpdf:4.3.1 \
15 | 		bash -c "pip install -r requirements.txt && sphinx-build -M latexpdf /docs /docs/_build"
16 | 	rm docs/requirements.txt
17 | 
18 | docs-server: ## Run server for local editing of docs.
19 | 	sphinx-autobuild -b dirhtml -a "$(SOURCEDIR)" "$(BUILDDIR)"
20 | 


--------------------------------------------------------------------------------
/docs/_templates/searchbox.html:
--------------------------------------------------------------------------------
 1 | {%- if builder != "singlehtml" %}
 2 | <div id="searchbox" class="searchbox mb-6 px-1" role="search">
 3 |     <form id="search-form" action="{{ pathto('search') }}" autocomplete="off" method="get" role="search">
 4 |         <div class="input-group">
 5 |             <div class="input-group-prepend">
 6 |                 <div class="input-group-text border-right-0 bg-white py-3 pl-3 pr-2"><span class="fas fa-search"></span>
 7 |                 </div>
 8 |             </div>
 9 |             <input class="form-control py-3 pr-3 pl-1 h-100 border-left-0" type="search" name="q"
10 |                 placeholder="Search docs" aria-label="Search docs" id="searchinput" />
11 |         </div>
12 |         <input type="hidden" name="check_keywords" value="yes" />
13 |         <input type="hidden" name="area" value="default" />
14 |     </form>
15 | </div>
16 | {%- endif %}
17 | 


--------------------------------------------------------------------------------
/mappings/README.md:
--------------------------------------------------------------------------------
 1 | # Mappings
 2 | The mappings folder contains inputs and outputs related to the tool suite.
 3 | 
 4 | 
 5 | ## Input
 6 | Contains files used as input for running tool suite.
 7 | 
 8 | ### `attack-domain`
 9 | Inputs for creating mappings to different domains should be organized by the attack-domain.
10 | e.g., to create mappings to the 'enterprise' attack domain, input files would be stored in `mappings/input/enterprise`
11 | 
12 | ---
13 | 
14 | ## STIX
15 | Contains STIX bundle files output from running the `src/parse/generate_stix.py` file. Outputs will be stored in corresponding `attack-domain` folders.
16 | 
17 | ---
18 | 
19 | ## layers
20 | Contains ATT&CK Navigator files output from running the `src/util/create_heatmaps.py` file.Outputs will be stored in corresponding `attack-domain` folders.
21 | 
22 | e.g., to create ATT&CK Navigator layers for the `enterprise` attack domain, use STIX bundle files stored in `mappings/stix/enterprise` to generate Navigator layers in the folder `mappings/layers/enterprise`


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Create a report to help us improve
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 | 
13 | **To Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Go to '...'
16 | 2. Click on '....'
17 | 3. Scroll down to '....'
18 | 4. See error
19 | 
20 | **Expected behavior**
21 | A clear and concise description of what you expected to happen.
22 | 
23 | **Screenshots**
24 | If applicable, add screenshots to help explain your problem.
25 | 
26 | **Desktop (please complete the following information):**
27 |  - OS: [e.g. iOS]
28 |  - Browser [e.g. chrome, safari]
29 |  - Version [e.g. 22]
30 | 
31 | **Smartphone (please complete the following information):**
32 |  - Device: [e.g. iPhone6]
33 |  - OS: [e.g. iOS8.1]
34 |  - Browser [e.g. stock browser, safari]
35 |  - Version [e.g. 22]
36 | 
37 | **Additional context**
38 | Add any other context about the problem here.
39 | 


--------------------------------------------------------------------------------
/docs/methodology/index.rst:
--------------------------------------------------------------------------------
 1 | Mapping Methodology
 2 | ===================
 3 | 
 4 | Philosophy
 5 | ----------
 6 | 
 7 | Mappings are created by analyzing each in-scope sensor in relation to ATT&CK Data
 8 | Sources. Events collected by sensors are at a different level of abstraction than ATT&CK
 9 | objects, so they cannot always perfectly detect the adversary behaviors that they are
10 | mapped to. By completing the connection of conceptual data sources and components to
11 | concrete logs, sensors, and other security capabilities, cyber defenders have
12 | information to help identify relevant security data to collect for specific behaviors
13 | and environments.
14 | 
15 | Process
16 | -------
17 | 
18 | .. image:: ../_static/build_sensor_mappings.png
19 |    :width: 700
20 | 
21 | The Sensor Mappings to ATT&CK mapping methodology consists of the following steps:
22 | 
23 | .. toctree::
24 |     :hidden:
25 | 
26 |     step1
27 |     step2
28 |     step3
29 | 
30 | - :doc:`step1`: Identify the types of events the sensor can emit.
31 | - :doc:`step2`: For each identified event, understand the security capabilities it provides.
32 | - :doc:`step3`: Identify the ATT&CK Data Sources mappable to event IDs.
33 | 


--------------------------------------------------------------------------------
/docs/example_technique_mappings/index.rst:
--------------------------------------------------------------------------------
 1 | Example Scenarios
 2 | =================
 3 | 
 4 | Examples are provided to depict how these mappings can be used to get from Sensor Events
 5 | to ATT&CK Data Sources to ATT&CK Techniques. It should be stated up front that there is
 6 | no easy, one-to-one mapping from data source to technique. In addition, not all events
 7 | are created equal in regard to visibility of specific techniques, and two events with
 8 | the same field names can in fact represent different data. Some amount of analyst
 9 | judgement is required and, whenever judgement is involved, there can be differences in
10 | opinion. The mapping methodology and these examples are provided to demonstrate the
11 | judgement and rationale to apply when identifying specific event visibility into
12 | techniques. Of course, additonal customized considerations must also be given when
13 | looking to provide insight into a specific environment.
14 | 
15 | .. toctree::
16 | 
17 |     windows
18 |     linux
19 |     cloudtrail
20 |     network
21 | 
22 | Note that the initial SMAP work was developed using ATT&CKv13.1. The mappings include
23 | some data components that are not represented in ATT&CKv13.1 and may not be represented
24 | in more recent versions of ATT&CK. The reason for this is that ATT&CK does not include 
25 | data components that do not currently have a relationship to a (sub-)technique. These 
26 | mapped data components are being tracked by the ATT&CK team and will be considered for 
27 | incorporation in future versions of ATT&CK as the overall ATT&CK catalog evolves.


--------------------------------------------------------------------------------
/docs/_templates/header.html:
--------------------------------------------------------------------------------
 1 | <header class="container-fluid bg-primary sticky-top">
 2 |   <a class="btn btn-sm btn-light skip-to-content-link" href="#main">{{ _('Skip to content') }}</a>
 3 |   <div class="container-fluid container">
 4 |     <div class="navbar navbar-expand-lg navbar-dark font-weight-bold">
 5 |       {%- if theme_project_name %}
 6 |       <a class="logo" href="{{pathto(master_doc)}}">
 7 |         <h1>{{theme_project_name}}
 8 |           <span class="version">
 9 |             {{version}}
10 |           </span>
11 |         </h1>
12 |       </a>
13 |       {% endif %} {%- if theme_logo and theme_logo != 'None' %}
14 |       <a href="https://ctid.mitre.org/" target="_blank" {% if theme_logo_alt %}title="{{ theme_logo_alt|e }}" {% endif
15 |         %} class="navbar-brand d-none d-lg-block">
16 |         <img src="{{ pathto('_static/' + theme_logo, 1) }}" {%- if theme_logo_width %} width="{{ theme_logo_width|e }}"
17 |           {% endif %} {%- if theme_logo_height %} height="{{ theme_logo_height|e }}" {% endif %} {%- if theme_logo_alt
18 |           %} alt="{{ theme_logo_alt|e }}" {% endif %} {%- if theme_logo_title %} title="{{ theme_logo_title|e }}" {%
19 |           endif %} class="logo-img" />
20 |       </a>
21 |       {% endif %}
22 | 
23 |       <button class="navbar-toggler btn btn-primary d-lg-none" type="button" data-toggle="collapse"
24 |         data-target="#collapseSidebar" aria-expanded="false" aria-controls="collapseExample">
25 |         <span class="navbar-toggler-icon"></span>
26 |         <span class="sr-only">{{ _('menu') }}</span>
27 |       </button>
28 |     </div>
29 |   </div>
30 | </header>


--------------------------------------------------------------------------------
/src/util/stix_schemas.py:
--------------------------------------------------------------------------------
 1 | import datetime
 2 | from schema import Schema, Optional
 3 | 
 4 | 
 5 | data_component_schema = Schema(
 6 |     {
 7 |         # STIX x-mitre-data-component specific properties
 8 |         "modified": str,
 9 |         "name": str,
10 |         Optional("description"): str,
11 | 
12 |         # ATT&CK custom properties
13 |         "x_mitre_data_source_ref": str,
14 |         "x_mitre_modified_by_ref": str,
15 |         "x_mitre_domains": [ str ],
16 |         "x_mitre_version": str,
17 |         "x_mitre_attack_spec_version": str,
18 |         Optional("x_mitre_deprecated", False): bool,
19 |     },
20 |     ignore_extra_keys=True
21 | )
22 | 
23 | data_source_schema = Schema(
24 |     {
25 |         # STIX x-mitre-data-source specific properties
26 |         "modified": str,
27 |         "name": str,
28 |         Optional("description"): str,
29 | 
30 |         # ATT&CK custom properties
31 |         "x_mitre_modified_by_ref": str,
32 |         Optional("x_mitre_platforms"): [ str ],
33 |         Optional("x_mitre_deprecated", False): bool,
34 |         "x_mitre_domains": [ str ],
35 |         "x_mitre_version": str,
36 |         "x_mitre_attack_spec_version": str,
37 |         "x_mitre_contributors": [ str ],
38 |         Optional("x_mitre_collection_layers"): [ str ]
39 |     },
40 |     ignore_extra_keys=True
41 | )
42 | 
43 | sensor_mapping_schema = Schema(
44 |     {
45 |         "event_id": str,
46 |         Optional("description"): str,
47 |         "data_source": str,
48 |         "data_component": str,
49 |         "source": str,
50 |         "relationship": str,
51 |         "target": str,
52 |         Optional("x_mitre_data_source_id"): str
53 |     },
54 |     ignore_extra_keys=True
55 | )


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | 
 3 | ## How to contribute
 4 | 
 5 | Thanks for contributing to Sensor Mappings to ATT&CK!
 6 | 
 7 | You are welcome to comment on issues, open new issues, and open pull requests.
 8 | 
 9 | Pull requests should target the **[main](https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack/tree/main)** branch of the repository.
10 | 
11 | Also, if you contribute any source code, we need you to agree to the following
12 | Developer's Certificate of Origin below.
13 | 
14 | ## Reporting Issues
15 | 
16 | * Describe (in detail) what should have happened. Include any supporting information
17 |   that may be helpful in resolving the issue.
18 | 
19 | * Be sure to include any steps to replicate the issue.
20 | 
21 | ### Developer's Certificate of Origin v1.1
22 | 
23 | ```
24 | By making a contribution to this project, I certify that:
25 | 
26 | (a) The contribution was created in whole or in part by me and I
27 |  have the right to submit it under the open source license
28 |  indicated in the file; or
29 | 
30 | (b) The contribution is based upon previous work that, to the best
31 |  of my knowledge, is covered under an appropriate open source
32 |  license and I have the right under that license to submit that
33 |  work with modifications, whether created in whole or in part
34 |  by me, under the same open source license (unless I am
35 |  permitted to submit under a different license), as indicated
36 |  in the file; or
37 | 
38 | (c) The contribution was provided directly to me by some other
39 |  person who certified (a), (b) or (c) and I have not modified
40 |  it.
41 | 
42 | (d) I understand and agree that this project and the contribution
43 |  are public and that a record of the contribution (including all
44 |  personal information I submit with it, including my sign-off) is
45 |  maintained indefinitely and may be redistributed consistent with
46 |  this project or the open source license(s) involved.
47 | ```
48 | 


--------------------------------------------------------------------------------
/docs/example_technique_mappings/linux.rst:
--------------------------------------------------------------------------------
 1 | Linux Example Scenario
 2 | ======================
 3 | 
 4 | The Linux example explores `Local Account (T1136.001)
 5 | <https://attack.mitre.org/techniques/T1136/001>`__ and usage of the mappings done under
 6 | this project to provide visibility using the Auditd events: ``ADD_USER`` and
 7 | ``ANOM_ADD_ACCOUNT``.
 8 | 
 9 | 
10 | Create Local Account (T1136.001)
11 | --------------------------------
12 | 
13 | This example explores Auditd events mapped to the User Account Creation data component and
14 | their potential visibility into detecting activity associated with Create Local Account
15 | (T1136.001).
16 | 
17 | .. image:: ../_static/linuxex1.png
18 | 
19 | **Looking at the event data, is this enough evidence to conclude that a user account was
20 | created per T1136.001?** It could be inferred by the name of the technique and the names
21 | of the Auditd events of ADD_USER and ANOM_ADD_ACCOUNT that these events may be
22 | associated with the technique. Further context is needed, though to see if these events
23 | can be directly associated with the technique. Use ``/var/log/audit/audit.log`` to
24 | search on event names.
25 | 
26 | **ADD_USER:**
27 | 
28 | *Yes.* This event is triggered when a user account is created, which in this case could
29 | be directly associated with User Account Creation of a local account.
30 | 
31 | **ANOM_ADD_ACCOUNT:**
32 | 
33 | *No.* This event is only triggered when the addition of account ends abnormally. It does
34 | not simply provide information specifically for new account creation.
35 | 
36 | *References:*
37 | 
38 | * `Linux man page - auditd(8) <https://www.man7.org/linux/man-pages/man8/auditd.8.html>`_
39 | 
40 | .. warning::
41 | 
42 |   Systemd Journal is a Linux system service that collects and stores logging data. Systemd
43 |   Journal reflects user creation activity and attendant commands but does not appear to
44 |   display the event names in RHEL-derived distributions. Also, Systemd Journal is not 100%
45 |   accurate. For example, user creation/deletion events are not copied from auditd to the
46 |   journal with perfect fidelity, depending on distribution.
47 | 


--------------------------------------------------------------------------------
/src/README.md:
--------------------------------------------------------------------------------
 1 | # Tools for Sensor Mappings to MITRE ATT&CK®
 2 | 
 3 | This directory contains a Python package of tools for working with data generated from sensors mappings to ATT&CK.
 4 | 
 5 | ## Set up
 6 | 
 7 | You will need the following prerequisites to run the tools:
 8 | 
 9 | 1. [Python (≥3.10)](https://www.python.org/downloads/)
10 | 2. [Python Poetry](https://python-poetry.org/docs/#installation)
11 | 
12 | Once you have the repository cloned, run the following one-time command to initialize a virtual environment and install dependencies:
13 | 
14 | ```
15 | poetry install
16 | ```
17 | 
18 | Once the dependencies are installed, you will need to activate the [virtual environment](https://python-poetry.org/docs/basic-usage/#activating-the-virtual-environment) in each terminal window prior to using the Python tools.
19 | 
20 | ```
21 | poetry shell
22 | ```
23 | 
24 | ## Tools
25 | 
26 | The tools are organized into the following subdirectories. Click the link to view detailed instructions for working with those tools.
27 | 
28 | | Directory                     | Description                                                                         |
29 | | ----------------------------- | ----------------------------------------------------------------------------------- |
30 | | [`parse/`](./parse)           | Script for parsing sensor data and mappings spreadsheets.                           |
31 | | [`util/`](./util)             | Utility scripts to process mappings data, such as Navigator layers, CSV files, etc. |
32 | 
33 | ## Creating mappings
34 | To use the tool suite, execution the files in the following order:
35 | 1. Create the auxilary files by running `util/create_mappings.py`
36 | 2. Create mappings by running `parse/generate_stix.py`
37 | 3. (Optional) Validate bundles by running `util/cli_validator.py`
38 | 4. Create ATT&CK Navigation layers by running `util/create_heatmaps.py`
39 | 5. Update Sphinx mapping tables by running `util/generate_docs.py`
40 | 
41 | 
42 | ## Customization
43 | 
44 | To create customized mappings, edit the input data in the [`inputs/`](../mappings/input) directory and then use the tools above to regenerate the outputs.
45 | 


--------------------------------------------------------------------------------
/docs/definitions.rst:
--------------------------------------------------------------------------------
 1 | Definitions
 2 | ===========
 3 | 
 4 | This page defines the key terms used throughout our research.
 5 | 
 6 | Data Component
 7 |    Data Components are constituent pieces of the data source, which are best described
 8 |    separately. Components may have their own set of metadata (describing the associated
 9 |    fields/values associated with the source) and activities (describing actions of the
10 |    source). ATT&CK Data Sources and Data Components can be found `here
11 |    <https://attack.mitre.org/datasources/>`__.
12 | 
13 | Data Elements
14 |    Data Elements are names, definitions, and attributes that are being used or captured
15 |    in an event.
16 | 
17 |    .. image:: _static/msdn_4688_ex.png
18 |       :width: 500
19 | 
20 | Data Source
21 |    Data Sources represents information collected by a sensor or logging system that may
22 |    identify properties or values relevant to identifying the adversarial action being
23 |    ATT&CK Data Sources and Data Components can be found `here
24 |    <https://attack.mitre.org/datasources/>`__. performed, sequence of actions, or the
25 |    results of those actions.
26 | 
27 | MITRE ATT&CK
28 |    MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and
29 |    techniques based on real-world observations. ATT&CK focuses on how external
30 |    adversaries compromise and operate within computer networks.
31 | 
32 | Sensor
33 |    A sensor is an agent or service capable of detecting or measuring information across
34 |    many different sources on a host or network in real-time. Sensors provide raw data
35 |    with high precision and accuracy.
36 | 
37 | [Sub-]Technique
38 |    Techniques represent the "how" of cyber intrusions, i.e. the means by which
39 |    adversaries achieve tactical objective. Sub-techniques break down techniques into
40 |    more fine-grained descriptions of adversary behaviors.
41 | 
42 | Telemetry
43 |    Telemetry consists of discrete events that are generated by sensors, e.g. log data.
44 |    Telemetry may be delivered in various formats (e.g., json, csv, etc.) and is often
45 |    streamed in near real-time.
46 | 
47 |    .. image:: _static/4688_ex.png
48 |       :width: 500
49 | 


--------------------------------------------------------------------------------
/docs/levels/index.rst:
--------------------------------------------------------------------------------
 1 | Sensor Mapping
 2 | ==============
 3 | 
 4 | The scope of this project includes mappings to ATT&CK Data Sources from Host Sensors,
 5 | which gather data from endpoints in the environment (e.g., Windows, Linux), and Network
 6 | Sensors, which gather data gather from network communications, typically outbound
 7 | connections.
 8 | 
 9 | The initial SMAP work was developed using ATT&CKv13.1. The mappings include some data 
10 | components that are not represented in ATT&CKv13.1 and may not be represented in more
11 | recent versions of ATT&CK. The reason for this is that ATT&CK does not include data
12 | components that do not currently have a relationship to a (sub-)technique. These 
13 | mapped data components are being tracked by the ATT&CK team and will be considered for 
14 | incorporation in future versions of ATT&CK as the overall ATT&CK catalog evolves.
15 | 
16 | View Mappings
17 | -------------
18 | 
19 | .. raw:: html
20 | 
21 |     <p>
22 |         <a class="btn btn-primary" target="_blank" href="../xlsx/Sensor%20Mappings.xlsx">
23 |         <i class="fa fa-file-excel-o"></i> Download Mappings – Excel</a>
24 |     </p>
25 | 
26 | You can download a spreadsheet containing the mappings for all sensors or dive into the
27 | details for a specific sensor:
28 | 
29 | .. toctree::
30 |     :maxdepth: 1
31 | 
32 |     mapping_auditd
33 |     mapping_cloudtrail
34 |     mapping_osquery
35 |     mapping_sysmon
36 |     mapping_winevtx
37 |     mapping_zeek
38 | 
39 | .. image:: ../_static/sensors.png
40 | 
41 | Visualize Coverage
42 | ------------------
43 | 
44 | .. raw:: html
45 | 
46 |     <p>
47 |         <a class="btn btn-primary" target="_blank" href="https://mitre-attack.github.io/attack-navigator/#layerURL=https://center-for-threat-informed-defense.github.io/sensor-mappings-to-attack/navigator/Auditd-heatmap.json">
48 |         <i class="fa fa-map-signs"></i> Open Sensor Coverage in ATT&CK Navigator</a>
49 |     </p>
50 | 
51 | The Navigator layer connects sensors → data sources → techniques. Each sensor is color
52 | coded to the techniques that it is mapped to. Techniques with multiple sensors are
53 | shaded in green: lighter green means fewer sensors and darker green means more sensors.
54 | 
55 | .. image:: ../_static/sensor_comparisons.png
56 | 


--------------------------------------------------------------------------------
/docs/index.rst:
--------------------------------------------------------------------------------
 1 | Sensor Mappings to ATT&CK
 2 | =========================
 3 | 
 4 | The Sensor Mappings to ATT&CK Project (SMAP) is a collection of resources to assist
 5 | security operations teams and security leaders with understanding which tools,
 6 | capabilities, and events can help provide visibility into real-world adversary behaviors
 7 | potentially occurring in their environments. SMAP builds on `MITRE ATT&CK®
 8 | <https://attack.mitre.org/>`_ Data Sources by connecting the conceptual data source
 9 | representions of information that can be collected to concrete logs, sensors, and other
10 | security capabilities that provide that type of data.
11 | 
12 | This project is created and maintained by `MITRE Center for Threat-Informed
13 | Defense (Center) <https://ctid.mitre.org>`_ and is funded by our `research
14 | participants
15 | <https://ctid.mitre.org/projects/sensor-mappings-to-attack#participants-section>`_,
16 | in futherance of our mission to advance the start of the art and the state of the
17 | practice in threat-informed defense globally. This work complements the Center's
18 | `Security Stack Mappings
19 | <https://github.com/center-for-threat-informed-defense/security-stack-mappings>`_
20 | project by allowing defenders to use both resources to understand their overall
21 | defensive coverage and make threat-informed decisions.
22 | 
23 | .. toctree::
24 |     :maxdepth: 2
25 |     :caption: Contents
26 | 
27 |     overview
28 |     definitions
29 |     methodology/index
30 |     levels/index
31 |     use_cases
32 |     example_technique_mappings/index
33 |     changelog
34 | 
35 | Notice
36 | ------
37 | 
38 | © 2023 MITRE. Approved for public release. Document number CT0089.
39 | 
40 | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
41 | file except in compliance with the License. You may obtain a copy of the License at
42 | http://www.apache.org/licenses/LICENSE-2.0
43 | 
44 | Unless required by applicable law or agreed to in writing, software distributed under
45 | the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
46 | KIND, either express or implied. See the License for the specific language governing
47 | permissions and limitations under the License.
48 | 
49 | This project makes use of ATT&CK®: `ATT&CK Terms of Use
50 | <https://attack.mitre.org/resources/terms-of-use/>`__
51 | 


