# Awesome Mitre ATT&CK™ Framework

[![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)

> A curated list of awesome resources related to the Mitre ATT&CK™ Framework

## Contents

- [Red and Purple Team](#red-and-purple-team)
  - [Resources](#resources)
  - [Tools](#tools)
    - [Red Team](#red-team)
    - [Purple Team](#purple-team)
    - [Adversary Emulation](#adversary-emulation)
- [Threat Hunting](#threat-hunting)
  - [Resources](#resources-1)
  - [Tools](#tools-1)
- [Threat Intelligence](#threat-intelligence)
  - [Resources](#resources-2)
  - [Tools](#tools-2)
- [Community](#community)

------

## Red and Purple Team

### Resources

- [MITRE ATT&CK™ Evaluations Round 1 - APT3](https://attackevals.mitre.org/methodology/round1/)
- [Getting Started with ATT&CK: Adversary Emulation and Red Teaming](https://medium.com/mitre-attack/getting-started-with-attack-red-29f074ccf7e3)
- [Adversary Emulation Plans](https://attack.mitre.org/resources/adversary-emulation-plans/)
- [The Threat Emulation Problem](https://blog.cobaltstrike.com/2016/02/17/the-threat-emulation-problem/)
- [Why we love threat emulation exercises (and how to get started with one of your own)](https://expel.io/blog/why-we-love-threat-emulation-exercises/)
- [MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary to Create Better Detections, David Herrald and Ryan Kovar, Splunk](https://www.slideshare.net/attackcon2018/mitre-attckcon-2018-from-automation-to-analytics-simulating-the-adversary-to-create-better-detections-david-herrald-and-ryan-kovar-splunk)
- [Living Off The Land Binaries and Scripts (and also Libraries)](https://lolbas-project.github.io/)
- [Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK](https://www.digitalshadows.com/blog-and-research/purple-teaming-with-vectr-cobalt-strike-and-mitre-attck/)
- [Red Team Use of MITRE ATT&CK](https://medium.com/@malcomvetter/red-team-use-of-mitre-att-ck-f9ceac6b3be2)
- [Purple Teaming with ATT&CK - x33fcon 2018](https://www.slideshare.net/ChristopherKorban/purple-teaming-with-attck-x33fcon-2018)
- [Live Adversary Simulation: Red and Blue Team Tactics](https://www.rsaconference.com/writable/presentations/file_upload/hta-t06_live_adversary_simulation-red_and_blue_team_tactics.pdf)
- [MITRE ATT&CKcon 2018: Playing Devil's Advocate to Security Initiatives with ATT&CK, David Middlehurst, Trustwave](https://www.slideshare.net/attackcon2018/mitre-attckcon-2018-playing-devils-advocate-to-security-initiatives-with-attck-david-middlehurst-trustwave)
- [MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincent Van Mieghem, Deloitte](https://www.slideshare.net/attackcon2018/mitre-attckcon-2018-from-red-vs-blue-to-red-blue-olaf-hartong-and-vincent-van-mieghem-deloitte)
- [PowerShell for Practical Purple Teaming](https://www.slideshare.net/nikhil_mittal/powershell-for-practical-purple-teaming)
- [Signal the ATT&CK: Part 1](https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/signal-att-and-ck-part-1.html)
- [Signal the ATT&CK: Part 2](https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/signal-att-and-ck-part-2.html)

### Tools

#### Red Team

- [Cobalt Strike](https://www.cobaltstrike.com/) - Software for adversary simulations and red team operations.
- [PoshC2](https://github.com/nettitude/PoshC2_Python) - Proxy-aware C2 framework that utilises PowerShell and/or its equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement.
- [Empire](https://github.com/EmpireProject/Empire) - Post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent.
- [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/) - Collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
- [Invoke-PSImage](https://github.com/peewpw/Invoke-PSImage) - Takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image.

#### Purple Team

- [RE:TERNAL](https://github.com/d3vzer0/reternal-quickstart) - Centralised purple team simulation platform. Reternal uses agents installed on a simulation network to execute various known red-teaming techniques in order to test blue-teaming capabilities.
- [Purple Team ATT&CK Automation](https://github.com/praetorian-inc/purple-team-attack-automation) - Praetorian's public release of its Metasploit automation of MITRE ATT&CK™ TTPs.
- [VECTR](https://github.com/SecurityRiskAdvisors/VECTR) - Tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios.
- [Mordor](https://github.com/Cyb3rWard0g/mordor) - Provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.

