├── ATTACKdatamap.psd1 ├── ATTACKdatamap.psm1 ├── LICENSE ├── README.md ├── Sample results ├── ATTACKcoverage.json ├── sysmon-theoretical.json └── sysmon.xlsx ├── mitre_data_assessment.xlsx └── template.json /ATTACKdatamap.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | # If authoring a script module, the RootModule is the name of your .psm1 file 3 | RootModule = 'ATTACKdatamap.psm1' 4 | Author = 'Olaf Hartong ' 5 | ModuleVersion = '1.0' 6 | GUID = '5436b2bb-91af-4a6e-91eb-39667a8f6b41' 7 | Copyright = '2019 Olaf Hartong' 8 | CompanyName = 'Olaf Hartong' 9 | Description = 'A datasource assessment on an event level to show potential ATT&CK coverage' 10 | 11 | # Minimum PowerShell version supported by this module (optional, recommended) 12 | # PowerShellVersion = '' 13 | 14 | # Which PowerShell Editions does this module work with? (Core, Desktop) 15 | CompatiblePSEditions = @('Desktop', 'Core') 16 | 17 | # Which PowerShell functions are exported from your module? (eg. Get-CoolObject) 18 | FunctionsToExport = @( 19 | 'Request-ATTACKjson', 20 | 'Invoke-ATTACKUpdateExcel', 21 | 'Get-ATTACKdata', 22 | 'Request-ApplicationJSON', 23 | 'Request-DefenseJSON' 24 | ) 25 | 26 | 27 | # Which PowerShell aliases are exported from your module? (eg. gco) 28 | AliasesToExport = @('*') 29 | 30 | # List of all files packaged with this module 31 | FileList = @( 32 | 'ATTACKdatamap.psm1' 33 | ) 34 | 35 | # Which PowerShell variables are exported from your module? (eg. Fruits, Vegetables) 36 | VariablesToExport = @('*') 37 | 38 | # PowerShell Gallery: Define your module's metadata 39 | PrivateData = @{ 40 | PSData = @{ 41 | # What keywords represent your PowerShell module? (eg. cloud, tools, framework, vendor) 42 | Tags = @('DFIR', 'ThreatHunting') 43 | 44 | # What software license is your code being released under? 
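(see https://opensource.org/licenses) 45 | LicenseUri = 'https://github.com/olafhartong/ATTACKdatamap/blob/master/LICENSE' 46 | 47 | # What is the URL to your project's website? 48 | ProjectUri = 'https://github.com/olafhartong/ATTACKdatamap' 49 | 50 | # What is the URI to a custom icon file for your project? (optional) 51 | IconUri = '' 52 | 53 | # What new features, bug fixes, or deprecated features, are part of this release? 54 | ReleaseNotes = @' 55 | '@ 56 | } 57 | } 58 | 59 | # If your module supports updateable help, what is the URI to the help archive? (optional) 60 | # HelpInfoURI = '' 61 | }
--------------------------------------------------------------------------------
/ATTACKdatamap.psm1:
--------------------------------------------------------------------------------
function Get-ATTACKdata {
    <#
    .SYNOPSIS
    Downloads the MITRE ATT&CK Enterprise JSON file
    .DESCRIPTION
    Fetches enterprise-attack.json from the mitre/cti repository on GitHub over HTTPS and saves it to AttackPath.
    If AttackPath has no parent directory, or that directory does not exist, the file is saved in the current
    PowerShell location under the file name only.

    The URL follows the 'master' branch, so the content can differ between runs and is not compared against a
    known-good hash. The SHA-256 of the saved file is printed so it can be recorded and compared between runs.
    .EXAMPLE
    PS C:\> Get-ATTACKdata -AttackPath ./enterprise-attack.json
    .OUTPUTS
    $AttackPath = The location where the ATT&CK Enterprise file will be stored, default is .\enterprise-attack.json
    #>
    param (
        # Destination file for the downloaded ATT&CK Enterprise JSON.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $AttackPath = 'enterprise-attack.json'
    )
    $url = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"

    $parent = Split-Path -Parent $AttackPath
    if (!$parent -or !(Test-Path -PathType Container $parent)) {
        $AttackPath = Join-Path $pwd (Split-Path -Leaf $AttackPath)
    }
    # WebClient resolves relative paths against the process working directory, which can differ
    # from the PowerShell location; hand it an absolute path so the file lands where it is reported.
    $AttackPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($AttackPath)

    Write-Host "[++] Downloading [$url]`nSaving at [$AttackPath]" -ForegroundColor Cyan
    $client = New-Object System.Net.WebClient
    try {
        $client.DownloadFile($url, $AttackPath)
    }
    finally {
        # Release the underlying connection even when the download throws.
        $client.Dispose()
    }

    # The download is not pinned to a commit; print the digest so a changed file is noticeable.
    $sha256 = (Get-FileHash -LiteralPath $AttackPath -Algorithm SHA256).Hash
    Write-Host "[++] SHA256 [$sha256]" -ForegroundColor Cyan

    $AttackPath
}

function Invoke-ATTACKUpdateExcel {
    <#
    .SYNOPSIS
    Generates MITRE ATT&CK relevant fields into a table and creates or updates a worksheet in an Excel sheet
    Requires module ImportExcel, Install it like this PS C:\> Install-Module ImportExcel
    .DESCRIPTION
    Reads the ATT&CK Enterprise JSON file, keeps the objects of type "attack-pattern" that are not marked as
    revoked, and writes one row per technique (ID, Name, Data Source, Platforms, Detection, Description, Tactic,
    Defense Bypassed) to the REF-DataSources worksheet of the Excel file.
    .EXAMPLE
    PS C:\> Invoke-ATTACKUpdateExcel -AttackPath .\enterprise-attack.json -Excelfile .\mitre_data_assessment.xlsx
    .INPUTS
    AttackPath = The location of the ATT&CK Enterprise JSON file, default is .\enterprise-attack.json
    .OUTPUTS
    Excelfile = The location of the Excel file in which you want to create/update the DataSources reference workbook, default is .\mitre_data_assessment.xlsx
    .NOTES
    The cell text is taken as-is from the JSON file. If that file does not come from a trusted source, confirm
    how Export-Excel treats values that start with '=' before opening the generated workbook.
    #>
    param (
        # NOTE(review): both parameters declare Position=0, so positional binding looks ambiguous;
        # confirm, and call this function with named parameters.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Excelfile = 'mitre_data_assessment.xlsx',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $AttackPath = 'enterprise-attack.json'
    )
    # -Raw reads the file as one string, matching how the other functions in this module load JSON.
    $dataset = Get-Content -Raw -Path $AttackPath |
        ConvertFrom-Json |
        Select-Object -ExpandProperty objects |
        Where-Object type -eq "attack-pattern"

    # Collect the loop output directly instead of growing an array with += on every technique.
    $Collection = @(
        foreach ($object in $dataset) {
            $Props = @{
                'ID'               = $object.external_references.'external_id'
                'Data Source'      = $object.'x_mitre_data_sources'
                'Name'             = $object.'name'
                'Detection'        = $object.'x_mitre_detection'
                'Platforms'        = $object.'x_mitre_platforms'
                'Description'      = $object.'description'
                'Tactic'           = $object.'kill_chain_phases'.'phase_name'
                'Defense Bypassed' = $object.'x_mitre_defense_bypassed'
                'Revoked'          = $object.'revoked'
            }
            $TotalObjects = New-Object PSCustomObject -Property $Props
            # Revoked techniques are left out of the reference sheet.
            if ($TotalObjects.Revoked -notcontains $true) {
                $TotalObjects
            }
        }
    )

    Write-Host "[++] Updating your Data Source sheet, this takes a few secs...." -ForegroundColor Cyan

    # Multi-valued fields are flattened to comma-separated text; ID keeps only the first external id.
    $columns = @(
        @{Name = "ID";               Expression = { $_.ID | Select-Object -Index 0 }},
        @{Name = "Name";             Expression = { $_.Name -join "," }},
        @{Name = "Data Source";      Expression = { $_.'Data Source' -join "," }},
        @{Name = "Platforms";        Expression = { $_.'Platforms' -join "," }},
        @{Name = "Detection";        Expression = { $_.'Detection' -join "," }},
        @{Name = "Description";      Expression = { $_.'Description' -join "," }},
        @{Name = "Tactic";           Expression = { $_.'Tactic' -join "," }},
        @{Name = "Defense Bypassed"; Expression = { $_.'Defense Bypassed' -join "," }}
    )
    $Collection |
        Select-Object -Property $columns |
        Sort-Object ID |
        Export-Excel $Excelfile -WorksheetName REF-DataSources
}

function Request-ATTACKjson {
    <#
    .SYNOPSIS
    Generates a JSON file to be imported into the ATT&CK Navigator. Based on a template and a filled Excel sheet
    Requires module ImportExcel, Install it like this PS C:\> Install-Module ImportExcel
    .DESCRIPTION
    Generates a JSON file to be imported into the ATT&CK Navigator. The mitre_data_assessment Excel file contains all Techniques, which can be updated via Invoke-ATTACKUpdateExcel.
    These techniques contain DataSources, which are individually scored with a weight. The DataSourceEventTypes need to be scored per environment.
    This script multiplies the respective DataSource scores and adds them to a total technique score. The generation date is added to the description.

    This is all gathered into a JSON file which can be opened here;
    https://mitre-attack.github.io/attack-navigator/enterprise/
    .EXAMPLE
    PS C:\> Request-ATTACKjson -Excelfile .\mitre_data_assessment.xlsx -Template .\template.json -Output 2019-03-23-ATTACKcoverage.json
    .INPUTS
    Excelfile = The Excel file containing all Datasource scores, default is .\mitre_data_assessment.xlsx
    Template = The ATT&CK Navigator JSON template, default is .\template.json
    Title = The layer name written into the JSON, default is DataCoverage
    .OUTPUTS
    Output = The name of the JSON file you want to generate for the ATT&CK Navigator, default is ATTACKcoverage.json
    .NOTES
    The weights in a row are matched to its data sources by position: the Weight cell is split on ';' and the
    Data Source cell on ','. A data source without a matching weight contributes a score of 0.
    #>

    param (
        # NOTE(review): every parameter declares Position=0, so positional binding looks ambiguous;
        # confirm, and call this function with named parameters.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Excelfile = 'mitre_data_assessment.xlsx',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Template = 'template.json',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Title = 'DataCoverage',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Output = 'ATTACKcoverage.json'
    )

    $lookup = Import-Excel $Excelfile -WorksheetName DataSourceEvents
    $mitre = Import-Excel $Excelfile -WorksheetName TechniqueDataSourceWeights
    $JSONtemplate = (Get-Content -Raw -Path $Template | ConvertFrom-Json)
    $Date = (Get-Date).ToString("yyyy-MM-dd")

    # One output object per row of the TechniqueDataSourceWeights sheet.
    $finalresult = @(
        foreach ($line in $mitre) {
            $DataSources = $line."Data Source"
            $weights = $line.Weight -split ";"
            $techniqueDSscore = 0
            $techniqueMetadata = @()
            # Index into $weights; advances with each comma-separated data source.
            $i = 0
            foreach ($ds in $DataSources -split ",") {
                $DataSourceEvents = $lookup | Where-Object DataSource -eq $ds
                $weight = $weights[$i]
                # Score of this data source: sum of (event score * data source weight).
                $total = 0
                foreach ($f in $DataSourceEvents) {
                    $eventScore = $f.Score * $weight
                    $total += $eventScore
                    $techniqueMetadata += New-Object PSCustomObject -Property @{
                        "name"  = "$($ds):$($f.Event)"
                        "value" = "Score: $eventScore"
                    }
                }
                $techniqueDSscore += $total
                $i += 1
            }
            # The ID is read from the current row rather than from a variable left over from the
            # inner loop, so a row without data sources cannot inherit the previous row's ID.
            New-Object PSCustomObject -Property @{
                "techniqueID" = $line.ID
                "score"       = $techniqueDSscore
                "metadata"    = $techniqueMetadata
            }
        }
    )

    $JSONtemplate.name = $Title
    $JSONtemplate.description = $Date
    # Insert the generated techniques into the json template
    $JSONtemplate.techniques = $finalresult
    # Generate the ATT&CK navigator file
    $JSONtemplate | ConvertTo-Json -Depth 5 | Out-File -Encoding ascii $Output
}


function Request-ApplicationJSON {
    <#
    .SYNOPSIS
    Generates a Applicability JSON file to be imported into the ATT&CK Navigator. Based on a template and a filled Excel sheet
    Requires module ImportExcel, Install it like this PS C:\> Install-Module ImportExcel
    .DESCRIPTION
    Generates a JSON file to be imported into the ATT&CK Navigator. The mitre_data_assessment Excel file contains all Techniques, which can be updated via Invoke-ATTACKUpdateExcel.
    These techniques are rated on the likelihood of achieving full coverage of that technique in Alerting, Hunting and/or Forensics. The generation date is added to the description.

    This is all gathered into a JSON file which can be opened here;
    https://mitre-attack.github.io/attack-navigator/enterprise/
    .EXAMPLE
    PS C:\> Request-ApplicationJSON -Excelfile .\mitre_data_assessment.xlsx -Template .\applicability-template.json -Type Alerting -Output ATTACKapplicability-Alerting.json
    .INPUTS
    Excelfile = The Excel file containing all Datasource scores, default is .\mitre_data_assessment.xlsx
    Template = The ATT&CK Navigator JSON template, default is .\applicability-template.json
    Type = Alerting, Hunting or Forensics, default is Alerting
    Title = The layer name written into the JSON, default is "<Type> Coverage Probability"
    .OUTPUTS
    Output = The name of the JSON file you want to generate for the ATT&CK Navigator, default is ATTACKapplicability-TYPE.json
    .NOTES
    applicability-template.json does not appear in the file listing of this repository; pass -Template
    explicitly if the default file is not present.
    #>
    param (
        # NOTE(review): every parameter declares Position=0, so positional binding looks ambiguous;
        # confirm, and call this function with named parameters.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        # Each accepted value is its own set member; it is also the worksheet column that is read.
        [ValidateSet('Alerting','Hunting','Forensics')]
        [string]
        $Type = 'Alerting',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Excelfile = 'mitre_data_assessment.xlsx',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Template = 'applicability-template.json',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Title = ($Type+' Coverage Probability'),
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Output = ('ATTACKapplicability-'+$Type+'.json')
    )

    $lookup = Import-Excel $Excelfile -WorksheetName TechniqueApplication
    $JSONtemplate = (Get-Content -Raw -Path $Template | ConvertFrom-Json)
    $Date = (Get-Date).ToString("yyyy-MM-dd")

    # One technique entry per worksheet row; the score is the cell in the column named by -Type.
    $techniques = @(
        foreach ($line in $lookup) {
            New-Object PSCustomObject -Property @{
                "techniqueID" = $line.ID
                "score"       = $line.$Type
            }
        }
    )

    $JSONtemplate.name = $Title
    $JSONtemplate.description = $Date
    # Insert the generated techniques into the json template
    $JSONtemplate.techniques = $techniques
    # Generate the ATT&CK navigator file
    $JSONtemplate | ConvertTo-Json -Depth 5 | Out-File -Encoding ascii $Output
}

function Request-DefenseJSON {
    <#
    .SYNOPSIS
    Generates a Defense Bypassed rating JSON file to be imported into the ATT&CK Navigator. Based on a template and a filled Excel sheet
    Requires module ImportExcel, Install it like this PS C:\> Install-Module ImportExcel
    .DESCRIPTION
    Generates a JSON file to be imported into the ATT&CK Navigator. The mitre_data_assessment Excel file contains all Techniques, which can be updated via Invoke-ATTACKUpdateExcel.
    These techniques are rated on the likelihood of achieving a bypass of the defensive measures of that technique. The generation date is added to the description.

    This is all gathered into a JSON file which can be opened here;
    https://mitre-attack.github.io/attack-navigator/enterprise/
    .EXAMPLE
    PS C:\> Request-DefenseJSON -Excelfile .\mitre_data_assessment.xlsx -Template .\defense-template.json -Output DefenseCoverage.json
    .INPUTS
    Excelfile = The Excel file containing all Datasource scores, default is .\mitre_data_assessment.xlsx
    Template = The ATT&CK Navigator JSON template, default is .\defense-template.json
    Title = The layer name written into the JSON, default is Defense Coverage
    .OUTPUTS
    Output = The name of the JSON file you want to generate for the ATT&CK Navigator, default is DefenseCoverage.json
    .NOTES
    defense-template.json does not appear in the file listing of this repository; pass -Template explicitly
    if the default file is not present.
    #>
    param (
        # NOTE(review): every parameter declares Position=0, so positional binding looks ambiguous;
        # confirm, and call this function with named parameters.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Excelfile = 'mitre_data_assessment.xlsx',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Template = 'defense-template.json',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Title = 'Defense Coverage',
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $Output = 'DefenseCoverage.json'
    )

    $lookup = Import-Excel $Excelfile -WorksheetName DefenseMitigation
    $mitre = Import-Excel $Excelfile -WorksheetName DefenseBypassWeights
    $JSONtemplate = (Get-Content -Raw -Path $Template | ConvertFrom-Json)
    $Date = (Get-Date).ToString("yyyy-MM-dd")

    # One output object per row of the DefenseBypassWeights sheet.
    $finalresult = @(
        foreach ($line in $mitre) {
            $DataSources = $line."Defense Bypassed"
            $weights = $line.Weight -split ";"
            # A row whose Weight cell equals 0 is emitted with enabled = 'false'.
            # NOTE(review): the value is written as the text 'true'/'false', not as a boolean;
            # confirm that the Navigator version in use reads it as intended.
            $enabled = if ($line.Weight -eq 0) { 'false' } else { 'true' }
            $techniqueDSscore = 0
            $techniqueMetadata = @()
            # Index into $weights; advances with each comma-separated defense.
            $i = 0
            foreach ($ds in $DataSources -split ",") {
                $DataSourceEvents = $lookup | Where-Object Defense -eq $ds
                $weight = $weights[$i]
                # Score of this defense: sum of (event score * weight).
                $total = 0
                foreach ($f in $DataSourceEvents) {
                    $eventScore = $f.Score * $weight
                    $total += $eventScore
                    $techniqueMetadata += New-Object PSCustomObject -Property @{
                        "name"  = "$($ds):$($f.Event)"
                        "value" = "Score: $eventScore"
                    }
                }
                $techniqueDSscore += $total
                $i += 1
            }
            # ID and enabled are derived from the current row rather than from a variable left over
            # from the inner loop, so a row without defenses cannot inherit the previous row's values.
            New-Object PSCustomObject -Property @{
                "techniqueID" = $line.ID
                "score"       = $techniqueDSscore
                "metadata"    = $techniqueMetadata
                "enabled"     = $enabled
            }
        }
    )

    $JSONtemplate.name = $Title
    $JSONtemplate.description = $Date
    # Insert the generated techniques into the json template
    $JSONtemplate.techniques = $finalresult
    # Generate the ATT&CK navigator file
    $JSONtemplate | ConvertTo-Json -Depth 5 | Out-File -Encoding ascii $Output
}
--------------------------------------------------------------------------------
/LICENSE: 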
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Olaf Hartong 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![license](https://img.shields.io/github/license/olafhartong/sysmon-modular.svg?style=flat-square)](https://github.com/olafhartong/sysmon-modular/blob/master/license.md) 2 | ![Maintenance](https://img.shields.io/maintenance/yes/2020.svg?style=flat-square) 3 | [![GitHub last commit](https://img.shields.io/github/last-commit/olafhartong/ATTACKdatamap.svg?style=flat-square)](https://github.com/olafhartong/ATTACKdatamap/commit/master) 4 | [![Twitter](https://img.shields.io/twitter/follow/olafhartong.svg?style=social&label=Follow)](https://twitter.com/olafhartong) 5 | 6 | # ATTACKdatamap 7 | A datasource assessment on an event level to show potential coverage of the "MITRE ATT&CK" framework. 8 | 9 | This tool is developed by me and has no affiliation with "MITRE" nor with its great "ATT&CK" team; it is developed with the intention to ease the mapping of data sources to assess one's potential coverage. 10 | 11 | More details in a blogpost [here](https://medium.com/@olafhartong/assess-your-data-potential-with-att-ck-datamap-f44884cfed11) 12 | 13 | # Start 14 | This tool requires module ImportExcel, install it like this ```PS C:\> Install-Module ImportExcel``` 15 | 16 | Import the module with ```Import-Module .\ATTACKdatamap.psd1``` 17 | 18 | OS X Only, ImportExcel Module Cannot Autosize by default, install: ```brew install mono-libgdiplus``` 19 | 20 | ## Request-ATTACKjson 21 | Generates a JSON file to be imported into the ATT&CK Navigator. The mitre_data_assessment.xlsx file contains all Techniques, which can be updated via Invoke-ATTACKUpdateExcel. 22 | 23 | Each technique contains DataSources, which are individually scored by me with a weight. The DataSourceEventTypes need to be scored per environment. 
24 | 25 | This script multiplies the respective DataSource scores and adds them to a total technique score. The generation date is added to the description. 26 | 27 | EXAMPLE 28 | 29 | ```PS C:\> Request-ATTACKjson -Excelfile .\mitre_data_assessment.xlsx -Template .\template.json -Output 2019-03-23-ATTACKcoverage.json``` 30 | 31 | This is all gathered into a JSON file which can be opened here; 32 | [MITRE ATT&CK Navigator/enterprise/](https://mitre-attack.github.io/attack-navigator/enterprise/) 33 | 34 | ## Invoke-ATTACKUpdateExcel 35 | This generates all MITRE ATT&CK relevant fields into a table and creates or updates the REF-DataSources worksheet in an Excel sheet 36 | 37 | EXAMPLE 38 | 39 | ```PS C:\> Invoke-ATTACKUpdateExcel -AttackPath .\enterprise-attack.json -Excelfile .\mitre_data_assessment.xlsx``` 40 | 41 | The -AttackPath and -Excelfile parameters are optional 42 | 43 | ## Get-ATTACKdata 44 | This downloads the MITRE ATT&CK Enterprise JSON file 45 | 46 | EXAMPLE 47 | 48 | ```PS C:\> Get-ATTACKdata -AttackPath ./enterprise-attack.json``` 49 | 50 | The -AttackPath parameter is optional 51 | -------------------------------------------------------------------------------- /Sample results/sysmon.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/olafhartong/ATTACKdatamap/8c5bb3c24e725c98faa60ac4aff6ca98cd254405/Sample results/sysmon.xlsx -------------------------------------------------------------------------------- /mitre_data_assessment.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/olafhartong/ATTACKdatamap/8c5bb3c24e725c98faa60ac4aff6ca98cd254405/mitre_data_assessment.xlsx -------------------------------------------------------------------------------- /template.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "DataCoverage", 3 | "version": "2.2", 4 | 
"domain": "mitre-enterprise", 5 | "description": "", 6 | "filters": { 7 | "stages": [ 8 | "act" 9 | ], 10 | "platforms": [ 11 | "windows", 12 | "linux", 13 | "mac" 14 | ] 15 | }, 16 | "sorting": 0, 17 | "viewMode": 0, 18 | "hideDisabled": false, 19 | "techniques" : [], 20 | "gradient": { 21 | "colors": [ 22 | "#ffffff", 23 | "#edfbff", 24 | "#d0f4ff", 25 | "#b8daf5", 26 | "#427ba9", 27 | "#0c1b33" 28 | ], 29 | "minValue": 0, 30 | "maxValue": 2100 31 | }, 32 | "legendItems": [ 33 | { 34 | "label": "Low Coverage", 35 | "color": "#ffffff" 36 | }, 37 | { 38 | "label": "Medium Coverage", 39 | "color": "#76aad4" 40 | }, 41 | { 42 | "label": "Pretty Good Coverage", 43 | "color": "#0c1b33" 44 | } 45 | ], 46 | "metadata": [], 47 | "showTacticRowBackground": false, 48 | "tacticRowBackground": "#dddddd", 49 | "selectTechniquesAcrossTactics": true 50 | } --------------------------------------------------------------------------------