--------------------------------------------------------------------------------
/.github/workflows/sphinx.yml:
--------------------------------------------------------------------------------
 1 | name: Build Sphinx Docs
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [main]
 6 |   pull_request:
 7 | 
 8 | permissions:
 9 |   contents: read
10 |   pages: write
11 |   id-token: write
12 | 
13 | jobs:
14 |   docs:
15 |     runs-on: ubuntu-latest
16 | 
17 |     steps:
18 |     - uses: actions/checkout@v4
19 |     - uses: actions/setup-python@v4
20 |       with:
21 |         python-version: '3.10'
22 |     - name: Install Poetry
23 |       run: curl -sSL https://install.python-poetry.org/ | python -
24 |     - name: Add Poetry to PATH
25 |       run: echo "$HOME/.poetry/bin" >> $GITHUB_PATH
26 |     - name: Install dependencies
27 |       run: poetry install
28 |     - name: Validate STIX bundles
29 |       run: poetry run python src/util/cli_validator.py
30 |     - name: Copy Mappings Excel to Website
31 |       run: mkdir docs/extra/xlsx && cp "mappings/input/enterprise/xlsx/Sensor Mappings.xlsx" docs/extra/xlsx
32 |     - name: Copy Mappings CSVs to Website
33 |       run: mkdir docs/extra/csv && cp mappings/input/enterprise/csv/*.csv docs/extra/csv
34 |     - name: Copy Navigator Layers to Website
35 |       run: mkdir docs/extra/navigator && cp mappings/layers/enterprise/*.json docs/extra/navigator
36 |     - name: Copy STIX Bundles to Website
37 |       run: mkdir docs/extra/stix && cp mappings/stix/enterprise/*.json docs/extra/stix
38 |     - name: Build HTML docs
39 |       run: poetry run make docs-ci
40 |     - name: Upload HTML docs
41 |       uses: actions/upload-artifact@v4
42 |       with:
43 |         name: sensor-mappings-to-attack-docs-html
44 |         path: docs/_build/dirhtml/
45 | 
46 |   github_pages:
47 |     # This job only runs when committing or merging to main branch.
48 |     if: github.ref_name == 'main'
49 |     needs: docs
50 |     runs-on: ubuntu-latest
51 |     environment:
52 |       name: github-pages
53 |       url: $\{\{ steps.deployment.outputs.page_url \}\}
54 | 
55 |     steps:
56 |     - name: Setup Pages
57 |       uses: actions/configure-pages@v2
58 |     - name: Download HTML docs
59 |       uses: actions/download-artifact@v4
60 |       with:
61 |         name: sensor-mappings-to-attack-docs-html
62 |         path: docs
63 |     - name: Upload artifact
64 |       uses: actions/upload-pages-artifact@v3
65 |       with:
66 |         path: ./docs
67 |     - name: Deploy to GitHub Pages
68 |       id: deployment
69 |       uses: actions/deploy-pages@v4
70 | 


--------------------------------------------------------------------------------
/docs/example_technique_mappings/network.rst:
--------------------------------------------------------------------------------
 1 | Network Example Scenario
 2 | ========================
 3 | 
 4 | This example explores usage of events detected using network traffic to provide
 5 | potential visibility into detecting activity associated with `SNMP (MIB Dump)
 6 | (T1602.001) <https://attack.mitre.org/techniques/T1602/001>`__.
 7 | 
 8 | Data from Configuration Repository: SNMP (T1602.001)
 9 | ----------------------------------------------------
10 | 
11 | The example explores the use of network traffic information to find evidence of the
12 | collection and/or mining of information in a network managed Data from Configuration
13 | Repository: SNMP (T1602.001). Network Traffic Content is a data component of this
14 | technique, and the Zeek events of ``Snmp_report``, ``Ssl_plaintext_data``,
15 | ``http_entity_data`` have been mapped to this data component under this project.
16 | 
17 | .. image:: ../_static/networkex1.png
18 | 
19 | **Looking at the event data, is this enough evidence to conclude that data is being
20 | collected or mined using Simple Network Management Protocol (SNMP) per technique
21 | T1602.001?** To find evidence of an adversary gathering data using SNMP, network traffic
22 | can be monitored and analyzed.
23 | 
24 | **snmp_report:**
25 | 
26 | *Yes.* Monitor and analyze unusual SNMP reply packet content and inspect information
27 | associated with the host that sent it (e.g. snmp traffic originating from unauthorized
28 | or untrusted hosts, signature detection for strings mapped to device configurations,
29 | anomolies in snmp requests).
30 | 
31 | *References:*
32 | 
33 | * `Book of Zeek - snmp_report
34 |   <https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#id-snmp_report>`__
35 | 
36 | **ssl_plaintext_data:**
37 | 
38 | *Yes.* Inspect SSL/TLS messages sent before full session encryption starts for specific
39 | data being collected.
40 | 
41 | *References:*
42 | 
43 | * `Book of Zeek - ssl_plaintext_data
44 |   <https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#id-ssl_plaintext_data>`__
45 | 
46 | **http_entity_data:**
47 | 
48 | *Not likely.* This is useful for Hypertext Transfer Protocol (HTTP) traffic content,
49 | which is also a TCP/IP protocol. SNMP communication through applets is possible using
50 | HTTP protocol, but is less efficient.
51 | 
52 | *References:*
53 | 
54 | * `Book of Zeek - http_entity_data
55 |   <https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#id-http_entity_data>`_
56 | 


--------------------------------------------------------------------------------
/src/parse/README.md:
--------------------------------------------------------------------------------
 1 | # Stix Scripts and Data
 2 | This folder contains mappings of sensor data to STIX along with the parsing tool
 3 | 
 4 | | File                                   | Description                                                                                                       |
 5 | | :------------------------------------- | :---------------------------------------------------------------------------------------------------------------- |
 6 | | [generate_stix.py](#generate_stix)     | Script to build the raw STIX data from the input spreadsheets. Generates a file for each sensor source            |
 7 | 
 8 | ## parse.py
 9 | ### Description
10 | Script to build the raw STIX data from the input spreadsheets to generate STIX data. Exports STIX relationship objects and utilizes the CustomObject decorator in STIX2 for the creation of new Data Source, Data Component and Sensor Mapping STIX objects. The script pulls the specified ATT&CK domain data down in STIX format, using the specified ATT&CK version from the given config_location. A file for referencing all created STIX objects is created in output_folder to avoid overwriting STIX IDs when regenerating outputs.
11 | 
12 | ### Use
13 | | Argument            | Description                                                                          | Default Value                                                                             |
14 | | :------------------ | :----------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------- |
15 | | attack_domain       | attack domain we are mapping. i.e. 'enterprise-attack', 'mobile-attack', 'ics-attack'| enterprise-attack                                                                         |
16 | | config_location     | filepath to the configuration file for the framework                                 | `../../mappings/input/config.json`                                                        |
17 | | mappings_location   | filepath to the CSV spreadsheets to write the mappings                               | `../../mappings/input/enterprise/csv`                                                     |
18 | | output_folder       | folder where STIX bundle files will be saved.                                        | `../../mappings/stix/enterprise`                                                          |
19 | | groups              | flag for making mappings to group objects                                            | N/A                                                                                       |
20 | 
21 | 
22 | Generate STIX data from Enterprise ATT&CK
23 | ```
24 | python generate_stix.py -attack_domain enterprise-attack
25 | ```


--------------------------------------------------------------------------------
/docs/methodology/step3.rst:
--------------------------------------------------------------------------------
 1 | Step 3: Relationship Correlation
 2 | ================================
 3 | 
 4 | Identify the Data Element
 5 | -------------------------
 6 | 
 7 | The next step in reviewing the event ID is **identify the data element**.  As mentioned
 8 | in Step 2, `Event ID 4688: A new process has been created
 9 | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688>`_
10 | provides attributes that describe the data elements needed, such as the logon ID and the
11 | domain it belongs to.
12 | 
13 | .. image:: ../_static/msdn_4688_ex_attributes.png
14 |    :width: 600
15 | 
16 | The use of Data Elements helps to understand key attributes that are related to the
17 | adversary behavior. For example, if an adversary behavior modifies a Windows Registry
18 | value, then defenders need to collect Windows Registry telemetry to get visbility into
19 | that behavior.
20 | 
21 | Additional context on how to establish data elements can be gained by considering:
22 | 
23 | - *How is the adversary conducting a behavior?*
24 | - *What are all the data objects that define the context of the data source?*
25 | - *What are some attributes from the event log that contribute to the activity of the
26 |   adversary behavior?*
27 | 
28 | .. image:: ../_static/dataelement_ex.png
29 |    :width: 700
30 | 
31 | This method can also be used to provide a general idea of what information needs to be
32 | collected.
33 | 
34 | .. tip::
35 | 
36 |    **There is not just one correct way to define data elements**. Please look to your
37 |    organizational needs to help define what data elements mean to you.
38 | 
39 | Identify Relationships among Data Elements
40 | ------------------------------------------
41 | 
42 | By documenting the event collection, source (e.g. creation of a new process), and data
43 | elements (e.g. user account and process), defenders can start to document descriptions
44 | of **interactions among elements through relationships**.
45 | 
46 | .. tip::
47 | 
48 |    Relationships in ATT&CK have been categorized between *activity* and *information*.
49 |    Activity relationships are the ones that make references to the action that triggered
50 |    the generation of the event. Informational relationships are the ones defined based
51 |    on the metadata provided by the event. Therefore, please be aware of alternative data
52 |    elements (i.e., a thread can create a process).
53 | 
54 | .. image:: ../_static/relationship_ex.png
55 |    :width: 700
56 | 
57 | As discussed by `OSSEM <https://github.com/OTRF/OSSEM>`_ at their ATT&CKcon 2018 and
58 | 2019 presentation, the activity of the relationship leads to Data Components. Data
59 | Components help to categorize relationships among data elements based on the security
60 | context they describe (i.e., Creation, Execution, Deletion).
61 | 


--------------------------------------------------------------------------------
/mappings/input/enterprise/csv/Sysmon-sensors-mappings-enterprise.csv:
--------------------------------------------------------------------------------
 1 | EVENT ID,EVENT DESCRIPTION,ATT&CK DATA SOURCE ID,ATT&CK DATA SOURCE,ATT&CK DATA COMPONENT,SOURCE,RELATIONSHIP,TARGET
 2 | 6,Driver loaded,DS0027,Driver,Driver Load,Driver,Loaded,
 3 | 9,The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation,DS0022,File,File Access,Process,Accessed,File
 4 | 11,FileCreate,DS0022,File,File Creation,Process/User,Created,File
 5 | 15,FileCreateStreamHash,DS0022,File,File Creation,File,Created,File Stream Hash
 6 | 23,FileDelete,DS0022,File,File Deletion,Process/User,Deleted,File
 7 | 26,File Delete logged.,DS0022,File,File Deletion,Process/User,Deleted,File
 8 | 2,A process changed a file creation time,DS0022,File,File Modification,Process/User/File,Modified,File
 9 | 7,Image Loaded,DS0011,Module,Module Load,Process/User,Loaded,Module
10 | 18,PipeEvent (Pipe Connected),DS0023,Named Pipe,Named Pipe Connection,Process,Created,Named Pipe
11 | 17,PipeEvent (Pipe Created),DS0023,Named Pipe,Named Pipe Metadata,Process/User,Created,Pipe
12 | 17,PipeEvent (Pipe Created),DS0023,Named Pipe,Named Pipe Metadata,Process/User,Connected To,Pipe
13 | 18,PipeEvent (Pipe Connected),DS0023,Named Pipe,Named Pipe Metadata,Process/User,Connected To,Pipe
14 | 3,Network connection,DS0029,Network Traffic,Network Connection Creation,Process/User,Connected To/From,Ip/Port/Device
15 | 10,ProcessAccess,DS0009,Process,Process Access,Process,Accessed,Process
16 | 1,A new process has been created,DS0009,Process,Process Creation,Process/User,Created,Process
17 | 1,A new process has been created,DS0009,Process,Process Creation,Process/User,Executed,Process
18 | 30,EventID(30),DS0009,Process,Process Metadata,Process,Searched,Ldap
19 | 8,The CreateRemoteThread event detects when a process creates a thread in another process.,DS0009,Process,Process Modification,Process,Modified,Process
20 | 5,Process terminated,DS0009,Process,Process Termination,Process/User,Terminated,Process
21 | 4,Sysmon service state changed.,DS0019,Service,Service Metadata,Service,Stopped/Started,Service
22 | 12,RegistryEvent (Object create and delete),DS0024,Windows Registry,Windows Registry Key Creation,Process/User,Created,Registry
23 | 12,RegistryEvent (Object create and delete),DS0024,Windows Registry,Windows Registry Key Deletion,Process/User,Deleted,Registry
24 | 13,RegistryEvent (Value Set),DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,Registry
25 | 14,RegistryEvent (Key and Value Rename),DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,Registry
26 | 19,WmiEvent (WmiEventFilter activity detected).,DS0005,WMI,WMI Creation,User,Created,WMI Object
27 | 20,WmiEvent (WmiEventConsumer activity detected).,DS0005,WMI,WMI Creation,User,Created,WMI Object
28 | 19,WmiEvent (WmiEventFilter activity detected).,DS0005,WMI,WMI Deletion,User,Deleted,WMI Object
29 | 20,WmiEvent (WmiEventConsumer activity detected).,DS0005,WMI,WMI Deletion,User,Deleted,WMI Object
30 | 


--------------------------------------------------------------------------------
/docs/_static/js/ctid.js:
--------------------------------------------------------------------------------
 1 | const firstSection = document.querySelector("#main section:first-child");
 2 | const firstHeader = firstSection.querySelector("h1, h2, h3, h4, h5, h6");
 3 | 
 4 | /**
 5 |  * Add smooth scroll to page when user clicks on an anchor
 6 |  * This helps enable the active TOC highlight
 7 |  */
 8 | document.querySelectorAll('a[href^="#"]').forEach((anchor) => {
 9 |     anchor.addEventListener("click", function (e) {
10 |         e.preventDefault();
11 |         const href = this.getAttribute("href");
12 |         let el;
13 |         if (href === "#") {
14 |             // Sphinx does this annoying thing where the first TOC entry doesn't
15 |             // have the correct anchor, it's just #.
16 |             el = firstSection;
17 |         } else {
18 |             el = document.querySelector(this.getAttribute("href"));
19 |         }
20 |         el.scrollIntoView({ behavior: "smooth" });
21 |     });
22 | });
23 | 
24 | // Get all headings within the post content section
25 | const headings = document.querySelectorAll("section[id] h1, section[id] h2, section[id] h3, section[id] h4, section[id] h5, section[id] h6");
26 | const navLinks = document.querySelectorAll(".page-toc li a");
27 | 
28 | // Add an event listener listening for scroll
29 | if (navLinks.length > 0) {
30 |     window.addEventListener("scroll", navHighlighter);
31 | }
32 | 
33 | /**
34 |  * On scroll, determine the current heading that is closest to the top of the viewport (but still
35 |  * underneath the navbar) and make it active.
36 |  */
37 | function navHighlighter() {
38 |     // Get current scroll position
39 |     const targetY = + document.querySelector("header").offsetHeight;
40 | 
41 |     let closestEl = null;
42 |     let closestDist = 999999;
43 | 
44 |     // Find the closest heading that is in the viewport (if any).
45 |     for (const heading of headings) {
46 |         const rect = heading.getBoundingClientRect();
47 |         if (rect.top > window.innerHeight) {
48 |             // This element is off screen;
49 |             continue;
50 |         }
51 | 
52 |         // Look for the heading who's midpoint is closest to the target coordinate.
53 |         const yMidpoint = rect.top + rect.height / 2;
54 |         const dist = yMidpoint - targetY;
55 |         if (dist > 0 && dist < closestDist) {
56 |             closestDist = dist;
57 |             closestEl = heading;
58 |         }
59 |     }
60 | 
61 |     // If you found a heading and it matches a navlink, then make that navlink the
62 |     // current active link.
63 |     if (closestEl) {
64 |         let sectionId = closestEl.parentNode.id;
65 |         if (closestEl === firstHeader) {
66 |             // Sphinx does this annoying thing where the first TOC entry doesn't
67 |             // have the correct anchor, it's just #.
68 |             navLinks.forEach(nl => nl.classList.remove("active"));
69 |             navLinks[0].classList.add("active");
70 |         } else {
71 |             for (const navLink of navLinks) {
72 |                 if (navLink.hash === `#${sectionId}`) {
73 |                     navLinks.forEach(nl => nl.classList.remove("active"));
74 |                     navLink.classList.add("active");
75 |                     break;
76 |                 }
77 |             }
78 |         }
79 |     }
80 | }


--------------------------------------------------------------------------------
/docs/conf.py:
--------------------------------------------------------------------------------
 1 | # Configuration file for the Sphinx documentation builder.
 2 | #
 3 | # This file only contains a selection of the most common options. For a full
 4 | # list see the documentation:
 5 | # https://www.sphinx-doc.org/en/master/usage/configuration.html
 6 | 
 7 | # -- Path setup --------------------------------------------------------------
 8 | 
 9 | # If extensions (or modules to document with autodoc) are in another directory,
10 | # add these directories to sys.path here. If the directory is relative to the
11 | # documentation root, use os.path.abspath to make it absolute, like shown here.
12 | #
13 | # import os
14 | # import sys
15 | # sys.path.append("/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/sphinxcontrib/exceltable")
16 | # sys.path.insert(0, os.path.abspath('..'))
17 | from slugify import slugify
18 | 
19 | # -- Project information -----------------------------------------------------
20 | 
21 | project = "Sensor Mappings to ATT&CK"
22 | slug = slugify(project)
23 | googleanalytics_id = (
24 |     "G-YCNX6RGPWX"  # find google analytics id from old analytics_id variable
25 | )
26 | 
27 | author = "Center for Threat-Informed Defense"
28 | copyright_years = "2023"
29 | prs_numbers = "CT0089"
30 | 
31 | # The full version, including alpha/beta/rc tags
32 | version = "v1.0.0"
33 | release = version
34 | 
35 | 
36 | # -- General configuration ---------------------------------------------------
37 | 
38 | # Add any Sphinx extension module names here, as strings. They can be
39 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
40 | # ones.
41 | extensions = [
42 |     "sphinx_wagtail_theme",
43 | ]
44 | 
45 | # Add any paths that contain templates here, relative to this directory.
46 | templates_path = ["_templates"]
47 | 
48 | # List of patterns, relative to source directory, that match files and
49 | # directories to ignore when looking for source files.
50 | # This pattern also affects html_static_path and html_extra_path.
51 | exclude_patterns = ["_build", "Thumbs.db", ".DS_Store"]
52 | 
53 | # -- Options for HTML output -------------------------------------------------
54 | 
55 | # The theme to use for HTML and HTML Help pages.  See the documentation for
56 | # a list of builtin themes.
57 | #
58 | html_theme = "sphinx_wagtail_theme"
59 | html_static_path = ["_static"]
60 | html_extra_path = ["extra"]
61 | html_favicon = "_static/favicon.ico"
62 | html_logo = "_static/ctid_logo_white.png"
63 | html_css_files = [
64 |     "css/ctid.css",
65 |     "css/smap.css",
66 | ]
67 | html_js_files = [
68 |     "js/ctid.js",
69 | ]
70 | html_copy_source = False
71 | html_show_sourcelink = False
72 | html_show_sphinx = False
73 | html_use_smartypants = False
74 | html_context = {
75 |     "copyright_years": copyright_years,
76 |     "prs_numbers": prs_numbers,
77 |     "googleanalytics_id": googleanalytics_id,
78 | }
79 | 
80 | footer_links = [
81 |     [
82 |         "Measure Maximize And Mature Threat-Informed Defense (M3TID)",
83 |         "https://ctid.mitre.org/projects/measure-maximize-and-mature-threat-informed-defense-m3tid/",
84 |     ],
85 |     ["Summiting The Pyramid", "https://ctid.mitre.org/projects/summiting-the-pyramid/"],
86 |     ["Attack Flow", "https://ctid.mitre.org/projects/attack-flow/"],
87 | ]
88 | 
89 | html_theme_options = {
90 |     "logo": "ctid_logo_white.png",
91 |     "logo_alt": "The Center for Threat-Informed Defense",
92 |     "logo_width": 250,
93 |     "project_name": "Sensor Mappings To ATT&CK",
94 |     "footer_links": ",".join(
95 |         [f"{link[0]}|{link[1]}?utm_source={slug}" for link in footer_links]
96 |     ),
97 | }
98 | 


--------------------------------------------------------------------------------
/docs/methodology/step1.rst:
--------------------------------------------------------------------------------
 1 | Step 1:  Identify the Sensor's Events
 2 | =====================================
 3 | 
 4 | Sensors generate logs of real-time data that is indicative of a sequence of actions
 5 | conducted by the user of a computer or network. Typically, sensors can be broken out
 6 | into two categories:
 7 | 
 8 | **Host-based sensor data** is gathered from endpoints in the environment (e.g., Windows,
 9 | MacOS, Linux). Examples include:
10 | 
11 | - Windows Event Log
12 | - Sysmon
13 | - OSQuery
14 | - EDR Products (Carbon Black, Crowdstrike, Microsoft Defender ATP, etc.)
15 | - Services, Processes, Command-lines, Loaded Modules, DLLs
16 | - Files, Registry
17 | - Scheduled Tasks, Cron Jobs, Launch Agents
18 | - User Account, Hardware Info
19 | - Memory Data
20 | 
21 | **Network-based sensor data** is gathered from network communications. Examples include:
22 | 
23 |       - Firewall Logs
24 |       - Proxy Logs
25 |       - IDS/IPS Logs
26 |       - Netflow Data
27 |       - Bro/Zeek
28 |       - Packet Capture
29 | 
30 | One widely used host-based sensor is Windows Event Log (WEL). WEL logs events related to
31 | the system, security, and applications on a Windows operating system. These event logs
32 | can be used to track certain system and application issues and potentially forecast
33 | future problems. Defenders will utilize this tool to help track potential threats and
34 | problems potentially occurring within an organization's environment. The events store
35 | information in a standard format that allows for a clear understanding of the
36 | information collected (i.e., Log name, Event ID, Source, User, Computer, Event
37 | Data/Time, etc.)
38 | 
39 | These sensors or tools have user documentation for the security capabilities of each
40 | platform (e.g., security reference architectures, security benchmarks, security
41 | documentation of various services) and should be reviewed to understand event types
42 | offered by the platform for detecting workloads on the platform. This project focused on
43 | security event logs for data related to the cybersecurity of a computer system, such as
44 | failed and valid logins and file deletions. This user documentation was reviewed to
45 | develop the Events and Event IDs to be mapped for each sensor, including:
46 | 
47 | - `Windows Event Logs from Microsoft
48 |   <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing-faq>`_
49 | - `Ultimate Windows Security Encyclopedia
50 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx>`_
51 | - `Sysmon Event Logs <https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon>`_
52 | - `OSQuery Schema <https://www.osquery.io/schema/5.9.1/>`_
53 | - `Zeek Reference Documentation
54 |   <https://docs.zeek.org/en/master/script-reference/proto-analyzers.html#>`_
55 | - `CloudTrail Documentation <https://docs.aws.amazon.com/cloudtrail/>`_
56 | - `Auditd Linux man page <https://www.man7.org/linux/man-pages/man8/auditd.8.html>`_
57 | 
58 | When selecting events to map, the following considerations were used:
59 | 
60 | - The scope of the events consists of telemetry that can be collected by a sensor or
61 |   logging system which may collect information relevant to identifying the action being
62 |   performed by an adversary, sequence of actions, or the results of those actions.
63 | - The events are considered as native to the sensor and made available on the platform.
64 |   The intent is not to provide a mapping for all settings/features of individual
65 |   platform services. This is a non-trivial undertaking that may be explored at a later
66 |   time.
67 | 