#### Adversary Emulation

- [MITRE CALDERA](https://github.com/mitre/caldera) - Automated adversary emulation system, built on the MITRE ATT&CK™ framework.
- [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) - Small and highly portable detection tests based on MITRE's ATT&CK.
- [Metta](https://github.com/uber-common/metta) - Information security preparedness tool to do adversarial simulation.
- [Red Team Automation (RTA)](https://github.com/endgameinc/RTA) - Framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

------

## Threat Hunting

### Resources

- [MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student](https://www.slideshare.net/attackcon2018/mitre-attckcon-2018-hunters-attcking-with-the-data-robert-rodriguez-specterops-and-jose-luis-rodriguez-student)
- [Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32](https://redcanary.com/blog/testing-the-top-mitre-attck-techniques-powershell-scripting-regsvr32/)
- [Ten Ways Zeek Can Help You Detect the TTPs of MITRE ATT&CK](https://m.youtube.com/watch?v=DfTbSc_q2F8)
- [SEC1244 - Cops and Robbers: Simulating the Adversary to Test Your Splunk Security Analytics](https://static.rainfocus.com/splunk/splunkconf18/sess/1522696002986001hj1a/finalPDF/Simulating-the-Adversary-Test-1244_1538791048709001YJnK.pdf)
- [Mapping your Blue Team to MITRE ATT&CK™](https://www.siriussecurity.nl/blog/2019/5/8/mapping-your-blue-team-to-mitre-attack)
- [Quantify Your Hunt: Not Your Parent's Red Teaming Redux](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536351477.pdf)
- [Post-Exploitation Hunting with ATT&CK & Elastic](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1533071345.pdf)
- [ThreatHunter-Playbook](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook)
- [How MITRE ATT&CK helps security operations](https://www.slideshare.net/votadlos/how-mitre-attck-helps-security-operations)
- [MITRE Cyber Analytics Repository](https://car.mitre.org/)
- [MITRE ATT&CK Windows Logging Cheat Sheets](https://github.com/MalwareArchaeology/ATTACK)
- [Defensive Gap Assessment with MITRE ATT&CK](https://www.cybereason.com/blog/defensive-gap-assessment-with-mitre-attck)
- [Prioritizing the Remediation of Mitre ATT&CK Framework Gaps](https://blog.netspi.com/prioritizing-the-remediation-of-mitre-attck-framework-gaps/)
- [Finding Related ATT&CK Techniques](https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6)
- [Getting Started with ATT&CK: Detection and Analytics](https://medium.com/mitre-attack/getting-started-with-attack-detection-a8e49e4960d0)
- [2019 Threat Detection Report](https://redcanary.com/resources/guides/threat-detection-report/)
- [A Process is No One: Hunting for Token Manipulation](https://specterops.io/assets/resources/A_Process_is_No_One.pdf)

### Tools

- [osquery-attck](https://github.com/teoseller/osquery-attck) - Mapping the MITRE ATT&CK Matrix with osquery.
- [ATTACKdatamap](https://github.com/olafhartong/ATTACKdatamap) - A data source assessment on an event level to show potential coverage of the MITRE ATT&CK framework.
- [Splunk Mitre ATT&CK App](https://github.com/olafhartong/ThreatHunting) - A Splunk app mapped to MITRE ATT&CK to guide your threat hunts.
- [auditd-attack](https://github.com/bfuzzy1/auditd-attack/tree/master/auditd-attack) - A Linux auditd rule set mapped to MITRE's ATT&CK framework.
- [DeTTACT](https://github.com/rabobank-cdc/DeTTACT) - DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours.
- [HELK](https://github.com/Cyb3rWard0g/HELK) - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
- [Sigma](https://github.com/Neo23x0/sigma) - Generic signature format for SIEM systems.
- [atomic-threat-coverage](https://github.com/krakow2600/atomic-threat-coverage) - Automatically generated actionable analytics designed to combat threats based on MITRE's ATT&CK.
- [CyberMenace](https://github.com/PM0ney/CyberMenace) - A one-stop-shop hunting app in Splunk that can ingest Zeek, Suricata, Sysmon, and Windows event data to find malicious indicators of compromise relating to the MITRE ATT&CK Matrix.
- [Wayfinder](https://github.com/egaus/wayfinder) - Artificial intelligence agent to extract threat intelligence TTPs from feeds of malicious and benign event sources and automate threat hunting activities.
- [pyattck](https://github.com/swimlane/pyattck) - A Python package to interact with the Mitre ATT&CK Framework. Documentation is available [here](https://pyattck.readthedocs.io/en/latest/).

------

## Threat Intelligence

### Resources

- [FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™](https://www.slideshare.net/KatieNickels/first-cti-symposium-turning-intelligence-into-action-with-mitre-attck)
- [Getting Started with ATT&CK: Threat Intelligence](https://medium.com/mitre-attack/getting-started-with-attack-cti-4eb205be4b2f)
- [Using ATT&CK to Advance Cyber Threat Intelligence - Part 1](https://medium.com/mitre-attack/using-att-ck-to-advance-cyber-threat-intelligence-part-1-c5ad14d59724)
- [Using ATT&CK to Advance Cyber Threat Intelligence - Part 2](https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/using-attck-to-advance-cyber-threat-0)
- [ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK™](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536260992.pdf)

### Tools

- [cti](https://github.com/mitre/cti) - Cyber Threat Intelligence Repository expressed in STIX 2.0.
- [TALR](https://github.com/SecurityRiskAdvisors/TALR) - A public repository for the collection and sharing of detection rules in STIX format.

------

## Community

- [EU ATT&CK Community](https://www.attack-community.org/)
- [MITRE ATT&CKcon 2018](https://attack.mitre.org/resources/attackcon/)

------

## License

[![CC0](http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](http://creativecommons.org/publicdomain/zero/1.0)

To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and related or neighboring rights to this work.