--------------------------------------------------------------------------------
/docs/use_cases.rst:
--------------------------------------------------------------------------------
 1 | Use Cases
 2 | =========
 3 | 
 4 | Target Audience
 5 | ---------------
 6 | 
 7 | The existing communities of Sensors and ATT&CK users include many roles and
 8 | responsibilities associated with organizational detection processes and procedures.
 9 | These roles and responsibilities include:
10 | 
11 | Incident Response (IR) Professional
12 |     Responsibilities include response, management, coordination, and remediation
13 |     activities for cyber incidents such as malware infections, data theft, ransomware
14 |     encryption, denial of service, and control systems intrusions.
15 | 
16 | Chief Information Security Officer (CISO)
17 |     Responsibilities include carrying out information security policies, procedures, and
18 |     controls, and providing the primary interface between senior managers and
19 |     information system owners.
20 | 
21 | Information System Security Officer (ISSO)
22 |     Responsibilities include ensuring the appropriate operational security posture is
23 |     maintained for information systems or programs.
24 | 
25 | Security Operations Center (SOC) Analyst
26 |     Responsibilities include monitoring an organization's networks and systems to detect
27 |     threats and investigating potential security incidents.
28 | 
29 | Security Engineer (SE)
30 |     Responsibilities include developing and implementing security controls and solutions
31 |     to protect networks and systems from unauthorized access and attacks.
32 | 
33 | Usage
34 | -----
35 | 
36 | Understanding Current Visibility
37 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
38 | *What is my coverage for known adversary TTPs given my current tools?*
39 | 
40 | - Understand which techniques you have visibility into given current set of tools and capabilities.
41 | 
42 | .. image:: ./_static/sensors.png
43 | 
44 | Filling Defensive Gaps
45 | ^^^^^^^^^^^^^^^^^^^^^^
46 | *If I were to add Tool X, how does that coverage change?*
47 | 
48 | - Identify tools and capabilities to acquire or enable in order to fill gaps.
49 | 
50 | .. image:: ./_static/gaps.png
51 | 
52 | Find Potential Threats
53 | ^^^^^^^^^^^^^^^^^^^^^^
54 | *I'm concerned about a recent threat report. Can I see it if it were to happen in my
55 | environment and where do I look?*
56 | 
57 | - Determine which tools and capabilities to use to find adversary behaviors.
58 | 
59 | .. image:: ./_static/threats.png
60 | 
61 | User Stories
62 | ------------
63 | 
64 | This section describes user stories associated with organizational detection processes
65 | and procedures, based on the roles and usage identified above.
66 | 
67 | 1. As an IR, I want to ensure I have complete visibility of an active security incident.
68 | 
69 |    Use the mappings to take the observed adversary behaviors as described in ATT&CK to
70 |    understand current visibility of potential suspicious activities and tie in
71 |    actionable intelligence from CTI reporting.
72 | 
73 | 2. As a CISO or ISSO, I need to align defensive posture with the real-world threats
74 |    targeting my industry.
75 | 
76 |    Use the mappings to understand which of tools and capabilities provide visibility
77 |    into specific real-world adversary techniques and where gaps may lie.
78 | 
79 | 3. As a SOC Analyst, I need visibility into threats launched against my organization.
80 | 
81 |    Use the mappings for identified Data Sources associated with adversary techniques
82 |    used to identify areas to look for additional indicators of potential suspicious
83 |    activities.
84 | 
85 | 4. As an SE, I want to detect entire classes of adversarial behavior.
86 | 
87 |    Build in defensive countermeasures for specific adversary TTPs, using the mappings to
88 |    identify areas and fill in defensive coverage gaps by reconfiguring existing or
89 |    adding additional tools or capabilities.
90 | 


--------------------------------------------------------------------------------
/docs/methodology/step2.rst:
--------------------------------------------------------------------------------
 1 | Step 2: Definition Correlation
 2 | ===============================
 3 | 
 4 | What makes sensors useful to defenders is the meaning and context associated with the
 5 | event. For each identified event ID, consult the available documentation to understand
 6 | its capabilities. Gather specific facts about the event ID that will later help in
 7 | mapping the event to the set of ATT&CK Data Sources it is able to detect.
 8 | 
 9 | The most common way to bring context to the event is by applying the description and
10 | other types of metadata such as the Data Elements and Fields. Documented description,
11 | elements, and fields can help provide understanding of what the sensor is truly
12 | capturing, and it makes the mappings process more efficient.
13 | 
14 | Identify the Source of Data
15 | ---------------------------
16 | 
17 | Start with **identifying the source of data**. In a Windows environment, we can collect
18 | information pertaining to "Processes" from built-in event providers such as
19 | Microsoft-Windows-Security-Auditing and open third-party tools, including Sysmon.
20 | 
21 | Additional context on potential source of the data can be gained by considering:
22 | 
23 | - *Why were these security events generated in my environment? (Activity)*
24 | - *What operating system supports its generation? (Platform)*
25 | 
26 | For example, the documentation provided by Microsoft for Windows `Event ID 4688: A new
27 | process has been created
28 | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688>`_
29 | provides context for this event. By the event description, 4688 is generated every time
30 | a new process starts. The information provided by this event includes the user account
31 | that requested the creation of the process, and information of a process that executed a
32 | new process. This event also provides metadata that can help us to describe the data
33 | elements needed later on in Step 3 of this methodology.
34 | 
35 | .. image:: ../_static/msdn_4688_ex.png
36 |    :width: 600
37 | 
38 | - The action that triggered the generation of this event was the creation of a new
39 |   process (Activity).
40 | - This security event can be collected by using the built-in event logging application
41 |   for devices that work with the Windows operating system (Platform). Within a Windows
42 |   environment, it is typically known to have a "process" as a source of data.
43 | 
44 | Correlate to ATT&CK Data Component Definition
45 | ---------------------------------------------
46 | 
47 | To correlate with ATT&CK, the `Data Source <https://attack.mitre.org/datasources/>`_
48 | pages provide definitions for each individual Data Source.
49 | 
50 | .. image:: ../_static/attack_ex_pc.png
51 |    :width: 600
52 | 
53 | Note that the initial SMAP work was developed using ATT&CKv13.1. The mappings include
54 | some data components that are not represented in ATT&CKv13.1 and may not be represented
55 | in more recent versions of ATT&CK. The reason for this is that ATT&CK does not include 
56 | data components that do not currently have a relationship to a (sub-)technique. These 
57 | mapped data components are being tracked by the ATT&CK team and will be considered for 
58 | incorporation in future versions of ATT&CK as the overall ATT&CK catalog evolves.
59 | 
60 | For Process Creation, ATT&CK's definition is : **..the initial construction of an
61 | executable..**. Through key word review, it can be determined that this is the same as
62 | **..a process is created..** Therefore, event ID 4688 can be linked with this ATT&CK
63 | Data Component.
64 | 
65 | A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and
66 | WinEvtx 4696. The image below shows that the definitions all have some correlation with
67 | either starting or executing a process.
68 | 
69 | .. image:: ../_static/definitioncorrelation_ex.png
70 |    :width: 700
71 | 


--------------------------------------------------------------------------------
/docs/_templates/footer.html:
--------------------------------------------------------------------------------
  1 | <footer>
  2 |   {%- if (theme_prev_next_buttons_location == 'bottom' or
  3 |   theme_prev_next_buttons_location == 'both') and (next or prev) %} {#-
  4 |   Translators: This is an ARIA section label for the footer section of the page.
  5 |   -#}
  6 |   <div class="rst-footer-buttons" role="navigation" aria-label="{{ _('Footer') }}">
  7 |     {%- if prev %}
  8 |     <a href="{{ prev.link|e }}" class="btn btn-neutral float-left" title="{{ prev.title|striptags|e }}" accesskey="p"
  9 |       rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> {{
 10 |       _('Previous') }}</a>
 11 |     {%- endif %} {%- if next %}
 12 |     <a href="{{ next.link|e }}" class="btn btn-neutral float-right" title="{{ next.title|striptags|e }}" accesskey="n"
 13 |       rel="next">{{ _('Next') }}
 14 |       <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
 15 |     {%- endif %}
 16 |   </div>
 17 |   {%- endif %}
 18 | 
 19 |   <hr />
 20 | 
 21 |   <div role="contentinfo">
 22 |     {%- block contentinfo %}
 23 |     <div class="row">
 24 |       <div class="col-md-6">
 25 |         <h3>The Center for Threat-Informed Defense</h3>
 26 |         <p>
 27 |           The
 28 |           <a href="https://ctid.mitre.org/" target="_blank">Center
 29 |             for Threat-Informed Defense</a>
 30 |           is a non-profit, privately funded research and development
 31 |           organization. Our mission is to advance the state of the art and the
 32 |           state of the practice in threat-informed defense globally.
 33 |         </p>
 34 |         <div class="footer-row">
 35 |           {%- if theme_logo and theme_logo != 'None' %}
 36 |           <a href="https://ctid.mitre.org/" target="_blank" {% if
 37 |             theme_logo_alt %}title="{{ theme_logo_alt|e }}" {% endif %} class="logo navbar-brand">
 38 |             <img src="{{ pathto('_static/' + theme_logo, 1) }}" {%- if theme_logo_width %}
 39 |               width="{{ theme_logo_width|e }}" {% endif %} {%- if theme_logo_height %}
 40 |               height="{{ theme_logo_height|e }}" {% endif %} {%- if theme_logo_alt %} alt="{{ theme_logo_alt|e }}" {%
 41 |               endif %} {%- if theme_logo_title %} title="{{ theme_logo_title|e }}" {% endif %} class="logo-img" />
 42 |           </a>
 43 |           {% endif %}
 44 |           <div class="social-links">
 45 |             <a href="mailto:ctid@mitre.org" aria-label="email ctid"
 46 |               class="email">
 47 |               <i class="fas fa-2x fa-envelope"></i>
 48 |             </a>
 49 |             <a href="https://www.linkedin.com/showcase/center-for-threat-informed-defense/" target="blank"
 50 |               aria-label="ctid on linkedin" class="linkedin">
 51 |               <i class="fab fa-2x fa-linkedin"></i>
 52 |             </a>
 53 |             <a href="https://www.youtube.com/playlist?list=PLALq3Th79NnpUkRy8TUYVBKvysCp9xwNh" target="blank"
 54 |               class="youtube" aria-label="mitre ctid youtube">
 55 |               <i class="fab fa-2x fa-youtube"></i>
 56 |             </a>
 57 |             <a href="https://github.com/center-for-threat-informed-defense/" target="blank" class="github"
 58 |               aria-label="ctid github">
 59 |               <i class="fab fa-2x fa-github"></i>
 60 |             </a>
 61 |           </div>
 62 |         </div>
 63 |       </div>
 64 |       {% if theme_footer_links %}
 65 |       <div class="col-md-6">
 66 |         <h4>Related Sites</h4>
 67 |         <div class="external-links">
 68 |           {% for link in theme_footer_links.split(',') %} {% set
 69 |           link_text=link.split("|")[0] %} {% set link_url=link.split("|")[1] %}
 70 |           <a class="link" href="{{ link_url }}" target="_blank">{{ link_text }}</a>
 71 |           {% endfor %}
 72 |         </div>
 73 |         <p>
 74 |           {%- if show_copyright %} &#169; {{ copyright_years }} MITRE.
 75 |           Approved for public release. Document number(s) {{ prs_numbers }}. {%-
 76 |           endif %} {%- if build_id and build_url %}
 77 |           <span class="build">
 78 |             {#- Translators: Build is a noun, not a verb -#} {%- trans %}Build{%
 79 |             endtrans -%}
 80 |             <a href="{{ build_url }}">{{ build_id }}</a>.
 81 |           </span>
 82 |           {%- elif commit %}
 83 |           <span class="commit">
 84 |             {#- Translators: the phrase "revision" comes from Git, referring to
 85 |             a commit #} {%- trans %}Revision{% endtrans %}
 86 |             <code>{{ commit }}</code>.
 87 |           </span>
 88 |           {%- endif %} {%- if last_updated %}
 89 |           <span class="lastupdated">
 90 |             {%- trans last_updated=last_updated|e %}Last updated on {{
 91 |             last_updated }}.{% endtrans %}
 92 |           </span>
 93 |           {%- endif -%}
 94 |         </p>
 95 |         {% endif %}
 96 |       </div>
 97 |     </div>
 98 |     {%- endblock %}
 99 |   </div>
100 | 
101 |   {%- block extrafooter %} {% endblock %}
102 | </footer>
103 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | [![MITRE ATT&CK® 13.1](https://img.shields.io/badge/MITRE%20ATT%26CK®-v13-red)](https://attack.mitre.org/versions/v13/)
 2 | 
 3 | # Sensor Mappings to ATT&CK
 4 | 
 5 | Sensor Mappings to ATT&CK (SMAP) is a Center for Threat-Informed Defense (Center) project that
 6 | assists security operations teams and security leaders understand which tools, capabilities, and
 7 | events can help detect real-world adversary TTPs in their environments. SMAP builds on [MITRE ATT&CK®](https://attack.mitre.org/)
 8 | Data Sources by connecting the conceptual data source representions of information that can be collected
 9 | to concrete logs, sensors, and other security capabilities that provide that type of data. This work complements
10 | the Center's [Security Stack Mappings](https://github.com/center-for-threat-informed-defense/security-stack-mappings) project by allowing defenders to use both resources to understand their overall defensive coverage and make threat-informed decisions.
11 | 
12 | 
13 | **Table Of Contents:**
14 | 
15 | - [Getting Started](#getting-started)
16 | - [Getting Involved](#getting-involved)
17 | - [Questions and Feedback](#questions-and-feedback)
18 | - [How Do I Contribute?](#how-do-i-contribute)
19 | - [Notice](#notice)
20 | 
21 | ## Getting Started
22 | 
23 | To get started, read the project website. It provides an overview of the goals and
24 | methodologies, defines all the key terms, and contains detailed examples.
25 | 
26 | | Resource                                                                                                                                                                               | Description                                      |
27 | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
28 | | [Project Website](https://center-for-threat-informed-defense.github.io/sensor-mappings-to-attack/)                                                                                     | Documentation, methodology, use cases, examples. |
29 | | [Mappings Spreadsheet](https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack/blob/main/mappings/input/enterprise/xlsx/Sensor%20ID%20to%20Data%20Source.xlsx) | Complete list of Sensor Mappings.                |
30 | | [Navigator Layers](https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack/tree/main/mappings/layers/enterprise)                                               | ATT&CK Navigator views of the Sensor Mappings.   |
31 | | [STIX Bundles](https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack/tree/main/mappings/stix/enterprise)                                                     | Machine-readable list of Sensor Mappings.        |
32 | 
33 | The initial SMAP work was developed using ATT&CKv13.1. The mappings include some data 
34 | components that are not represented in ATT&CKv13.1 and may not be represented in more 
35 | recent versions of ATT&CK. The reason for this is that ATT&CK does not include data 
36 | components that do not currently have a relationship to a (sub-)technique. These 
37 | mapped data components are being tracked by the ATT&CK team and will be considered for 
38 | incorporation in future versions of ATT&CK as the overall ATT&CK catalog evolves.
39 | 
40 | ## Getting Involved
41 | 
42 | There are several ways that you can get involved with this project and help advance
43 | threat-informed defense.
44 | 
45 | Please review the mappings, use them, and tell us what you think. We welcome your review
46 | and feedback on the SMAP mappings, our methodology, and other resources.
47 | 
48 | We are interested developing additional tools and resources to help the community
49 | understand and make threat-informed decisions in their risk management programs. Share
50 | your ideas and we will consider them as we explore additional research projects.
51 | 
52 | ## Questions and Feedback
53 | 
54 | Please submit
55 | [issues](https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack/issues)
56 | for any technical questions/concerns or contact
57 | [ctid@mitre.org](mailto:ctid@mitre.org?subject=subject=Question%20about%20sensor-mappings-to-attack)
58 | directly for more general inquiries.
59 | 
60 | ## How Do I Contribute?
61 | 
62 | We welcome your feedback and contributions to help advance the Summiting project! Please
63 | see the [guidance for contributors](/CONTRIBUTING.md).
64 | 
65 | ## Notice
66 | 
67 | Copyright 2023 MITRE. Approved for public release. Document number CT0089.
68 | 
69 | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
70 | file except in compliance with the License. You may obtain a copy of the License at
71 | 
72 | http://www.apache.org/licenses/LICENSE-2.0
73 | 
74 | Unless required by applicable law or agreed to in writing, software distributed under
75 | the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
76 | KIND, either express or implied. See the License for the specific language governing
77 | permissions and limitations under the License.
78 | 
79 | This project makes use of MITRE ATT&CK®
80 | 
81 | [ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/)
82 | 


--------------------------------------------------------------------------------
/docs/example_technique_mappings/cloudtrail.rst:
--------------------------------------------------------------------------------
  1 | CloudTrail Example Scenarios
  2 | ============================
  3 | 
  4 | Both CloudTrail examples involve User Account data components. The first reviews the use
  5 | of User Account Modification to provide visibility into `Account Manipulation (T1098)
  6 | <https://attack.mitre.org/techniques/T1098>`__, while the second considers User Account
  7 | Metadata for detection of `Password Policy Discovery (T1201)
  8 | <https://attack.mitre.org/techniques/T1201>`__ behavior.
  9 | 
 10 | Account Manipulation (T1098)
 11 | ----------------------------
 12 | 
 13 | The following are the criteria considered for Account Manipulation (T1098). These were
 14 | directly taken by reviewing the definition of the technique.
 15 | 
 16 | .. image:: ../_static/cldtrlex1.png
 17 | 
 18 | **Looking at the event data, is this enough evidence to conclude that an account was
 19 | manipulated per T1098?** Most CloudTrail events are straightforward, and the associated
 20 | API call performs a User Account Modification that meets the criteria for concluding
 21 | that an Account Manipulation has occurred.
 22 | 
 23 | **TagUser:**
 24 | 
 25 | *Yes.* Careful attention was given to CloudTrail Roles, and related information. For
 26 | example, the “TagUser/UntagUser” API entry was examined to determine that the act of
 27 | Tagging/Untagging met the conditions to change (give or takeaway) access. One concept
 28 | that came up was to explore relevant sub-techniques, in case those could provide
 29 | additional insight in deciding if an event met the defined conditions:
 30 | 
 31 |   * `Additional Cloud Credentials (T1098.001)
 32 |     <https://attack.mitre.org/techniques/T1098/001/>`__
 33 |   * `Additional Cloud Roles (T1098.003)
 34 |     <https://attack.mitre.org/techniques/T1098/003/>`__
 35 | 
 36 | *References:*
 37 | 
 38 |   * `AWS Documentation - AddTags
 39 |     <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AddTags.html>`__
 40 | 
 41 | **UpdateUser:**
 42 | 
 43 | *Yes.* Another interesting event is UpdateUser. As an API call, it does not perform a
 44 | technical action that results in literal modification of concern (i.e., no access or
 45 | permissions for an IAM user is changed). It does not preserve adversary action in a
 46 | purely technical sense. HOWEVER: It does qualify because it could be used to “hide in
 47 | plain sight” The event is worth noting as potential evidence of (an unexpected) name
 48 | change.
 49 | 
 50 | *References:*
 51 | 
 52 | * `AWS Documentation - UpdateUser
 53 |   <https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html>`__
 54 | 
 55 | **UploadSigningCertificate:**
 56 | 
 57 | *Yes.* This provides the name of the IAM user the signing certificate is for and the
 58 | contents of the signing certificate. The elements provide information that can be used
 59 | to look for changes to account objects.
 60 | 
 61 | *References:*
 62 | 
 63 | * `AWS Documentation- UploadSigningCertificate
 64 |   <https://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadSigningCertificate.html>`__
 65 | * `AWS Documentation - SetSecurityTokenServicePreferences
 66 |   <https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetSecurityTokenServicePreferences.html>`__
 67 | 
 68 | Password Policy Discovery (T1201)
 69 | ---------------------------------
 70 | 
 71 | The following are the criteria considered for Password Policy Discovery (T1201). These
 72 | were directly taken by reviewing the definition of the technique.
 73 | 
 74 | .. image:: ../_static/cldtrlex2.png
 75 | 
 76 | **Looking at the event data, is this enough evidence to conclude that attempts were
 77 | being made to access detailed information about the password policy per technique
 78 | T1201?** This technique may be used by adversaries attempting to access/obtain detailed
 79 | password policy information. This policy information may aid the creation of password
 80 | lists for dictionary or brute force attacks.
 81 | 
 82 |  **CreatePolicyVersion:**
 83 | 
 84 | *No.* This contains details about IAM policy versions, but does not provide information
 85 | about attempts to access policy documents.
 86 | 
 87 | *References:*
 88 | 
 89 | * `AWS Documentation - CreatePolicyVersion
 90 |   <https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html>`__
 91 | 
 92 | **GetAccountPasswordPolicy:**
 93 | 
 94 | *Yes.* The description of T1201 references that “password policies can be discovered in
 95 | cloud environments using available APIs such as GetAccountPasswordPolicy in AWS.”
 96 | 
 97 | Select examples of User Account Metadata events:
 98 | 
 99 |    * AttachRolePolicy
100 |    * AttachUserPolicy
101 |    * CreatePolicy
102 |    * CreatePolicyVersion
103 |    * DeleteAccountPasswordPolicy
104 |    * DeletePolicyVersoin
105 |    * DeleteRolePolicy
106 |    * DeleteUserPolicy
107 |    * DetachUserPolicy
108 |    * DetachRolePolicy
109 |    * ChangePassword
110 |    * GenerateCredentialReport
111 |    * GetAccountPasswordPolicy
112 |    * ListAttachedRolePolicies
113 |    * ListEntitiesForPolicy
114 |    * ListPoliciesGrantingServiceAccess
115 | 
116 | *References:*
117 | 
118 | * `AWS Documentation - GetAccountPasswordPolicy
119 |   <https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html>`__
120 | 
121 | **GetLoginProfile:**
122 | 
123 | *No.* This contains information about IAM usernames and password creation dates, not
124 | actual passwords or password policy constructs.
125 | 
126 | *References:*
127 | 
128 | * `AWS Documentation - GetLoginProfile
129 |   <https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html>`__
130 | 


--------------------------------------------------------------------------------
/docs/overview.rst:
--------------------------------------------------------------------------------
 1 | Overview
 2 | ========
 3 | 
 4 | Cyber threat detection starts with understanding the data sources and sensors that can
 5 | be used to detect a given adversary tactic, technique, or procedure (TTP).
 6 | 
 7 | The Sensor Mappings to ATT&CK Project (SMAP) extends MITRE ATT&CK® Data Sources to map
 8 | out how sensors and tools provide visibility into specific adversary TTPs. This helps
 9 | cyber defenders understand whether their sensors and other security capabilities provide
10 | visibility into the adversary behaviors they care most about. And if they cannot provide
11 | visibility, then what should defenders do to change that? This information can be used
12 | to answer questions such as:
13 | 
14 | - What is my coverage for ATT&CK TTPs given my current tools?
15 | - If I were to add Tool X, how does that coverage change?
16 | - If I'm concerned about a recent threat report, how can I look for that threat in my
17 |   environment?
18 | 
19 | The initial SMAP work was developed using ATT&CKv13.1. The mappings include some data 
20 | components that are not represented in ATT&CKv13.1 and may not be represented in more 
21 | recent versions of ATT&CK. The reason for this is that ATT&CK does not include data 
22 | components that do not currently have a relationship to a (sub-)technique. These 
23 | mapped data components are being tracked by the ATT&CK team and will be considered for 
24 | incorporation in future versions of ATT&CK as the overall ATT&CK catalog evolves.
25 | 
26 | Background
27 | ----------
28 | 
29 | ATT&CK began bridging offensive actions with defensive countermeasures `in
30 | version 9.0 <https://medium.com/mitre-attack/attack-april-2021-release-39accaf23c81>`__.
31 | This goal was achieved by tagging each (sub-)technique with defensive-focused fields,
32 | such as what data to collect (Data Sources) and how to analyze that data in order to
33 | identify specific behaviors (Detections).
34 | 
35 | `ATT&CK's Data Sources <http://attack.mitre.org/datasources/>`_ usually fall into one of
36 | the following buckets:
37 | 
38 | - Granular basic system artifacts (e.g., process, file, registry)
39 | - Granular basic user activities (e.g., logon session)
40 | - Abstract types of system artifacts, with children as sub-types (e.g., scheduled jobs)
41 | - Associated network traffic (e.g., wmi and registry), in such cases, it's important to
42 |   capture the set of protocols that encompasses this traffic, so that users may
43 |   understand where they need to look in their logs/PCAPs/DPI appliances/etc.
44 | - Associated cloud (e.g. Instance, Container, Cloud Storage, Cloud Service)
45 | 
46 | ATT&CK Data Sources do not fully describe the specific events or sensors that provide
47 | visibility. This leaves the users with significant work to understand how their tools
48 | map to ATT&CK Data Sources and hinders automated reasoning. This project is intended to
49 | build on ATT&CK Data Sources, extending them to connect *conceptual* data sources to
50 | *concrete* sensors, logs, tools, and other security capabilities. This mapping allows
51 | the users of ATT&CK to go from a technique they're concerned about to capabilities they
52 | might have or could acquire to detect it.
53 | 
54 | Prior research into building on ATT&CK Data Objects has been undertaken by `The Open
55 | Source Security Events Metadata (OSSEM) <https://github.com/OTRF/OSSEM>`__ project and
56 | the Center's `Atomic Data Sources project
57 | <https://github.com/mitre-attack/attack-datasources>`__. OSSEM is a community-led
58 | project created by Roberto and Jose Rodriguez that provides security context telemetry
59 | of behaviors occurring in an environment and metadata describing relationships between
60 | security events and ATT&CK TTPs. Atomic Data Sources developed data source objects and
61 | context to help describe activity within a network and provided a proof-of-concept
62 | approach to mapping ATT&CK Data Sources to sensors.
63 | 
64 | STIX Representation and Mapping Tools
65 | -------------------------------------
66 | 
67 | To make the mapping between sensor events and ATT&CK easily accessible to defenders that
68 | use STIX, the mappings are also published in a machine-readable STIX 2 representation. A
69 | set of Python tools is provided to support data manipulation, including the creation of
70 | new mappings and the customization of existing mappings. A command line interface (CLI)
71 | tool is available for validation of mapping file syntax, ensuring conformity to the data
72 | format specification and accurate references of ATT&CK Data Sources. The CLI tool also
73 | supports the production of ATT&CK Navigator layers and Markdown Summary visualizations
74 | from mapping files. Users can refine and extend the mappings for their needs and build a
75 | local copy of the SMAP artifacts using the scripts in this repository.
76 | 
77 | Get Involved
78 | ------------
79 | 
80 | The mapping between ATT&CK Data Sources and concrete sensors allows cyber defenders to
81 | create a more detailed picture of cyber incidents, including the threat actor, technical
82 | behavior, telemetry collection, and impact. These improvements can be used to develop
83 | better predictions and insights into how we might be attacked in the future by better
84 | understanding of how and why were attacked in the past.
85 | 
86 | We encourage you to review the mappings, use them, and tell us what you think. Please
87 | see the guidance for contributors if you are interested in `contributing
88 | <https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack/blob/main/CONTRIBUTING.md>`_.
89 | You are also welcome to submit issues for any technical questions/concerns or contact
90 | `ctid@mitre.org <mailto:ctid@mitre.org>`_ directly for more general
91 | inquiries.
92 | 


--------------------------------------------------------------------------------
/docs/levels/mapping_sysmon.rst:
--------------------------------------------------------------------------------
  1 | Sysmon
  2 | ======
  3 | 
  4 | Browse the Sysmon mappings on this page, download the mappings (in CSV/STIX format), or
  5 | visualize the sensor coverage in ATT&CK Navigator.
  6 | 
  7 | .. raw:: html
  8 | 
  9 |     <p>
 10 |         <a class="btn btn-primary" target="_blank" href="../../csv/Sysmon-sensors-mappings-enterprise.csv">
 11 |         <i class="fa fa-table"></i> Download CSV</a>
 12 | 
 13 |         <a class="btn btn-primary" target="_blank" href="../../stix/Sysmon-mappings-enterprise.json">
 14 |         <i class="fa fa-file-excel-o"></i> Download STIX</a>
 15 | 
 16 |         <a class="btn btn-primary" target="_blank" href="https://mitre-attack.github.io/attack-navigator/#layerURL=https://center-for-threat-informed-defense.github.io/sensor-mappings-to-attack/navigator/Sysmon-heatmap.json">
 17 |         <i class="fa fa-map-signs"></i> Open in ATT&CK Navigator</a>
 18 |     </p>
 19 | 
 20 | .. MAPPINGS_TABLE Generated at: 2025-03-20T10:08:37.277616Z
 21 | 
 22 | Enterprise
 23 | ----------
 24 | 
 25 | .. list-table::
 26 |   :widths: 50 50
 27 |   :header-rows: 1
 28 | 
 29 |   * - EVENT
 30 |     - ATT&CK MAPPING
 31 | 
 32 |   * - | **1**
 33 |       |
 34 |       | A new process has been created
 35 |     - | **Data Source:** Process
 36 |       | **Data Component:** Process Creation
 37 | 
 38 |   * - | **2**
 39 |       |
 40 |       | A process changed a file creation time
 41 |     - | **Data Source:** File
 42 |       | **Data Component:** File Modification
 43 | 
 44 |   * - | **3**
 45 |       |
 46 |       | Network connection
 47 |     - | **Data Source:** Network Traffic
 48 |       | **Data Component:** Network Connection Creation
 49 | 
 50 |   * - | **4**
 51 |       |
 52 |       | Sysmon service state changed.
 53 |     - | **Data Source:** Service
 54 |       | **Data Component:** Service Metadata
 55 | 
 56 |   * - | **5**
 57 |       |
 58 |       | Process terminated
 59 |     - | **Data Source:** Process
 60 |       | **Data Component:** Process Termination
 61 | 
 62 |   * - | **6**
 63 |       |
 64 |       | Driver loaded
 65 |     - | **Data Source:** Driver
 66 |       | **Data Component:** Driver Load
 67 | 
 68 |   * - | **7**
 69 |       |
 70 |       | Image Loaded
 71 |     - | **Data Source:** Module
 72 |       | **Data Component:** Module Load
 73 | 
 74 |   * - | **8**
 75 |       |
 76 |       | The CreateRemoteThread event detects when a process creates a thread in another process.
 77 |     - | **Data Source:** Process
 78 |       | **Data Component:** Process Modification
 79 | 
 80 |   * - | **9**
 81 |       |
 82 |       | The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation
 83 |     - | **Data Source:** File
 84 |       | **Data Component:** File Access
 85 | 
 86 |   * - | **10**
 87 |       |
 88 |       | ProcessAccess
 89 |     - | **Data Source:** Process
 90 |       | **Data Component:** Process Access
 91 | 
 92 |   * - | **11**
 93 |       |
 94 |       | FileCreate
 95 |     - | **Data Source:** File
 96 |       | **Data Component:** File Creation
 97 | 
 98 |   * - | **12**
 99 |       |
100 |       | RegistryEvent (Object create and delete)
101 |     - | **Data Source:** Windows Registry
102 |       | **Data Component:** Windows Registry Key Creation
103 | 
104 |   * - | **12**
105 |       |
106 |       | RegistryEvent (Object create and delete)
107 |     - | **Data Source:** Windows Registry
108 |       | **Data Component:** Windows Registry Key Deletion
109 | 
110 |   * - | **13**
111 |       |
112 |       | RegistryEvent (Value Set)
113 |     - | **Data Source:** Windows Registry
114 |       | **Data Component:** Windows Registry Key Modification
115 | 
116 |   * - | **14**
117 |       |
118 |       | RegistryEvent (Key and Value Rename)
119 |     - | **Data Source:** Windows Registry
120 |       | **Data Component:** Windows Registry Key Modification
121 | 
122 |   * - | **15**
123 |       |
124 |       | FileCreateStreamHash
125 |     - | **Data Source:** File
126 |       | **Data Component:** File Creation
127 | 
128 |   * - | **17**
129 |       |
130 |       | PipeEvent (Pipe Created)
131 |     - | **Data Source:** Named Pipe
132 |       | **Data Component:** Named Pipe Metadata
133 | 
134 |   * - | **18**
135 |       |
136 |       | PipeEvent (Pipe Connected)
137 |     - | **Data Source:** Named Pipe
138 |       | **Data Component:** Named Pipe Connection
139 | 
140 |   * - | **18**
141 |       |
142 |       | PipeEvent (Pipe Connected)
143 |     - | **Data Source:** Named Pipe
144 |       | **Data Component:** Named Pipe Metadata
145 | 
146 |   * - | **19**
147 |       |
148 |       | WmiEvent (WmiEventFilter activity detected).
149 |     - | **Data Source:** WMI
150 |       | **Data Component:** WMI Creation
151 | 
152 |   * - | **19**
153 |       |
154 |       | WmiEvent (WmiEventFilter activity detected).
155 |     - | **Data Source:** WMI
156 |       | **Data Component:** WMI Deletion
157 | 
158 |   * - | **20**
159 |       |
160 |       | WmiEvent (WmiEventConsumer activity detected).
161 |     - | **Data Source:** WMI
162 |       | **Data Component:** WMI Creation
163 | 
164 |   * - | **20**
165 |       |
166 |       | WmiEvent (WmiEventConsumer activity detected).
167 |     - | **Data Source:** WMI
168 |       | **Data Component:** WMI Deletion
169 | 
170 |   * - | **23**
171 |       |
172 |       | FileDelete
173 |     - | **Data Source:** File
174 |       | **Data Component:** File Deletion
175 | 
176 |   * - | **26**
177 |       |
178 |       | File Delete logged.
179 |     - | **Data Source:** File
180 |       | **Data Component:** File Deletion
181 | 
182 |   * - | **30**
183 |       |
184 |       | EventID(30)
185 |     - | **Data Source:** Process
186 |       | **Data Component:** Process Metadata
187 | .. /MAPPINGS_TABLE
188 | 


--------------------------------------------------------------------------------
/src/util/create_mappings.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import csv
  3 | import json
  4 | from pathlib import Path
  5 | 
  6 | import pandas as pd
  7 | 
  8 | 
  9 | def standardize(sheet, *columns_to_exclude):
 10 |     """Helper method to standardize columns used for STIX data."""
 11 |     skip = ["Worksheet Name", "Event Description", "Event ID"] + list(*columns_to_exclude)
 12 | 
 13 |     for idx, row in sheet.iterrows():
 14 |         # Pandas does not have a good way to select only string values in a column, so we iterate by row to do our replacements.
 15 |         for col in sheet.columns:
 16 |             if pd.isna(row[col]):
 17 |                 continue
 18 |             elif isinstance(row[col], str):
 19 |                 sheet.loc[idx, col] = sheet.loc[idx, col].strip()
 20 |                 if col in skip:
 21 |                     # Only strip out the whitespace from this column, iff row[col] is a string
 22 |                     continue
 23 |                 else:
 24 |                     # Match case
 25 |                     sheet.loc[idx, col] = sheet.loc[idx, col].replace(" ", "_")
 26 |                     sheet.loc[idx, col] = sheet.loc[idx, col].lower()
 27 |             # Skip non-string rows
 28 |     sheet.drop_duplicates(inplace=True, ignore_index=True)
 29 |     # After dropping duplicates, revert changes
 30 |     for idx, row in sheet.iterrows():
 31 |         for col in sheet.columns:
 32 |             if pd.isna(row[col]):
 33 |                 continue
 34 |             elif isinstance(row[col], str):
 35 |                 if col in skip:
 36 |                     continue
 37 |                 else:
 38 |                     sheet.loc[idx, col] = sheet.loc[idx, col].replace("_", " ")
 39 |                     sheet.loc[idx, col] = sheet.loc[idx, col].title()
 40 |                     sheet.loc[idx, col] = sheet.loc[idx, col].replace("Wmi", "WMI")
 41 |             # Skip non-string rows
 42 | 
 43 | 
 44 | def get_sheets(spreadsheet_location, config_location):
 45 |     """Helper method to separate combined Excel sheet into individual Dataframes"""
 46 |     with config_location.open("r", encoding="utf-8") as f:
 47 |         config = json.load(f)
 48 |         version = config["attack_version"]
 49 | 
 50 |     df = pd.read_excel(spreadsheet_location, sheet_name="Combined Events", usecols="A,C:I")
 51 |     standardize(df)
 52 | 
 53 |     # Merge in the Data Source ID's from the ATT&CK Data Source CSV
 54 |     datasource_csv_location = spreadsheet_location.parent.parent.parent
 55 |     data_source_ids = pd.read_csv(Path(datasource_csv_location, f"enterprise-attack-v{version}-datasources.csv"), usecols=[0, 1])
 56 | 
 57 |     df = df.merge(data_source_ids, how="left", left_on="Data Source", right_on="name")
 58 |     df.drop(columns=["name"], inplace=True)
 59 |     df.rename(columns={"ID":"Data Source ID"}, inplace=True)
 60 |     df = df[['Worksheet Name', 'Data Source', 'Data Source ID', 'Data Component', 'Event Description',
 61 |         'Event ID', 'Source', 'Relationship', 'Target']]
 62 |     df["Data Source ID"] = df["Data Source ID"].apply(lambda n: -1 if pd.isna(n) else n)
 63 |     # Where a value of `-1` indicates that this is a new ATT&CK Data Source
 64 | 
 65 |     worksheet_names = df["Worksheet Name"].dropna().unique()
 66 |     sheets = []
 67 |     for _worksheet in worksheet_names:
 68 |         _df = df[df["Worksheet Name"] == _worksheet].reset_index(drop=True)
 69 |         sheets.append((_df, _worksheet))
 70 |     return sheets
 71 | 
 72 | 
 73 | def generate_csv_spreadsheet(sheets, mappings_location):
 74 |     """Reads the main XSLX mappings file and creates a spreadsheet for the mappings in CSV"""
 75 |     if not mappings_location.exists():
 76 |         mappings_location.mkdir(parents=True)
 77 | 
 78 |     for sheet, name in sheets:
 79 |         with mappings_location.joinpath(f"{name}-sensors-mappings-enterprise.csv").open('w', newline='', encoding='utf-8') as csvfile:
 80 |             fieldnames = ['EVENT ID', 'EVENT DESCRIPTION', 'ATT&CK DATA SOURCE ID', 'ATT&CK DATA SOURCE', 'ATT&CK DATA COMPONENT', 'SOURCE', 'RELATIONSHIP', 'TARGET']
 81 |             dataframe_fields = ['Event ID', 'Event Description', 'Data Source ID', 'Data Source', 'Data Component', 'Source', 'Relationship', 'Target']
 82 | 
 83 |             writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
 84 |             writer.writeheader()
 85 | 
 86 |             for idx, row in sheet.iterrows():
 87 |                 is_mapped = (pd.notna(row["Data Source"])) and (pd.notna(row["Data Component"])) and (pd.notna(row["Relationship"]))
 88 |                 if not is_mapped:
 89 |                     # Skip this row
 90 |                     continue
 91 |                 csv_row = {}
 92 |                 for i in range(len(fieldnames)):
 93 |                     if pd.isna(row[dataframe_fields[i]]):
 94 |                         csv_row[fieldnames[i]] = None
 95 |                     else:
 96 |                         csv_row[fieldnames[i]] = row[dataframe_fields[i]]
 97 |                 writer.writerow(csv_row)
 98 |                 # Skip any rows without mappable fields
 99 | 
100 | 
101 | def _parse_args():
102 |     ROOT_DIR = Path(__file__).parent.parent.parent
103 | 
104 |     parser = argparse.ArgumentParser(description="Create mappings from sensors data")
105 |     parser.add_argument("-config_location",
106 |                         dest="config_location",
107 |                         help="filepath to the configuration for the framework",
108 |                         type=Path,
109 |                         default=Path(ROOT_DIR, "mappings", "input", "config.json"))
110 |     parser.add_argument("-spreadsheet_location",
111 |                         dest="spreadsheet_location",
112 |                         help="filepath to the Excel spreadsheet for the mappings",
113 |                         type=Path,
114 |                         default=Path(ROOT_DIR, "mappings", "input",
115 |                             "enterprise", "xlsx", "Sensor ID to Data Source to API v2.xlsx"))
116 |     parser.add_argument("-mappings_location",
117 |                         dest="mappings_location",
118 |                         help="filepath to the folder to write CSV spreadsheets",
119 |                         type=Path,
120 |                         default=Path(ROOT_DIR, "mappings", "input",
121 |                             "enterprise", "csv"))
122 |     return parser.parse_args()
123 | 
124 | 
125 | def main():
126 |     args = _parse_args()
127 |     sheets = get_sheets(args.spreadsheet_location, args.config_location)
128 |     generate_csv_spreadsheet(sheets, args.mappings_location)
129 | 
130 | 
131 | if __name__ == '__main__':
132 |     main()
133 | 
134 | 


--------------------------------------------------------------------------------
/docs/_templates/layout.html:
--------------------------------------------------------------------------------
  1 | {%- set url_root = pathto('', 1) -%} {%- if url_root == '#' %}{% set url_root =
  2 | '' %}{% endif -%} {%- if not embedded and docstitle %} {%- set titlesuffix = "
  3 | &mdash; "|safe + docstitle|e -%} {%- else %} {%- set titlesuffix = "" -%} {%-
  4 | endif -%} {%- set hidetoc = '' %} {%- if meta is defined and meta %} {%- if
  5 | 'hidetoc' in meta.keys() %} {%- set hidetoc = meta.get('hidetoc') %} {%- endif
  6 | %} {%- endif %} {%- set sphinx_version_info = sphinx_version.split('.') |
  7 | map('int') | list -%}
  8 | <!DOCTYPE html>
  9 | <html class="no-js" {% if language is not none %}lang="{{ language }}" {% endif %}
 10 |   data-content_root="{{ content_root }}">
 11 | 
 12 | <head>
 13 |   <meta charset="utf-8" />
 14 |   {%- if metatags %} {{ metatags }} {%- endif %}
 15 |   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 16 |   {% block htmltitle %}
 17 |   <title>{{ title|striptags|e }}{{ titlesuffix }}</title>
 18 |   {% endblock %} {%- if favicon_url %}
 19 |   <link rel="shortcut icon" href="{{ favicon_url }}" />
 20 |   {%- endif %} {#- Include our own stylesheets -#} {%- if
 21 |   sphinx_version_info[0]
 22 |   < 4 %} <link rel="stylesheet" type="text/css" href="{{ pathto('_static/' + style, 1) }}" />
 23 |   {%- endif %}
 24 |   <link href="//fonts.googleapis.com/css2?family=Oswald:wght@200..700&display=swap" rel="stylesheet" />
 25 | 
 26 |   <link rel="stylesheet" type="text/css" href="{{ pathto('_static/dist/fontawesome.css', 1) }}" />
 27 |   {#- Include stylesheets from sphinx (e.g. user custom css #} {%- for css in
 28 |   css_files %} {#- Block pygments css; we are manually including ours in
 29 |   theme.css instead #} {%- if css not in ["_static/pygments.css"] %} {%- if
 30 |   css|attr("filename") %} {{ css_tag(css) }} {%- else %}
 31 |   <link rel="stylesheet" href="{{ pathto(css, 1)|e }}" type="text/css" />
 32 |   {%- endif %} {%- endif %} {%- endfor %} {%- block linktags %} {%- if
 33 |   hasdoc('about') %}
 34 |   <link rel="author" title="{{ _('About these documents') }}" href="{{ pathto('about') }}" />
 35 |   {%- endif %} {%- if hasdoc('genindex') %}
 36 |   <link rel="index" title="{{ _('Index') }}" href="{{ pathto('genindex') }}" />
 37 |   {%- endif %} {%- if hasdoc('search') %}
 38 |   <link rel="search" title="{{ _('Search') }}" href="{{ pathto('search') }}" />
 39 |   {%- endif %} {%- if hasdoc('copyright') %}
 40 |   <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}" />
 41 |   {%- endif %}
 42 |   <link rel="top" title="{{ docstitle|e }}" href="{{ pathto(pagename) }}" />
 43 |   {%- if parents %}
 44 |   <link rel="up" title="{{ parents[-1].title|striptags|e }}" href="{{ parents[-1].link|e }}" />
 45 |   {%- endif %} {%- if next %}
 46 |   <link rel="next" title="{{ next.title|striptags|e }}" href="{{ next.link|e }}" />
 47 |   {%- endif %} {%- if prev %}
 48 |   <link rel="prev" title="{{ prev.title|striptags|e }}" href="{{ prev.link|e }}" />
 49 |   {%- endif %} {% endblock -%} {%- block extrahead %}{% endblock -%}
 50 | </head>
 51 | 
 52 | <body>
 53 |   <script type="text/javascript" src="{{ pathto('_static/dist/blocking.js', 1) }}"></script>
 54 |   {%- include "header.html" %}
 55 |   <div class="container-fluid container">
 56 |     <div class="row">
 57 |       <aside class="col-12 col-lg-3 sidebar-container">
 58 |         <div id="collapseSidebar" class="collapse sticky-top d-lg-block pt-5 pr-lg-2">
 59 |           {%- for sidebartemplate in sidebars %} {%- include sidebartemplate
 60 |           %} {%- endfor %}
 61 |           <div class="d-lg-none border-bottom">
 62 |             {# Bottom border for mobile (above content, needs to be expanded.)
 63 |             #}
 64 |           </div>
 65 |         </div>
 66 |       </aside>
 67 |       <div class="col-12 col-lg-9 pt-5">
 68 |         <header class="row align-items-baseline">
 69 |           <div class="col">{% include "breadcrumbs.html" %}</div>
 70 |           <div class="col-sm-12 col-lg-auto mt-3 mt-lg-3">
 71 |             <noscript>
 72 |               <p>
 73 |                 {{ _('JavaScript is required to toggle light/dark mode.') }}.
 74 |               </p>
 75 |             </noscript>
 76 |             <button id="wagtail-theme" class="btn btn-sm btn-light text-decoration-none" type="button">
 77 |               <span class="dark-only"><i class="fas fa-sun"></i> {{ _('Light mode') }}</span>
 78 |               <span class="light-only"><i class="fas fa-moon"></i> {{ _('Dark mode') }}</span>
 79 |             </button>
 80 |             {%- if pagename != "search" -%} {% include "source-buttons.html"
 81 |             %} {% endif %}
 82 |           </div>
 83 |         </header>
 84 |         <div class="row">
 85 |           <div class="col-12">
 86 |             <hr class="w-100 my-4" />
 87 |           </div>
 88 |         </div>
 89 |         <div class="row">
 90 |           <div class="col-12 col-lg-9 order-last order-lg-first rst-content">
 91 |             <main role="main" id="main">
 92 |               {%- block body %} {% endblock -%}
 93 |             </main>
 94 |             {% include "pager.html" %}
 95 |           </div>
 96 |           {% if display_toc and not hidetoc %}
 97 |           <nav class="col-12 col-lg-3 pb-4 d-none d-lg-block">
 98 |             <div class="sticky-top toc page-toc" aria-labelledby="page-toc-heading">
 99 |               <p class="font-weight-bold" id="page-toc-heading">
100 |                 On This Page
101 |               </p>
102 |               {{ toc }}
103 |             </div>
104 |           </nav>
105 |           {% endif %}
106 |         </div>
107 |       </div>
108 |     </div>
109 |   </div>
110 |   <footer class="container-fluid bg-primary text-light">
111 |     <div class="container">{% include "footer.html" %}</div>
112 |   </footer>
113 | 
114 |   {%- if not embedded %} {#- Sphinx >=1.8.0 has this as an external js file.
115 |   Sphinx 4.0 includes in in script_files #} {%- if sphinx_version_info[0] < 4 %} <script id="documentation_options"
116 |     data-url_root="{{ url_root }}" src="{{ pathto('_static/documentation_options.js', 1) }}">
117 |     </script>
118 |     {%- endif -%} {%- for scriptfile in script_files %} {{ js_tag(scriptfile) }}
119 |     {%- endfor %}
120 |     <script type="text/javascript" src="{{ pathto('_static/dist/theme.js', 1) }}"></script>
121 |     <script type="text/javascript" src="{{ pathto('_static/dist/vendor.js', 1) }}"></script>
122 |     {%- endif %} {%- block search %}
123 |     <script type="text/javascript" src="{{ pathto('_static/searchtools.js', 1) }}"></script>
124 |     <script type="text/javascript" src="{{ pathto('_static/language_data.js', 1) }}"></script>
125 |     <script type="text/javascript">
126 |       document.addEventListener("DOMContentLoaded", function () {
127 |         Search.loadIndex("{{ pathto('searchindex.js', 1) }}");
128 |       });
129 |     </script>
130 |     <script type="text/javascript" id="searchindexloader"></script>
131 |     {% endblock -%} {%- block scripts2 %}{% endblock -%} {%- block footer %}{%
132 |     endblock -%} {%- block footer2 %}{% endblock -%}
133 |     {% if googleanalytics_id %}
134 |     <!-- google analytics information -->
135 |     <script async="" src="https://www.googletagmanager.com/gtag/js?id={{googleanalytics_id}}"></script>
136 |     <script>
137 |       window.dataLayer = window.dataLayer || [];
138 |       function gtag() { dataLayer.push(arguments); }
139 |       gtag('js', new Date());
140 |       gtag('config', '{{googleanalytics_id}}', {
141 |         'anonymize_ip': false,
142 |       });
143 |     </script>
144 |     {% endif %}
145 | </body>
146 | 
147 | </html>
148 | 


--------------------------------------------------------------------------------
/src/util/README.md:
--------------------------------------------------------------------------------
 1 | # Utility Scripts
 2 | Contains scripts used to create auxiliary data for mappings and validating mappings.
 3 | 
 4 | | Script                                   | Purpose                                                                                                                                                                                                                               |
 5 | | :--------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 6 | | [create_mappings.py](#create_mappingspy) | From the master excel spreadsheet, generate CSVs for sensor data mappings to be used with the parsing tool.                                                                                                                           |
 7 | | [create_heatmaps.py](#create_heatmapspy) | Enables visualization of the sensor mappings in the ATT&CK Matrix. Builds ATT&CK Navigator heatmap layers from mappings_location. These layers can also be found in the `layers` folder of the attack type in the stix output folder. |
 8 | | [stix_schemas.py](#stix_schemaspy)       | Schema definition file.                                                                                                                                                                                                               |
 9 | | [cli_validator.py](#cli_validatorpy)     | Validates mappings to ensure bundles are packaged properly with all necessary objects                                                                                                                                                 |
10 | | [generate_docs.py](#generate_docspy)     | Create mapping tables in Sphinx pages from CSV files generated from (#create_mappingspy)                                                                                                                                              |
11 | 
12 | ## create_mappings.py
13 | ### Description
14 | From the master excel spreadsheet, separate data by sensor, standardize it and generate CSVs. These will be used to generate STIX data.
15 | ### Use
16 | | Argument             | Description                                              | Default Value                                                                   |
17 | | :------------------- | :------------------------------------------------------- | :------------------------------------------------------------------------------ |
18 | | config_location      | filepath to the configuration for the framework          | `../../mappings/input/config.json`                                              |
19 | | spreadsheet_location | filepath to the Excel spreadsheet for the mappings       | `../../mappings/input/enterprise/xlsx/Sensor ID to Data Source to API v2.xlsx`  |
20 | | mappings_location    | filepath to the folder to write CSV spreadsheets         | `../../mappings/input/enterprise/csv`                                           |
21 | 
22 | Use with default arguments
23 | ```
24 | python create_mappings.py
25 | ```
26 | 
27 | 
28 | ## create_heatmaps.py
29 | ### Description
30 | Enables visualization of the sensor mappings in the ATT&CK Matrix. The script builds ATT&CK Navigator heatmap layers from the mappings_location folder. These layers can also be found in the `layers` folder of the attack domain in the stix output folder.
31 | ### Use
32 | | Argument          | Description                                                                                             | Default Value                     |
33 | | :--------------   | :------------------------------------------------------------------------------------------------------ | :-------------------------------- |
34 | | mappings_location | filepath to the STIX Bundle mappings folder                                                             | `../../mappings/stix/enterprise`  |
35 | | domain            | the domain of ATT&CK to visualize (options: enterprise-attack, ics-attack, mobile-attack)               | enterprise-attack                 |
36 | | output            | folder to write output layers to                                                                        | `../../mappings/stix/layers`      |
37 | | version           | which ATT&CK version to use                                                                             | 13.1                              |
38 | | clear             | if flag is specified, will remove the contents of the output folder before writing layers               | N/A                               |
39 | | map_subtechniques | if flag is specified, will map down to sub-techniques                                                   | N/A                               |
40 | 
41 | 
42 | To build layers from project root:
43 | ```
44 | $ python src/util/create_heatmaps.py -clear -domain enterprise-attack \
45 |     -mappings_location mappings/stix/enterprise
46 | ```
47 | 
48 | ## stix_schemas.py
49 | ### Description
50 | Defines schemas for the cli_validator tool using the [schema library](https://github.com/keleshev/schema).
51 | 
52 | 
53 | ## cli_validator.py
54 | ### Description
55 | The mapping CLI tool provides functionality to validate STIX bundles generated by `parse/generate_stix.py` script. Validity is defined as:
56 | - Containing valid timestamps that follow the format in STIX
57 | - Follows its object schema in `stix_schemas.py`
58 | - "Bundle completeness" to ensure there aren't any missing objects
59 |     - Check if a sensor mapping entry references a newly created Data Source
60 |         - Make sure the STIX entry for this newly created Data Source is present in the bundle
61 |     - Check if a sensor mapping entry references a newly created Data Component
62 |         - If the Data Component is not present in the bundle, check in the ATT&CK dataset
63 |     - Check that the SRO between these two STIX objects
64 |         - If it is not present in the bundle, check if it has already been defined in the ATT&CK dataset
65 | 
66 | ### Use
67 | | Argument             | Description                                                                           | Default Value                            |
68 | | :------------------- | :------------------------------------------------------------------------------------ | :--------------------------------------- |
69 | | attack_domain        | attack domain of the mappings (options: enterprise-attack, ics-attack, mobile-attack) | enterprise-attack                        |
70 | | config_location      | filepath to the configuration for the framework                                       | `../../mappings/input/config.json`       |
71 | | mappings_location    | filepath to folder of STIX bundle mappings                                            | `../../mappings/input/enterprise/csv`    |
72 | | groups               | flag for if mappings to group objects                                                 | N/A                                      |
73 | 
74 | 
75 | ## generate_docs.py
76 | ### Description
77 | A script to update website mapping tables from the CSVs generated by (#create_mappingspy)
78 | 
79 | ### Use
80 | | Argument             | Description                               | Default Value            |
81 | | :------------------- | :---------------------------------------- | :----------------------- |
82 | | docs_location        | filepath to documentation files to edit   | `../../docs/levels/`     |
83 | | mappings_location    | filepath to mapping files directory       | `../../mappings/input/`  |
84 | 


--------------------------------------------------------------------------------
/src/util/generate_docs.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import csv
  3 | from datetime import datetime
  4 | import os
  5 | from pathlib import Path
  6 | import re
  7 | 
  8 | 
  9 | def insert_docs(old_doc, doc_lines, tag):
 10 |     start_tag = re.compile(r"\.\. " + tag)
 11 |     end_tag = re.compile(r"\.\. /" + tag)
 12 |     output = list()
 13 | 
 14 |     for line in old_doc:
 15 |         if start_tag.search(line):
 16 |             break
 17 |         output.append(line.rstrip("\n"))
 18 |     else:
 19 |         raise RuntimeError("Did not find start tag")
 20 | 
 21 |     now = datetime.now().isoformat()
 22 |     output.append(f".. {tag} Generated at: {now}Z")
 23 |     output.extend(doc_lines)
 24 |     output.append(f".. /{tag}")
 25 | 
 26 |     for line in old_doc:
 27 |         if end_tag.search(line):
 28 |             break
 29 |     else:
 30 |         raise RuntimeError("Did not find end tag")
 31 | 
 32 |     for line in old_doc:
 33 |         output.append(line.rstrip("\n"))
 34 | 
 35 |     return "\n".join(output)
 36 | 
 37 | 
 38 | def write_doc_files(sensor_tables: dict, docs_location: Path):
 39 |     old_doc_files = [i for i in docs_location.glob("mapping*.rst")]
 40 | 
 41 |     for sensor in sensor_tables:
 42 |         old_doc = Path(docs_location, f"mapping_{sensor.lower()}.rst")
 43 |         tables = sensor_tables[sensor]
 44 |         if old_doc not in old_doc_files:
 45 |             # Create a new file with an empty table
 46 |             # Add header to file
 47 |             if sensor.lower() == "zeek":
 48 |                 sensor = sensor.upper()
 49 |             file_beginning = header_generator(sensor, "=")
 50 |             file_beginning.append(".. raw:: html")
 51 |             file_beginning.append("")
 52 |             file_beginning.append("    <p>")
 53 |             file_beginning.append(
 54 |                 f'        <a class="btn btn-primary" target="_blank" href="../../csv/{sensor}-sensors-mappings-enterprise.csv">'
 55 |             )
 56 |             file_beginning.append(
 57 |                 '        <i class="fa fa-table"></i> Download CSV</a>'
 58 |             )
 59 |             file_beginning.append("")
 60 |             file_beginning.append(
 61 |                 f'        <a class="btn btn-primary" target="_blank" href="../../stix/{sensor}-mappings-enterprise.json">'
 62 |             )
 63 |             file_beginning.append(
 64 |                 '        <i class="fa fa-file-excel-o"></i> Download STIX</a>'
 65 |             )
 66 |             file_beginning.append("")
 67 |             file_beginning.append(
 68 |                 f'        <a class="btn btn-primary" target="_blank" href="https://mitre-attack.github.io/attack-navigator/#layerURL=https://center-for-threat-informed-defense.github.io/sensor-mappings-to-attack/navigator/{sensor}-heatmap.json">'
 69 |             )
 70 |             file_beginning.append(
 71 |                 '        <i class="fa fa-map-signs"></i> Open in ATT&CK Navigator</a>'
 72 |             )
 73 |             file_beginning.append("    </p>")
 74 |             file_beginning.append("")
 75 |             file_beginning.append(".. MAPPINGS_TABLE")
 76 |             file_beginning.append(".. /MAPPINGS_TABLE")
 77 |             with open(old_doc, "w") as _new_file:
 78 |                 _new_file.write("\n".join(file_beginning))
 79 | 
 80 |         with open(old_doc) as file:
 81 |             new_doc = insert_docs(file, tables, "MAPPINGS_TABLE")
 82 |             if new_doc[-1] != "\n":
 83 |                 new_doc += "\n"
 84 |                 # New line at end of file
 85 |         with open(old_doc, "w") as out:
 86 |             out.write(new_doc)
 87 | 
 88 | 
 89 | def generate_table_from_csv(csv_file):
 90 |     """Parse out table data from `csv_file`."""
 91 |     obj_lines = []
 92 |     with csv_file.open("r") as file:
 93 |         reader = csv.DictReader(file)
 94 | 
 95 |         for row in reader:
 96 |             _dict = {
 97 |                 "EVENT ID": row["EVENT ID"],
 98 |                 "EVENT DESCRIPTION": row["EVENT DESCRIPTION"],
 99 |                 "ATT&CK DATA SOURCE": row["ATT&CK DATA SOURCE"],
100 |                 "ATT&CK DATA COMPONENT": row["ATT&CK DATA COMPONENT"],
101 |             }
102 |             if _dict not in obj_lines:
103 |                 obj_lines.append(_dict)
104 |     return obj_lines
105 | 
106 | 
107 | def csv_to_tables(attack_types, mappings_location):
108 |     """Goes through the CSV files for `attack_types` and extracts data for Sphinx tables."""
109 | 
110 |     sensor_table_lists = {}
111 |     # Key = Sensor, Value = [{Attack_Type1: obj_lines}, {Attack_Type2: obj_lines}, ...]
112 |     for attack_type in attack_types:
113 |         current_dir = Path(mappings_location, attack_type, "csv")
114 |         csv_files = [
115 |             filename for filename in current_dir.iterdir() if filename.is_file()
116 |         ]
117 | 
118 |         # Work on each CSV file
119 |         for _csv in csv_files:
120 |             _sensor_ = _csv.name.split("-sensors-mappings")[0]
121 |             obj_lines = generate_table_from_csv(_csv)
122 | 
123 |             if _sensor_ in sensor_table_lists:
124 |                 sensor_table_lists[_sensor_].append({attack_type: obj_lines})
125 |             else:
126 |                 sensor_table_lists[_sensor_] = [{attack_type: obj_lines}]
127 |     return sensor_table_lists
128 | 
129 | 
130 | def generate_mappings_table(sensor_table_lists):
131 |     """Consolidates output from `csv_to_tables` and returns it as a dictionary. Key is a sensor name, Value is a list of table data."""
132 |     sensor_tables = {}
133 |     for sensor in sensor_table_lists:
134 |         attack_types: list = sensor_table_lists[sensor]
135 |         # attack_types is a List of Dictionaries.
136 |         # Key is the attack_type, Value is a list of rows (dictionaries)
137 |         obj_lines = [""]
138 |         for attack_type_dict in attack_types:
139 |             attack_type = list(attack_type_dict.keys())[0]
140 |             if attack_type == "ics":
141 |                 attack_type = attack_type.upper()
142 |             else:
143 |                 attack_type = attack_type.title()
144 | 
145 |             obj_lines.extend(header_generator(attack_type, "-"))
146 | 
147 |             # Add table header
148 |             obj_lines.extend(table_start(sensor))
149 | 
150 |             rows = attack_type_dict[attack_type.lower()]
151 |             # Check if Event IDs are numerical. If so, convert them for sorting
152 |             sample = rows[0]["EVENT ID"]
153 |             try:
154 |                 int(sample)
155 |                 for _dict in rows:
156 |                     new_event_id = int(_dict.pop("EVENT ID"))
157 |                     _dict["EVENT ID"] = new_event_id
158 |             except ValueError:
159 |                 pass
160 |             for row in sorted(rows, key=lambda i: i["EVENT ID"]):
161 |                 obj_lines.extend(extract_row_data(row))
162 |                 obj_lines.append("")
163 |         # Remove the last empty line
164 |         if not obj_lines[-1]:
165 |             obj_lines.pop()
166 |         sensor_tables[sensor] = obj_lines
167 |     return sensor_tables
168 | 
169 | 
170 | def extract_row_data(row: dict):
171 |     # Unwrap multi-line inputs
172 |     description = " ".join(filter(None, row["EVENT DESCRIPTION"].splitlines()))
173 | 
174 |     result = [
175 |         f"  * - | **{row['EVENT ID']}**",
176 |         f"      |",
177 |         f"      | {description}",
178 |         f"    - | **Data Source:** {row['ATT&CK DATA SOURCE']}",
179 |         f"      | **Data Component:** {row['ATT&CK DATA COMPONENT']}",
180 |     ]
181 | 
182 |     return result
183 | 
184 | 
185 | def header_generator(variable_name: str, symbol: str):
186 |     """Generates reusable underline for documents based on `variable_name`"""
187 |     _header = []
188 |     _header.append(variable_name)
189 |     _header.append("".join(f"{symbol}" for _ in range(len(variable_name))))
190 |     _header.append("")
191 |     return _header
192 | 
193 | 
194 | def table_start(sensor):
195 |     """Helper function to create the start of a table"""
196 |     table_header = []
197 |     table_header.append(".. list-table::")
198 |     table_header.append(f"  :widths: 50 50")
199 |     table_header.append("  :header-rows: 1")
200 |     table_header.append("")
201 |     table_header.append("  * - EVENT")
202 |     table_header.append("    - ATT&CK MAPPING")
203 |     table_header.append("")
204 |     return table_header
205 | 
206 | 
207 | def _parse_args():
208 |     ROOT_DIR = Path(__file__).parent.parent.parent
209 |     parser = argparse.ArgumentParser(description="Generate docs for mappings")
210 |     parser.add_argument(
211 |         "-docs",
212 |         dest="docs_location",
213 |         help="Path to documentation files to edit",
214 |         type=Path,
215 |         default=Path(ROOT_DIR, "docs", "levels"),
216 |     )
217 |     parser.add_argument(
218 |         "-mappings",
219 |         dest="mappings_location",
220 |         help="Path to mapping files directory",
221 |         type=Path,
222 |         default=Path(ROOT_DIR, "mappings", "input"),
223 |     )
224 |     return parser.parse_args()
225 | 
226 | 
227 | def main():
228 |     args = _parse_args()
229 | 
230 |     attack_types = [
231 |         i
232 |         for i in os.listdir(args.mappings_location)
233 |         if Path(args.mappings_location, i).is_dir()
234 |     ]
235 |     sensor_table_lists = csv_to_tables(attack_types, args.mappings_location)
236 |     sensor_table_data = generate_mappings_table(sensor_table_lists)
237 |     write_doc_files(sensor_table_data, args.docs_location)
238 | 
239 | 
240 | if __name__ == "__main__":
241 |     main()
242 | 


--------------------------------------------------------------------------------
/docs/example_technique_mappings/windows.rst:
--------------------------------------------------------------------------------
  1 | Windows Example Scenarios
  2 | =========================
  3 | 
  4 | Both Windows-based examples explore `Create or Modify System Process (T1543)
  5 | <https://attack.mitre.org/techniques/T1543>`__ and usage of the mappings done under this
  6 | project to provide visibility into that technique.
  7 | 
  8 | Example 1: Create or Modify System Process (T1543)
  9 | --------------------------------------------------
 10 | 
 11 | As identified in the SMAP mappings, process creation information can be collected by
 12 | Sysmon 1, WinEvtx 4688, WinEvtx 4696. This first example walks through why WinEvtx 4696
 13 | may not be a feasible detection for Create or Modify System Process (T1543).
 14 | 
 15 | .. image:: ../_static/winex1.png
 16 | 
 17 | **Looking at the event data, is this enough evidence to conclude that the process was
 18 | created or modified per T1543?** Let us examine each of the events in order to answer
 19 | this question.
 20 | 
 21 | **Sysmon EID 1:**
 22 | 
 23 | *Yes.* Sysmon EID 1 simply triggers when a new process is created, which (in this
 24 | context) may be created during installation of new software or as part of automated,
 25 | repeated execution of software such as services. This event's attributes provides
 26 | very detailed information about the process and the process execution, which is
 27 | enough to indicate that this technique (Create or Modify System Process) could have
 28 | occurred.
 29 | 
 30 | *References:*
 31 | 
 32 | * `Ultimate IT Security: Sysmon Event ID 1
 33 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001>`__
 34 | 
 35 | **WinEvtx EID 4688:**
 36 | 
 37 | *Yes.* When a system process or a user opens an executable, Windows creates a process in which
 38 | that executable runs. Hence, this event is generated every time a program is started or executed.
 39 | All necessary details about the executed program, who the program ran as, and the process that
 40 | started the process are provided by the event. This provides evidence to indicate that this
 41 | technique (Create or Modify System Process) could have occurred.
 42 | 
 43 | *References:*
 44 | 
 45 | * `Ultimate IT Security: Windows Security Log Event ID 4688
 46 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688>`__
 47 | * `Microsoft Learn: 4688(S) A new process has been created
 48 |   <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688>`__
 49 | 
 50 | **WinEvtx EID 4696:**
 51 | 
 52 | *Maybe.* A primary token is an access token that is typically created only by the
 53 | Windows kernel and is assigned to a process to represent the default security
 54 | information for that process. Every process or thread executed on behalf of a user has a
 55 | copy of the token which is used to identify the user's identity and privileges. This
 56 | primary token is assigned to a process when the process is created, which is why this
 57 | event falls under process creation. This event, however, will only be generated when a
 58 | process (usually a service or a scheduled task) starts under the authority of a
 59 | different user than the user who created the process. In other words, this event
 60 | triggers every time a process runs using the non-current access token. To verify that
 61 | the access token is non-current we need to compare the Security ID, Account Name,
 62 | Account Domain, and Logon ID attributes of the new token information with the subject
 63 | information attributes provided by this event.
 64 | 
 65 | *Background:* An access token contains the security information for a logon session. The
 66 | system creates an access token when a user logs on, and every process executed on behalf
 67 | of the user has a copy of the token. The token identifies the user, the user's groups,
 68 | and the user's privileges. The system uses the token to control access to securable
 69 | objects and to control the ability of the user to perform various system-related
 70 | operations on the local computer. There are two kinds of access token, primary and
 71 | impersonation.
 72 | 
 73 | *Caveat:* This event does not generate when the process starts with the authority of the
 74 | same user that created the process. Therefore, if the new process has the same target
 75 | user as the user of the parent process, this event will not trigger. WinEvtx EID 4688
 76 | includes the primary token assigned to the new process. Also, this event is deprecated
 77 | starting from Windows 7 and Windows 2008 R2, with Windows Server 2008 and Windows Vista
 78 | as minimum OS versions.
 79 | 
 80 | *References:*
 81 | 
 82 | * `Ultimate IT Security: Windows Security Log Event ID 4696
 83 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4696>`__
 84 | * `Ultimate IT Security: Detailed Tracking Events
 85 |   <https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter6#ProCre>`__
 86 | * `Microsoft Learn: 4696(S) A primary token was assigned to process
 87 |   <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696>`__
 88 | * `Microsoft Learn: Access Tokens
 89 |   <https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens>`__
 90 | 
 91 | **Next, we review specific attributes of the event logs.**
 92 | 
 93 | Sysmon EID 1:
 94 | 
 95 |    * ProcessGuid
 96 |    * ProcessId
 97 |    * Image
 98 |    * CommandLine
 99 |    * CurrentDirectory
100 |    * Hashes
101 |    * ParentProcessGuid
102 |    * ParentProcessId
103 |    * ParentImage
104 | 
105 | WinEvtx EID 4688:
106 | 
107 |    * New Process ID
108 |    * New Process Name
109 |    * Token Elevation Type (1 - Default, 2 - Elevated, 3 - Limited)
110 |    * Creator Process ID
111 |    * Creator Process Name
112 |    * Process Command Line
113 | 
114 | WinEvtx EID 4696:
115 | 
116 |    * Target Process ID
117 |    * Target Process Name
118 |    * New Token Information:
119 |    * Security ID
120 |    * Account Name
121 |    * Account Domain
122 |    * Logon ID
123 | 
124 | 
125 | Example 2: Create or Modify System Process (T1543)
126 | --------------------------------------------------
127 | 
128 | As identified in the SMAP mappings, Windows Registry key creation can be collected by
129 | Sysmon 12 and WinEvtx 4657. This example walks through using these events to potentially
130 | provide detection for Create or Modify System Process (T1543).
131 | 
132 | .. image:: ../_static/winex2.png
133 | 
134 | **Looking at the event data, is this enough evidence to conclude that the process was
135 | created or modified per T1543?** Registry key creation/modification/deletion and key
136 | value creation/modification/deletion events all have the event attributes necessary to
137 | indicate that this technique (Create or Modify System Process) could have occurred.
138 | 
139 | **Sysmon EID 12:**
140 | 
141 | *Yes.* Sysmon EID 12 is triggered by CreateKey, DeleteKey, CreateValue, and DeleteValue
142 | events. Newly created windows registry keys (i.e., CreateKey event) may create or modify
143 | system-level processes to store and execute malicious payloads at startup or at
144 | repeatable intervals as part of persistence or privileged escalation.
145 | 
146 | *References:*
147 | 
148 | * `Ultimate IT Security: Sysmon Event ID 12
149 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012>`__
150 | * `Microsoft Learn: Sysmon Event-12 Q&A
151 |   <https://learn.microsoft.com/en-us/answers/questions/883005/sysmon-event-12-eventtype-createvalue-event-only-n>`__
152 | 
153 | **WinEvtx EID 4657:**
154 | 
155 | *Yes.* This event is triggered when registry key values are created, modified, and deleted.
156 | Accessing/opening and closing the registry key is determined by Windows EID 4656 and EID 4658,
157 | respectively. This event will be generated when a new registry key is created with an initial
158 | key value or key value type set.
159 | 
160 | *Caveat:* This event does not generate when a registry key is modified. Also, a newly created
161 | registry key without a key value or key value type set will not trigger this event.
162 | 
163 | *References:*
164 | 
165 | * `Microsoft Learn: 4657(S) A registry value was modified
166 |   <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657>`__
167 | * `Ultimate IT Security: Windows Security Log Event ID 4657
168 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657>`__
169 | 
170 | 
171 | **Sysmon EID 6:**
172 | 
173 | *Yes.* Attaching a driver to the user or kernel-mode of a system, which triggers this event,
174 | creates a new service driver installation and load. An adversary may use this service to
175 | install and execute a malicious driver that can be leveraged as a rootkit, or load a signed
176 | but vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver"
177 | (BYOVD)). This event provides information about the driver being loaded, its hashes, and the
178 | signature information for integrity purposes (signature validity, driver's publisher, and
179 | signature status).
180 | 
181 | *References:*
182 | 
183 | * `Ultimate IT Security: Sysmon Event ID 6
184 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006>`__
185 | * `Microsoft Learn: Sysmon v15.11
186 |   <https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon>`__
187 | * `Atomic Red Team: T1543.003
188 |   <https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md>`__
189 | * `Sysmon Community Guide: Driver Loading
190 |   <https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/driver-loading.md>`__
191 | 
192 | **Next, we review specific attributes of the event logs.**
193 | 
194 | Sysmon EID 12:
195 | 
196 |    * TargetObject
197 |    * EventType (CreateKey, DeleteKey, CreateValue, DeleteValue)
198 | 
199 | WinEvtx EID 4657:
200 | 
201 |    * Object Name
202 |    * Object Value Name
203 |    * Operation Type (New registry value created, Existing registry value modified, Registry value deleted, etc.)
204 |    * Change information ("Old Value Type", "Old Value", "New Value Type", "New Value")
205 | 
206 | Sysmon EID 6:
207 | 
208 |    * ImageLoaded (filepath of the driver loaded)
209 |    * Hashes (of the driver loaded)
210 |    * Signed (true/false)
211 |    * Signature (Signer name of the driver)
212 |    * SignatureStatus (i.e., valid)
213 | 


--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 


--------------------------------------------------------------------------------
/src/util/cli_validator.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | from dateutil import parser
  3 | import json
  4 | from pathlib import Path
  5 | import re
  6 | import requests
  7 | import sys
  8 | 
  9 | import schema
 10 | from stix2 import Filter, MemoryStore
 11 | from tqdm import tqdm
 12 | 
 13 | from stix_schemas import data_component_schema, data_source_schema, sensor_mapping_schema
 14 | 
 15 | 
 16 | TYPES = {
 17 |     "x-mitre-data-component": data_component_schema, 
 18 |     "x-mitre-data-source": data_source_schema, 
 19 |     "x-mitre-sensor-mapping": sensor_mapping_schema
 20 | } # Global to map schemas to STIX object type
 21 | 
 22 | 
 23 | def load_attack_data(version, attack_domain, groups):
 24 |     """Load pre-existing ATT&CK STIX data as references for validation."""
 25 |     def merge_lists(l1, l2):
 26 |         for item in l2:
 27 |             if item not in l1:
 28 |                 l1.append(item)
 29 |         return l1
 30 | 
 31 | 
 32 |     if groups:
 33 |         enterprise_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/enterprise-attack/enterprise-attack.json"
 34 |         ics_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/ics-attack/ics-attack.json"
 35 |         mobile_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/mobile-attack/mobile-attack.json"
 36 |         attack_data = requests.get(enterprise_url, verify=True).json()["objects"]
 37 |         attack_data = merge_lists(attack_data, requests.get(ics_url, verify=True).json()["objects"])
 38 |         attack_data = merge_lists(attack_data, requests.get(mobile_url, verify=True).json()["objects"])
 39 |     else:
 40 |         attack_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/{attack_domain}/{attack_domain}.json"
 41 |         attack_data = requests.get(attack_url, verify=True).json()["objects"]
 42 | 
 43 |     # Now filter attack_data to only have the information we require
 44 |     attack_objects = []
 45 | 
 46 |     # Find the already-existing SDO's to avoid duplication
 47 |     for attack_object in attack_data:
 48 |         types = ["x-mitre-data-source", "x-mitre-data-component"]
 49 | 
 50 |         if attack_object["type"] in types:
 51 |             if attack_object.get("revoked", False):
 52 |                 continue  # skip revoked objects
 53 |             if attack_object.get("x_mitre_deprecated", False):
 54 |                 continue  # skip deprecated objects
 55 |             attack_objects.append(attack_object)
 56 |     return attack_objects
 57 | 
 58 | 
 59 | def validate_timestamp(instance):
 60 |     """
 61 |     Ensure timestamps contain sane months, days, hours, minutes, seconds. Sourced from the oasis stix2validator library.
 62 |     """
 63 |     ts_re = re.compile(r"^[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?Z$")
 64 |     timestamp_props = ['created', 'modified']
 65 |     for tprop in timestamp_props:
 66 |         if tprop in instance:
 67 |             try:
 68 |                 parser.parse(instance[tprop])
 69 |             except ValueError as e:
 70 |                 print(f"\nInvalid timestamp in STIX object id={instance['id']}: {str(e)}\n\
 71 |                       '{tprop}': '{instance[tprop]}'")
 72 |                 sys.exit(1)
 73 |             # If parsing is successful, check against the regex.
 74 |             if not ts_re.match(instance[tprop]):
 75 |                 print(f"\nInvalid timestamp in STIX object id={instance['id']}:\n\
 76 |                       '{tprop}': '{instance[tprop]}'")
 77 |                 sys.exit(1)
 78 | 
 79 | 
 80 | def validate_bundle_completeness(bundle, attack_objects):
 81 |     """
 82 |     Checks for completeness of `bundle`, e.g., not missing any newly created objects. Completeness is defined as:
 83 |     - If a sensor mapping entry references a newly created Data Source, include the entry for it
 84 |     - If a sensor mapping entry references a newly created Data Component, check in the `bundle` and the ATT&CK dataset to make sure it should be included in the `bundle`
 85 |     - Check that the SRO between these two STIX objects exists. If not in `bundle`, check if it has already been defined in the ATT&CK dataset and should not be included
 86 |     """
 87 |     # Load STIX data into MemoryStore for faster searching
 88 |     bundle_objects = MemoryStore(stix_data=bundle["objects"])
 89 |     
 90 |     # Start by validating the SensorMapping items, and the corresponding relationship
 91 |     for sro in bundle_objects.query([Filter("type", "=", "x-mitre-sensor-mapping")]):
 92 |         data_source_name = sro.get("data_source")
 93 | 
 94 |         # Verify that the associated relationship is in the bundle with this mapping
 95 | 
 96 |         # Find the STIX ID associated with the data source
 97 |         filters = [Filter("type", "=", "x-mitre-data-source"), Filter("name", "=", data_source_name)]
 98 | 
 99 |         local_query_results = bundle_objects.query(filters)
100 |         if not local_query_results:
101 |             # Check if the data source is newly created
102 |             if sro.get("x_mitre_data_source_id") == -1:
103 |                 print(f"Bundle is missing an entry for {data_source_name}, which should be present for validation of object {sro['id']}")
104 |                 sys.exit(1)
105 |             else:
106 |                 # Check in ATT&CK MemoryStore
107 |                 query_results = attack_objects.query(filters)
108 |                 if not query_results:
109 |                     print(f"Bundle is missing an entry for {data_source_name}, which should be bundled with object {sro['id']}")
110 |                     sys.exit(1)
111 |                 else:
112 |                     ds_id = query_results[0]["id"]
113 |         else:
114 |             ds_id = local_query_results[0]["id"]
115 |         
116 |         # Find the STIX ID associated with the data component
117 |         data_component_name = sro.get("data_component")
118 | 
119 |         filters = [Filter("type", "=", "x-mitre-data-component"), Filter("name", "=", data_component_name)]
120 | 
121 |         local_query_results = bundle_objects.query(filters)
122 |         if not local_query_results:
123 |             # Check if it is present in ATT&CK data
124 |             query_results = attack_objects.query(filters)
125 |             if query_results:
126 |                 dc_id = query_results[0]["id"]
127 |             else:
128 |                 print(f"Bundle is missing an entry for {data_component_name}, which should be bundled with object {sro['id']}")
129 |                 sys.exit(1)
130 |         else:
131 |             dc_id = local_query_results[0]["id"]
132 | 
133 |         # Look for the relationship in the bundle
134 |         relationship_type = sro.get("relationship")
135 | 
136 |         filters = [Filter("type", "=", "relationship"), Filter("source_ref", "=", ds_id), Filter("target_ref", "=", dc_id), Filter("relationship_type", "=", relationship_type)]
137 | 
138 |         local_query_results = bundle_objects.query(filters)
139 |         if not local_query_results:
140 |             # Check if it is present in ATT&CK data
141 |             query_results = attack_objects.query(filters)
142 |             if not query_results:
143 |                 print(f"Bundle is missing relationship entry for object {sro['id']}")
144 |                 sys.exit(0)
145 |         # Else - valid bundle
146 | 
147 | 
148 | def validate_schemas(bundle, bundle_name):
149 |     """Validate objects in the bundle by checking it against a schema if that type is defined in the `stix_schemas.py` file."""
150 |     for stix_obj in tqdm(bundle["objects"], desc=f"validating {bundle_name} schemas..."):
151 |         stix_type = stix_obj.get("type")
152 |         if stix_type == 'relationship':
153 |             continue
154 |         schema_ = TYPES.get(stix_type)
155 |         if schema_:
156 |             # Verify that it contains necessary properties
157 |             try:
158 |                 schema_.validate(stix_obj)
159 |             except schema.SchemaError as se:
160 |                 print(f"\nFailed to validate STIX object id={stix_obj.get('id')}: {se}")
161 |                 sys.exit(1)
162 |             
163 |             # Verify dates
164 |             validate_timestamp(stix_obj)
165 | 
166 | 
167 | def validate(bundle, bundle_name, attack_objects):
168 |     """Validates a bundle by testing schema correctness and 'completeness' of the bundle, which tests that every Sensor Mapping has its mapping (SRO) and newly created objects."""
169 |     print(f"validating {bundle_name}... ", end="")
170 |     
171 |     validate_schemas(bundle, bundle_name)
172 |     validate_bundle_completeness(bundle, attack_objects)
173 | 
174 |     print("done!")
175 | 
176 | 
177 | def _parse_args():
178 |     # Reuses a lot of parameters used for creating mappings (for obvious reasons)
179 |     ROOT_DIR = Path(__file__).parent.parent.parent
180 |     parser = argparse.ArgumentParser(description="validate STIX bundles")
181 |     parser.add_argument("-mappings_location",
182 |                         dest="mappings_location",
183 |                         type=Path,
184 |                         help="filepath to folder of STIX bundle mappings",
185 |                         default=Path(ROOT_DIR, "mappings", "stix", "enterprise"))
186 |     parser.add_argument("-config_location",
187 |                         dest="config_location",
188 |                         help="filepath to the configuration for the framework. If none is provided, module assumes the bundle was made from the config file in the mappings input folder.",
189 |                         type=Path,
190 |                         default=Path(ROOT_DIR, "mappings", "input", "config.json"))
191 |     parser.add_argument("-attack_domain",
192 |                         dest="attack_domain",
193 |                         help="Attack domain of mapping files",
194 |                         type=str,
195 |                         choices=["enterprise-attack", "ics-attack", "mobile-attack"],
196 |                         default="enterprise-attack")
197 |     parser.add_argument("-groups",
198 |                         action="store_true",
199 |                         help="If specified, mappings contain group objects")
200 |     
201 |     return parser.parse_args()
202 | 
203 | 
204 | def main():
205 |     args = _parse_args()
206 | 
207 |     # Process the config file
208 |     with args.config_location.open("r", encoding="utf-8") as f:
209 |         config = json.load(f)
210 |         version = config["attack_version"]
211 | 
212 |     mapping_data = [file for file in args.mappings_location.glob('*mappings*.json') if file.is_file()]
213 | 
214 |     json_to_validate = []
215 |     for file in mapping_data:
216 |         with file.open("r", encoding="utf-8") as f:
217 |             json_to_validate.append((json.load(f), file.name))
218 |     
219 |     # Store the ATT&CK data for reference
220 |     attack_objects = MemoryStore(stix_data=load_attack_data(version, args.attack_domain, args.groups))
221 | 
222 |     for bundle in json_to_validate:
223 |         validate(*bundle, attack_objects)
224 | 
225 | 
226 | if __name__ == '__main__':
227 |     main()
228 | 


--------------------------------------------------------------------------------
/src/util/create_heatmaps.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import json
  3 | from pathlib import Path
  4 | import random
  5 | import shutil
  6 | 
  7 | import requests
  8 | from stix2 import Filter, MemoryStore
  9 | 
 10 | 
 11 | def rand_color(label):
 12 |     """Generate a random color, while attempting to avoid the color green."""
 13 |     rgb = [random.randint(0, 0xff) for _ in range(3)]
 14 |     if rgb[1] > 128:  # Attempt to keep Green values below a threshold
 15 |         rgb[1] = random.randint(0, 127)
 16 |     rand_color = "#{:02x}{:02x}{:02x}".format(*rgb)
 17 |     return {label: rand_color}
 18 | 
 19 | 
 20 | def create_comparison_layer(input_dir, domain, version):
 21 |     """Take all created layers and create a single sheet that combines comments."""
 22 |     print("generating layer for sensor comparison... ", end="", flush=True)
 23 |     files_to_combine = [file for file in input_dir.glob("*heatmap.json") if file.is_file() and "comparison" not in file.name.lower()]
 24 |     
 25 |     # Combine all the technique dictionaries
 26 |     layers = []
 27 |     for file in files_to_combine:
 28 |         with file.open("r", encoding="utf-8") as f:
 29 |             layers.append(json.load(f))
 30 | 
 31 |     # Each object in all_techniques is a list of technique dictionaries
 32 |     all_techniques = {}
 33 |     
 34 |     sensor_names = [layer["name"] for layer in layers]
 35 |     color_legend = {}
 36 |     
 37 |     # Merge all comments
 38 |     for layer in layers:
 39 |         if layer["name"] not in color_legend:
 40 |             color_legend[layer["name"]] = layer["techniques"][0]["color"]  # Take the first value
 41 |         technique_dicts = layer["techniques"]
 42 |         for technique in technique_dicts:
 43 |             attack_id = technique["techniqueID"]
 44 |             comment = technique["comment"]
 45 |             if attack_id not in all_techniques:
 46 |                 all_techniques[attack_id] = {
 47 |                     "score": 1,
 48 |                     "comment": comment,
 49 |                     "color": technique["color"]
 50 |                 }
 51 |             else:
 52 |                 all_techniques[attack_id]["comment"] += f"\n\n{comment}"
 53 | 
 54 |     # Calculate score at the end
 55 |     for technique in all_techniques:
 56 |         score_value = 0
 57 |         comment = all_techniques[technique]["comment"]
 58 |         for name in sensor_names:
 59 |             if name in comment:
 60 |                 score_value += 1
 61 |         all_techniques[technique]["score"] = score_value
 62 |         if score_value == 1:
 63 |             label_name = comment[:comment.index(":")]
 64 |             all_techniques[technique]["color"] = color_legend[label_name]
 65 |         else:
 66 |             all_techniques[technique].pop("color")  # Allow gradient to color this technique
 67 | 
 68 |     # Convert all_techniques to a list of technique dictionaries
 69 |     techniques = []
 70 |     for technique_dict in all_techniques:
 71 |         _color_ = all_techniques[technique_dict].get("color", {})
 72 |         if _color_:
 73 |             _color_ = {"color": _color_}
 74 |         techniques.append({
 75 |             "techniqueID": technique_dict,
 76 |             "score": all_techniques[technique_dict]["score"],
 77 |             "comment": all_techniques[technique_dict]["comment"]
 78 |         } | _color_
 79 |         )
 80 | 
 81 |     comparison_layer = create_layer("Sensor Comparisons", domain, techniques, version, color_legend=color_legend)
 82 |         
 83 |     output_path = Path(input_dir, "sensor-comparison-heatmap.json")
 84 |     with output_path.open("w", encoding="utf-8") as f:
 85 |         json.dump(comparison_layer, f, indent=4)
 86 |     print("done")
 87 | 
 88 | 
 89 | def create_layer(name, domain, techniques, version, description="", color_legend=[]):
 90 |     """create a Layer"""
 91 |     min_mappings = min(map(lambda t: t["score"], techniques)) if len(techniques) > 0 else 0
 92 |     max_mappings = max(map(lambda t: t["score"], techniques)) if len(techniques) > 0 else 100
 93 |     gradient = ["#b7ffbf", "#063b00"]
 94 |     # check if all the same count of mappings
 95 |     if max_mappings - min_mappings == 0:
 96 |         min_mappings = 0  # set low end of gradient to 0
 97 | 
 98 |     # convert version to just major version
 99 |     if version.startswith("v"):
100 |         version = version[1:]
101 |     version = version.split(".")[0]
102 | 
103 |     if color_legend:
104 |         # Put in proper format
105 |         color_legend = [{
106 |                         "label": label,
107 |                         "color": color_legend[label]
108 |                         }
109 |                         for label in color_legend]
110 |     layer_details = {
111 |         "name": name,
112 |         "versions": {
113 |             "navigator": "4.8.2",
114 |             "layer": "4.4",
115 |             "attack": version
116 |         },
117 |         "sorting": 0,
118 |         "description": description,
119 |         "domain": domain,
120 |         "techniques": techniques,
121 |         "gradient": {
122 |             "colors": gradient,
123 |             "minValue": min_mappings,
124 |             "maxValue": max_mappings
125 |         }
126 |     }
127 | 
128 |     return layer_details | {"legendItems": color_legend}
129 | 
130 | 
131 | def layer_technique_field(attack_id, event_ids, sensor_name, color=None):
132 |     """create a technique for a layer"""
133 |     default_return = {
134 |         "techniqueID": attack_id,
135 |         "score": 1, 
136 |         "comment": f"{sensor_name}: {', '.join(sorted(event_ids))}",  # list of mapped event IDs
137 |     }
138 |     if color:
139 |         default_return["color"] = color[sensor_name]
140 | 
141 |     return default_return
142 | 
143 | 
144 | def to_technique_list(mappings, attack_data, map_subtechniques):
145 |     """
146 |     Take `mappings` MemoryStore object and `attack_data` MemoryStore object. Query the x_mitre_data_source field and return found techniques as a dictionary(attack id -> set of event IDs).
147 |     """
148 |     techniques = {}
149 |     for mapping in mappings.query(Filter("type", "=", "x-mitre-sensor-mapping")):
150 |         attack_data_source_filter = f"{mapping['data_source']}: {mapping['data_component']}"
151 |         atk_patterns = attack_data.query(Filter("x_mitre_data_sources", "contains", attack_data_source_filter))
152 |         if not atk_patterns:
153 |             continue  # Skip new data source & data component combinations
154 |         event_id = mapping["event_id"]
155 |         if map_subtechniques:
156 |             _techniques = [attack_id["external_references"][0]["external_id"] for attack_id in atk_patterns]
157 |         else:
158 |             _techniques = [attack_id["external_references"][0]["external_id"] for attack_id in atk_patterns if not attack_id["x_mitre_is_subtechnique"]]
159 | 
160 |         for attack_id in _techniques:
161 |             if attack_id in techniques:
162 |                 techniques[attack_id].add(event_id)
163 |             else:
164 |                 techniques[attack_id] = set([event_id])
165 |     return techniques
166 | 
167 | 
168 | def create_mappings_heatmap(files_to_visualize, out_dir, domain, version, clear, map_subtechniques):
169 |     """Create a Navigator layer for each mapping file (STIX Bundle)"""
170 |     url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/{domain}/{domain}.json"
171 |     print(f"downloading ATT&CK data from {url} ... ", end="", flush=True)
172 |     attack_data = MemoryStore(stix_data=requests.get(url, verify=True).json()["objects"])
173 |     print("done")
174 | 
175 |     for current_file in files_to_visualize:
176 |         sensor_name = current_file.name[:current_file.name.find("-mappings")]
177 |         print(f"loading mappings from {current_file} ... ", end="", flush=True)
178 |         with current_file.open("r", encoding="utf-8") as f:
179 |             mappings = MemoryStore(stix_data=json.load(f)["objects"])
180 |         print("done")
181 | 
182 |         print(f"generating layer for {sensor_name}... ", end="", flush=True)
183 |         tech_dict = to_technique_list(mappings, attack_data, map_subtechniques)
184 |         layer_color = rand_color(sensor_name)
185 |         techs = [layer_technique_field(attack_id, tech_dict[attack_id], sensor_name, color=layer_color) for attack_id in tech_dict]
186 |         layer = create_layer(name=sensor_name, domain=domain, techniques=techs, version=version, color_legend=layer_color)
187 |         
188 |         if clear:
189 |             print("clearing layers directory...", end="", flush=True)
190 |             shutil.rmtree(out_dir, ignore_errors=True)
191 |             print("done")
192 | 
193 |         # make path if it does not exist
194 |         print(f"writing layers for {sensor_name}... ", end="", flush=True)
195 |         layer_path = Path(out_dir, f"{sensor_name}-heatmap.json")
196 |         layer_path.parent.mkdir(parents=True, exist_ok=True)
197 |         with layer_path.open("w", encoding="utf-8") as f:
198 |             json.dump(layer, f, indent=4)
199 |         print("done\n")
200 | 
201 | 
202 | def _parse_args():
203 |     ROOT_DIR = Path(__file__).parent.parent.parent
204 | 
205 |     parser = argparse.ArgumentParser(description="Create ATT&CK Navigator layers from sensor data mappings")
206 |     parser.add_argument("-mappings_location",
207 |                         dest="mappings_location",
208 |                         help="filepath to the STIX Bundle mappings",
209 |                         type=Path,
210 |                         default=Path(ROOT_DIR, "mappings", "stix",
211 |                             "enterprise"))
212 |     parser.add_argument("-domain",
213 |                         dest="domain",
214 |                         help="The domain of ATT&CK to visualize",
215 |                         type=str,
216 |                         choices=["enterprise-attack", "ics-attack", "mobile-attack"],
217 |                         default="enterprise-attack")
218 |     parser.add_argument("-output",
219 |                         dest="output_location",
220 |                         help="The folder where layers will be saved to.",
221 |                         type=Path,
222 |                         default=Path(ROOT_DIR, "mappings", "layers"))
223 |     parser.add_argument("-version",
224 |                         dest="version",
225 |                         help="which ATT&CK version to use",
226 |                         default="13.1")
227 |     parser.add_argument("-clear",
228 |                         action="store_true",
229 |                         help="if flag specified, will remove the contents the output folder before writing layers")
230 |     parser.add_argument("-map_subtechniques",
231 |                          dest="map_subtechniques",
232 |                          action="store_true",
233 |                          help="if flag is specified, will map down to sub-techniques")
234 | 
235 |     return parser.parse_args()
236 | 
237 | 
238 | def main():
239 |     args = _parse_args()
240 |     domain_dirs = {
241 |         "enterprise-attack": "enterprise",
242 |         "ics-attack": "ics",
243 |         "mobile-attack": "mobile",
244 |     }
245 |     out_dir = Path(args.output_location, domain_dirs[args.domain])
246 | 
247 |     files_to_visualize = [file for file in args.mappings_location.glob('*mappings*.json') if file.is_file() and domain_dirs[args.domain] in file.name and 'reference' not in file.name.lower()]
248 | 
249 |     create_mappings_heatmap(files_to_visualize, out_dir, args.domain, args.version, args.clear, args.map_subtechniques)
250 |     create_comparison_layer(out_dir, args.domain, args.version)
251 | 
252 | 
253 | if __name__ == "__main__":
254 |     main()


--------------------------------------------------------------------------------
/docs/_static/css/ctid.css:
--------------------------------------------------------------------------------
  1 | /* Document styles */
  2 | 
  3 | body {
  4 |   --mitre-black: #111921;
  5 |   --mitre-dark-navy: #0b2338;
  6 |   --mitre-navy: #0d2f4f;
  7 |   --mitre-blue: #005b94;
  8 |   --mitre-light-blue: #87deff;
  9 |   --mitre-highlighter: #fff601;
 10 |   --mitre-dark-gray: #7e8284;
 11 |   --mitre-silver: #d4d4d3;
 12 |   --mitre-light-silver: #f1f3f4;
 13 |   --me-ext-code: #880132;
 14 |   --me-orange-dark: #c94f1f;
 15 |   --text-color-inverse: #ffffff;
 16 | 
 17 |   color: var(--mitre-black);
 18 |   font-family: Arial, Helvetica, sans-serif;
 19 | }
 20 | 
 21 | /* Bootstrap button styles */
 22 | .btn,
 23 | .btn:focus,
 24 | .btn-primary,
 25 | .btn-primary:focus {
 26 |   background-color: var(--mitre-blue);
 27 |   color: white;
 28 |   border-radius: 0;
 29 |   border: none;
 30 |   text-decoration: none !important;
 31 | }
 32 | 
 33 | .btn:hover,
 34 | .btn-primary:hover {
 35 |   background-color: var(--mitre-navy);
 36 |   text-decoration: none !important;
 37 | }
 38 | 
 39 | .btn-secondary,
 40 | .btn-secondary:focus {
 41 |   background-color: var(--mitre-black);
 42 | }
 43 | 
 44 | .btn-secondary:hover {
 45 |   background-color: var(--mitre-dark-gray);
 46 | }
 47 | 
 48 | .btn-link,
 49 | .btn-link:focus {
 50 |   color: var(--mitre-blue);
 51 | }
 52 | 
 53 | .btn-link:hover {
 54 |   color: var(--mitre-navy) !important;
 55 | }
 56 | 
 57 | figure img {
 58 |   border-radius: 0;
 59 |   box-shadow: none;
 60 |   max-width: 100%;
 61 |   max-height: fit-content;
 62 | }
 63 | 
 64 | table p {
 65 |   margin: 0;
 66 | }
 67 | 
 68 | /* Table of contents styles */
 69 | .rst-content .toctree-wrapper a {
 70 |   font-weight: normal;
 71 | }
 72 | 
 73 | .rst-content .toctree-wrapper ul li ul {
 74 |   margin-top: 0;
 75 | }
 76 | 
 77 | /* Admonition styles */
 78 | 
 79 | .admonition {
 80 |   background-color: var(--mitre-light-silver) !important;
 81 |   color: var(--mitre-black);
 82 |   border-radius: var(--border-radius);
 83 | }
 84 | 
 85 | .admonition .admonition-title {
 86 |   padding: 0.8em 1em !important;
 87 | }
 88 | 
 89 | .admonition p,
 90 | body.theme-dark .admonition p {
 91 |   color: var(--mitre-black);
 92 | }
 93 | 
 94 | .admonition p:last-child,
 95 | body.theme-dark .admonition p:last-child {
 96 |   margin-bottom: 0;
 97 | }
 98 | 
 99 | .admonition a,
100 | .admonition a.reference.external:after {
101 |   color: var(--mitre-black) !important;
102 | }
103 | 
104 | .admonition.caution .admonition-title,
105 | .admonition.warning .admonition-title  {
106 |   background-color: var(--me-orange-dark);
107 |   color: var(--text-color-inverse);
108 | }
109 | 
110 | .admonition.danger .admonition-title,
111 | .admonition.error .admonition-title {
112 |   background-color: var(--me-ext-code);
113 |   color: var(--text-color-inverse);
114 | }
115 | 
116 | .admonition.hint .admonition-title,
117 | .admonition.tip .admonition-title {
118 |   background-color: var(--mitre-blue);
119 |   color: var(--text-color-inverse);
120 | }
121 | 
122 | .admonition.important .admonition-title,
123 | .admonition.attention .admonition-title {
124 |   background-color: var(--mitre-light-blue);
125 |   color: var(--mitre-black) !important;
126 | }
127 | 
128 | /* Figure styles */
129 | 
130 | .rst-content figcaption p span.caption-text {
131 |   font-size: 10pt;
132 |   font-style: initial;
133 |   color: #555;
134 |   /* color: #999; */
135 | }
136 | 
137 | .page-toc a {
138 |   color: #555 !important;
139 | }
140 | 
141 | /* Epigraph styles */
142 | 
143 | blockquote.epigraph {
144 |   background-color: var(--mitre-light-silver);
145 |   margin: 2em 0;
146 |   padding: 1em;
147 | }
148 | 
149 | body.theme-dark blockquote.epigraph {
150 |   background-color: var(--mitre-navy);
151 | }
152 | 
153 | blockquote.epigraph p.attribution {
154 |   margin: 0;
155 |   font-style: italic;
156 | }
157 | 
158 | body.theme-dark {
159 |   background-color: var(--mitre-black);
160 | }
161 | 
162 | .bg-primary {
163 |   background-color: #0d2f4f !important;
164 | }
165 | 
166 | /* .theme-dark .bg-primary {
167 |   background-color: #005b94 !important;
168 | } */
169 | body.theme-dark .input-group-text,
170 | body.theme-dark .form-control {
171 |   background-color: var(--mitre-black);
172 |   border-color: var(--mitre-silver);
173 | }
174 | 
175 | body.theme-dark .input-group-text.bg-white {
176 |   background-color: var(--mitre-black) !important;
177 | }
178 | 
179 | body.theme-dark .border-top {
180 |   border-color: var(--mitre-dark-navy) !important;
181 | }
182 | 
183 | a {
184 |   color: #005b94;
185 |   text-decoration-color: #005b94;
186 |   text-decoration-thickness: 1px;
187 |   text-decoration: none;
188 | }
189 | 
190 | p a {
191 |   text-decoration: underline;
192 | }
193 | 
194 | a:hover {
195 |   text-decoration: underline;
196 |   color: #005b94;
197 | }
198 | 
199 | body.theme-dark {
200 | 
201 |   h1,
202 |   h2,
203 |   h3,
204 |   h4,
205 |   h5,
206 |   h6 {
207 |     color: white;
208 |   }
209 | 
210 |   p {
211 |     color: rgba(255, 255, 255, 0.9);
212 |   }
213 | 
214 |   a {
215 |     color: #87deff;
216 |     text-decoration: none;
217 |     /* text-decoration-color: #87deff; */
218 |   }
219 | 
220 |   p a {
221 |     text-decoration: underline;
222 |   }
223 | 
224 |   a:hover {
225 |     color: #87deff;
226 |     text-decoration: underline;
227 |   }
228 | 
229 |   .page-toc a {
230 |     color: var(--mitre-silver) !important;
231 |   }
232 | 
233 |   .rst-content figcaption p span.caption-text {
234 |     color: var(--mitre-silver);
235 |   }
236 | }
237 | 
238 | .btn-light {
239 |   background-color: var(--mitre-blue) !important;
240 | }
241 | 
242 | .btn-light:hover,
243 | .btn-light:focus,
244 | .btn-light:active {
245 |   background-color: var(--mitre-navy) !important;
246 |   color: white !important;
247 | }
248 | 
249 | .admonition.note .admonition-title,
250 | .admonition.seealso .admonition-title,
251 | .admonition-title {
252 |   background-color: #005b94;
253 |   color: white !important;
254 | }
255 | 
256 | body.theme-dark .admonition.note p {
257 |   color: var(--mitre-black);
258 | }
259 | 
260 | .page-toc a:hover {
261 |   color: #005b94;
262 | }
263 | 
264 | .site-toc .toc ul {
265 |   padding-left: 0;
266 | }
267 | 
268 | .current.reference.internal {
269 |   color: #000;
270 | }
271 | 
272 | /* navbar styles */
273 | .navbar {
274 |   padding: 20px 0 !important;
275 | }
276 | 
277 | .navbar .navbar-brand {
278 |   font-size: 24px;
279 | }
280 | 
281 | .navbar a,
282 | .nav-link {
283 |   text-transform: uppercase;
284 |   font-family: "Oswald", "Roboto", Helvetica, Arial, sans-serif;
285 |   font-weight: 400;
286 |   letter-spacing: 1px;
287 |   color: var(--mitre-silver);
288 | }
289 | 
290 | .navbar .version {
291 |   font-size: 16px;
292 |   color: #87DEFF;
293 | }
294 | 
295 | .navbar .logo-img {
296 |   margin-right: 0;
297 | }
298 | 
299 | .navbar-toggler {
300 |   background-color: inherit !important;
301 | }
302 | 
303 | /* footer styles: */
304 | footer p a {
305 |   color: white !important;
306 |   text-decoration: underline !important;
307 | }
308 | 
309 | footer .row {
310 |   display: flex;
311 |   flex-wrap: wrap;
312 |   padding: 80px 0;
313 |   row-gap: 40px;
314 | }
315 | 
316 | .footer-row {
317 |   display: flex;
318 |   flex-wrap: wrap;
319 |   gap: 20px;
320 | }
321 | 
322 | .footer-row .logo {
323 |   margin: auto 0px;
324 | }
325 | 
326 | .social-links {
327 |   display: flex;
328 |   flex-wrap: wrap;
329 |   gap: 20px;
330 | }
331 | 
332 | .social-links a {
333 |   margin: auto 0px;
334 | }
335 | 
336 | .social-links i {
337 |   color: var(--mitre-light-blue);
338 |   font-size: 1.5em;
339 | }
340 | 
341 | .external-links {
342 |   display: flex;
343 |   flex-wrap: wrap;
344 |   margin: 20px 0;
345 | }
346 | 
347 | .external-links .link {
348 |   text-transform: uppercase;
349 |   font-family: "Oswald", "Roboto", Helvetica, Arial, sans-serif;
350 |   color: white;
351 | }
352 | 
353 | .external-links .link:not(:last-child) {
354 |   padding-right: 10px;
355 |   margin-right: 10px;
356 |   border-right: 3px solid var(--mitre-light-blue);
357 | }
358 | 
359 | footer h3,
360 | footer h4 {
361 |   text-transform: uppercase;
362 |   font-family: "Oswald", "Roboto", Helvetica, Arial, sans-serif;
363 |   font-weight: 500;
364 | }
365 | 
366 | footer p {
367 |   font-size: 15px;
368 | }
369 | 
370 | /* sidebar styles */
371 | .sidebar-container p.caption,
372 | #page-toc-heading {
373 |   text-transform: uppercase;
374 |   font-family: "Oswald", "Roboto", Helvetica, Arial, sans-serif;
375 |   font-weight: 500;
376 |   margin-top: 20px;
377 |   margin-bottom: 10px;
378 |   font-size: 16px;
379 | }
380 | 
381 | .highlight-bash .highlight pre, pre {
382 |   background-color: var(--mitre-dark-navy);
383 |   border-radius: var(--border-radius);
384 | }
385 | 
386 | .table .thead-dark th,
387 | table.docutils:not(.field-list) .thead-dark th,
388 | body.theme-dark table.docutils:not(.field-list) thead th {
389 |   color: rgba(255, 255, 255, 0.8);
390 |   background-color: rgba(255, 255, 255, 0.1);
391 |   border-color: rgba(255, 255, 255, 0.3);
392 | }
393 | 
394 | .table-dark,
395 | body.theme-dark table.docutils:not(.field-list) {
396 |   background-color: var(--mitre-black);
397 | }
398 | 
399 | .table-dark th,
400 | body.theme-dark table.docutils:not(.field-list) th,
401 | .table-dark td,
402 | body.theme-dark table.docutils:not(.field-list) td,
403 | .table-dark thead th {
404 |   border-color: rgba(255, 255, 255, 0.3);
405 | }
406 | 
407 | .breadcrumb-item.active {
408 |   color: #555;
409 | }
410 | 
411 | body.theme-dark .breadcrumb-item.active {
412 |   color: var(--mitre-silver);
413 | }
414 | 
415 | h1,
416 | h2,
417 | h3,
418 | h4,
419 | h5,
420 | h6 {
421 |   font-family: "Oswald", "Roboto", Helvetica, Arial, sans-serif;
422 |   font-weight: 400;
423 | }
424 | 
425 | section[id] {
426 |   scroll-margin-top: 6rem;
427 | }
428 | 
429 | .reference.internal:hover {
430 |   color: var(--mitre-black);
431 |   text-decoration: underline;
432 | }
433 | 
434 | .reference.internal.active {
435 |   color: var(--mitre-black) !important;
436 |   font-weight: 600;
437 | }
438 | 
439 | .page-toc {
440 |   word-break: keep-all;
441 |   line-break: strict;
442 | }
443 | 
444 | body.theme-dark .reference.internal:hover,
445 | body.theme-dark .reference.internal.active {
446 |   color: var(--mitre-light-blue) !important;
447 | }
448 | 
449 | body.theme-dark hr,
450 | body.theme-dark .border,
451 | body.theme-dark .with-border,
452 | body.theme-dark .border-top,
453 | body.theme-dark .border-right,
454 | body.theme-dark .sidebar-container,
455 | body.theme-dark .border-bottom,
456 | body.theme-dark .border-left,
457 | body.theme-dark .search li {
458 |   border-color: rgba(255, 255, 255, 0.1) !important;
459 | }
460 | 
461 | #collapseSidebar {
462 |   top: 80px;
463 | }
464 | 
465 | .sticky-top.toc.page-toc {
466 |   top: 100px;
467 |   padding-top: 0;
468 | }
469 | 
470 | header .navbar {
471 |   justify-content: space-between;
472 | }
473 | 
474 | a.navbar-brand {
475 |   float: right;
476 | }
477 | 
478 | .navbar a h1 {
479 |   color: var(--text-color-inverse);
480 |   font-size: 24px;
481 |   margin-bottom: 0;
482 | }
483 | 
484 | #main {
485 |   padding: 10px 40px;
486 | }
487 | 
488 | header.sticky-top {
489 |   z-index: 100;
490 | }
491 | 
492 | #search-form .input-group-prepend div,
493 | #search-form input {
494 |   border-radius: 0 !important;
495 | }
496 | 
497 | .toc.page-toc p,
498 | .caption .caption-text {
499 |   color: var(--mitre-black);
500 |   font-weight: 500 !important;
501 | }
502 | 
503 | code {
504 |   color: var(--me-ext-code) !important;
505 | }
506 | 
507 | body.theme-dark code {
508 |   color: var(--me-ext-cranberry-highlighter) !important;
509 | }
510 | 
511 | iframe {
512 |   max-width: 100% !important;
513 | }
514 | 
515 | *:focus {
516 |   outline: none !important;
517 | }
518 | 
519 | @media (min-width: 1400px) {
520 |   .container.container-fluid {
521 |     width: 1370px;
522 |     max-width: 1370px;
523 |   }
524 | }


--------------------------------------------------------------------------------
/mappings/input/enterprise-attack-v13.1-datasources.csv:
--------------------------------------------------------------------------------
 1 | name,ID,description,collection layers,platforms,created,modified,type,version,url
 2 | Active Directory,DS0026,"A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)","Cloud Control Plane, Host","Azure AD, Windows",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0026
 3 | Application Log,DS0015,"Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)","Cloud Control Plane, Host","Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0015
 4 | Certificate,DS0037,"A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications",OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0037
 5 | Cloud Service,DS0025,"Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products)",Cloud Control Plane,"Azure AD, Google Workspace, IaaS, Office 365, SaaS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0025
 6 | Cloud Storage,DS0010,"Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)",Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0010
 7 | Command,DS0017,"A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command  Line)(Citation: Audit OSX)","Container, Host","Android, Containers, Linux, Network, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0017
 8 | Container,DS0032,A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container),Container,Containers,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0032
 9 | Domain Name,DS0038,Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org),OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0038
10 | Drive,DS0016,"A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0016
11 | Driver,DS0027,"A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0027
12 | File,DS0022,"A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)",Host,"Linux, Network, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0022
13 | Firewall,DS0018,"A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)","Cloud Control Plane, Host","Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0018
14 | Firmware,DS0001,"Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0001
15 | Group,DS0036,A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups),"Cloud Control Plane, Host","Azure AD, Google Workspace, IaaS, Office 365, SaaS, Windows",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0036
16 | Image,DS0007,A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI),Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0007
17 | Instance,DS0030,"A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM)",Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0030
18 | Internet Scan,DS0035,Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet,OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0035
19 | Kernel,DS0008,"A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)",Host,"Linux, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0008
20 | Logon Session,DS0028,"Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)","Cloud Control Plane, Host, Network","Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0028
21 | Malware Repository,DS0004,"Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries",OSINT,PRE,20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0004
22 | Module,DS0011,"Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0011
23 | Named Pipe,DS0023,Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes),Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0023
24 | Network Share,DS0033,"A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0033
25 | Network Traffic,DS0029,"Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)","Cloud Control Plane, Host, Network","Android, IaaS, Linux, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0029
26 | Persona,DS0021,A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims,OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0021
27 | Pod,DS0014,"A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)",Container,Containers,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0014
28 | Process,DS0009,"Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)",Host,"Android, Linux, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0009
29 | Scheduled Job,DS0003,"Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)","Container, Host","Containers, Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0003
30 | Script,DS0012,"A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)",Host,Windows,20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0012
31 | Sensor Health,DS0013,"Information from host telemetry providing insights about system status, errors, or other notable functional activity",Host,"Android, Linux, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0013
32 | Service,DS0019,"A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0019
33 | Snapshot,DS0020,"A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)",Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0020
34 | User Account,DS0002,"A profile representing a user, device, service, or application used to authenticate and access resources","Cloud Control Plane, Container, Host","Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0002
35 | Volume,DS0034,"Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)","Cloud Control Plane, Host","IaaS, Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0034
36 | WMI,DS0005,The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture),Host,Windows,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0005
37 | Web Credential,DS0006,"Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)","Cloud Control Plane, Host","Azure AD, Google Workspace, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0006
38 | Windows Registry,DS0024,"A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)",Host,Windows,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0024
39 | 


--------------------------------------------------------------------------------
/mappings/input/enterprise/csv/Auditd-sensors-mappings-enterprise.csv:
--------------------------------------------------------------------------------
  1 | EVENT ID,EVENT DESCRIPTION,ATT&CK DATA SOURCE ID,ATT&CK DATA SOURCE,ATT&CK DATA COMPONENT,SOURCE,RELATIONSHIP,TARGET
  2 | USYS_CONFIG,Triggered when a user-space system configuration change is detected,DS0017,Command,Command Execution,Process/User,Modified,Configuration
  3 | FS_RELABEL,Triggered when a file system relabel operation is detected,DS0016,Drive,Drive Modification,Process/User,Modified,Drive
  4 | ANOM_LINK,Triggered when suspicious use of file links is detected,DS0022,File,File Access,Process/User,Created,File
  5 | USER_AVC,Triggered when a user-space AVC message is generated,DS0022,File,File Access,Process/User,Accessed,File
  6 | USER_CHAUTHTOK,op record field contains value deleting mail file,DS0022,File,File Deletion,Process/User,Deleted,File
  7 | USER_LABELED_EXPORT,Triggered when an object is exported with an SELinux label,DS0022,File,File Metadata,Service,Modified,File
  8 | USER_UNLABELED_EXPORT,Triggered when an object is exported without an SELinux label,DS0022,File,File Metadata,Process/User,Modified,File
  9 | LABEL_LEVEL_CHANGE,Triggered when an object's level label is modified,DS0022,File,File Modification,Process/User,Modified,File
 10 | LABEL_OVERRIDE,Triggered when administrator overrides object's level label,DS0022,File,File Modification,User,Modified,File
 11 | NETFILTER_CFG,Triggered when Netfilter chain modifications are detected,DS0018,Firewall,Firewall Rule Modification,Process/User,Modified,Firewall
 12 | ADD_GROUP,Triggered when a user-space group is added,DS0036,Group,Group Creation,Process/User,Created,Group
 13 | DEL_GROUP,Triggered when a user-space group is deleted,DS0036,Group,Group Deletion,Process/User,Deleted,Group
 14 | SYSTEM_RUNLEVEL,Triggered when the system run level is changed,DS0013,Sensor Health,Host Status,Process/User,Modified,Host Status
 15 | SYSTEM_SHUTDOWN,Triggered when the system is shut down,DS0013,Sensor Health,Host Status,Process/User,Modified,Host Status
 16 | CRYPTO_SESSION,Triggered to record parameters set during a TLS session establishment,DS0028,Logon Session,Logon Session Creation,Service,Created,Logon
 17 | USER_LOGIN,Triggered when a user logs in,DS0028,Logon Session,Logon Session Creation,Service,Created,Logon
 18 | USER_START,Triggered when a user-space session is started,DS0028,Logon Session,Logon Session Creation,Service,Created,Logon Session
 19 | CRYPTO_KEY_USER,Triggered to record crypto key identifier used for crypto purposes,DS0028,Logon Session,Logon Session Metadata,Service,Accessed,Logon Session
 20 | LOGIN,Triggered to record relevant login information when user logs into system,DS0028,Logon Session,Logon Session Metadata,Service,Modified,Logon Session
 21 | USER_END,Triggered when a user-space session is terminated,DS0028,Logon Session,Logon Session Metadata,Service,Terminated,Logon Session
 22 | USER_LOGOUT,Triggered when a user logs out,DS0028,Logon Session,Logon Session Metadata,Service,Terminated,Logon
 23 | MAC_UNLBL_ALLOW,Triggered when unlabeled traffic is allowed when using packet labeling,DS0029,Network Traffic,Network Traffic Content,Process/User,Accessed,Network
 24 | TTY,Triggered when TTY input was sent to an administrative process,DS0009,Process,Process Access,Process/User,Accessed,Process
 25 | USER_CMD,Triggered when a user-space shell command is executed,DS0009,Process,Process Creation,User,Created,Process
 26 | ANOM_ABEND,"Triggered when a processes ends abnormally (with core dump, if enabled)",DS0009,Process,Process Termination,Process/User,Deleted,Process
 27 | AVC,Triggered to record an SELinux permission check,DS0019,Service,Service Access,Service,Modified,Service
 28 | DAEMON_START,Triggered when the auditd daemon is started,DS0019,Service,Service Creation,Process/User,Created,Service
 29 | MAC_POLICY_LOAD,Triggered when a SELinux Policy file is loaded,DS0019,Service,Service Creation,Service,Created,Service
 30 | DAEMON_ABORT,Triggered when a daemon is stopped due to an error,DS0019,Service,Service Metadata,Process/User,Terminated,Service
 31 | DAEMON_END,Triggered when a daemon is successfully stopped,DS0019,Service,Service Metadata,Process/User,Terminated,Service
 32 | DAEMON_RESUME,Triggered when the auditd daemon resumes logging,DS0019,Service,Service Metadata,Service,Resumed,Service
 33 | DAEMON_ROTATE,Triggered when the auditd daemon rotates the Audit log files,DS0019,Service,Service Metadata,Service,Modified,Service
 34 | SELINUX_ERR,Triggered when an internal SELinux error is detected,DS0019,Service,Service Metadata,Process/User,Accessed,Service
 35 | USER_TTY,Triggered when an explanatory msg about TTY input to admin proc is sent,DS0019,Service,Service Metadata,Service,Accessed,Service
 36 | ANOM_PROMISCUOUS,Triggered when a device enables or disables promiscuous mode,DS0019,Service,Service Modification,Process/User,Modified,Service
 37 | CONFIG_CHANGE,audit_enabled record field contains 1 or 2,DS0019,Service,Service Modification,Process/User,Modified,Service
 38 | CONFIG_CHANGE,audit_enabled record field contains 0,DS0019,Service,Service Modification,Process/User,Modified,Service
 39 | CONFIG_CHANGE,op record field contains add rule,DS0019,Service,Service Modification,Process/User,Modified,Service
 40 | CONFIG_CHANGE,op record field contains remove rule,DS0019,Service,Service Modification,Process/User,Modified,Service
 41 | CONFIG_CHANGE,audit_failure record field contains value 0,DS0019,Service,Service Modification,Service,Modified,Service
 42 | CONFIG_CHANGE,audit_failure record field contains value 1,DS0019,Service,Service Modification,Service,Modified,Service
 43 | CONFIG_CHANGE,audit_failure record field contains value 2,DS0019,Service,Service Modification,Service,Modified,Service
 44 | CONFIG_CHANGE,any other CONFIG_CHANGE cases not specified above,DS0019,Service,Service Modification,Process/User,Modified,Service
 45 | DAEMON_CONFIG,Triggered when a daemon configuration change is detected,DS0019,Service,Service Modification,Process/User,Modified,Service
 46 | MAC_CIPSOV4_ADD,Triggered when Commercial Internet Protocol Security Option user adds a new Domain of Interpretation (DOI) via NetLabel,DS0019,Service,Service Modification,User,Modified,Service
 47 | MAC_CIPSOV4_DEL,Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.,DS0019,Service,Service Modification,User,Modified,Service
 48 | MAC_CONFIG_CHANGE,Triggered when an SELinux Boolean value is changed,DS0019,Service,Service Modification,Process/User,Modified,Service
 49 | MAC_MAP_ADD,Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.,DS0019,Service,Service Modification,User,Modified,Service
 50 | MAC_MAP_DEL,Triggered when existing LSM domain mapping is deleted,DS0019,Service,Service Modification,User,Modified,Service
 51 | MAC_STATUS,"Triggered when the SELinux mode is changed (enforcing, permissive, etc)",DS0019,Service,Service Modification,Process/User,Modified,Service
 52 | ROLE_ASSIGN,Triggered when an administrator user assigns user to SELinux role,DS0019,Service,Service Modification,Process/User,Modified,Service
 53 | ROLE_REMOVE,Triggered when an administrator removes a user from an SELinux role,DS0019,Service,Service Modification,Process/User,Modified,Service
 54 | CRED_REFR,Triggered when a user refreshes their user-space credentials,DS0002,User Account,User Account Access,Process/User,Accessed,User Account
 55 | USER_CHAUTHTOK,op record field contains value moving home directory,DS0002,User Account,User Account Access,Process/User,Modified,User Account
 56 | USER_CHAUTHTOK,op record field contains value user lookup,DS0002,User Account,User Account Access,Process/User,Accessed,User Account
 57 | ANOM_LOGIN_FAILURES,Triggered when the limit of failed login attempts is reached,DS0002,User Account,User Account Authentication,Service,Accessed,User Account
 58 | ANOM_LOGIN_LOCATION,Triggered when a login atempt is made from forbidden location,DS0002,User Account,User Account Authentication,Service,Closed,User Account
 59 | ANOM_LOGIN_SESSIONS,Triggered when a login attempt reaches max amount of sessions,DS0002,User Account,User Account Authentication,Service,Closed,User Account
 60 | ANOM_LOGIN_TIME,Triggered when a login attempt is made at a time when prevented,DS0002,User Account,User Account Authentication,Service,Closed,User Account
 61 | RESP_ACCT_LOCK,Triggered when a user account is locked,DS0002,User Account,User Account Authentication,Process/User,Locked,User Account
 62 | RESP_ACCT_UNLOCK_TIMED,Triggered when user account is unlocked after configured time,DS0002,User Account,User Account Authentication,Service,Unlocked,User Account
 63 | USER_ACCT,Triggered when a user-space user authorization attempt is detected,DS0002,User Account,User Account Authentication,Service,Authorized,User Account
 64 | USER_AUTH,Triggered when a user-space user authentication attempt is detected,DS0002,User Account,User Account Authentication,Service,Authenticates,User Account
 65 | ADD_USER,Triggered when a user-space user account is created,DS0002,User Account,User Account Creation,Process/User,Created,User Account
 66 | ANOM_ADD_ACCOUNT,Triggered when a user-space account addition ends abnormally,DS0002,User Account,User Account Creation,Process/User,Created,User Account
 67 | USER_ROLE_CHANGE,op record field contains add SELinux user record,DS0002,User Account,User Account Creation,Process/Suer,Created,User Account
 68 | ANOM_DEL_ACCOUNT,Triggered when a user-space account deletion ends abnormally,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
 69 | DEL_USER,Triggered when a user-space user is deleted,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
 70 | USER_CHAUTHTOK,op record field contains value deleting user entries,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
 71 | USER_CHAUTHTOK,op record field contains value deleting user not found,DS0002,User Account,User Account Deletion,Process/User,Errored,User Account
 72 | USER_CHAUTHTOK,op record field contains value deleting user,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
 73 | USER_CHAUTHTOK,op record field contains value deleting user logged in,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
 74 | USER_CHAUTHTOK,op record field contains value deleting home directory,DS0002,User Account,User Account Deletion,Process/User,Modified,User Account
 75 | USER_ROLE_CHANGE,op record field contains delete SELinux user record,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
 76 | CRED_ACQ,Triggered when a user acquires user-space credentials,DS0002,User Account,User Account Metadata,Service,Accessed,User Account
 77 | CRED_DISP,Triggered when a user disposes of user-space credentials,DS0002,User Account,User Account Metadata,Service,Deleted,User Account
 78 | USER_CHAUTHTOK,op record field contains value unlock password,DS0002,User Account,User Account Metadata,Process/User,Unlocked,User Account
 79 | USER_ERR,Triggered when a user account state error is detected,DS0002,User Account,User Account Metadata,Process/User,Accessed,User Account
 80 | USER_CHAUTHTOK,op record field contains value change password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 81 | USER_CHAUTHTOK,op record field contains value changing password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 82 | USER_CHAUTHTOK,op record field contains value change expired password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 83 | USER_CHAUTHTOK,op record field contains value change age,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 84 | USER_CHAUTHTOK,op record field contains value change max age,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 85 | USER_CHAUTHTOK,op record field contains value change min age,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 86 | USER_CHAUTHTOK,op record field contains value change passwd warning,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 87 | USER_CHAUTHTOK,op record field contains value change inactive days,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 88 | USER_CHAUTHTOK,op record field contains value change passwd expiration,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 89 | USER_CHAUTHTOK,op record field contains value change last change date,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 90 | USER_CHAUTHTOK,op record field contains value change all aging information,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 91 | USER_CHAUTHTOK,op record field contains value password attribute change,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 92 | USER_CHAUTHTOK,op record field contains value password aging data updated,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 93 | USER_CHAUTHTOK,op record field contains value display aging info,DS0002,User Account,User Account Modification,Process/User,Accessed,User Account
 94 | USER_CHAUTHTOK,op record field contains value password status display,DS0002,User Account,User Account Modification,Process/User,Accessed,User Account
 95 | USER_CHAUTHTOK,op record field contains value password status displayed for user,DS0002,User Account,User Account Modification,Process/User,Accessed,User Account
 96 | USER_CHAUTHTOK,op record field contains value adding to group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 97 | USER_CHAUTHTOK,op record field contains value adding group member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 98 | USER_CHAUTHTOK,op record field contains value adding user to group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
 99 | USER_CHAUTHTOK,op record field contains value adding user to shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
100 | USER_CHAUTHTOK,op record field contains value changing primary group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
101 | USER_CHAUTHTOK,op record field contains value changing group member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
102 | USER_CHAUTHTOK,op record field contains value changing admin name in shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
103 | USER_CHAUTHTOK,op record field contains value changing member in shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
104 | USER_CHAUTHTOK,op record field contains value deleting group password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
105 | USER_CHAUTHTOK,op record field contains value deleting member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
106 | USER_CHAUTHTOK,op record field contains value deleting user from group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
107 | USER_CHAUTHTOK,op record field contains value deleting user from shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
108 | USER_CHAUTHTOK,op record field contains value removing group member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
109 | USER_CHAUTHTOK,op record field contains value removing user from shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
110 | USER_CHAUTHTOK,op record field contains value adding group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
111 | USER_CHAUTHTOK,op record field contains value deleting group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
112 | USER_CHAUTHTOK,op record field contains value adding user,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
113 | USER_CHAUTHTOK,op record field contains value adding home directory,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
114 | USER_CHAUTHTOK,op record field contains value lock password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
115 | USER_CHAUTHTOK,op record field contains value delete password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
116 | USER_CHAUTHTOK,op record field contains value updating password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
117 | USER_CHAUTHTOK,op record field contains value changing name,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
118 | USER_CHAUTHTOK,op record field contains value changing uid,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
119 | USER_CHAUTHTOK,op record field contains value changing home directory,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
120 | USER_CHAUTHTOK,op record field contains value changing mail file name,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
121 | USER_CHAUTHTOK,op record field contains value changing mail file owner,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
122 | USER_CHAUTHTOK,Triggered when a user account password or PIN is modified,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
123 | USER_ROLE_CHANGE,any other USER_ROLE_CHANGE cases not specified above,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
124 | 


--------------------------------------------------------------------------------
/mappings/input/enterprise/csv/WinEvtx-sensors-mappings-enterprise.csv:
--------------------------------------------------------------------------------
  1 | EVENT ID,EVENT DESCRIPTION,ATT&CK DATA SOURCE ID,ATT&CK DATA SOURCE,ATT&CK DATA COMPONENT,SOURCE,RELATIONSHIP,TARGET
  2 | 4768,A Kerberos authentication ticket (TGT) was requested.,DS0026,Active Directory,Active Directory Credential Request,User,Requested,Ad Credential
  3 | 4769,A Kerberos service ticket was requested.,DS0026,Active Directory,Active Directory Credential Request,User,Requested,Ad Credential
  4 | 4771,Kerberos pre-authentication failed,DS0026,Active Directory,Active Directory Credential Request,User,Requested,Ad Credential
  5 | 4661,A handle to an object was requested.,DS0026,Active Directory,Active Directory Object Access,User,Requested Access To,Ad Object
  6 | 4662,An operation was performed on an object.,DS0026,Active Directory,Active Directory Object Access,User,Accessed,Ad Object
  7 | 4773,A Kerberos service ticket request failed,DS0026,Active Directory,Active Directory Object Access,User,Requested,Service Ticket
  8 | 4932,Synchronization of a replica of an Active Directory naming context has begun.,DS0026,Active Directory,Active Directory Object Access,User,Accessed,Ad Object
  9 | 5137,A directory service object was created.,DS0026,Active Directory,Active Directory Object Creation,User,Created,Ad Object
 10 | 5138,A directory service object was undeleted,DS0026,Active Directory,Active Directory Object Creation,User,Restored,Ad Object
 11 | 5141,A directory service object was deleted.,DS0026,Active Directory,Active Directory Object Deletion,User,Deleted,Ad Object
 12 | 4719,System audit policy was changed.,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Ad Object
 13 | 4737,A security-enabled global group was changed.,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Group
 14 | 4770,A Kerberos service ticket was renewed,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Ad Credential
 15 | 5136,A directory service object was modified.,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Ad Object
 16 | 5139,A directory service object was moved.,DS0026,Active Directory,Active Directory Object Modification,User,Created,Ad Object
 17 | 4103,Module logging.,DS0017,Command,Command Execution,User,Executed,Command
 18 | 6416,A new external device was recognized by the system.,DS0016,Drive,Drive Creation,User,Installed,Drive
 19 | 6423,The installation of this device is forbidden by system policy.,DS0016,Drive,Drive Creation,User,Attempted To Install,Drive
 20 | 6424,"The installation of this device was allowed, after having previously been forbidden by policy.",DS0016,Drive,Drive Creation,User,Installed,Drive
 21 | 6419,A request was made to disable a device.,DS0016,Drive,Drive Modification,User,Attempted To Disable,Drive
 22 | 6420,A device was disabled.,DS0016,Drive,Drive Modification,User,Disabled,Drive
 23 | 6421,A request was made to enable a device.,DS0016,Drive,Drive Modification,User,Attempted To Enable,Drive
 24 | 6422,A device was enabled.,DS0016,Drive,Drive Modification,User,Enabled,Drive
 25 | 4656,A handle to an object was requested.,DS0022,File,File Access,Process/User,Requested Access To,File
 26 | 4661,A handle to an object was requested.,DS0022,File,File Access,User,Requested Access To,File
 27 | 4663,An attempt was made to access an object,DS0022,File,File Access,Process/User,Accessed,File
 28 | 4690,An attempt was made to duplicate a handle to an object.,DS0022,File,File Access,File,Accessed,File Handle
 29 | 4663,An attempt was made to access an object.,DS0022,File,File Creation,Process/User,Created,File
 30 | 4660,An object was deleted.,DS0022,File,File Deletion,Process/User,Deleted,Registry
 31 | 4663,An attempt was made to access an object.,DS0022,File,File Deletion,Process/User,Deleted,File
 32 | 4664,An attempt was made to create a hard link.,DS0022,File,File Metadata,File,Modified,File
 33 | 4670,Permissions on an object were changed.,DS0022,File,File Modification,Process/User,Modified,File
 34 | 5025,The Windows Firewall Service has been stopped.,DS0018,Firewall,Firewall Disable,Process/User,Disabled,Firewall
 35 | 5034,The Windows Firewall Driver was stopped.,DS0018,Firewall,Firewall Disable,Process/User,Disabled,Firewall
 36 | 5024,The Windows Firewall Service has started successfully.,DS0018,Firewall,Firewall Enabled,Process/User,Enabled,Firewall
 37 | 2002,A Windows Defender Firewall setting has changed.,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall
 38 | 2003,A Windows Defender Firewall setting in the Private profile has changed.,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall
 39 | 2009,The Windows Firewall service failed to load Group Policy.,DS0018,Firewall,Firewall Metadata,Firewall,Attempted To Load,Configuration
 40 | 4950,A windows firewall setting has changed,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall Setting
 41 | 4954,Windows firewall group policy settings has changed,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall Group Policy
 42 | 2004,A rule has been added to the Windows Defender Firewall exception list,DS0018,Firewall,Firewall Rule Modification,Process/User,Add,Firewall Rule
 43 | 2005,A rule has been modified in the Windows Defender Firewall exception list.,DS0018,Firewall,Firewall Rule Modification,Process/User,Modified,Firewall Rule
 44 | 2006,A rule has been deleted in the Windows Defender Firewall exception list,DS0018,Firewall,Firewall Rule Modification,Process/User,Removed,Firewall Rule
 45 | 2033,All rules have been deleted from the Windows Firewall configuration on this computer.,DS0018,Firewall,Firewall Rule Modification,User,Removed,Firewall Rule
 46 | 4946,A change has been made to Windows Firewall exception list. A rule was added.,DS0018,Firewall,Firewall Rule Modification,Process/User,Added,Firewall Rule
 47 | 4947,A change has been made to Windows Firewall exception list. A rule was modified.,DS0018,Firewall,Firewall Rule Modification,Process/User,Modified,Firewall Rule
 48 | 4948,A change has been made to Windows Firewall exception list. A rule was deleted.,DS0018,Firewall,Firewall Rule Modification,Process/User,Removed,Firewall Rule
 49 | 4727,A security-enabled global group was created.,DS0036,Group,Group Creation,User,Created,Group
 50 | 4731,A security-enabled local group was created.,DS0036,Group,Group Creation,User,Created,Group
 51 | 4754,A security-enabled universal group was created.,DS0036,Group,Group Creation,User,Created,Group
 52 | 4730,A security-enabled global group was deleted.,DS0036,Group,Group Deletion,User,Deleted,Group
 53 | 4734,A security-enabled local group was deleted.,DS0036,Group,Group Deletion,User,Deleted,Group
 54 | 4758,A security-enabled universal group was deleted.,DS0036,Group,Group Deletion,User,Deleted,Group
 55 | 4798,A user's local group membership was enumerated.,DS0036,Group,Group Enumeration,User,Enumerated,Group
 56 | 4799,A security-enabled local group membership was enumerated.,DS0036,Group,Group Enumeration,Group,Enumerated,Group
 57 | 4729,A member was removed from a security-enabled global group.,DS0036,Group,Group Modification,User,Modified,Group
 58 | 4732,A member was added to a security-enabled local group.,DS0036,Group,Group Modification,User,Modified,Group
 59 | 4733,A member was removed from a security-enabled local group.,DS0036,Group,Group Modification,User,Modified,Group
 60 | 4735,A security-enabled local group was changed.,DS0036,Group,Group Modification,User,Modified,Group
 61 | 4755,A security-enabled universal group was changed.,DS0036,Group,Group Modification,User,Modified,Group
 62 | 4756,A member was added to a security-enabled universal group.,DS0036,Group,Group Modification,User,Modified,Group
 63 | 4757,A member was removed from a security-enabled universal group.,DS0036,Group,Group Modification,User,Modified,Group
 64 | 4764,A groups type was changed.,DS0036,Group,Group Modification,User,Modified,Group
 65 | 1100,The event logging service has shut down.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
 66 | 1101,Audit events have been dropped by the transport.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
 67 | 1102,The audit log was cleared.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
 68 | 1104,The security Log is now full.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
 69 | 4616,The system time was changed.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
 70 | 6005,The Event log service was started.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
 71 | 6006,The Event log service was stopped.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
 72 | 4624,An account was successfully logged on,DS0028,Logon Session,Logon Session Creation,User,Created Logon From,Ip/Port/Logon Session
 73 | 4778,A session was reconnected to a Window Station.,DS0028,Logon Session,Logon Session Creation,User,Created Logon From,Ip
 74 | 4964,Special groups have been assigned to a new logon.,DS0028,Logon Session,Logon Session Creation,User,Created,Logon Session
 75 | 4610,An authentication package has been loaded by the Local Security Authority.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
 76 | 4611,A trusted logon process has been registered with the Local Security Authority.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
 77 | 4614,A notification package has been loaded by the Security Account Manager.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
 78 | 4622,A security package has been loaded by the Local Security Authority.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
 79 | 4634,An account was logged off,DS0028,Logon Session,Logon Session Metadata,User,Terminated,Logon Session
 80 | 4647,User initiated logoff.,DS0028,Logon Session,Logon Session Metadata,User,Terminated,Logon Session
 81 | 4673,A privileged service was called.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
 82 | 4674,An operation was attempted on a privileged object.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
 83 | 4672,Special privileges assigned to new logon.,DS0028,Logon Session,Logon Session Modification,Logon,Modified,
 84 | 4779,A session was disconnected from a Window Station,DS0028,Logon Session,Logon Session Terminated,User,Disconnected Fom,Host
 85 | 4656,A handle to an object was requested.,DS0023,Named Pipe,Named Pipe Metadata,Process,Created,Pipe
 86 | 5145,A network share object was checked to see whether client can be granted desired access.,DS0023,Named Pipe,Named Pipe Metadata,User,Created,Pipe
 87 | 5031,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Connection To,Process
 88 | 5154,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Device,Permitted Listener On,Ip/Port/Process
 89 | 5154,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Process,Listened On,Port
 90 | 5155,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Listener To,Ip/Port/Process
 91 | 5155,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Process,Attempted To Listen On,Port
 92 | 5156,The Windows Filtering Platform has permitted a connection.,DS0029,Network Traffic,Network Connection Creation,Process,Connected To,Ip/Port
 93 | 5157,The Windows Filtering Platform has blocked a connection.,DS0029,Network Traffic,Network Connection Creation,Process,Attempted Connection To/From,Ip/Port
 94 | 5157,The Windows Filtering Platform has blocked a connection.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Connection To,Process/Port
 95 | 5158,The Windows Filtering Platform has permitted a bind to a local port.,DS0029,Network Traffic,Network Connection Creation,Process,Bound To,Port
 96 | 5159,The Windows Filtering Platform has blocked a bind to a local port.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Port Bind On,Ip/Port/Process
 97 | 5159,The Windows Filtering Platform has blocked a bind to a local port.,DS0029,Network Traffic,Network Connection Creation,Process,Attempted To Bind On,Port
 98 | 5140,A network share object was accessed.,DS0033,Network Share,Network Share Access,User,Attempted To Access,Network Share
 99 | 5145,A network share object was checked to see whether client can be granted desired access.,DS0033,Network Share,Network Share Access,User,Attempted To Access,Network Share
100 | 5142,A network share object was added.,DS0033,Network Share,Network Share Creation,User,Created,Network Share
101 | 5144,A network share object was deleted.,DS0033,Network Share,Network Share Deletion,User,Deleted,Network Share
102 | 5143,A network share object was modified.,DS0033,Network Share,Network Share Modification,User,Modified,Network Share
103 | 4656,A handle to an object was requested,DS0009,Process,Process Access,Process,Requested Access To,Process
104 | 4663,An attempt was made to access an object,DS0009,Process,Process Access,Process/User,Accessed,Process
105 | 4688,Program execution. When you start a program you are creating a process that stays open until the program ends,DS0009,Process,Process Creation,Process/User,Created,Process
106 | 4696,A primary token was assigned to process. The assigning process fields identifies the process that started the child (new) process,DS0009,Process,Process Creation,Process/User,Created,Process
107 | 4689,A process has exited.,DS0009,Process,Process Termination,User,Terminated,Process
108 | 4698,A scheduled task was created.,DS0003,Scheduled Job,Scheduled Job Creation,User,Created,Scheduled Job
109 | 4699,A scheduled task was deleted.,DS0003,Scheduled Job,Scheduled Job Deletion,User,Deleted,Scheduled Job
110 | 4700,A scheduled task was enabled.,DS0003,Scheduled Job,Scheduled Job Modification,User,Enabled,Scheduled Job
111 | 4701,A scheduled task was disabled.,DS0003,Scheduled Job,Scheduled Job Modification,User,Disabled,Scheduled Job
112 | 4702,A scheduled task was updated.,DS0003,Scheduled Job,Scheduled Job Modification,User,Modified,Scheduled Job
113 | 4103,Module logging.,DS0012,Script,Script Execution,Process,Executed,Script
114 | 4104,Script Block Logging.,DS0012,Script,Script Execution,Process,Executed,Script
115 | 4656,A handle to an object was requested.,DS0019,Service,Service Access,User,Requested Access To,Service
116 | 4697,A service was installed in the system.,DS0019,Service,Service Creation,User,Created,Service
117 | 6005,The Event log service was started.,DS0019,Service,Service Metadata,Service,Started,
118 | 6006,The Event log service was stopped.,DS0019,Service,Service Metadata,Service,Stopped,
119 | 4648,A logon was attempted using explicit credentials.,DS0002,User Account,User Account Authentication,User,Attempted To Authenticate From,Ip/Port
120 | 4776,The computer attempted to validate the credentials for an account,DS0002,User Account,User Account Authentication,User,Authenticated From,Device
121 | 4625,An account failed to log on,DS0002,User Account,User Account Authentication,User,Attempted To Authenticate From,Ip/Port
122 | 4720,A user account was created,DS0002,User Account,User Account Creation,User,Created,User Account
123 | 4741,A computer account was created.,DS0002,User Account,User Account Creation,User,Created,User Account
124 | 4726,A user account was deleted,DS0002,User Account,User Account Deletion,User,Deleted,User Account
125 | 4743,A computer account was deleted.,DS0002,User Account,User Account Deletion,User,Deleted,User Account
126 | 4674,An operation was attempted on a privileged object,DS0002,User Account,User Account Metadata,Process/User,Accessed,User Privileges
127 | 4703,A user right was adjusted.,DS0002,User Account,User Account Modification,Logon,Metadata,
128 | 4717,System security access was granted to an account.,DS0002,User Account,User Account Modification,User,Granted Access To,User Account
129 | 4718,System security access was removed from an account.,DS0002,User Account,User Account Modification,User,Removed Access To,User Account
130 | 4722,A user account was enabled.,DS0002,User Account,User Account Modification,User,Enabled,User Account
131 | 4723,An attempt was made to change an account's password.,DS0002,User Account,User Account Modification,User,Attempted To Modify,User Account
132 | 4724,An attempt was made to reset an account's password,DS0002,User Account,User Account Modification,User,Attempted To Modify,User Account
133 | 4725,A user account was disabled.,DS0002,User Account,User Account Modification,User,Disabled,User Account
134 | 4738,A user account was changed.,DS0002,User Account,User Account Modification,User,Modified,User Account
135 | 4740,A user account was locked out.,DS0002,User Account,User Account Modification,User,Locked,User Account
136 | 4742,A computer account was changed.,DS0002,User Account,User Account Modification,User,Modified,User Account
137 | 4767,A user account was unlocked.,DS0002,User Account,User Account Modification,User,Unlocked,User Account
138 | 4781,The name of an account was changed.,DS0002,User Account,User Account Modification,User,Modified,User Account
139 | 4663,An attempt was made to access an object,DS0024,Windows Registry,Windows Registry Key Access,Process/User,Accessed,Registry
140 | 4657,A registry value was modified.,DS0024,Windows Registry,Windows Registry Key Creation,Process/User,Created,Registry
141 | 4657,A registry value was modified.,DS0024,Windows Registry,Windows Registry Key Deletion,Process/User,Deleted,Registry
142 | 4660,An object was deleted.,DS0024,Windows Registry,Windows Registry Key Deletion,Process/User,Deleted,Registry
143 | 4657,A registry value was modified.,DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,Registry
144 | 4670,Permissions on an object were changed.,DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,File
145 | 5857,WMIProv provider started.,DS0005,WMI,WMI Creation,User,Created,WMI Object
146 | 5858,WMI Query Error.,DS0005,WMI,WMI Creation,User,Created,WMI Object
147 | 5859,WMI Event.,DS0005,WMI,WMI Creation,User,Created,WMI Object
148 | 5860,WMI temporary event created.,DS0005,WMI,WMI Creation,User,Created,WMI Object
149 | 5861,WMI permanent event created.,DS0005,WMI,WMI Creation,User,Created,WMI Object
150 | 


--------------------------------------------------------------------------------